Github user MikeThomsen commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2518#discussion_r182792431
  
    --- Diff: 
nifi-nar-bundles/nifi-hbase-bundle/nifi-hbase-processors/src/main/java/org/apache/nifi/hbase/VisibilityFetchSupport.java
 ---
    @@ -0,0 +1,53 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.nifi.hbase;
    +
    +import org.apache.nifi.components.PropertyDescriptor;
    +import org.apache.nifi.components.Validator;
    +import org.apache.nifi.flowfile.FlowFile;
    +import org.apache.nifi.processor.ProcessContext;
    +import org.apache.nifi.util.StringUtils;
    +
    +import java.util.ArrayList;
    +import java.util.List;
    +
    +public interface VisibilityFetchSupport {
    +    PropertyDescriptor AUTHORIZATIONS = new PropertyDescriptor.Builder()
    +        .name("hbase-fetch-row-authorizations")
    +        .displayName("Authorizations")
    +        .description("The list of authorizations to pass to the scanner. 
This will be ignored if cell visibility labels are not in use.")
    --- End diff --
    
    In your three cases, the visibility labels would be:
    
    * A
    * A&B
    * B
    
    Passing `[B]` would eliminate the first two.
    
    With HBase and Accumulo, you can tell the scanner "yeah, I know have set X, 
but use subset Y of my authorizations" because there are so many valid use 
cases where the scanner has to limit itself on the authorizations. A good 
example is that in a user-facing deployment, the scanner user will frequently 
have all authorizations, but be configured on the fly to do a scan with those 
of a particular user sitting at the keyboard setting up a scan.
    
    Again, the distinction between "authorizations" and labels" holds because 
label is the requirement statement and authorizations are the tokens used to 
hopefully make it evaluate to `true`.


---

Reply via email to