Return-Path: X-Original-To: apmail-accumulo-dev-archive@www.apache.org Delivered-To: apmail-accumulo-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 84B2FCE22 for ; Mon, 10 Mar 2014 17:13:15 +0000 (UTC) Received: (qmail 2560 invoked by uid 500); 10 Mar 2014 17:13:14 -0000 Delivered-To: apmail-accumulo-dev-archive@accumulo.apache.org Received: (qmail 2529 invoked by uid 500); 10 Mar 2014 17:13:14 -0000 Mailing-List: contact dev-help@accumulo.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@accumulo.apache.org Delivered-To: mailing list dev@accumulo.apache.org Received: (qmail 2521 invoked by uid 99); 10 Mar 2014 17:13:14 -0000 Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 10 Mar 2014 17:13:14 +0000 Received: from localhost (HELO mail-la0-f44.google.com) (127.0.0.1) (smtp-auth username vines, mechanism plain) by minotaur.apache.org (qpsmtpd/0.29) with ESMTP; Mon, 10 Mar 2014 17:13:13 +0000 Received: by mail-la0-f44.google.com with SMTP id hr13so4834825lab.17 for ; Mon, 10 Mar 2014 10:13:11 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:content-type; bh=gsHfTcU/oXJTb57qyOjZQ9k6SBoJib1SSWPMAnrHtdo=; b=KvT+IOMySmaTmD5ro+mnM4T7oXoNCqWQAYk03kNau9oxoEUnORrErPQ56NU5QhVRs+ Gx+zimnMikxybsr+9NdaZ3GTJtPyVMKyDDukNb3xcuFcOs3hTJG5lVax3Pn6ZPFqnO5L VYfNfAE3QI2pO3H79uFwz3JIdXX2L03Oc4Ueyio47mw9ATLEpO2AVmpwgsaBijiE66qC CSKO1t/fzVMtfUsVQlh5n+54xf3e+USNv2sHI+Au94hG4Yn+sGe48wEzQ0FWYqxNcnd7 /tOhnbz01MoJa13lVYswE/avPhKAsEpFAXRoa1akicfZjsyOAMFQwA0b8fdAo40Le0A5 uqZw== X-Received: by 10.112.140.202 with SMTP id ri10mr22937026lbb.9.1394471591405; Mon, 10 Mar 2014 10:13:11 -0700 (PDT) MIME-Version: 1.0 Reply-To: vines@apache.org Received: by 10.114.93.3 with HTTP; Mon, 10 Mar 2014 10:12:31 -0700 (PDT) In-Reply-To: References: <1394052507311-7949.post@n5.nabble.com> <004301cf3c71$8e2898f0$aa79cad0$@insufficient-light.com> From: John Vines Date: Mon, 10 Mar 2014 13:12:31 -0400 Message-ID: Subject: Re: "NOT" operator in visibility string To: Accumulo Dev List Content-Type: multipart/alternative; boundary=001a11c25deadaf2aa04f443b718 --001a11c25deadaf2aa04f443b718 Content-Type: text/plain; charset=ISO-8859-1 I feel like that's the space for either refined labelling or the pluggable authorization framework. Maybe both. If you have a piece of data that can only be seen under XOR conditions, then it should probably have a unique label which can be provided under those conditions from the authorizor. On Mon, Mar 10, 2014 at 12:40 PM, Keith Turner wrote: > On Mon, Mar 10, 2014 at 12:19 PM, Sean Busbey >wrote: > > > +dev@accumulo > > > > We may be getting into the weeds enough to remove user@accumulo, but > I'll > > leave in place for now. > > > > > > inline below > > > > On Mon, Mar 10, 2014 at 11:10 AM, Keith Turner wrote: > > > > > > > > > > > > > > On Mon, Mar 10, 2014 at 11:50 AM, Sean Busbey < > busbey+lists@cloudera.com > > >wrote: > > > > > >> > > >> Phil, > > >> > > >> What John is getting at here is that since Accumulo's security label > > >> model is trying to enforce role presence, our APIs allow a user to > > request > > >> that only a subset of their authorizations be used in a given request. > > >> > > >> The ability to request only a subset of authorizations on a > per-request > > >> basis is needed to implement some common Accumulo use cases (such as a > > >> trusted application filtering for a variety of users in an multi-level > > >> security environment). > > >> > > > > > > To safely add not, it seems like we would also need to add the concept > of > > > a minimal authorization set. Currently an Accumulo user has a maximum > > set > > > of authorizations they can query. However they can choose to use any > > > subset of this including the empty set. For exmaple Accumulo user doc > > has > > > a maximum authorization set of (doctor, researcher) and a minimal set > > > (doctor). So every scan must specify at least 'doctor' or it will > fail. > > > > > > This seems very complicated and easy for users to get wrong. > > > > > > > > > > I agree that this is adding a significant amount of complexity. One > option > > would be to annotate NOT as advisory, or to specify in the docs that it'd > > be up to the application layer to enforce the inclusion of the minimal > set. > > (then again, that leaves even more room for erroneous implementations) > > > > If we are going to do it, I think we should try to come up with a design > that solves end-to-end use cases. The not op seems useful but also > dangerous, there is a real possibility of unintended data leakage. A > minimal authorization set is a solution. Are there other solutions? Ones > that better translate a users intent into constraints in the system. > > > > > > Does anyone have time to review the design docs from HBase's > implementation > > of cell level visibilities? I know their visibility parsing allows NOT > and > > I'm wondering if they worked through this already. > > > --001a11c25deadaf2aa04f443b718--