Modified VisibilityFilter to handle multiple Authorizations objects#6402
Modified VisibilityFilter to handle multiple Authorizations objects#6402dlmarion wants to merge 2 commits into
Conversation
Accumulo Access provides an AccessEvaluator that accepts a Collection of Sets of Strings (effectively Collection<Authorizations>). The existing user VisibilityFilter only accepts a single Authorizations object. This new visibility filter accepts a set of Authorizations in a single filter.
| io.addNamedOption(AUTHS, | ||
| "the serialized set of authorizations to filter against (default: empty" | ||
| + " string, accepts only entries visible by all)"); |
There was a problem hiding this comment.
Can't remove this option. The configuration parameter is the main API for this class. Removing or renaming it breaks it.
| io.addNamedOption(NUM_AUTHS, | ||
| "The number of serialized authorizations to filter against (default 0)"); | ||
| io.addUnnamedOption(AUTH_PREFIX | ||
| + "N, where the value is a serialized set of authorizations. N must be between zero and NUM_AUTHS."); |
There was a problem hiding this comment.
I'm not sure these descriptions really communicate how these are used. Is the idea that you specify some config like:
numAuths = 3
auth_0 = a,b,c
auth_1 = c,b,d
auth_2 = a,c,z
And then it does something like:
if (entry.evaluateUsing(auth_0) && entry..evaluateUsing(auth_1) && entry..evaluateUsing(auth_2)) {
return entry;
}
Is the idea to replace multiple executions of the iterator with a single one?
Instead, I think it might make sense to have a config that preserves the existing behavior, and extends the existing config:
auths = a,b,c;c,b,d;a,c,z
This is simpler, and backwards compatible. The description can be extended to say: "if multiple serialized sets are configured, separated by semi-colons, then entries are accepted only if they would be accepted by each of the sets independently"
| List<byte[]> bytesAuths = auths.getAuthorizations(); | ||
| Set<String> stringAuths = new HashSet<>(bytesAuths.size()); | ||
| for (var auth : bytesAuths) { | ||
| stringAuths.add(new String(auth, ISO_8859_1)); |
There was a problem hiding this comment.
A comment is warranted here to explain why ISO-8859-1 is used.
Accumulo Access provides an AccessEvaluator
that accepts a Collection of Sets of Strings (effectively
Collection<Authorizations>). Modified the existing userVisibilityFilter to accept a set of Authorizations and
use the new AccessEvaluator.