Apache Accumulo Visibility, Authorizations, and Permissions Example
Creating a new user¶
root@instance> createuser username Enter new password for 'username': ******** Please confirm new password for 'username': ******** root@instance> user username Enter password for user username: ******** username@instance> createtable vistest 06 10:48:47,931 [shell.Shell] ERROR: org.apache.accumulo.core.client.AccumuloSecurityException: Error PERMISSION_DENIED - User does not have permission to perform this action username@instance> userpermissions System permissions: Table permissions (!METADATA): Table.READ username@instance>
A user does not by default have permission to create a table.
Granting permissions to a user¶
username@instance> user root Enter password for user root: ******** root@instance> grant -s System.CREATE_TABLE -u username root@instance> user username Enter password for user username: ******** username@instance> createtable vistest username@instance> userpermissions System permissions: System.CREATE_TABLE Table permissions (!METADATA): Table.READ Table permissions (vistest): Table.READ, Table.WRITE, Table.BULK_IMPORT, Table.ALTER_TABLE, Table.GRANT, Table.DROP_TABLE username@instance vistest>
Inserting data with visibilities¶
Visibilities are boolean AND (&) and OR (|) combinations of authorization tokens. Authorization tokens are arbitrary strings taken from a restricted ASCII character set. Parentheses are required to specify order of operations in visibilities.
username@instance vistest> insert row f1 q1 v1 -l A username@instance vistest> insert row f2 q2 v2 -l A&B username@instance vistest> insert row f3 q3 v3 -l apple&carrot|broccoli|spinach 06 11:19:01,432 [shell.Shell] ERROR: org.apache.accumulo.core.util.BadArgumentException: cannot mix | and & near index 12 apple&carrot|broccoli|spinach ^ username@instance vistest> insert row f3 q3 v3 -l (apple&carrot)|broccoli|spinach username@instance vistest>
Scanning with authorizations¶
Authorizations are sets of authorization tokens. Each Accumulo user has authorizations and each Accumulo scan has authorizations. Scan authorizations are only allowed to be a subset of the user's authorizations. By default, a user's authorizations set is empty.
username@instance vistest> scan username@instance vistest> scan -s A 06 11:43:14,951 [shell.Shell] ERROR: java.lang.RuntimeException: org.apache.accumulo.core.client.AccumuloSecurityException: Error BAD_AUTHORIZATIONS - The user does not have the specified authorizations assigned username@instance vistest>
Setting authorizations for a user¶
username@instance vistest> setauths -s A 06 11:53:42,056 [shell.Shell] ERROR: org.apache.accumulo.core.client.AccumuloSecurityException: Error PERMISSION_DENIED - User does not have permission to perform this action username@instance vistest>
A user cannot set authorizations unless the user has the System.ALTER_USER permission. The root user has this permission.
username@instance vistest> user root Enter password for user root: ******** root@instance vistest> setauths -s A -u username root@instance vistest> user username Enter password for user username: ******** username@instance vistest> scan -s A row f1:q1 [A] v1 username@instance vistest> scan row f1:q1 [A] v1 username@instance vistest>
The default authorizations for a scan are the user's entire set of authorizations.
username@instance vistest> user root Enter password for user root: ******** root@instance vistest> setauths -s A,B,broccoli -u username root@instance vistest> user username Enter password for user username: ******** username@instance vistest> scan row f1:q1 [A] v1 row f2:q2 [A&B] v2 row f3:q3 [(apple&carrot)|broccoli|spinach] v3 username@instance vistest> scan -s B username@instance vistest>
If you want, you can limit a user to only be able to insert data which they can read themselves. It can be set with the following constraint.
username@instance vistest> user root Enter password for user root: ****** root@instance vistest> config -t vistest -s table.constraint.1=org.apache.accumulo.core.security.VisibilityConstraint root@instance vistest> user username Enter password for user username: ******** username@instance vistest> insert row f4 q4 v4 -l spinach Constraint Failures: ConstraintViolationSummary(constrainClass:org.apache.accumulo.core.security.VisibilityConstraint, violationCode:2, violationDescription:User does not have authorization on column visibility, numberOfViolatingMutations:1) username@instance vistest> insert row f4 q4 v4 -l spinach|broccoli username@instance vistest> scan row f1:q1 [A] v1 row f2:q2 [A&B] v2 row f3:q3 [(apple&carrot)|broccoli|spinach] v3 row f4:q4 [spinach|broccoli] v4 username@instance vistest>