You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@accumulo.apache.org by Edmon Begoli <eb...@gmail.com> on 2012/08/06 15:25:27 UTC
Setting appropriate user authorizations - how and what are the best practices
I implemented a simple example for writing and then reading a data
from a table in Accumulo (code attached).
When I run the code I get the exception printed below. I suspect that
I am getting this because user (root) who inserted this data might not
have permissions to read it.
I would like to know what is the proper way to:
A. Assign these authorizations and how
B. What are the best practices in Accumulo for assign privileges as my
next step will be to create hierarchies of user authorizations.
I want to at the minimum reflect the HIPAA domain where usually only
owner of the private data and some, narrow group can actually see all
of the data, but
many can see some de-identified fragments of it.
Exception
------------------------------------------------------------------
12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Socket connection
established to localhost/127.0.0.1:2181, initiating session
12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Session establishment
complete on server localhost/127.0.0.1:2181, sessionid =
0x138d87a3657fbfc, negotiated timeout = 30000
Exception in thread "main" java.lang.RuntimeException:
org.apache.accumulo.core.client.AccumuloSecurityException: Error
BAD_AUTHORIZATIONS - The user does not have the specified
authorizations assigned
at org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:186)
at accumulo.ClaimsBroker.main(ClaimsBroker.java:56)
Caused by: org.apache.accumulo.core.client.AccumuloSecurityException:
Error BAD_AUTHORIZATIONS - The user does not have the specified
authorizations assigned
at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:470)
at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:295)
at org.apache.accumulo.core.client.impl.ScannerIterator$Reader.run(ScannerIterator.java:94)
at org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:176)
... 1 more
Caused by: ThriftSecurityException(user:root, code:BAD_AUTHORIZATIONS)
at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$startScan_result.read(TabletClientService.java:4657)
at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.recv_startScan(TabletClientService.java:192)
at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.startScan(TabletClientService.java:157)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.accumulo.cloudtrace.instrument.thrift.TraceWrap$2.invoke(TraceWrap.java:84)
at $Proxy1.startScan(Unknown Source)
at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:415)
... 4 more
Re: Setting appropriate user authorizations - how and what are the
best practices
Posted by Keith Turner <ke...@deenlo.com>.
On Mon, Aug 6, 2012 at 9:25 AM, Edmon Begoli <eb...@gmail.com> wrote:
> I implemented a simple example for writing and then reading a data
> from a table in Accumulo (code attached).
>
> When I run the code I get the exception printed below. I suspect that
> I am getting this because user (root) who inserted this data might not
> have permissions to read it.
>
> I would like to know what is the proper way to:
>
> A. Assign these authorizations and how
You can use setauths command in the shell.
FYI, you may find the following of interest.
https://issues.apache.org/jira/browse/ACCUMULO-246
>
> B. What are the best practices in Accumulo for assign privileges as my
> next step will be to create hierarchies of user authorizations.
> I want to at the minimum reflect the HIPAA domain where usually only
> owner of the private data and some, narrow group can actually see all
> of the data, but
> many can see some de-identified fragments of it.
>
> Exception
> ------------------------------------------------------------------
>
>
> 12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Socket connection
> established to localhost/127.0.0.1:2181, initiating session
> 12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Session establishment
> complete on server localhost/127.0.0.1:2181, sessionid =
> 0x138d87a3657fbfc, negotiated timeout = 30000
> Exception in thread "main" java.lang.RuntimeException:
> org.apache.accumulo.core.client.AccumuloSecurityException: Error
> BAD_AUTHORIZATIONS - The user does not have the specified
> authorizations assigned
> at org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:186)
> at accumulo.ClaimsBroker.main(ClaimsBroker.java:56)
> Caused by: org.apache.accumulo.core.client.AccumuloSecurityException:
> Error BAD_AUTHORIZATIONS - The user does not have the specified
> authorizations assigned
> at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:470)
> at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:295)
> at org.apache.accumulo.core.client.impl.ScannerIterator$Reader.run(ScannerIterator.java:94)
> at org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:176)
> ... 1 more
> Caused by: ThriftSecurityException(user:root, code:BAD_AUTHORIZATIONS)
> at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$startScan_result.read(TabletClientService.java:4657)
> at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.recv_startScan(TabletClientService.java:192)
> at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.startScan(TabletClientService.java:157)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:616)
> at org.apache.accumulo.cloudtrace.instrument.thrift.TraceWrap$2.invoke(TraceWrap.java:84)
> at $Proxy1.startScan(Unknown Source)
> at org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:415)
> ... 4 more
Re: Setting appropriate user authorizations - how and what are the
best practices
Posted by Keith Turner <ke...@deenlo.com>.
On Mon, Aug 6, 2012 at 10:49 AM, John Armstrong <jr...@ccri.com> wrote:
> On 08/06/2012 10:45 AM, John Vines wrote:
>>
>> That error occurs when a user tried to do a scan with an authorization
>> they do not have granted to them. Make sure that the user has the
>> authorizations they are trying to scan with (if this is an unintended
>> error). Otherwise, it's working as intended.
>
>
> I ran into that myself, and it's easy enough (for me) to make sure users
> only ever request authorizations they've been granted, but it did make me
> wonder why throw an exception there? Why not only apply the intersection of
> granted+requested authorizations and log a warning to note that an ungranted
> authorization was requested and ignored?
We used to intersect. But users would not get data back, and not know
why. Can't assume that a user will ever see a log message, like when
a webs server is doing the scan.
Also, the silent intersection could hide data from the user that they
would want to see without them knowing it. I see the intersection
behavior as similar to a file system that returns a zero length file
when you do not have permission to read instead of an error.
Re: Setting appropriate user authorizations - how and what are the
best practices
Posted by John Armstrong <jr...@ccri.com>.
On 08/06/2012 11:07 AM, Keith Turner wrote:
> I will work on ACCUMULO-246 for 1.5.0 so that you can have the
> behavior you want.
Oh, not that big a deal; I was just curious. I can see the logic behind
wanting to make a bigger deal out of it.
Re: Setting appropriate user authorizations - how and what are the
best practices
Posted by David Medinets <da...@gmail.com>.
Does https://github.com/apache/accumulo/blob/trunk/docs/examples/README.visibility
cover this subject in sufficient detail? If not, how can it be
improved?
On Mon, Aug 6, 2012 at 11:27 AM, Edmon Begoli <eb...@gmail.com> wrote:
> Just for the archiving purposes (and maybe we should add something
> like this to the manual):
>
> I was successful at running a scan by adding authorizations to my user
> from the accumulo shell (execute $ $ACCUMULO_HOME/bin/accumulo/shell
> -u myroot ):
>
>>myroot@myinstance setauths -u myuser -s LEVEL1,GROUP1
Re: Setting appropriate user authorizations - how and what are the
best practices
Posted by Edmon Begoli <eb...@gmail.com>.
Just for the archiving purposes (and maybe we should add something
like this to the manual):
I was successful at running a scan by adding authorizations to my user
from the accumulo shell (execute $ $ACCUMULO_HOME/bin/accumulo/shell
-u myroot ):
>myroot@myinstance setauths -u myuser -s LEVEL1,GROUP1
Regards,
Edmon
On Mon, Aug 6, 2012 at 11:07 AM, Keith Turner <ke...@deenlo.com> wrote:
> On Mon, Aug 6, 2012 at 10:49 AM, John Armstrong <jr...@ccri.com> wrote:
>> On 08/06/2012 10:45 AM, John Vines wrote:
>>>
>>> That error occurs when a user tried to do a scan with an authorization
>>> they do not have granted to them. Make sure that the user has the
>>> authorizations they are trying to scan with (if this is an unintended
>>> error). Otherwise, it's working as intended.
>>
>>
>> I ran into that myself, and it's easy enough (for me) to make sure users
>> only ever request authorizations they've been granted, but it did make me
>> wonder why throw an exception there? Why not only apply the intersection of
>> granted+requested authorizations and log a warning to note that an ungranted
>> authorization was requested and ignored?
>
> I will work on ACCUMULO-246 for 1.5.0 so that you can have the
> behavior you want.
Re: Setting appropriate user authorizations - how and what are the
best practices
Posted by Keith Turner <ke...@deenlo.com>.
On Mon, Aug 6, 2012 at 10:49 AM, John Armstrong <jr...@ccri.com> wrote:
> On 08/06/2012 10:45 AM, John Vines wrote:
>>
>> That error occurs when a user tried to do a scan with an authorization
>> they do not have granted to them. Make sure that the user has the
>> authorizations they are trying to scan with (if this is an unintended
>> error). Otherwise, it's working as intended.
>
>
> I ran into that myself, and it's easy enough (for me) to make sure users
> only ever request authorizations they've been granted, but it did make me
> wonder why throw an exception there? Why not only apply the intersection of
> granted+requested authorizations and log a warning to note that an ungranted
> authorization was requested and ignored?
I will work on ACCUMULO-246 for 1.5.0 so that you can have the
behavior you want.
Re: Setting appropriate user authorizations - how and what are the
best practices
Posted by John Armstrong <jr...@ccri.com>.
On 08/06/2012 10:45 AM, John Vines wrote:
> That error occurs when a user tried to do a scan with an authorization
> they do not have granted to them. Make sure that the user has the
> authorizations they are trying to scan with (if this is an unintended
> error). Otherwise, it's working as intended.
I ran into that myself, and it's easy enough (for me) to make sure users
only ever request authorizations they've been granted, but it did make
me wonder why throw an exception there? Why not only apply the
intersection of granted+requested authorizations and log a warning to
note that an ungranted authorization was requested and ignored?
Re: Setting appropriate user authorizations - how and what are the
best practices
Posted by John Vines <vi...@apache.org>.
That error occurs when a user tried to do a scan with an authorization they
do not have granted to them. Make sure that the user has the authorizations
they are trying to scan with (if this is an unintended error). Otherwise,
it's working as intended.
2. There will be coming changes to how authorizations are handled in 1.5 to
better support a stricter way to handle authorization realms. accumulo-667
has the discussion in it.
John
On Mon, Aug 6, 2012 at 9:25 AM, Edmon Begoli <eb...@gmail.com> wrote:
> I implemented a simple example for writing and then reading a data
> from a table in Accumulo (code attached).
>
> When I run the code I get the exception printed below. I suspect that
> I am getting this because user (root) who inserted this data might not
> have permissions to read it.
>
> I would like to know what is the proper way to:
>
> A. Assign these authorizations and how
>
> B. What are the best practices in Accumulo for assign privileges as my
> next step will be to create hierarchies of user authorizations.
> I want to at the minimum reflect the HIPAA domain where usually only
> owner of the private data and some, narrow group can actually see all
> of the data, but
> many can see some de-identified fragments of it.
>
> Exception
> ------------------------------------------------------------------
>
>
> 12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Socket connection
> established to localhost/127.0.0.1:2181, initiating session
> 12/08/03 09:27:28 INFO zookeeper.ClientCnxn: Session establishment
> complete on server localhost/127.0.0.1:2181, sessionid =
> 0x138d87a3657fbfc, negotiated timeout = 30000
> Exception in thread "main" java.lang.RuntimeException:
> org.apache.accumulo.core.client.AccumuloSecurityException: Error
> BAD_AUTHORIZATIONS - The user does not have the specified
> authorizations assigned
> at
> org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:186)
> at accumulo.ClaimsBroker.main(ClaimsBroker.java:56)
> Caused by: org.apache.accumulo.core.client.AccumuloSecurityException:
> Error BAD_AUTHORIZATIONS - The user does not have the specified
> authorizations assigned
> at
> org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:470)
> at
> org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:295)
> at
> org.apache.accumulo.core.client.impl.ScannerIterator$Reader.run(ScannerIterator.java:94)
> at
> org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:176)
> ... 1 more
> Caused by: ThriftSecurityException(user:root, code:BAD_AUTHORIZATIONS)
> at
> org.apache.accumulo.core.tabletserver.thrift.TabletClientService$startScan_result.read(TabletClientService.java:4657)
> at
> org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.recv_startScan(TabletClientService.java:192)
> at
> org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.startScan(TabletClientService.java:157)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:616)
> at
> org.apache.accumulo.cloudtrace.instrument.thrift.TraceWrap$2.invoke(TraceWrap.java:84)
> at $Proxy1.startScan(Unknown Source)
> at
> org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:415)
> ... 4 more
>