buttercream wrote:
> I'm working on a system where there are many users and the users' credentials and information are stored in a third-party system. I was thinking the best approach would be to have my default Accumulo user have the superset of all permissions and then when a query is performed, proxy in the specific user credential that may be a subset. But, this seems a bit cumbersome to have to up front define all available credentials, especially if new authorizations are added without our knowledge.

Yeah, this is the pain point. The approach works, but you have to assume a lot of security testing in your "proxy". You have to certify your software to get a full picture on the security of the system.

> Any thoughts on an alternative approach? I'd like to just be able to proxy through credentials and not have to worry about whether my Accumulo-defined user that I'm proxying through already has them. Is there a way to just let that Accumulo-defined user have max credentials and not have to specifically call them out? Thanks.

Another approach could be writing your own Accumulo Authorizor and Authenticator. You could directly contact the third-party system to determine if a user can be authenticated with Accumulo. Assuming you can extrapolate the Authorizations for each user from that system as well, the Authorizor can be done in the same fashion.
http://accumulo.apache.org/1.6/accumulo_user_manual.html#_pluggable_security
-- View this message in context: http://apache-accumulo.1065345.n5.nabble.com/Authorizations-for-complex-user-management-tp13294.html Sent from the Users mailing list archive at Nabble.com.
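
The proxy approach discussed in this thread, as an added example that is not part of the original messages or of Accumulo itself: the proxy takes the end user's labels from the third-party system and narrows them to what the Accumulo proxy user actually holds before scanning. `ExternalAuthSource` and `ProxyScannerFactory` are hypothetical names; the Accumulo calls are from the 1.6 client API.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.apache.accumulo.core.client.AccumuloException;
import org.apache.accumulo.core.client.AccumuloSecurityException;
import org.apache.accumulo.core.client.Connector;
import org.apache.accumulo.core.client.Scanner;
import org.apache.accumulo.core.client.TableNotFoundException;
import org.apache.accumulo.core.security.Authorizations;

/** Hypothetical lookup into the third-party user store (not an Accumulo API). */
interface ExternalAuthSource {
  Set<String> authorizationsFor(String endUser);
}

public class ProxyScannerFactory {
  private final Connector proxyConn;       // logged in as the Accumulo proxy user
  private final ExternalAuthSource source; // assumed to be a trusted, authenticated channel

  public ProxyScannerFactory(Connector proxyConn, ExternalAuthSource source) {
    this.proxyConn = proxyConn;
    this.source = source;
  }

  /** Scanner limited to the labels the end user holds in the external system. */
  public Scanner scannerFor(String endUser, String table)
      throws AccumuloException, AccumuloSecurityException, TableNotFoundException {
    // Labels come from the external store, never from the client's request.
    Set<String> userLabels = source.authorizationsFor(endUser);
    // What the proxy user currently holds in Accumulo (the intended superset).
    Authorizations held = proxyConn.securityOperations()
        .getUserAuthorizations(proxyConn.whoami());

    List<byte[]> granted = new ArrayList<byte[]>();
    for (String label : userLabels) {
      byte[] raw = label.getBytes(StandardCharsets.UTF_8);
      // A label added externally but not yet granted to the proxy user is
      // dropped here, so the scan never asks for more than the proxy user holds.
      if (held.contains(raw)) {
        granted.add(raw);
      }
    }
    // An empty list means only unlabeled entries are visible.
    return proxyConn.createScanner(table, new Authorizations(granted));
  }
}
```

Every code path that builds a scanner has to go through a check like this one, which is why the proxy itself becomes the component that needs the security testing mentioned in the reply.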
