Details

    • Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 1.1.0
    • Component/s: None
    • Labels:
      None

      Description

      See parent for the whole story.

      Consider a new permission with the semantics "being able to read only granted cells", perhaps called READ_VISIBLE.

      Maybe consider a symmetric new permission for writes.

      The lack of default READ perm should prevent users from launching scanners.

        Activity

        Andrew Purtell added a comment - - edited

        Consider a new permission with the semantics "being able to read only granted cells", perhaps called READ_VISIBLE.
        Maybe consider a symmetric new permission for writes.

        Just to clarify, we can claim the current code provides this semantic. With the default cell ACL evaluation strategy, in the absence of a CF or CF:qual grant - let's call this "CF level grant" - then the user will not be authorized to do anything unless the cell has an ACL that grants appropriate permissions. (Note that with cell-first both a cell ACL must exist and authorize and CF level permissions must also authorize.) Or, with the cell-first ACL evaluation strategy, then regardless of CF level grant the cell must have a permission authorizing the action. The parent talks about having an option for an alternative to this behavior. Let's call that READ_INVISIBLE. Perhaps that is a poor name. Anyway, what would this look like? This, if granted at the CF or table level, would allow the user to see any cell without an ACL? That is equivalent to granting READ permission at the CF or table level today. Or maybe the distinction is pushed down such that it makes a behavioral change with respect to the cell-first ACL strategy, in which case it could be cells without any ACLs should grant by default instead of deny.

        The lack of default READ perm should prevent users from launching scanners.

        We don't have this yet.


          People

          • Assignee:
            Unassigned
            Reporter:
            Andrew Purtell
          • Votes:
            0
            Watchers:
            4

            Dates

            • Created:
              Updated:
