accumulo-notifications mailing list archives

From "John Vines (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-1681) Adjust Authorizor Interface to validate auths instead of retrieving a list
Date Thu, 05 Sep 2013 15:54:51 GMT


John Vines commented on ACCUMULO-1681:

One thing that isn't handled in that patch is exposing the interface to the Constraint system
(which currently uses getAuths). There's no way to directly switch the VisibilityConstraint
over because it uses the VisibilityEvaluator, and we don't want to replicate that code. Instead,
I'm thinking that we should abstract out Authorizations just a smidge to have an AuthorizationContainer
interface which can be used for validation. Then, both Authorizations and the Authorizor could
both have contains() and then the VisibilityEvaluator's logic could be used for both directly
checking against a set of labels (normal in code) but also against a configured Authorizor.
> Adjust Authorizor Interface to validate auths instead of retrieving a list
> --------------------------------------------------------------------------
>                 Key: ACCUMULO-1681
>                 URL:
>             Project: Accumulo
>          Issue Type: Bug
>          Components: tserver
>            Reporter: John Vines
>            Assignee: John Vines
>             Fix For: 1.6.0
>         Attachments: ACCUMULO-1681.patch
> Currently the Authorizor interface is used to request a set of authorizations which then
> get checked against the authorizations a user is attempting to use. However, some security
> systems only support the ability to validate authorizations/permissions/roles and not provide
> a list. That makes these systems (entirely) incompatible with Accumulo when they don't have
> to be.
> We should switch the behavior of Accumulo to ask the Authorizor (via SecurityOperations)
> if the auths are valid. The existing getAuths functionality will still use that call and would
> have potentially limited support, similar to the potentially limited support of any of the
> set operations.

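A sketch of the abstraction proposed in the comment above, added here as an illustration and not taken from the ACCUMULO-1681 patch or the Accumulo code base: one evaluator runs against either a fixed label set or a validate-only backend through a single contains() call. The class `AuthContainerSketch`, the helpers `ofLabels` and `ofValidator`, the String-based signature and the simplified `Evaluator` are all assumptions; only the names AuthorizationContainer and contains() come from the message.

```java
import java.util.*;
import java.util.function.BiPredicate;

public class AuthContainerSketch {
    /** Hypothetical shape of the proposed interface: membership test only, no listing. */
    interface AuthorizationContainer { boolean contains(String label); }

    /** Stand-in for Authorizations: an explicit in-memory label set. */
    static AuthorizationContainer ofLabels(String... labels) {
        Set<String> set = new HashSet<>(Arrays.asList(labels));
        return set::contains;
    }

    /** Stand-in for an Authorizor whose backend can validate a label but cannot enumerate. */
    static AuthorizationContainer ofValidator(String user, BiPredicate<String, String> backend) {
        return label -> backend.test(user, label);
    }

    /** Simplified evaluator (not Accumulo's VisibilityEvaluator): labels, &, |, parentheses. */
    static final class Evaluator {
        private final String expr; private final AuthorizationContainer auths; private int pos;
        Evaluator(String expr, AuthorizationContainer auths) { this.expr = expr; this.auths = auths; }

        static boolean evaluate(String expr, AuthorizationContainer auths) {
            if (expr.isEmpty()) return true;               // empty expression imposes no restriction
            Evaluator e = new Evaluator(expr, auths);
            boolean ok = e.or();
            if (e.pos != expr.length()) throw new IllegalArgumentException("bad expression: " + expr);
            return ok;
        }
        // |= and &= always evaluate the right-hand side, so the whole expression is parsed.
        private boolean or()  { boolean v = and();  while (eat('|')) v |= and();  return v; }
        private boolean and() { boolean v = term(); while (eat('&')) v &= term(); return v; }
        private boolean term() {
            if (eat('(')) { boolean v = or(); if (!eat(')')) throw new IllegalArgumentException("missing )"); return v; }
            int start = pos;
            while (pos < expr.length() && Character.isLetterOrDigit(expr.charAt(pos))) pos++;
            if (start == pos) throw new IllegalArgumentException("label expected at " + start);
            return auths.contains(expr.substring(start, pos));   // the only call into the container
        }
        private boolean eat(char c) { if (pos < expr.length() && expr.charAt(pos) == c) { pos++; return true; } return false; }
    }

    public static void main(String[] args) {
        String vis = "(admin&audit)|ops";                   // constructed sample expression
        AuthorizationContainer fixed = ofLabels("admin", "audit");
        // Constructed validate-only backend: answers yes/no per (user, label), never lists.
        AuthorizationContainer remote = ofValidator("alice", (u, l) -> u.equals("alice") && l.equals("ops"));
        System.out.println(Evaluator.evaluate(vis, fixed));
        System.out.println(Evaluator.evaluate(vis, remote));
        System.out.println(Evaluator.evaluate("admin&audit", remote));
    }
}
```

Because the evaluator only ever asks contains(), a backend that cannot enumerate a user's labels still makes the same access decision as an in-memory set.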