Return-Path: 
 <dev-return-8494-apmail-accumulo-dev-archive=accumulo.apache.org@accumulo.apache.org>
X-Original-To: apmail-accumulo-dev-archive@www.apache.org
Delivered-To: apmail-accumulo-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 04679CC97
	for <apmail-accumulo-dev-archive@www.apache.org>;
 Mon, 10 Mar 2014 16:40:53 +0000 (UTC)
Received: (qmail 73204 invoked by uid 500); 10 Mar 2014 16:40:50 -0000
Delivered-To: apmail-accumulo-dev-archive@accumulo.apache.org
Received: (qmail 73060 invoked by uid 500); 10 Mar 2014 16:40:48 -0000
Mailing-List: contact dev-help@accumulo.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@accumulo.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@accumulo.apache.org>
List-Post: <mailto:dev@accumulo.apache.org>
List-Id: <dev.accumulo.apache.org>
Reply-To: dev@accumulo.apache.org
Delivered-To: mailing list dev@accumulo.apache.org
Received: (qmail 72891 invoked by uid 99); 10 Mar 2014 16:40:46 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 10 Mar 2014 16:40:46 +0000
X-ASF-Spam-Status: No, hits=1.5 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy includes SPF record at
 spf.trusted-forwarder.org)
Received: from [209.85.220.182] (HELO mail-vc0-f182.google.com)
 (209.85.220.182)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 10 Mar 2014 16:40:40 +0000
Received: by mail-vc0-f182.google.com with SMTP id ks9so1328466vcb.27
        for <dev@accumulo.apache.org>; Mon, 10 Mar 2014 09:40:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:content-type;
        bh=IWfVXHkcpSw4KcE7tr5UQGJYnKOVxBSYQFIaKaKniio=;
        b=BK4iupBeKcMrDtQqp/qCUo75aGt8OERTzqVPMbL5VZLuOTJiJct3I7nT7P1fCcG8tE
         ekHxDFf3CvM52EvZBFLTlPePnyZwr4iRu5n23HPHiMQhgR6bPW+uN7lhur2oyOExMN6W
         IcjOU+MWZv4n/Zx8AuflNon2ure1MioH3j0RZlQmQYX+4aRqclT2UX59rZd8ibOl3cvr
         BpEycnUSv8YS1hXNGBpaQxTA+yXqcgLsea7ubeqwGNaRxdfU0id3w5ukipcSz8PkQnA9
         6OZFXZ5nS1CiujDRW9doJiNJhgMbPFuxjee0fGbEMPIiKSL/qkpGa887PTizLKyx/12g
         LQwQ==
X-Gm-Message-State: 
 ALoCoQmTz518SrO15+N5fgqJo6stnyQUNNotQcv6PWCURTyd8+y6HHXyd6EpdazazVyJD2DqOufw
MIME-Version: 1.0
X-Received: by 10.52.188.41 with SMTP id fx9mr23117646vdc.19.1394469619362;
 Mon, 10 Mar 2014 09:40:19 -0700 (PDT)
Received: by 10.221.21.199 with HTTP; Mon, 10 Mar 2014 09:40:19 -0700 (PDT)
In-Reply-To: 
 <CAGHyZ6+-jebtXRm6X9VU_Ei+WkyVhh4T_SKrysKJxhd_m=igkg@mail.gmail.com>
References: <1394052507311-7949.post@n5.nabble.com>
	<CAOyNEs7dj1u+hCGc=sZ-RbmLdid-hTm_weKXCByTrwoNJAy5qA@mail.gmail.com>
	<004301cf3c71$8e2898f0$aa79cad0$@insufficient-light.com>
	<CADczPYTRgVi=3_=7NUv4AkoZ_iA7931YvM_Odfju-ERw6w-dZQ@mail.gmail.com>
	<CAGHyZ6+kNwV7EHjVK=BUk+KLtvW66oJgYu4z=3EQZLqtOMCB3g@mail.gmail.com>
	<CAGUtCHoRW7fEAMrS=eHZA=ZR8+hTmm2Q+rDfed8rU17VTLAevA@mail.gmail.com>
	<CAGHyZ6+-jebtXRm6X9VU_Ei+WkyVhh4T_SKrysKJxhd_m=igkg@mail.gmail.com>
Date: Mon, 10 Mar 2014 12:40:19 -0400
Message-ID: 
 <CAGUtCHrcpUyk-bsG_SiR_2tfZpJgLD0pRfz+DXisj0saBiNAkg@mail.gmail.com>
Subject: Re: "NOT" operator in visibility string
From: Keith Turner <keith@deenlo.com>
To: Accumulo Dev List <dev@accumulo.apache.org>
Content-Type: multipart/alternative; boundary=bcaec5485ca050039904f44342ee
X-Virus-Checked: Checked by ClamAV on apache.org

--bcaec5485ca050039904f44342ee
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Mar 10, 2014 at 12:19 PM, Sean Busbey <busbey+lists@cloudera.com>wrote:

> +dev@accumulo
>
> We may be getting into the weeds enough to remove user@accumulo, but I'll
> leave in place for now.
>
>
> inline below
>
> On Mon, Mar 10, 2014 at 11:10 AM, Keith Turner <keith@deenlo.com> wrote:
>
> >
> >
> >
> > On Mon, Mar 10, 2014 at 11:50 AM, Sean Busbey <busbey+lists@cloudera.com
> >wrote:
> >
> >>
> >> Phil,
> >>
> >> What John is getting at here is that since Accumulo's security label
> >> model is trying to enforce role presence, our APIs allow a user to
> request
> >> that only a subset of their authorizations be used in a given request.
> >>
> >> The ability to request only a subset of authorizations on a per-request
> >> basis is needed to implement some common Accumulo use cases (such as a
> >> trusted application filtering for a variety of users in an multi-level
> >> security environment).
> >>
> >
> > To safely add not, it seems like we would also need to add the concept of
> > a minimal authorization set.  Currently an Accumulo user has a maximum
> set
> > of authorizations they can query.  However they can choose to use any
> > subset of this including the empty set.  For exmaple Accumulo user doc
> has
> > a maximum authorization set of (doctor, researcher) and a minimal set
> > (doctor).  So every scan must specify at least 'doctor' or it will fail.
> >
> > This seems very complicated and easy for users to get wrong.
> >
> >
>
> I agree that this is adding a significant amount of complexity. One option
> would be to annotate NOT as advisory, or to specify in the docs that it'd
> be up to the application layer to enforce the inclusion of the minimal set.
> (then again, that leaves even more room for erroneous implementations)
>

If we are going to do it, I think we should try to come up with a design
that solves end-to-end use cases. The not op seems useful but also
dangerous, there is a real possibility of unintended data leakage.  A
minimal authorization set is a solution.  Are there other solutions? Ones
that better translate a users intent into constraints in the system.


>
> Does anyone have time to review the design docs from HBase's implementation
> of cell level visibilities? I know their visibility parsing allows NOT and
> I'm wondering if they worked through this already.
>

--bcaec5485ca050039904f44342ee--