accumulo-user mailing list archives

From Srikanth Viswanathan <>
Subject Re: Authorizations for complex user management
Date Thu, 19 Feb 2015 06:04:23 GMT
Accumulo's authorizations are designed to be a whitelist, so you
cannot define "max credentials" in the authorization layer.

I faced a problem similar to yours, and I went with the custom
Authorizor approach. You can use the custom Authorizor to call out to
your third party service/database to obtain authorizations for end
users like Josh suggested.

On Wed, Feb 18, 2015 at 10:58 PM, Josh Elser <> wrote:
> buttercream wrote:
>> I'm working on a system where there are many users and the users'
>> credentials and information are stored in a third party system. I was
>> thinking the best approach would be to have my default Accumulo user have
>> the superset of all permissions and then when a query is performed, proxy
>> in the specific user credential that may be a subset. But, this seems a
>> bit cumbersome to have to up front define all available credentials,
>> especially if new authorizations are added without our knowledge.
> Yeah, this is the pain point. The approach works, but you have to assume a
> lot of security testing in your "proxy". You have to certify your software
> to get a full picture on the security of the system.
>> Any thoughts on an alternative approach?
>> I'd like to just be able to proxy through credentials and not have to
>> worry about whether my Accumulo-defined user that I'm proxying through
>> already has them. Is there a way to just let that Accumulo-defined user
>> have max credentials and not have to specifically call them out? Thanks.
> Another approach could be writing your own Accumulo Authorizor and
> Authenticator. You could directly contact the third-party system to
> determine if a user can be authenticated with Accumulo. Assuming you can
> extrapolate the Authorizations for each user from that system as well, the
> Authorizor can be done in the same fashion.
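One shape the custom Authorizor approach discussed above can take, as an added illustration that is neither code from this thread nor from the Accumulo project: the Authorizor fetches a user's grant set from the third-party system on demand and keeps Accumulo's whitelist semantics by accepting a scan only when every requested authorization is in that set, denying when the lookup fails. It assumes the Accumulo 1.6-era `org.apache.accumulo.server.security.handler.Authorizor` interface; `ExternalAuthClient` is a hypothetical client for the third-party store, and caching of lookups is left out.

```java
import java.nio.ByteBuffer;
import java.util.List;
import java.util.Set;
import org.apache.accumulo.core.client.AccumuloSecurityException;
import org.apache.accumulo.core.client.security.SecurityErrorCode;
import org.apache.accumulo.core.security.Authorizations;
import org.apache.accumulo.core.security.thrift.TCredentials;
import org.apache.accumulo.server.security.handler.Authenticator;
import org.apache.accumulo.server.security.handler.Authorizor;
import org.apache.accumulo.server.security.handler.PermissionHandler;

/** Hypothetical client for the third-party user store (an assumption, not a real library). */
interface ExternalAuthClient {
  /** Returns the authorization tokens granted to the user; throws if the lookup fails. */
  Set<String> lookupAuthorizations(String user) throws Exception;
}

public class ExternalAuthorizor implements Authorizor {
  private final ExternalAuthClient client;
  public ExternalAuthorizor(ExternalAuthClient client) { this.client = client; }

  @Override public void initialize(String instanceId, boolean initialize) { /* no local state */ }
  @Override public boolean validSecurityHandlers(Authenticator auth, PermissionHandler pm) { return true; }
  @Override public void initializeSecurity(TCredentials credentials, String rootuser) { /* no local state */ }
  @Override public void initUser(String user) { /* users live in the external system */ }
  @Override public void dropUser(String user) { /* users live in the external system */ }
  /** Grants are owned by the external system, so refuse to change them from Accumulo. */
  @Override public void changeAuthorizations(String user, Authorizations authorizations)
      throws AccumuloSecurityException {
    throw new AccumuloSecurityException(user, SecurityErrorCode.UNSUPPORTED_OPERATION);
  }
  /** Look the grant set up on every call; a failed lookup denies rather than grants (fail closed). */
  @Override public Authorizations getCachedUserAuthorizations(String user)
      throws AccumuloSecurityException {
    try {
      return new Authorizations(client.lookupAuthorizations(user).toArray(new String[0]));
    } catch (Exception e) {
      throw new AccumuloSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST, e);
    }
  }
  /** Whitelist check: every authorization requested for a scan must be in the user's grant set. */
  @Override public boolean isValidAuthorizations(String user, List<ByteBuffer> requested)
      throws AccumuloSecurityException {
    Authorizations granted = getCachedUserAuthorizations(user);
    for (ByteBuffer auth : requested) {
      if (!granted.contains(auth)) return false;  // asked for something never granted
    }
    return true;
  }
}
```

Because the grant set is read from the external system rather than from Accumulo's own user table, new authorizations added there take effect without anyone pre-declaring them on an Accumulo user, which is the "max credentials" problem raised in the original question.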
