[Authorizations] are a set of Strings that enable a user to read protected data. Users are granted authorizations and choose which ones to use when scanning a table. The chosen authorizations are evaluated against the [ColumnVisibility] of each Accumulo key in the scan. If the boolean expression of the ColumnVisibility evaluates to true, the data will be visible to the user.
For example:
product, sales
sales, employee
row1:family1:qualifier1
has visibility sales && employee
row1:family1:qualifier1
row1:family1:qualifier1
We now want to secure our secret identities of the heroes so that only users with the proper authorizations can read their names.
```java
// Create a "secretId" authorization & visibility
final String secretId = "secretId";
Authorizations auths = new Authorizations(secretId);
ColumnVisibility colVis = new ColumnVisibility(secretId);

// Create a user with the "secretId" authorization and grant him read permissions on our table
client.securityOperations().createLocalUser("commissioner", new PasswordToken("gordonrocks"));
client.securityOperations().changeUserAuthorizations("commissioner", auths);
client.securityOperations().grantTablePermission("commissioner", "GothamPD", TablePermission.READ);
```
The [Mutation] API allows you to set the `secretId` visibility on a column. Find the proper method for setting a column visibility in the Mutation API and modify the code so the `colVis` variable created above secures the "name" columns.
Build and run. What data do you see?
`secretId` authorization.

Replace `Authorizations.EMPTY` in the Scanner with the `auths` variable created above and run it again.

```java
try (AccumuloClient commishClient = Accumulo.newClient().from(client.properties())
    .as("commissioner", "gordonrocks").build()) {
  // Use commishClient for the steps below
}
```
Using the commissioner client, create a Scanner with the authorizations needed to view the secret identities.
Build and run. You should see all the rows in the GothamPD table printed, including these secured key/value pairs:
```
Key : id0001 hero:name [secretId] 1511900180231 false Value : Bruce Wayne
Key : id0002 hero:name [secretId] 1511900180231 false Value : Dick Grayson
```
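The visibility check described at the top of this page can be tried without a cluster. The following is an added example, not part of the tour's own code: it uses the `VisibilityEvaluator` class from accumulo-core (assumed to be a 2.x release on the classpath) to evaluate the authorization sets from the opening example and the `secretId` case from the exercise. The class name `VisibilityCheck`, the helper `visible` and the extra visibility labels are constructed for illustration.

```java
import org.apache.accumulo.core.security.Authorizations;
import org.apache.accumulo.core.security.ColumnVisibility;
import org.apache.accumulo.core.security.VisibilityEvaluator;
import org.apache.accumulo.core.security.VisibilityParseException;

// Added example (not tour code): evaluates visibility labels locally, no cluster needed.
public class VisibilityCheck {

  // True when the chosen authorizations satisfy the key's visibility expression.
  static boolean visible(Authorizations auths, ColumnVisibility vis)
      throws VisibilityParseException {
    return new VisibilityEvaluator(auths).evaluate(vis);
  }

  public static void main(String[] args) throws VisibilityParseException {
    // Authorization sets from the opening example, plus the exercise's two scans.
    Authorizations[] scans = {
        new Authorizations("product", "sales"),
        new Authorizations("sales", "employee"),
        Authorizations.EMPTY,            // what the root Scanner passes in the exercise
        new Authorizations("secretId")   // what the commissioner Scanner passes
    };
    // Accumulo's label syntax uses single & and |, with parentheses when mixing them.
    ColumnVisibility[] labels = {
        new ColumnVisibility("sales&employee"),
        new ColumnVisibility("sales|employee"),
        new ColumnVisibility("product&(sales|employee)"),
        new ColumnVisibility("secretId"),
        new ColumnVisibility()           // empty label: no restriction on the key
    };
    for (Authorizations auths : scans) {
      for (ColumnVisibility vis : labels) {
        System.out.printf("auths=%-18s vis=%-28s visible=%b%n",
            "{" + auths + "}", vis, visible(auths, vis));
      }
    }
    // Mixing & and | without parentheses is rejected when the label is constructed.
    try {
      new ColumnVisibility("sales&employee|product");
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

This only evaluates labels against a chosen set of authorizations; whether a user is allowed to scan with a given set is still decided by the authorizations granted through `changeUserAuthorizations`.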
[Authorizations]: {% jurl org.apache.accumulo.core.security.Authorizations %}
[ColumnVisibility]: {% jurl org.apache.accumulo.core.security.ColumnVisibility %}
[Mutation]: {% jurl org.apache.accumulo.core.data.Mutation %}
[Accumulo]: {% jurl org.apache.accumulo.core.client.Accumulo %}