accumulo-user mailing list archives

From Christopher <ctubb...@apache.org>
Subject Re: "NOT" operator in visibility string
Date Wed, 19 Mar 2014 15:48:13 GMT
I think you're looking at the design of visibility labels backwards.
Visibility labels and corresponding authorizations are not user
groups to which you assign data; they represent attributes of the
data itself, which determine which groups can access it. If you have a
new group, in Accumulo that would mean you have a new kind of data. By
default, this data shouldn't be visible in Accumulo. You have to make
a conscious decision to allow access to that new data label and assign
users to the data.

--
Christopher L Tubbs II
http://gravatar.com/ctubbsii


On Wed, Mar 19, 2014 at 11:43 AM, Jeff Kunkle <kunklejr@gmail.com> wrote:
> New groups are created on the fly by our application when needed. Under the
> scenario you describe we’d have to go through all the data in Accumulo
> whenever a group is created so that users in the group can see the existing
> data.
>
> On Mar 19, 2014, at 11:34 AM, Sean Busbey <busbey+lists@cloudera.com> wrote:
>
>
> On Wed, Mar 19, 2014 at 10:22 AM, Jeff Kunkle <kunklejr@gmail.com> wrote:
>>
>> My particular use case meets both of those conditions. I’d like to use a
>> not operator to soft delete things for specific groups of users, which are
>> assigned a given authorization. For example, assume I have two groups of
>> users: group1 and group2. If I want to temporarily hide something from
>> group1 I would add “& !group1” to the visibility. In my case I’m not really
>> using the NOT operator for access control. The users in the group have
>> access to the data; they’ve just chosen to hide it from their view.
>>
>>
>
> This scenario includes rewriting the data with the "& !group1" addition? Why
> not just rewrite the data to not include the group1 visibility at all?
>
>
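
The design point in the reply above (labels describe the data, and a new label stays invisible until someone is granted it), as an added example that is not part of the original thread and is not Accumulo's own code. It is a simplified Python model of visibility expressions built from labels, `&`, `|` and parentheses; the helper names `visible` and `is_monotone` and the label names are hypothetical.

```python
import re
from itertools import combinations

# Simplified model for this example (not Accumulo's parser): labels, & and |, parentheses, no NOT.
LABEL_OR_OP = re.compile(r"[A-Za-z0-9_.:/-]+|[&|()]")

def tokenize(expr):
    leftover = LABEL_OR_OP.sub("", expr).strip()
    if leftover:  # anything outside the grammar, e.g. '!', is rejected
        raise ValueError(f"unsupported characters {leftover!r}")
    return LABEL_OR_OP.findall(expr)

def visible(expr, auths):
    """True if a reader holding the set `auths` may see data labelled `expr`."""
    tokens, pos = tokenize(expr), 0
    def term():
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        pos += 1
        if tok == "(":
            val = expression()
            if tokens[pos:pos + 1] != [")"]:
                raise ValueError("missing )")
            pos += 1
            return val
        if tok in (None, "&", "|", ")"):
            raise ValueError(f"expected a label, got {tok!r}")
        return tok in auths  # a label is satisfied only by a matching authorization

    def expression():
        nonlocal pos
        val, op = term(), None
        while pos < len(tokens) and tokens[pos] in ("&", "|"):
            if op and tokens[pos] != op:
                raise ValueError("mixing & and | needs parentheses")
            op = tokens[pos]
            pos += 1
            rhs = term()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    result = expression()
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r}")
    return result

def is_monotone(expr, labels):
    """Check that granting one more authorization never hides data already visible."""
    subsets = [set(c) for n in range(len(labels) + 1) for c in combinations(labels, n)]
    return all(visible(expr, s | {extra}) for s in subsets if visible(expr, s) for extra in labels)
```

Because every expression in this grammar is monotone, "hide this from holders of group1" cannot be written as a label; it has to be done by relabelling the data or by changing which authorizations a scan presents.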
