[jira] [Commented] (ACCUMULO-1681) Adjust Authorizor Interface to validate auths instead of retrieving a list

Thu, 05 Sep 2013 09:22:16 -0700 

    [ 
https://issues.apache.org/jira/browse/ACCUMULO-1681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13759174#comment-13759174
 ] 

John Vines commented on ACCUMULO-1681:
--------------------------------------

One thing that isn't handled in that patch is exposing the interface to the 
Constraint system (which currently uses getAuths). There's no way to directly 
switch the VisibilityConstraint over because it uses the VisibilityEvaluator, 
and we don't want to replicate that code. Instead, I'm thinking that we should 
abstract out Authorizations just a smidge to have an AuthorizationContainer 
interface which can be used for validation. Then, both Authorizations and the 
Authorizor could both have contains() and then the VisibiltyEvaluator's logic 
could be used for both directly checking against a set of labels (normal in 
code) but also against a configured Authorizor (constraint).
                
> Adjust Authorizor Interface to validate auths instead of retrieving a list
> --------------------------------------------------------------------------
>
>                 Key: ACCUMULO-1681
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1681
>             Project: Accumulo
>          Issue Type: Bug
>          Components: tserver
>            Reporter: John Vines
>            Assignee: John Vines
>             Fix For: 1.6.0
>
>         Attachments: ACCUMULO-1681.patch
>
>
> Currently the Authorizor interface is used to request a set of authorizations 
> which then get checked against the authorizations a user is attempting to 
> use. However, some security systems only support the ability to validate 
> authorizations/permissions/roles and not provide a list. That makes these 
> systems (entirely) incompatible with Accumulo when they don't have to be.
> We should switch the behavior of Accumulo to ask the Authorizor (via 
> SecurityOperations) if the auths are valid. The existing getAuths 
> functionality will still use that call and would have potentially limited 
> support, similar to the potentially limited support of any of the set 
> operations.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to