> >
> >This seems very complicated and easy for users to get wrong.
> >
> >
>
>I agree that this is adding a significant amount of complexity. One option
>would be to annotate NOT as advisory, or to specify in the docs that it'd
>be up to the application layer to enforce the inclusion of the minimal set.
>(then again, that leaves even more room for erroneous implementations)
>
If we are going to do it, I think we should try to come up with a design
that solves end-to-end use cases. The not op seems useful but also
dangerous, there is a real possibility of unintended data leakage. A
minimal authorization set is a solution. Are there other solutions? Ones
that better translate a users intent into constraints in the system.
Another snippet from HBase writeups that caught my eye was the idea of
supporting both read and write visibilities. What we have right now is
read, with a bit of write visibilities (using the VisibilityConstraint).
The downside is that you can't let someone read data without writing to it.
That might be something else to consider as I can see it being a common
use-case. (although it might merit its own line of work completely)
