Skip to content

Modified VisibilityFilter to handle multiple Authorizations objects#6402

Open
dlmarion wants to merge 2 commits into
apache:mainfrom
dlmarion:multi-auth-vis-filter
Open

Modified VisibilityFilter to handle multiple Authorizations objects#6402
dlmarion wants to merge 2 commits into
apache:mainfrom
dlmarion:multi-auth-vis-filter

Conversation

@dlmarion

@dlmarion dlmarion commented May 29, 2026

Copy link
Copy Markdown
Contributor

Accumulo Access provides an AccessEvaluator
that accepts a Collection of Sets of Strings (effectively
Collection<Authorizations>). Modified the existing user
VisibilityFilter to accept a set of Authorizations and
use the new AccessEvaluator.

Accumulo Access provides an AccessEvaluator that accepts
a Collection of Sets of Strings (effectively
Collection<Authorizations>). The existing user
VisibilityFilter only accepts a single Authorizations
object. This new visibility filter accepts a set of
Authorizations in a single filter.
@dlmarion dlmarion added this to the 4.0.0 milestone May 29, 2026
@dlmarion dlmarion requested review from ctubbsii and keith-turner May 29, 2026 17:03
@dlmarion dlmarion self-assigned this May 29, 2026
@dlmarion dlmarion changed the title Added MultiAuthVisibilityFilter to user iterator package Modified VisibilityFilter to handle multiple Authorizations objects Jun 8, 2026
Comment on lines -139 to -141
io.addNamedOption(AUTHS,
"the serialized set of authorizations to filter against (default: empty"
+ " string, accepts only entries visible by all)");

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't remove this option. The configuration parameter is the main API for this class. Removing or renaming it breaks it.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I can add it back. I didn't consider the case where someone has this configured on a table prior to a 4.0 upgrade.

Comment on lines +160 to +163
io.addNamedOption(NUM_AUTHS,
"The number of serialized authorizations to filter against (default 0)");
io.addUnnamedOption(AUTH_PREFIX
+ "N, where the value is a serialized set of authorizations. N must be between zero and NUM_AUTHS.");

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure these descriptions really communicate how these are used. Is the idea that you specify some config like:

numAuths = 3
auth_0 = a,b,c
auth_1 = c,b,d
auth_2 = a,c,z

And then it does something like:

if (entry.evaluateUsing(auth_0) && entry..evaluateUsing(auth_1) && entry..evaluateUsing(auth_2)) {
  return entry;
}

Is the idea to replace multiple executions of the iterator with a single one?

Instead, I think it might make sense to have a config that preserves the existing behavior, and extends the existing config:

auths = a,b,c;c,b,d;a,c,z

This is simpler, and backwards compatible. The description can be extended to say: "if multiple serialized sets are configured, separated by semi-colons, then entries are accepted only if they would be accepted by each of the sets independently"

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure these descriptions really communicate how these are used. Is the idea that you specify some config like:

numAuths = 3
auth_0 = a,b,c
auth_1 = c,b,d
auth_2 = a,c,z

Yes

And then it does something like:

if (entry.evaluateUsing(auth_0) && entry..evaluateUsing(auth_1) && entry..evaluateUsing(auth_2)) {
  return entry;
}

Is the idea to replace multiple executions of the iterator with a single one?

Yes

Instead, I think it might make sense to have a config that preserves the existing behavior, and extends the existing config:

auths = a,b,c;c,b,d;a,c,z

This is simpler, and backwards compatible. The description can be extended to say: "if multiple serialized sets are configured, separated by semi-colons, then entries are accepted only if they would be accepted by each of the sets independently"

I don't think we should do this. The semi-colon can be used in a quoted authorization.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants