Hello: I'm working on updating our security posture for our various Accumulo users. I took a look at the Permissions Page <https://accumulo.apache.org/docs/2.x/security/permissions> along with the Java docs for SystemPermission <https://www.javadoc.io/doc/org.apache.accumulo/accumulo-core/latest/org/apache/accumulo/core/security/SystemPermission.html> , NamespacePermission <https://www.javadoc.io/doc/org.apache.accumulo/accumulo-core/latest/org/apache/accumulo/core/security/NamespacePermission.html>, and TablePermission <https://www.javadoc.io/doc/org.apache.accumulo/accumulo-core/latest/org/apache/accumulo/core/security/TablePermission.html> but still have some questions. Specifically, I would like to know what the following Permissions are used for:
- SystemPermssion.GRANT - My assumption is that this means a user with these permissions can grant other users various system permissions. Effectively if you have this permission you have the ability to have all other system permissions. - SystemPermission.SYSTEM - SystemPermission.OBTAIN_DELEGATION_TOKEN Also, I'd be interested in your opinions on what permissions I should set up for the following scenario. I would like to create a root user that can only manage user/authorizations but cannot read data from any tables, the root user would be responsible for creating application users which can do everything but create users and alter authorizations. What permissions should I set up to make that happen? Thanks, - Logan
