Return-Path: X-Original-To: apmail-accumulo-user-archive@www.apache.org Delivered-To: apmail-accumulo-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id F076310607 for ; Wed, 19 Mar 2014 15:22:59 +0000 (UTC) Received: (qmail 48548 invoked by uid 500); 19 Mar 2014 15:22:58 -0000 Delivered-To: apmail-accumulo-user-archive@accumulo.apache.org Received: (qmail 48162 invoked by uid 500); 19 Mar 2014 15:22:54 -0000 Mailing-List: contact user-help@accumulo.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@accumulo.apache.org Delivered-To: mailing list user@accumulo.apache.org Received: (qmail 48154 invoked by uid 99); 19 Mar 2014 15:22:51 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 19 Mar 2014 15:22:51 +0000 X-ASF-Spam-Status: No, hits=2.2 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of kunklejr@gmail.com designates 209.85.192.44 as permitted sender) Received: from [209.85.192.44] (HELO mail-qg0-f44.google.com) (209.85.192.44) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 19 Mar 2014 15:22:45 +0000 Received: by mail-qg0-f44.google.com with SMTP id a108so26170995qge.3 for ; Wed, 19 Mar 2014 08:22:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:message-id:mime-version:subject:date:references :to:in-reply-to; bh=Fyl95ht9WwtB+HxUU2K7q5UxoM3pDCd8rryynAzdY+k=; b=P2XPTm1C7gEp7EANmx//QOvuxOVy1lho22wzZFpYxf6ztKtdzl1R1sYw84PB9hsan+ cuk3oH8AMMoby26HvCBS9Wt5l9GdHKo5jHF/t8yraGLW35L4NQ96LI07nX1StB6Q5TrQ fGXyDJU7nm9PMSgueSgVjVoWZylEr6yV7XtOJ/fvigNEJUeKw3gYiyy8lOPhUyltZlm9 clPEFXLtlXM62h2KzCbnHi9JHM4EHQNE5RHbhZWQ7hBWd0/4PFD89VhLtkMx274HGdQp 0gvqBhw7SHAcFAplSDpojSxIbZI+ddZm5Yauyi98V+qEwazMAvSd/69xSywgtlcsE4hm wgWQ== X-Received: by 10.140.102.215 with SMTP id w81mr2618289qge.109.1395242543674; Wed, 19 Mar 2014 08:22:23 -0700 (PDT) Received: from [10.0.1.65] ([64.132.109.254]) by mx.google.com with ESMTPSA id k6sm31335912qgd.17.2014.03.19.08.22.21 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 19 Mar 2014 08:22:22 -0700 (PDT) From: Jeff Kunkle Content-Type: multipart/alternative; boundary="Apple-Mail=_611DD3D4-6294-4A3A-8777-26DFBC92A501" Message-Id: <3A4D953C-8AA2-44FF-8FF4-7A00A9D92862@gmail.com> Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) Subject: Re: "NOT" operator in visibility string Date: Wed, 19 Mar 2014 11:22:22 -0400 References: <1394052507311-7949.post@n5.nabble.com> <004301cf3c71$8e2898f0$aa79cad0$@insufficient-light.com> <531DE9A3.6030502@gmail.com> <1395239784170-8220.post@n5.nabble.com> To: user@accumulo.apache.org In-Reply-To: X-Mailer: Apple Mail (2.1874) X-Virus-Checked: Checked by ClamAV on apache.org --Apple-Mail=_611DD3D4-6294-4A3A-8777-26DFBC92A501 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 My particular use case meets both of those conditions. I=92d like to use = a not operator to soft delete things for specific groups of users, which = are assigned a given authorization. For example, assume I have two = groups of users: group1 and group2. If I want to temporarily hide = something from group1 I would add =93& !group1=94 to the visibility. In = my case I=92m not really using the NOT operator for access control. The = users in the group have access to the data; they=92ve just chosen to = hide it from their view.=20 =20 On Mar 19, 2014, at 10:47 AM, Sean Busbey = wrote: >=20 > On Wed, Mar 19, 2014 at 9:36 AM, kunklejr wrote: > So is there any consensus on whether this should be included? I would = use it > right away on a current project if it were. I understand the security = risks > that have been discussed with having a NOT operator, but I see its use = as a > decision to be made by the development team. If the project deems use = of a > the NOT operator as too risky, then they should implement a design = that > doesn't use it. I don't think you can prevent people from making poor > decisions/implementations simply by limiting the functionality. It = could be > misused as is today. >=20 >=20 > Could you describe the use case you have in mind? In order for NOT to = be usable today, you'd need one of two things: >=20 > 1) Use of visibility labels for something other than enabling access = control (because you'd have to expressly design for users being trusted = to only misrepresent themselves appropriately) >=20 > 2) Client requests would need to pass through an broker application = that controlled the set of user authorizations and knew not to leave off = any of the ones used in NOT expressions. This would require a hard = network boundary between all untrusted clients and Accumulo >=20 >=20 > -Sean --Apple-Mail=_611DD3D4-6294-4A3A-8777-26DFBC92A501 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 My = particular use case meets both of those conditions. I=92d like to use a = not operator to soft delete things for specific groups of users, which = are assigned a given authorization. For example, assume I have two = groups of users: group1 and group2. If I want to temporarily hide = something from group1 I would add =93& !group1=94 to the visibility. = In my case I=92m not really using the NOT operator for access control. = The users in the group have access to the data; they=92ve just chosen to = hide it from their view. 
 
On Mar 19, 2014, = at 10:47 AM, Sean Busbey <busbey+lists@cloudera.com>= ; wrote:


On Wed, Mar 19, 2014 at 9:36 AM, kunklejr <kunklejr@gmail.com> wrote:
So is there any = consensus on whether this should be included? I would use it
right away on a current project if it were. I understand the security = risks
that have been discussed with having a NOT operator, but I see its use = as a
decision to be made by the development team. If the project deems use of = a
the NOT operator as too risky, then they should implement a design = that
doesn't use it. I don't think you can prevent people from making = poor
decisions/implementations simply by limiting the functionality. It could = be
misused as is = today.


Could you = describe the use case you have in mind? In order for NOT to be usable = today, you'd need one of two things:

1) Use of = visibility labels for something other than enabling access control = (because you'd have to expressly design for users being trusted to only = misrepresent themselves appropriately)

2) Client requests would need to pass through an = broker application that controlled the set of user authorizations and = knew not to leave off any of the ones used in NOT expressions. This = would require a hard network boundary between all untrusted clients and = Accumulo


-Sean

= --Apple-Mail=_611DD3D4-6294-4A3A-8777-26DFBC92A501--