Accumulo's authorizations are designed to be a whitelist, so you
cannot define "max credentials" in the authorization layer.

I faced a problem similar to yours, and I went with the custom
Authorizor approach. You can use the custom Authorizor to call out to
your third party service/database to obtain authorizations for end
users like Josh suggested.

On Wed, Feb 18, 2015 at 10:58 PM, Josh Elser <josh.el...@gmail.com> wrote:
> buttercream wrote:
>>
>> I'm working on a system where there are many users and the users'
>> credentials and information are stored in a third party system. I was
>> thinking the best approach would be to have my default Accumulo user have
>> the superset of all permissions and then, when a query is performed, proxy
>> in the specific user credential that may be a subset. But this seems a bit
>> cumbersome, to have to define all available credentials up front,
>> especially if new authorizations are added without our knowledge.
>
>
> Yeah, this is the pain point. The approach works, but you have to assume a
> lot of security testing in your "proxy". You have to certify your software
> to get a full picture on the security of the system.
>
>> Any thoughts on an alternative approach?
>> I'd like to just be able to proxy through credentials and not have to
>> worry about whether my Accumulo-defined user that I'm proxying through
>> already has them. Is there a way to just let that Accumulo-defined user
>> have max credentials and not have to specifically call them out? Thanks.
>
>
> Another approach could be writing your own Accumulo Authorizor and
> Authenticator. You could directly contact the third-party system to
> determine if a user can be authenticated with Accumulo. Assuming you can
> extrapolate the Authorizations for each user from that system as well, the
> Authorizor can be done in the same fashion.
>
> http://accumulo.apache.org/1.6/accumulo_user_manual.html#_pluggable_security
>
>> --
>> View this message in context:
>> http://apache-accumulo.1065345.n5.nabble.com/Authorizations-for-complex-user-management-tp13294.html
>> Sent from the Users mailing list archive at Nabble.com.
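To make the whitelist point concrete, here is a small Python model of the scan path discussed in this thread. It is an added example written for this page, not Accumulo's own code: the end user's authorizations are looked up from a stand-in third-party directory (the job a custom Authorizor would do), and the proxy pattern only succeeds when both the end user and the Accumulo-defined proxy user already hold every requested authorization. The directory contents, table rows, visibility labels and function names are all constructed; the names mirror the Accumulo concepts but are not its API.

```python
"""Model of Accumulo-style authorizations as a whitelist (constructed example,
not Accumulo code).  The end user's auths come from an external directory, as a
custom Authorizor would fetch them; a proxy user holding a superset is what the
proxying pattern in the thread relies on."""

# Constructed stand-in for the third-party user store; "proxy" is the
# Accumulo-defined user the application connects as.
THIRD_PARTY_DIRECTORY = {
    "proxy": {"PUBLIC", "HR", "LEGAL"},
    "alice": {"PUBLIC", "HR"},
    "bob": {"PUBLIC"},
}

# Constructed table contents: (key, column visibility, value).
SAMPLE_ROWS = [
    ("emp1:name", "PUBLIC", "Alice Smith"),
    ("emp1:salary", "HR", "100000"),
    ("emp1:review", "HR&LEGAL", "meets expectations"),
]


class BadAuthorizations(Exception):
    """Raised when a scan asks for an auth the acting user does not hold."""


def user_authorizations(user):
    """Whitelist for a user, as a directory-backed Authorizor would return it.
    Unknown users get no authorizations at all."""
    return frozenset(THIRD_PARTY_DIRECTORY.get(user, ()))


def is_valid_authorizations(user, requested):
    """The check a custom Authorizor answers before a scan: every requested
    auth must be in the user's whitelist.  There is no 'max' or wildcard."""
    return frozenset(requested) <= user_authorizations(user)


def effective_scan_authorizations(proxy_user, end_user, requested):
    """Proxy pattern: the scan runs with the requested subset only if both the
    end user (per the directory) and the proxy user (per Accumulo) hold it."""
    requested = frozenset(requested)
    end_auths = user_authorizations(end_user)
    if not requested <= end_auths:
        raise BadAuthorizations(f"{end_user} lacks {sorted(requested - end_auths)}")
    proxy_auths = user_authorizations(proxy_user)
    if not requested <= proxy_auths:
        # The pain point from the thread: an auth added to the directory but
        # never granted to the proxy user cannot be proxied through it.
        raise BadAuthorizations(f"proxy {proxy_user} lacks {sorted(requested - proxy_auths)}")
    return requested


def visible(expr, auths):
    """Evaluate a column visibility expression such as 'HR&(PUBLIC|LEGAL)'.
    Operators are & and |; as in Accumulo, one group may not mix them without
    parentheses, and an empty expression is visible to everyone."""
    pos = 0

    def parse_term():
        nonlocal pos
        if pos < len(expr) and expr[pos] == "(":
            pos += 1
            result = parse_group()
            if pos >= len(expr) or expr[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return result
        start = pos
        while pos < len(expr) and (expr[pos].isalnum() or expr[pos] in "_-:."):
            pos += 1
        if start == pos:
            raise ValueError(f"expected an auth token at position {pos}")
        return expr[start:pos] in auths

    def parse_group():
        nonlocal pos
        values, op = [parse_term()], None
        while pos < len(expr) and expr[pos] in "&|":
            if op is not None and expr[pos] != op:
                raise ValueError("cannot mix & and | without parentheses")
            op = expr[pos]
            pos += 1
            values.append(parse_term())
        return all(values) if op == "&" else any(values)

    if expr == "":
        return True
    result = parse_group()
    if pos != len(expr):
        raise ValueError(f"unexpected input at position {pos}")
    return result


def scan(proxy_user, end_user, requested):
    """Return the (key, value) pairs the end user may see when proxied through
    proxy_user with the requested authorizations."""
    auths = effective_scan_authorizations(proxy_user, end_user, requested)
    return [(k, v) for k, vis, v in SAMPLE_ROWS if visible(vis, auths)]
```

Running `scan("proxy", "alice", {"PUBLIC", "HR"})` returns the name and salary cells but not the `HR&LEGAL` review; `scan("proxy", "bob", {"HR"})` is rejected because bob's whitelist lacks HR. Adding a new auth to alice in the directory without also granting it to `proxy` is rejected at the second check, which is exactly the maintenance burden the thread describes and the reason a directory-backed Authorizor (so that each end user is a real Accumulo principal) avoids it.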