Security Overview
Accumulo has the following security features:
- Only authenticated users can access Accumulo.
- Kerberos can be enabled to replace Accumulo’s default, password-based authentication.
- Users can only perform actions if they are given permission.
- Users can only view labeled data that they are authorized to see.
- Data can be encrypted on disk and over the wire.
Implementation
Below is a description of how security is implemented in Accumulo.
Once a user is authenticated by the Authenticator, the user has access to the other actions within Accumulo. Every action in Accumulo is subject to an access control list (ACL) check, and this check is handled by the PermissionHandler. The PermissionHandler manages all of the permissions, which are divided into system-level and per-table permissions. From there, if a user performs an action that requires authorizations, the Authorizor is queried to determine which authorizations the user has.
This setup allows different mechanisms to handle different aspects of Accumulo’s security. A system like Kerberos can be used for authentication, a system like LDAP could then be used to determine whether a user has a specific permission, and Accumulo may then fall back to the default Authorizor to determine which Authorizations a user is ultimately allowed to use. This is a pluggable system, so custom components can be created depending on your needs.
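The check order described above, as an added example that is a simplified model and not Accumulo source code. The class names, users, tables and labels are constructed for illustration, and the rule that a scan is rejected unless the user holds every requested label is an assumption of this model.

```python
import hmac

class Denied(Exception):
    """Raised with the name of the stage that rejected the request."""

class PasswordAuthenticator:              # role: Authenticator
    def __init__(self, passwords):
        self.passwords = passwords        # user -> password (constructed sample data)
    def authenticate(self, user, password):
        known = self.passwords.get(user)
        return known is not None and hmac.compare_digest(known, password)

class DirectoryPermissionHandler:         # role: PermissionHandler (e.g. LDAP-backed)
    def __init__(self, system, table):
        self.system = system              # user -> system-level permissions
        self.table = table                # (user, table) -> table-level permissions
    def has_system(self, user, perm):
        return perm in self.system.get(user, set())
    def has_table(self, user, table, perm):
        return perm in self.table.get((user, table), set())

class DefaultAuthorizor:                  # role: Authorizor
    def __init__(self, auths):
        self.auths = auths                # user -> authorization labels
    def authorizations(self, user):
        return self.auths.get(user, set())

class Pipeline:
    """Runs the three pluggable components in the order the text describes."""
    def __init__(self, authenticator, permissions, authorizor):
        self.authn, self.perms, self.authz = authenticator, permissions, authorizor
    def _login(self, user, password):
        if not self.authn.authenticate(user, password):
            raise Denied("authentication")
    def create_table(self, user, password):
        self._login(user, password)
        if not self.perms.has_system(user, "CREATE_TABLE"):
            raise Denied("system permission")
        return "created"                  # no labeled data involved: Authorizor not queried
    def scan(self, user, password, table, requested):
        self._login(user, password)
        if not self.perms.has_table(user, table, "READ"):
            raise Denied("table permission")
        if not set(requested) <= self.authz.authorizations(user):
            raise Denied("authorizations")  # assumption: every requested label must be held
        return set(requested)

def demo_pipeline():
    """Constructed users, tables and labels for illustration."""
    return Pipeline(
        PasswordAuthenticator({"alice": "a-pass", "bob": "b-pass"}),
        DirectoryPermissionHandler({"alice": {"CREATE_TABLE"}}, {("alice", "t1"): {"READ"}}),
        DefaultAuthorizor({"alice": {"public"}, "bob": {"public", "secret"}}))
```

Each component can be swapped without touching the others, so a denial always names the single stage that rejected the request.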