This document specifies the format of an Apache Accumulo AccessExpression. An AccessExpression is an encoding of a boolean expression that defines the attributes an entity requires to access specific data.
The formal definition of the AccessExpression UTF-8 string representation is provided by the following ABNF:
access-expression = [expression] ; empty string is a valid access expression expression = (access-token / paren-expression) [and-expression / or-expression] paren-expression = "(" expression ")" and-expression = "&" (access-token / paren-expression) [and-expression] or-expression = "|" (access-token / paren-expression) [or-expression] access-token = 1*( ALPHA / DIGIT / "_" / "-" / "." / ":" / slash ) access-token =/ DQUOTE 1*(utf8-subset / escaped) DQUOTE utf8-subset = %x20-21 / %x23-5B / %x5D-7E / unicode-beyond-ascii ; utf8 minus '"' and '\' unicode-beyond-ascii = %x0080-D7FF / %xE000-10FFFF escaped = "\" DQUOTE / "\\" slash = "/"
BLUERED&BLUERED&BLUE&GREEN(RED&BLUE)|(GREEN&(PINK|PURPLE))&BLUE : Must start with an access token or a paren expression.(RED&BLUE)| : An access token or paren expression must follow a |.RED&BLUE|GREEN : Once a & is seen, then can only have & and not |, unless using parenthesis.RED|BLUE&GREEN : Once a | is seen, then can only have |and not &, unless using parenthesis.An AccessExpression is a UTF-8 string. It can be serialized using a byte array as long as it can be deserialized back into the same UTF-8 string.
The evaluation process combines set existence checks with boolean algebra. Specifically, AccessExpressions use:
& for logical conjunction (∧ in boolean algebra).| for logical disjunction (∨ in boolean algebra).When evaluating an AccessExpression, existence checks are done against an entities Authorizations. The following is the algorithm for evaluation of an AccessExpression.
true if it exists in the set and false otherwise.The following is an example of evaluating the AccessExpression RED&(BLUE|GREEN) using boolean algebra for an entity with the Authorizations {RED,GREEN}. In the example below RED ∈ {RED,GREEN} translates to does RED exist in the set {RED,GREEN} which it does, so it is true.
Since true ∧ ( false ∨ true ) is true then the entity with Authorizations of {RED,GREEN} can access data labeled with the AccessExpression RED&(BLUE|GREEN). The AccessExpression (RED&BLUE)|(GREEN&PINK) is an example of an AccessExpression that is false for an entity with Authorizations of {RED,GREEN} and it would look like the following using boolean algebra.
An entity with empty Authorizations can only access data associated with an empty access expression. This is because an empty AccessExpression always evaluates to true.
Access tokens can only contain alphanumeric characters or the characters _,-,.,:, or / unless quoted using ". Within quotes, the characters " and \ must escaped by prefixing them with \. For example, to use abc\xyz as an access-token, it would need to be quoted and escaped like "abc\\xyz". When checking if an access-token exists in the entities Authorizations, it must be unquoted and unescaped.
Evaluating "abc!12"&"abc\\xyz"&GHI for an entity with Authorizations of {abc\xyz,abc!12} looks like the following in boolean algebra which evaluates to false.
It's important to note that when verifying the existence of “abc\xyz” in the set of authorizations within the Authorizations object, the token is unquoted, and the \ character is unescaped.