Hi Josh, I am trying to understand how Accumulo security is enforced to solve our challenge.
We customized Accumulo Authorizor to support ABAC (including time of access) and we need to cache authorizations due to the complexity (thanks for confirming our observation). Initially we cache the authorizations in Zookeeper and quicky discovered the authorizations exceed the max size limit. You mentioned Accumulo caches authorizations. Is the default cache implementation using Zookeeper? Any suggestions on the cache implementation for our challenge? Thanks, Sky On Wed, Jun 12, 2019 at 6:48 AM Josh Elser <els...@apache.org> wrote: > Sky, > > Yes, every request to a Tablet needs to be authorized. The rabbit hole > (complexity) goes a bit further which, I believe, could result in this > value being even higher than this. > > This in mind: what is your end goal? What are you trying to figure out? > > Authorizations are cached by Accumulo which greatly reduce any > performance impact of Accumulo having to do checks like these in the > face of parallelism. > > On 6/11/19 8:31 PM, Tianlai Dong wrote: > > Hi, > > > > I am using Accumulo 1.7.2 and I create a table with 31 splits. When I do > > a table scan via Accumulo shell (scan -st -t mytable), I see 33 requests > > to get authorizations for the user doing the scan. My understanding is > > there will be an initial request to fetch current user's authorizations, > > the default value. Then for each tablet, there will be a authorization > > validation. > > > > Then I pass authorizations to the command. i.e., scan -st -t mytabe -s > > 1. I still see 33 requests while I expect 32 as there is no need to get > > current user's authorizations first. So it seems there is something > > wrong with my assumptions. > > > > Why do I see multiple requests for user authorizations? Does it relate > > to the number of tablets? > > > > Thanks, > > Sky >
