-
Setting appropriate user authorizations - how and what are the best practices
Edmon Begoli 2012-08-06, 13:25

I implemented a simple example for writing and then reading data
from a table in Accumulo (code attached).

When I run the code I get the exception printed below. I suspect that
I am getting this because user (root) who inserted this data might not
have permissions to read it.

I would like to know what is the proper way to:

A. Assign these authorizations and how

B. What are the best practices in Accumulo for assigning privileges as my
next step will be to create hierarchies of user authorizations.
I want to at the minimum reflect the HIPAA domain where usually only
owner of the private data and some, narrow group can actually see all
of the data, but
many can see some de-identified fragments of it.

Exception
------------------------------------------------------------------

12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Socket connection established to localhost/127.0.0.1:2181, initiating session
12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Session establishment complete on server localhost/127.0.0.1:2181, sessionid 0x138d87a3657fbfc, negotiated timeout = 30000
Exception in thread "main" java.lang.RuntimeException: org.apache.accumulo.core.client.AccumuloSecurityException: Error BAD_AUTHORIZATIONS - The user does not have the specified authorizations assigned
        at org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:186)
        at accumulo.ClaimsBroker.main(ClaimsBroker.java:56)
Caused by: org.apache.accumulo.core.client.AccumuloSecurityException: Error BAD_AUTHORIZATIONS - The user does not have the specified authorizations assigned
        at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:470)
        at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:295)
        at org.apache.accumulo.core.client.impl.ScannerIterator$Reader.run(ScannerIterator.java:94)
        at org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:176)
        ... 1 more
Caused by: ThriftSecurityException(user:root, code:BAD_AUTHORIZATIONS)
        at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$startScan_result.read(TabletClientService.java:4657)
        at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.recv_startScan(TabletClientService.java:192)
        at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.startScan(TabletClientService.java:157)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.accumulo.cloudtrace.instrument.thrift.TraceWrap$2.invoke(TraceWrap.java:84)
        at $Proxy1.startScan(Unknown Source)
        at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:415)
        ... 4 more
-
Re: Setting appropriate user authorizations - how and what are the best practices
Keith Turner 2012-08-06, 14:43

On Mon, Aug 6, 2012 at 9:25 AM, Edmon Begoli <[EMAIL PROTECTED]> wrote:
> I implemented a simple example for writing and then reading data
> from a table in Accumulo (code attached).
>
> When I run the code I get the exception printed below. I suspect that
> I am getting this because user (root) who inserted this data might not
> have permissions to read it.
>
> I would like to know what is the proper way to:
>
> A. Assign these authorizations and how

You can use the setauths command in the shell.

FYI, you may find the following of interest.

https://issues.apache.org/jira/browse/ACCUMULO-246

>
> B. What are the best practices in Accumulo for assigning privileges as my
> next step will be to create hierarchies of user authorizations.
> I want to at the minimum reflect the HIPAA domain where usually only
> owner of the private data and some, narrow group can actually see all
> of the data, but
> many can see some de-identified fragments of it.
>
> Exception
> ------------------------------------------------------------------
>
>
> 12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Socket connection
> established to localhost/127.0.0.1:2181, initiating session
> 12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Session establishment
> complete on server localhost/127.0.0.1:2181, sessionid
> 0x138d87a3657fbfc, negotiated timeout = 30000
> Exception in thread "main" java.lang.RuntimeException:
> org.apache.accumulo.core.client.AccumuloSecurityException: Error
> BAD_AUTHORIZATIONS - The user does not have the specified
> authorizations assigned
>         at org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:186)
>         at accumulo.ClaimsBroker.main(ClaimsBroker.java:56)
> Caused by: org.apache.accumulo.core.client.AccumuloSecurityException:
> Error BAD_AUTHORIZATIONS - The user does not have the specified
> authorizations assigned
>         at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:470)
>         at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:295)
>         at org.apache.accumulo.core.client.impl.ScannerIterator$Reader.run(ScannerIterator.java:94)
>         at org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:176)
>         ... 1 more
> Caused by: ThriftSecurityException(user:root, code:BAD_AUTHORIZATIONS)
>         at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$startScan_result.read(TabletClientService.java:4657)
>         at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.recv_startScan(TabletClientService.java:192)
>         at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.startScan(TabletClientService.java:157)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:616)
>         at org.apache.accumulo.cloudtrace.instrument.thrift.TraceWrap$2.invoke(TraceWrap.java:84)
>         at $Proxy1.startScan(Unknown Source)
>         at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:415)
>         ... 4 more
-
Re: Setting appropriate user authorizations - how and what are the best practices
John Vines 2012-08-06, 14:45

That error occurs when a user tried to do a scan with an authorization they
do not have granted to them. Make sure that the user has the authorizations
they are trying to scan with (if this is an unintended error). Otherwise,
it's working as intended.

2. There will be coming changes to how authorizations are handled in 1.5 to
better support a stricter way to handle authorization realms. accumulo-667
has the discussion in it.

John

On Mon, Aug 6, 2012 at 9:25 AM, Edmon Begoli <[EMAIL PROTECTED]> wrote:

> I implemented a simple example for writing and then reading data
> from a table in Accumulo (code attached).
>
> When I run the code I get the exception printed below. I suspect that
> I am getting this because user (root) who inserted this data might not
> have permissions to read it.
>
> I would like to know what is the proper way to:
>
> A. Assign these authorizations and how
>
> B. What are the best practices in Accumulo for assigning privileges as my
> next step will be to create hierarchies of user authorizations.
> I want to at the minimum reflect the HIPAA domain where usually only
> owner of the private data and some, narrow group can actually see all
> of the data, but
> many can see some de-identified fragments of it.
>
> Exception
> ------------------------------------------------------------------
>
>
> 12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Socket connection
> established to localhost/127.0.0.1:2181, initiating session
> 12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Session establishment
> complete on server localhost/127.0.0.1:2181, sessionid
> 0x138d87a3657fbfc, negotiated timeout = 30000
> Exception in thread "main" java.lang.RuntimeException:
> org.apache.accumulo.core.client.AccumuloSecurityException: Error
> BAD_AUTHORIZATIONS - The user does not have the specified
> authorizations assigned
>         at
> org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:186)
>         at accumulo.ClaimsBroker.main(ClaimsBroker.java:56)
> Caused by: org.apache.accumulo.core.client.AccumuloSecurityException:
> Error BAD_AUTHORIZATIONS - The user does not have the specified
> authorizations assigned
>         at
> org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:470)
>         at
> org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:295)
>         at
> org.apache.accumulo.core.client.impl.ScannerIterator$Reader.run(ScannerIterator.java:94)
>         at
> org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:176)
>         ... 1 more
> Caused by: ThriftSecurityException(user:root, code:BAD_AUTHORIZATIONS)
>         at
> org.apache.accumulo.core.tabletserver.thrift.TabletClientService$startScan_result.read(TabletClientService.java:4657)
>         at
> org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.recv_startScan(TabletClientService.java:192)
>         at
> org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.startScan(TabletClientService.java:157)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:616)
>         at
> org.apache.accumulo.cloudtrace.instrument.thrift.TraceWrap$2.invoke(TraceWrap.java:84)
>         at $Proxy1.startScan(Unknown Source)
>         at
> org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:415)
>         ... 4 more
>
-
Re: Setting appropriate user authorizations - how and what are the best practices
John Armstrong 2012-08-06, 14:49

On 08/06/2012 10:45 AM, John Vines wrote:
> That error occurs when a user tried to do a scan with an authorization
> they do not have granted to them. Make sure that the user has the
> authorizations they are trying to scan with (if this is an unintended
> error). Otherwise, it's working as intended.

I ran into that myself, and it's easy enough (for me) to make sure users
only ever request authorizations they've been granted, but it did make me
wonder why throw an exception there? Why not only apply the intersection of
granted+requested authorizations and log a warning to note that an ungranted
authorization was requested and ignored?
-
Re: Setting appropriate user authorizations - how and what are the best practices
Keith Turner 2012-08-06, 15:02

On Mon, Aug 6, 2012 at 10:49 AM, John Armstrong <[EMAIL PROTECTED]> wrote:
> On 08/06/2012 10:45 AM, John Vines wrote:
>>
>> That error occurs when a user tried to do a scan with an authorization
>> they do not have granted to them. Make sure that the user has the
>> authorizations they are trying to scan with (if this is an unintended
>> error). Otherwise, it's working as intended.
>
>
> I ran into that myself, and it's easy enough (for me) to make sure users
> only ever request authorizations they've been granted, but it did make me
> wonder why throw an exception there? Why not only apply the intersection of
> granted+requested authorizations and log a warning to note that an ungranted
> authorization was requested and ignored?

We used to intersect. But users would not get data back, and not know
why. Can't assume that a user will ever see a log message, like when
a web server is doing the scan. Also, the silent intersection could
hide data from the user that they would want to see without them
knowing it.

I see the intersection behavior as similar to a file system that
returns a zero length file when you do not have permission to read
instead of an error.
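
A simplified Python model of the two behaviours discussed above (rejecting ungranted scan authorizations versus silently intersecting them), added as an illustration; it is not Accumulo code or code from any poster. The function names, the BadAuthorizations class and the sample rows are assumptions made for the example.

```python
import re

class BadAuthorizations(Exception):
    """Models the BAD_AUTHORIZATIONS error from the thread (not Accumulo's class)."""

def visible(expr, auths):
    """Evaluate a visibility label (terms, &, |, parentheses) against auths.
    Simplified: operators are applied left to right; an empty label is public."""
    tokens = re.findall(r"[A-Za-z0-9_]+|[&|()]", expr)
    pos = 0

    def parse_expr():
        nonlocal pos
        value = parse_term()
        while pos < len(tokens) and tokens[pos] in ("&", "|"):
            op = tokens[pos]
            pos += 1
            rhs = parse_term()
            value = (value and rhs) if op == "&" else (value or rhs)
        return value

    def parse_term():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = parse_expr()
            pos += 1  # consume ")"
            return value
        return tok in auths

    return parse_expr() if tokens else True

def scan_strict(table, granted, requested):
    """Behaviour discussed in the thread: any ungranted authorization is an error."""
    missing = set(requested) - set(granted)
    if missing:
        raise BadAuthorizations(sorted(missing))
    return [row for row, label in table if visible(label, set(requested))]

def scan_intersect(table, granted, requested):
    """Earlier behaviour: ungranted authorizations are silently dropped."""
    effective = set(requested) & set(granted)
    return [row for row, label in table if visible(label, effective)]

# Constructed sample rows; LEVEL1 and GROUP1 are labels used elsewhere in this thread.
TABLE = [
    ("claim-001 full record", "LEVEL1&GROUP1"),
    ("claim-001 de-identified", "LEVEL1"),
    ("site notice", ""),
]
```

With only LEVEL1 granted and both labels requested, scan_intersect returns two rows with no indication that the full record was withheld, while scan_strict raises and names the missing authorization.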
-
Re: Setting appropriate user authorizations - how and what are the best practices
Keith Turner 2012-08-06, 15:07

On Mon, Aug 6, 2012 at 10:49 AM, John Armstrong <[EMAIL PROTECTED]> wrote:
> On 08/06/2012 10:45 AM, John Vines wrote:
>>
>> That error occurs when a user tried to do a scan with an authorization
>> they do not have granted to them. Make sure that the user has the
>> authorizations they are trying to scan with (if this is an unintended
>> error). Otherwise, it's working as intended.
>
>
> I ran into that myself, and it's easy enough (for me) to make sure users
> only ever request authorizations they've been granted, but it did make me
> wonder why throw an exception there? Why not only apply the intersection of
> granted+requested authorizations and log a warning to note that an ungranted
> authorization was requested and ignored?

I will work on ACCUMULO-246 for 1.5.0 so that you can have the
behavior you want.
-
Re: Setting appropriate user authorizations - how and what are the best practices
John Armstrong 2012-08-06, 15:09

On 08/06/2012 11:07 AM, Keith Turner wrote:
> I will work on ACCUMULO-246 for 1.5.0 so that you can have the
> behavior you want.

Oh, not that big a deal; I was just curious. I can see the logic behind
wanting to make a bigger deal out of it.
-
Re: Setting appropriate user authorizations - how and what are the best practices
Edmon Begoli 2012-08-06, 15:27

Just for the archiving purposes (and maybe we should add something
like this to the manual):

I was successful at running a scan by adding authorizations to my user
from the accumulo shell (execute $ $ACCUMULO_HOME/bin/accumulo shell
-u myroot ):

>myroot@myinstance setauths -u myuser -s LEVEL1,GROUP1

Regards,
Edmon

On Mon, Aug 6, 2012 at 11:07 AM, Keith Turner <[EMAIL PROTECTED]> wrote:
> On Mon, Aug 6, 2012 at 10:49 AM, John Armstrong <[EMAIL PROTECTED]> wrote:
>> On 08/06/2012 10:45 AM, John Vines wrote:
>>>
>>> That error occurs when a user tried to do a scan with an authorization
>>> they do not have granted to them. Make sure that the user has the
>>> authorizations they are trying to scan with (if this is an unintended
>>> error). Otherwise, it's working as intended.
>>
>>
>> I ran into that myself, and it's easy enough (for me) to make sure users
>> only ever request authorizations they've been granted, but it did make me
>> wonder why throw an exception there? Why not only apply the intersection of
>> granted+requested authorizations and log a warning to note that an ungranted
>> authorization was requested and ignored?
>
> I will work on ACCUMULO-246 for 1.5.0 so that you can have the
> behavior you want.
-
Re: Setting appropriate user authorizations - how and what are the best practices
David Medinets 2012-08-06, 17:34

Does https://github.com/apache/accumulo/blob/trunk/docs/examples/README.visibility
cover this subject in sufficient detail? If not, how can it be improved?

On Mon, Aug 6, 2012 at 11:27 AM, Edmon Begoli <[EMAIL PROTECTED]> wrote:
> Just for the archiving purposes (and maybe we should add something
> like this to the manual):
>
> I was successful at running a scan by adding authorizations to my user
> from the accumulo shell (execute $ $ACCUMULO_HOME/bin/accumulo shell
> -u myroot ):
>
>>myroot@myinstance setauths -u myuser -s LEVEL1,GROUP1