[ https://issues.apache.org/jira/browse/ACCUMULO-246?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13429197#comment-13429197 ]
Edmon Begoli commented on ACCUMULO-246:
---------------------------------------
I would make the behavior of Accumulo on this configurable.
In some cases, security posture may prefer no messages of any kind so that
scanning by a malicious user does not give any hints if the data is there or if the
authorizations are correct.
We might also want to consider some form of auditing, lockup feature for
continuing failed attempts.
In other circumstances, we want to have an exception or a warning.
I therefore propose we have three levels - silent, warning, error, lock.
I am also willing to participate in the implementation with appropriate guidance.
> Improve scan authorizations behavior
> ------------------------------------
>
> Key: ACCUMULO-246
> URL: https://issues.apache.org/jira/browse/ACCUMULO-246
> Project: Accumulo
> Issue Type: Task
> Components: client
> Reporter: Billie Rinaldi
> Labels: authorization, scan
> Fix For: 1.5.0
>
>
> When a user creates a scanner a set of Authorizations is passed. If the
> authorizations passed to the scanner are not a subset of the user's
> authorizations, then an exception is thrown. An alternative would be to
> intersect the set of scan authorizations with the user's authorizations.
> Many users have had trouble understanding the "silent intersection" behavior,
> which resulted in switching to throwing an Exception. However, in situations
> where the user's authorizations are lazily updated, and for very long running
> scans, intersection would be preferable. Possible fixes are 1) adding a flag
> to indicate whether to intersect or throw an exception or 2) making it easier
> for the user to perform the intersection manually (which would fix some
> issues, but not the long-running scans).
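The behaviours discussed in this thread (throw when the scan authorizations are not a subset, intersect silently, or make it configurable with silent, warning, error and lock levels), modelled as an added example that is not Accumulo code and not part of the original message. The class, the `Mode` enum, the `effectiveAuths` method, the lock threshold and the sample labels are all assumptions made for illustration.

```java
import java.util.*;

/** Added illustration of the policies discussed in ACCUMULO-246; not the Accumulo API. */
public class ScanAuthPolicyDemo {
    enum Mode { SILENT, WARNING, ERROR, LOCK }      // hypothetical names

    static final int LOCK_THRESHOLD = 3;            // assumed value, not from the issue
    static final Map<String, Integer> failures = new HashMap<>();

    static Set<String> effectiveAuths(String user, Set<String> userAuths,
                                      Set<String> requested, Mode mode) {
        // In LOCK mode, refuse further scans once too many over-broad requests were seen.
        if (mode == Mode.LOCK && failures.getOrDefault(user, 0) >= LOCK_THRESHOLD)
            throw new SecurityException("scans locked for this user");
        if (userAuths.containsAll(requested))
            return requested;                       // proper subset request: no decision needed
        Set<String> granted = new TreeSet<>(requested);
        granted.retainAll(userAuths);               // the "silent intersection"
        switch (mode) {
            case SILENT:
                return granted;                     // caller gets no hint that labels were dropped
            case WARNING:
                // Audit on the server side; the dropped labels are not echoed to the caller.
                System.err.println("audit: " + user + " requested auths beyond grant");
                return granted;
            case LOCK:
                failures.merge(user, 1, Integer::sum);
                // fall through: a counted failure is also reported as an error
            default:                                // ERROR
                throw new SecurityException("requested authorizations exceed user's");
        }
    }

    public static void main(String[] args) {
        Set<String> userAuths = Set.of("public", "internal");  // constructed sample data
        Set<String> requested = Set.of("public", "secret");
        System.out.println(effectiveAuths("alice", userAuths, requested, Mode.SILENT));
        for (int i = 0; i < 4; i++) {               // three counted failures, then the lock
            try {
                effectiveAuths("alice", userAuths, requested, Mode.LOCK);
            } catch (SecurityException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

Neither exception message names the labels that were refused, so the error and lock paths reveal no more about which authorizations exist than the silent path does.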