Accumulo Tour: Authorizations
Tour page 5 of 11
Authorizations are a set of Strings that enable a user to read protected data. Users are granted authorizations and choose which ones to use when scanning a table. The chosen authorizations are evaluated against the ColumnVisibility of each Accumulo key in the scan. If the boolean expression of the ColumnVisibility evaluates to true, the data will be visible to the user.
- Bob has authorizations
- Tina has authorizations
- The key carries the ColumnVisibility sales && employee
- When Bob scans with all of his authorizations, he will not see
- When Tina scans with all of her authorizations, she will see
We now want to secure our secret identities of the heroes so that only users with the proper authorizations can read their names.
- Using the code from the previous exercise, add the following to the beginning of the exercise method (after we get the Connector).
```java
// Create a "secretId" authorization & visibility
final String secretId = "secretId";
Authorizations auths = new Authorizations(secretId);
ColumnVisibility colVis = new ColumnVisibility(secretId);

// Create a user with the "secretId" authorization and grant him read permissions on our table
conn.securityOperations().createLocalUser("commissioner", new PasswordToken("gordanrocks"));
conn.securityOperations().changeUserAuthorizations("commissioner", auths);
conn.securityOperations().grantTablePermission("commissioner", "GothamPD", TablePermission.READ);
```
- The Mutation API allows you to set the secretId visibility on a column. Find the proper method for setting a column visibility in the Mutation API and modify the code so the colVis variable created above secures the "name" columns.
- Build and run. What data do you see?
- You should see all of the data except the secret identities of Batman and Robin. This is because the Scanner was created from the root user which doesn't have the
- Replace the Authorizations.EMPTY in the Scanner with the auths variable created above and run it again.
- This should result in an error since the root user doesn’t have the authorizations we tried to pass to the Scanner.
- Get a connector for the "commissioner" and from it create a Scanner with the authorizations needed to view the secret identities.
- Build and run. You should see all the rows in the GothamPD table printed, including these secured key/value pairs:
```
Key : id0001 hero:name [secretId] 1511900180231 false   Value : Bruce Wayne
Key : id0002 hero:name [secretId] 1511900180231 false   Value : Dick Grayson
```
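The whole exercise collected into one method, as an added example that is not the tour's own code: it labels only the name column with colVis, scans once as root with no authorizations (the labeled cell is filtered out server-side) and once as the commissioner with the granted authorizations. It assumes a root Connector and an existing GothamPD table from the earlier tour pages; the hero:alias column and the row id are constructed here.

```java
import java.util.Map.Entry;
import org.apache.accumulo.core.client.BatchWriter;
import org.apache.accumulo.core.client.BatchWriterConfig;
import org.apache.accumulo.core.client.Connector;
import org.apache.accumulo.core.client.Scanner;
import org.apache.accumulo.core.client.security.tokens.PasswordToken;
import org.apache.accumulo.core.data.Key;
import org.apache.accumulo.core.data.Mutation;
import org.apache.accumulo.core.data.Value;
import org.apache.accumulo.core.security.Authorizations;
import org.apache.accumulo.core.security.ColumnVisibility;
import org.apache.accumulo.core.security.TablePermission;

public class AuthorizationsExercise {
  static final String TABLE = "GothamPD"; // assumed to exist from the earlier tour pages

  public static void exercise(Connector conn) throws Exception {
    String secretId = "secretId";
    Authorizations auths = new Authorizations(secretId);
    ColumnVisibility colVis = new ColumnVisibility(secretId);

    // Read-only user that holds the "secretId" authorization (same as the tour's snippet).
    conn.securityOperations().createLocalUser("commissioner", new PasswordToken("gordanrocks"));
    conn.securityOperations().changeUserAuthorizations("commissioner", auths);
    conn.securityOperations().grantTablePermission("commissioner", TABLE, TablePermission.READ);

    // Only the "name" column gets the visibility label; "alias" (constructed) stays unlabeled.
    BatchWriter writer = conn.createBatchWriter(TABLE, new BatchWriterConfig());
    Mutation m = new Mutation("id0001");
    m.put("hero", "alias", "Batman");
    m.put("hero", "name", colVis, "Bruce Wayne");
    writer.addMutation(m);
    writer.close();

    // Root scanning with no authorizations: every cell labeled [secretId] is withheld.
    scanAs(conn, "root/EMPTY", Authorizations.EMPTY);

    // The commissioner's own Connector; passing auths here succeeds because they were granted.
    Connector commissioner = conn.getInstance().getConnector("commissioner", new PasswordToken("gordanrocks"));
    scanAs(commissioner, "commissioner/secretId", auths);
  }

  // Scans TABLE with the given authorizations and prints each visible key/value pair.
  static void scanAs(Connector conn, String label, Authorizations auths) throws Exception {
    Scanner scanner = conn.createScanner(TABLE, auths);
    for (Entry<Key, Value> e : scanner)
      System.out.println(label + " -> " + e.getKey() + " : " + e.getValue());
    scanner.close();
  }
}
```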