accumulo-user mailing list archives

From: Josh Elser
Subject: Re: Authorizations for complex user management
Date: Thu, 19 Feb 2015 03:58:03 GMT

buttercream wrote:
> I'm working on a system where there are many users and the users' credentials
> and information are stored in a third party system. I was thinking the best
> approach would be to have my default Accumulo user have the superset of all
> permissions and then when a query is performed, proxy in the specific user
> credential that may be a subset. But, this seems a bit cumbersome to have to
> up front define all available credentials, especially if new authorizations
> are added without our knowledge.

Yeah, this is the pain point. The approach works, but you have to assume 
a lot of security testing in your "proxy". You have to certify your 
software to get a full picture on the security of the system.

> Any thoughts on an alternative approach?
> I'd like to just be able to proxy through credentials and not have to worry
> about whether my Accumulo-defined user that I'm proxying through already has
> them. Is there a way to just let that Accumulo-defined user have max
> credentials and not have to specifically call them out? Thanks.

Another approach could be writing your own Accumulo Authorizor and 
Authenticator. You could directly contact the third-party system to 
determine if a user can be authenticated with Accumulo. Assuming you can 
extrapolate the Authorizations for each user from that system as well, 
the Authorizor can be done in the same fashion.
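
The narrowing step that such a proxy has to get right, as an added example (not code from this thread or from Accumulo): authorizations come only from the third-party system, are intersected with the shared Accumulo user's superset, and the result fails closed. All function names and sample data are hypothetical and constructed; the Accumulo client call that would consume the result is not shown.

```python
import logging

log = logging.getLogger("authz-proxy")

class DirectoryUnavailable(Exception):
    """Raised by the (hypothetical) third-party lookup when it cannot answer."""

def effective_authorizations(user, requested, lookup, proxy_auths):
    """Return the authorization set the proxy may attach to this user's scan.

    user        -- identity the proxy has already authenticated
    requested   -- tokens the client asked for (untrusted), or None for "all"
    lookup      -- callable(user) -> iterable of tokens from the third-party system
    proxy_auths -- tokens granted to the shared Accumulo user (the superset)
    """
    proxy_auths = frozenset(proxy_auths)
    try:
        granted = frozenset(lookup(user))
    except DirectoryUnavailable:
        log.warning("lookup failed for %s; failing closed", user)
        return frozenset()

    # Tokens the third party granted that the shared Accumulo user lacks:
    # the "added without our knowledge" case. Drop them and surface the drift.
    unknown = granted - proxy_auths
    if unknown:
        log.warning("proxy user lacks %s granted to %s", sorted(unknown), user)

    allowed = granted & proxy_auths
    if requested is None:
        return allowed
    # A client may narrow its own view but never widen it.
    excess = frozenset(requested) - allowed
    if excess:
        log.warning("%s requested ungranted tokens %s", user, sorted(excess))
    return allowed & frozenset(requested)

# Constructed sample data, not from any real deployment.
PROXY_AUTHS = frozenset({"public", "finance", "hr"})
DIRECTORY = {"alice": {"public", "finance"}, "bob": {"public", "legal"}}

def sample_lookup(user):
    """Stand-in for the third-party system; 'carol' simulates an outage."""
    if user == "carol":
        raise DirectoryUnavailable(user)
    return DIRECTORY.get(user, ())
```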
