incubator-accumulo-commits mailing list archives

From build...@apache.org
Subject svn commit: r797867 [9/12] - in /websites/staging/accumulo/trunk/content: ./ accumulo/ accumulo/css/ accumulo/governance/ accumulo/images/ accumulo/user_manual_1.3-incubating/ accumulo/user_manual_1.3-incubating/examples/ accumulo/user_manual_1.4-incub...
Date Tue, 01 Nov 2011 17:08:19 GMT
Added: websites/staging/accumulo/trunk/content/accumulo/user_manual_1.4-incubating/Introduction.html
==============================================================================
--- websites/staging/accumulo/trunk/content/accumulo/user_manual_1.4-incubating/Introduction.html
(added)
+++ websites/staging/accumulo/trunk/content/accumulo/user_manual_1.4-incubating/Introduction.html
Tue Nov  1 17:08:17 2011
@@ -0,0 +1,120 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE- 2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+  <link href="/accumulo/css/accumulo.css" rel="stylesheet" type="text/css">
+  <title>Accumulo User Manual: Introduction</title>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <script type="text/javascript">
+
+  var _gaq = _gaq || [];
+  _gaq.push(['_setAccount', 'UA-21103458-6']);
+  _gaq.push(['_trackPageview']);
+
+  (function() {
+    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
+    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
+    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+  })();
+
+  </script>
+</head>
+
+<body>
+  <div id="banner">
+    <img id="logo" alt="Apache accumulo (Incubating)" src="/accumulo/images/accumulo-logo.png"/>
+    <div id="bannertext">
+&nbsp; 
+    </div><br />
+  </div>
+  
+  <div id="navigation">
+  <h1 id="project">Project</h1>
+<ul>
+<li><a href="/accumulo">Home</a></li>
+<li><a href="http://incubator.apache.org/projects/accumulo.html">Incubator page</a>
+<!--  - Download --></li>
+<li><a href="/accumulo/notable_features.html">Features</a></li>
+<li><a href="http://www.apache.org/licenses/LICENSE-2.0">License</a></li>
+</ul>
+<h1 id="community">Community</h1>
+<ul>
+<li><a href="/accumulo/get_involved.html">Get Involved</a></li>
+<li><a href="/accumulo/mailing_list.html">Mailing Lists</a></li>
+<li><a href="https://issues.apache.org/jira/secure/ConfigureReport.jspa?versionId=-2&amp;selectedProjectId=12312121&amp;reportKey=com.sourcelabs.jira.plugin.report.contributions%3Acontributionreport">People</a></li>
+</ul>
+<h1 id="development">Development</h1>
+<ul>
+<li><a href="/accumulo/source.html">Source Code</a></li>
+<li><a href="https://issues.apache.org/jira/browse/accumulo">Issues</a></li>
+<li><a href="https://builds.apache.org/job/Accumulo-Trunk">Builds</a></li>
+</ul>
+<h1 id="documentation">Documentation</h1>
+<ul>
+<li><a href="/accumulo/user_manual_1.3-incubating">Manual v1.3</a><ul>
+<li><a href="/accumulo/user_manual_1.3-incubating/examples.html">Examples v1.3</a></li>
+</ul>
+</li>
+<li><a href="/accumulo/user_manual_1.4-incubating">Manual v1.4</a>
+<!-- - klzzwxh:0005 -->
+<!-- - Javadoc -->
+<!-- - Examples --></li>
+<li><a href="/accumulo/screenshots.html">Screenshots</a></li>
+</ul>
+<!--
+# Development
+ - Source code
+ - Building
+-->
+
+<h1 id="asf_links">ASF links</h1>
+<ul>
+<li><a href="http://www.apache.org">Apache Software Foundation</a></li>
+<li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+<li><a href="http://www.apache.org/foundation/sponsorship.html">Become a Sponsor</a></li>
+</ul>
+  </div>
+
+  <div id="content">
+    <h1 class="title">Accumulo User Manual: Introduction</h1>
+    <p><strong> Next:</strong> <a href="Accumulo_Design.html">Accumulo
Design</a> <strong> Up:</strong> <a href="accumulo_user_manual.html">Accumulo
User Manual Version 1.4</a> <strong> Previous:</strong> <a href="Contents.html">Contents</a>
  <strong> <a href="Contents.html">Contents</a></strong> <br />
+</p>
+<h2 id="a_idintroductiona_introduction"><a id=Introduction></a> Introduction</h2>
+<p>Accumulo is a highly scalable structured store based on Google's BigTable. Accumulo
is written in Java and operates over the Hadoop Distributed File System (HDFS), which is part
of the popular Apache Hadoop project. Accumulo supports efficient storage and retrieval of
structured data, including queries for ranges, and provides support for using Accumulo tables
as input and output for MapReduce jobs. </p>
+<p>Accumulo features automatic load-balancing and partitioning, data compression and
fine-grained security labels. </p>
+<hr />
+  </div>
+
+  <div id="footer">
+    <div class="copyright">
+      <p>
+        Copyright &copy; 2011 The Apache Software Foundation, Licensed under
+        the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version
2.0</a>.
+        <br />
+        Apache and the Apache feather logos are trademarks of The Apache Software Foundation.
+      </p>
+    </div> 
+    <a alt="Apache Incubator" href="http://incubator.apache.org">
+      <img id="asf-logo" alt="Apache Incubator" src="/accumulo/images/apache-incubator-logo.png"
width="150"/>
+    </a>
+
+  </div>
+
+</body>
+</html>
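
Review bot: the inline analytics loader in the head section falls back to 'http://www' + '.google-analytics.com/ga.js' whenever the page is not served over https, so a third-party script is fetched in cleartext and then executed on the manual page; set ga.src to the https host unconditionally, or leave the tracker out of the generated manual pages. Smaller points in the same file: the license URL in the header comment reads "LICENSE- 2.0" with a stray space, while the navigation link uses the correct LICENSE-2.0. The nav list still carries the placeholder comment "klzzwxh:0005" left over from conversion. The anchor around the incubator logo in the footer sets alt="Apache Incubator", which is not an anchor attribute (title would be the usual choice). id=Introduction is unquoted, unlike the other id attributes in the file.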

Added: websites/staging/accumulo/trunk/content/accumulo/user_manual_1.4-incubating/Security.html
==============================================================================
--- websites/staging/accumulo/trunk/content/accumulo/user_manual_1.4-incubating/Security.html
(added)
+++ websites/staging/accumulo/trunk/content/accumulo/user_manual_1.4-incubating/Security.html
Tue Nov  1 17:08:17 2011
@@ -0,0 +1,196 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE- 2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+  <link href="/accumulo/css/accumulo.css" rel="stylesheet" type="text/css">
+  <title>Accumulo User Manual: Security</title>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <script type="text/javascript">
+
+  var _gaq = _gaq || [];
+  _gaq.push(['_setAccount', 'UA-21103458-6']);
+  _gaq.push(['_trackPageview']);
+
+  (function() {
+    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
+    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
+    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+  })();
+
+  </script>
+</head>
+
+<body>
+  <div id="banner">
+    <img id="logo" alt="Apache accumulo (Incubating)" src="/accumulo/images/accumulo-logo.png"/>
+    <div id="bannertext">
+&nbsp; 
+    </div><br />
+  </div>
+  
+  <div id="navigation">
+  <h1 id="project">Project</h1>
+<ul>
+<li><a href="/accumulo">Home</a></li>
+<li><a href="http://incubator.apache.org/projects/accumulo.html">Incubator page</a>
+<!--  - Download --></li>
+<li><a href="/accumulo/notable_features.html">Features</a></li>
+<li><a href="http://www.apache.org/licenses/LICENSE-2.0">License</a></li>
+</ul>
+<h1 id="community">Community</h1>
+<ul>
+<li><a href="/accumulo/get_involved.html">Get Involved</a></li>
+<li><a href="/accumulo/mailing_list.html">Mailing Lists</a></li>
+<li><a href="https://issues.apache.org/jira/secure/ConfigureReport.jspa?versionId=-2&amp;selectedProjectId=12312121&amp;reportKey=com.sourcelabs.jira.plugin.report.contributions%3Acontributionreport">People</a></li>
+</ul>
+<h1 id="development">Development</h1>
+<ul>
+<li><a href="/accumulo/source.html">Source Code</a></li>
+<li><a href="https://issues.apache.org/jira/browse/accumulo">Issues</a></li>
+<li><a href="https://builds.apache.org/job/Accumulo-Trunk">Builds</a></li>
+</ul>
+<h1 id="documentation">Documentation</h1>
+<ul>
+<li><a href="/accumulo/user_manual_1.3-incubating">Manual v1.3</a><ul>
+<li><a href="/accumulo/user_manual_1.3-incubating/examples.html">Examples v1.3</a></li>
+</ul>
+</li>
+<li><a href="/accumulo/user_manual_1.4-incubating">Manual v1.4</a>
+<!-- - klzzwxh:0005 -->
+<!-- - Javadoc -->
+<!-- - Examples --></li>
+<li><a href="/accumulo/screenshots.html">Screenshots</a></li>
+</ul>
+<!--
+# Development
+ - Source code
+ - Building
+-->
+
+<h1 id="asf_links">ASF links</h1>
+<ul>
+<li><a href="http://www.apache.org">Apache Software Foundation</a></li>
+<li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+<li><a href="http://www.apache.org/foundation/sponsorship.html">Become a Sponsor</a></li>
+</ul>
+  </div>
+
+  <div id="content">
+    <h1 class="title">Accumulo User Manual: Security</h1>
+    <p><strong> Next:</strong> <a href="Administration.html">Administration</a>
<strong> Up:</strong> <a href="accumulo_user_manual.html">Accumulo User
Manual Version 1.4</a> <strong> Previous:</strong> <a href="Analytics.html">Analytics</a>
  <strong> <a href="Contents.html">Contents</a></strong> <br />
+</p>
+<p><a id=CHILD_LINKS></a><strong>Subsections</strong></p>
+<ul>
+<li><a href="Security.html#Security_Label_Expressions">Security Label Expressions</a></li>
+<li><a href="Security.html#Security_Label_Expression_Syntax">Security Label Expression
Syntax</a></li>
+<li><a href="Security.html#Authorization">Authorization</a></li>
+<li><a href="Security.html#User_Authorizations">User Authorizations</a></li>
+<li><a href="Security.html#Secure_Authorizations_Handling">Secure Authorizations
Handling</a></li>
+<li><a href="Security.html#Query_Services_Layer">Query Services Layer</a></li>
+</ul>
+<hr />
+<h2 id="a_idsecuritya_security"><a id=Security></a> Security</h2>
+<p>Accumulo extends the BigTable data model to implement a security mechanism known
as cell-level security. Every key-value pair has its own security label, stored under the
column visibility element of the key, which is used to determine whether a given user meets
the security requirements to read the value. This enables data of various security levels
to be stored within the same row, and users of varying degrees of access to query the same
table, while preserving data confidentiality. </p>
+<h2 id="a_idsecurity_label_expressionsa_security_label_expressions"><a id=Security_Label_Expressions></a>
Security Label Expressions</h2>
+<p>When mutations are applied, users can specify a security label for each value. This
is done as the Mutation is created by passing a ColumnVisibility object to the put() method:
</p>
+<div class="codehilite"><pre><span class="n">Text</span> <span
class="n">rowID</span> <span class="o">=</span> <span class="k">new</span>
<span class="n">Text</span><span class="p">(</span><span class="s">&quot;row1&quot;</span><span
class="p">);</span>
+<span class="n">Text</span> <span class="n">colFam</span> <span
class="o">=</span> <span class="k">new</span> <span class="n">Text</span><span
class="p">(</span><span class="s">&quot;myColFam&quot;</span><span
class="p">);</span>
+<span class="n">Text</span> <span class="n">colQual</span> <span
class="o">=</span> <span class="k">new</span> <span class="n">Text</span><span
class="p">(</span><span class="s">&quot;myColQual&quot;</span><span
class="p">);</span>
+<span class="n">ColumnVisibility</span> <span class="n">colVis</span>
<span class="o">=</span> <span class="k">new</span> <span class="n">ColumnVisibility</span><span
class="p">(</span><span class="s">&quot;public&quot;</span><span
class="p">);</span>
+<span class="n">long</span> <span class="n">timestamp</span> <span
class="o">=</span> <span class="n">System</span><span class="o">.</span><span
class="n">currentTimeMillis</span><span class="p">();</span>
+
+<span class="n">Value</span> <span class="n">value</span> <span
class="o">=</span> <span class="k">new</span> <span class="n">Value</span><span
class="p">(</span><span class="s">&quot;myValue&quot;</span><span
class="p">);</span>
+
+<span class="n">Mutation</span> <span class="n">mutation</span> <span
class="o">=</span> <span class="k">new</span> <span class="n">Mutation</span><span
class="p">(</span><span class="n">rowID</span><span class="p">);</span>
+<span class="n">mutation</span><span class="o">.</span><span class="n">put</span><span
class="p">(</span><span class="n">colFam</span><span class="p">,</span>
<span class="n">colQual</span><span class="p">,</span> <span class="n">colVis</span><span
class="p">,</span> <span class="n">timestamp</span><span class="p">,</span>
<span class="n">value</span><span class="p">);</span>
+</pre></div>
+
+
+<h2 id="a_idsecurity_label_expression_syntaxa_security_label_expression_syntax"><a
id=Security_Label_Expression_Syntax></a> Security Label Expression Syntax</h2>
+<p>Security labels consist of a set of user-defined tokens that are required to read
the value the label is associated with. The set of tokens required can be specified using
syntax that supports logical AND and OR combinations of tokens, as well as nesting groups
of tokens together. </p>
+<p>For example, suppose within our organization we want to label our data values with
security labels defined in terms of user roles. We might have tokens such as: </p>
+<div class="codehilite"><pre><span class="n">admin</span>
+<span class="n">audit</span>
+<span class="nb">system</span>
+</pre></div>
+
+
+<p>These can be specified alone or combined using logical operators: </p>
+<div class="codehilite"><pre><span class="sr">//</span> <span
class="n">Users</span> <span class="n">must</span> <span class="n">have</span>
<span class="n">admin</span> <span class="n">privileges:</span>
+<span class="n">admin</span>
+
+<span class="sr">//</span> <span class="n">Users</span> <span
class="n">must</span> <span class="n">have</span> <span class="n">admin</span>
<span class="ow">and</span> <span class="n">audit</span> <span
class="n">privileges</span>
+<span class="n">admin</span><span class="o">&amp;</span><span
class="n">audit</span>
+
+<span class="sr">//</span> <span class="n">Users</span> <span
class="n">with</span> <span class="n">either</span> <span class="n">admin</span>
<span class="ow">or</span> <span class="n">audit</span> <span class="n">privileges</span>
+<span class="n">admin</span><span class="o">|</span><span class="n">audit</span>
+
+<span class="sr">//</span> <span class="n">Users</span> <span
class="n">must</span> <span class="n">have</span> <span class="n">audit</span>
<span class="ow">and</span> <span class="n">one</span> <span class="ow">or</span>
<span class="n">both</span> <span class="n">of</span> <span class="n">admin</span>
<span class="ow">or</span> <span class="nb">system</span>
+<span class="p">(</span><span class="n">admin</span><span class="o">|</span><span
class="nb">system</span><span class="p">)</span><span class="o">&amp;</span><span
class="n">audit</span>
+</pre></div>
+
+
+<p>When both <code>|</code> and <code>&amp;</code> operators
are used, parentheses must be used to specify precedence of the operators. </p>
+<h2 id="a_idauthorizationa_authorization"><a id=Authorization></a> Authorization</h2>
+<p>When clients attempt to read data from Accumulo, any security labels present are
examined against the set of authorizations passed by the client code when the Scanner or BatchScanner
are created. If the authorizations are determined to be insufficient to satisfy the security
label, the value is suppressed from the set of results sent back to the client. </p>
+<p>Authorizations are specified as a comma-separated list of tokens the user possesses:
</p>
+<div class="codehilite"><pre><span class="sr">//</span> <span
class="n">user</span> <span class="n">possess</span> <span class="n">both</span>
<span class="n">admin</span> <span class="ow">and</span> <span
class="nb">system</span> <span class="n">level</span> <span class="n">access</span>
+<span class="n">Authorization</span> <span class="n">auths</span>
<span class="o">=</span> <span class="k">new</span> <span class="n">Authorization</span><span
class="p">(</span><span class="s">&quot;admin&quot;</span><span
class="p">,</span><span class="s">&quot;system&quot;</span><span
class="p">);</span>
+
+<span class="n">Scanner</span> <span class="n">s</span> <span
class="o">=</span> <span class="n">connector</span><span class="o">.</span><span
class="n">createScanner</span><span class="p">(</span><span class="s">&quot;table&quot;</span><span
class="p">,</span> <span class="n">auths</span><span class="p">);</span>
+</pre></div>
+
+
+<h2 id="a_iduser_authorizationsa_user_authorizations"><a id=User_Authorizations></a>
User Authorizations</h2>
+<p>Each accumulo user has a set of associated security labels. To manipulate these
in the shell use the setuaths and getauths commands. These may also be modified using the
java security operations API. </p>
+<p>When a user creates a scanner a set of Authorizations is passed. If the authorizations
passed to the scanner are not a subset of the users authorizations, then an exception will
be thrown. </p>
+<p>To prevent users from writing data they can not read, add the visibility constraint
to a table. Use the -evc option in the createtable shell command to enable this constraint.
For existing tables use the following shell command to enable the visibility constraint. Ensure
the constraint number does not conflict with any existing constraints. </p>
+<div class="codehilite"><pre><span class="n">config</span> <span
class="o">-</span><span class="n">t</span> <span class="n">table</span>
<span class="o">-</span><span class="n">s</span> <span class="n">table</span><span
class="o">.</span><span class="n">constraint</span><span class="mf">.1</span><span
class="o">=</span><span class="n">org</span><span class="o">.</span><span
class="n">apache</span><span class="o">.</span><span class="n">accumulo</span><span
class="o">.</span><span class="n">core</span><span class="o">.</span><span
class="n">security</span><span class="o">.</span><span class="n">VisibilityConstraint</span>
+</pre></div>
+
+
+<p>Any user with the alter table permission can add or remove this constraint. This
constraint is not applied to bulk imported data, if this a concern then disable the bulk import
pesmission. </p>
+<h2 id="a_idsecure_authorizations_handlinga_secure_authorizations_handling"><a id=Secure_Authorizations_Handling></a>
Secure Authorizations Handling</h2>
+<p>For applications serving many users, it is not expected that a accumulo user will
be created for each application user. In this case a accumulo user with all authorizations
needed by any of the applications users must be created. To service queries, the application
should create a scanner with the application users authorizations. These authorizations could
be obtined from a trusted 3rd party. </p>
+<p>Often production systems will integrate with Public-Key Infrastructure (PKI) and
designate client code within the query layer to negotiate with PKI servers in order to authenticate
users and retrieve their authorization tokens (credentials). This requires users to specify
only the information necessary to authenticate themselves to the system. Once user identity
is established, their credentials can be accessed by the client code and passed to Accumulo
outside of the reach of the user. </p>
+<h2 id="a_idquery_services_layera_query_services_layer"><a id=Query_Services_Layer></a>
Query Services Layer</h2>
+<p>Since the primary method of interaction with Accumulo is through the Java API, production
environments often call for the implementation of a Query layer. This can be done using web
services in containers such as Apache Tomcat, but is not a requirement. The Query Services
Layer provides a mechanism for providing a platform on which user facing applications can
be built. This allows the application designers to isolate potentially complex query logic,
and enables a convenient point at which to perform essential security functions. </p>
+<p>Several production environments choose to implement authentication at this layer,
where users identifiers are used to retrieve their access credentials which are then cached
within the query layer and presented to Accumulo through the Authorizations mechanism. </p>
+<p>Typically, the query services layer sits between Accumulo and user workstations.
</p>
+<hr />
+<p><strong> Next:</strong> <a href="Administration.html">Administration</a>
<strong> Up:</strong> <a href="accumulo_user_manual.html">Accumulo User
Manual Version 1.4</a> <strong> Previous:</strong> <a href="Analytics.html">Analytics</a>
  <strong> <a href="Contents.html">Contents</a></strong></p>
+  </div>
+
+  <div id="footer">
+    <div class="copyright">
+      <p>
+        Copyright &copy; 2011 The Apache Software Foundation, Licensed under
+        the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version
2.0</a>.
+        <br />
+        Apache and the Apache feather logos are trademarks of The Apache Software Foundation.
+      </p>
+    </div> 
+    <a alt="Apache Incubator" href="http://incubator.apache.org">
+      <img id="asf-logo" alt="Apache Incubator" src="/accumulo/images/apache-incubator-logo.png"
width="150"/>
+    </a>
+
+  </div>
+
+</body>
+</html>
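
Review bot: the User Authorizations paragraph names the shell command "setuaths", which looks like a typo for setauths given the getauths next to it, so a reader copying it from the manual will not find the command. In the Authorization section the sample constructs new Authorization("admin","system"), while the surrounding prose ("a set of Authorizations is passed", "through the Authorizations mechanism") uses the plural name; the sample and the text should agree on the class name so the snippet compiles as shown. The sentence "This constraint is not applied to bulk imported data, if this a concern then disable the bulk import pesmission" carries the only statement that the visibility constraint can be bypassed, and it is missing "is" and misspells "permission"; it deserves its own paragraph with clean wording. Also "obtined" in Secure Authorizations Handling should be "obtained", and "a accumulo user" should be "an Accumulo user".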


