Github user MikeThomsen commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2518#discussion_r182792431
--- Diff:
nifi-nar-bundles/nifi-hbase-bundle/nifi-hbase-processors/src/main/java/org/apache/nifi/hbase/VisibilityFetchSupport.java
---
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.hbase;
+
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.Validator;
+import org.apache.nifi.flowfile.FlowFile;
+import org.apache.nifi.processor.ProcessContext;
+import org.apache.nifi.util.StringUtils;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public interface VisibilityFetchSupport {
+ PropertyDescriptor AUTHORIZATIONS = new PropertyDescriptor.Builder()
+ .name("hbase-fetch-row-authorizations")
+ .displayName("Authorizations")
+ .description("The list of authorizations to pass to the scanner.
This will be ignored if cell visibility labels are not in use.")
--- End diff --
In your three cases, the visibility labels would be:
* A
* A&B
* B
Passing `[B]` would eliminate the first two.
With HBase and Accumulo, you can tell the scanner "yeah, I know have set X,
but use subset Y of my authorizations" because there are so many valid use
cases where the scanner has to limit itself on the authorizations. A good
example is that in a user-facing deployment, the scanner user will frequently
have all authorizations, but be configured on the fly to do a scan with those
of a particular user sitting at the keyboard setting up a scan.
Again, the distinction between "authorizations" and labels" holds because
label is the requirement statement and authorizations are the tokens used to
hopefully make it evaluate to `true`.
---
