Posted to user@accumulo.apache.org by Tianlai Dong <dt...@gmail.com> on 2019/06/12 00:31:35 UTC

Multiple get user authorization requests during a table scan

Hi,

I am using Accumulo 1.7.2 and I create a table with 31 splits. When I do a
table scan via Accumulo shell (scan -st -t mytable), I see 33 requests to
get authorizations for the user doing the scan. My understanding is there
will be an initial request to fetch current user's authorizations, the
default value. Then for each tablet, there will be an authorization
validation.

Then I pass authorizations to the command. i.e., scan -st -t mytabe -s 1. I
still see 33 requests while I expect 32 as there is no need to get current
user's authorizations first. So it seems there is something wrong with my
assumptions.

Why do I see multiple requests for user authorizations? Does it relate to
the number of tablets?

Thanks,
Sky

Re: Multiple get user authorization requests during a table scan

Posted by Tianlai Dong <dt...@gmail.com>.
Hi Josh,

I am trying to understand how Accumulo security is enforced to solve our
challenge.

We customized Accumulo Authorizor to support ABAC (including time of
access) and we need to cache authorizations due to the complexity (thanks
for confirming our observation). Initially we cache the authorizations in
Zookeeper and quickly discovered the authorizations exceed the max size
limit. You mentioned Accumulo caches authorizations. Is the default cache
implementation using Zookeeper? Any suggestions on the cache implementation
for our challenge?

Thanks,
Sky

On Wed, Jun 12, 2019 at 6:48 AM Josh Elser <el...@apache.org> wrote:

> Sky,
>
> Yes, every request to a Tablet needs to be authorized. The rabbit hole
> (complexity) goes a bit further which, I believe, could result in this
> value being even higher than this.
>
> This in mind: what is your end goal? What are you trying to figure out?
>
> Authorizations are cached by Accumulo which greatly reduces any
> performance impact of Accumulo having to do checks like these in the
> face of parallelism.
>
> On 6/11/19 8:31 PM, Tianlai Dong wrote:
> > Hi,
> >
> > I am using Accumulo 1.7.2 and I create a table with 31 splits. When I do
> > a table scan via Accumulo shell (scan -st -t mytable), I see 33 requests
> > to get authorizations for the user doing the scan. My understanding is
> > there will be an initial request to fetch current user's authorizations,
> > the default value. Then for each tablet, there will be an authorization
> > validation.
> >
> > Then I pass authorizations to the command. i.e., scan -st -t mytabe -s
> > 1. I still see 33 requests while I expect 32 as there is no need to get
> > current user's authorizations first. So it seems there is something
> > wrong with my assumptions.
> >
> > Why do I see multiple requests for user authorizations? Does it relate
> > to the number of tablets?
> >
> > Thanks,
> > Sky
>

Re: Multiple get user authorization requests during a table scan

Posted by Josh Elser <el...@apache.org>.
Sky,

Yes, every request to a Tablet needs to be authorized. The rabbit hole 
(complexity) goes a bit further which, I believe, could result in this 
value being even higher than this.

This in mind: what is your end goal? What are you trying to figure out?

Authorizations are cached by Accumulo which greatly reduces any
performance impact of Accumulo having to do checks like these in the 
face of parallelism.

On 6/11/19 8:31 PM, Tianlai Dong wrote:
> Hi,
> 
> I am using Accumulo 1.7.2 and I create a table with 31 splits. When I do 
> a table scan via Accumulo shell (scan -st -t mytable), I see 33 requests 
> to get authorizations for the user doing the scan. My understanding is 
> there will be an initial request to fetch current user's authorizations, 
> the default value. Then for each tablet, there will be an authorization
> validation.
> 
> Then I pass authorizations to the command. i.e., scan -st -t mytabe -s 
> 1. I still see 33 requests while I expect 32 as there is no need to get 
> current user's authorizations first. So it seems there is something 
> wrong with my assumptions.
> 
> Why do I see multiple requests for user authorizations? Does it relate 
> to the number of tablets?
> 
> Thanks,
> Sky
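
An added example, not code from this thread or from Accumulo: an in-process, time-limited cache placed in front of an expensive authorization lookup, so that the repeated per-request checks described above reach the backend once per expiry window. All class and method names are hypothetical, the 5-second expiry is an assumed value, and the class does not implement Accumulo's Authorizor interface.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

// Hypothetical names throughout; this does not use or mirror Accumulo's own API.
public class CachedAuthLookup {
    // One cached answer plus the time after which it must be re-evaluated.
    private static final class Entry {
        final Set<String> auths;
        final long expiresAtNanos;
        Entry(Set<String> auths, long expiresAtNanos) {
            this.auths = auths;
            this.expiresAtNanos = expiresAtNanos;
        }
    }

    private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();
    private final Function<String, Set<String>> backend; // the expensive ABAC evaluation
    private final long ttlNanos;

    public CachedAuthLookup(Function<String, Set<String>> backend, long ttlMillis) {
        this.backend = backend;
        this.ttlNanos = ttlMillis * 1_000_000L;
    }

    public Set<String> authorizationsFor(String user) {
        long now = System.nanoTime();
        // compute() is atomic per key, so parallel checks for one user share one backend call.
        Entry e = cache.compute(user, (u, old) ->
            (old != null && now - old.expiresAtNanos < 0)
                ? old
                : new Entry(backend.apply(u), now + ttlNanos));
        return e.auths;
    }

    // Call when a user's attributes or policy change, so stale grants are dropped at once.
    public void invalidate(String user) {
        cache.remove(user);
    }

    public static void main(String[] args) {
        AtomicInteger backendCalls = new AtomicInteger();
        CachedAuthLookup lookup = new CachedAuthLookup(user -> {
            backendCalls.incrementAndGet();
            return Set.of("1"); // constructed sample authorization
        }, 5_000);
        // 33 lookups, matching the request count reported in the thread.
        for (int i = 0; i < 33; i++) lookup.authorizationsFor("sky");
        System.out.println("checks=33 backendCalls=" + backendCalls.get());
    }
}
```

The expiry bounds how long a revoked or time-restricted grant can remain in effect, so it should be no longer than the finest time-of-access granularity the policy enforces.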