Accumulo controls access to data in its tables in a number of ways: authentication, permissions, and authorizations.
These can be thought of as applying at two levels: authentication and permissions at the higher application and table level, and authorizations—which are used along with column visibilities—at the lower, key-value–pair level. Authentication relates to Accumulo users and how a user confirms its identity to Accumulo. Permissions control what operations Accumulo users are allowed to perform. Authorizations control which key-value pairs Accumulo users are allowed to see.
Accumulo provides the ability to create accounts, grant permissions, and grant authorizations. All of these mechanisms are pluggable, with their defaults being to store and retrieve user information in ZooKeeper. Custom security mechanisms are discussed in “Custom Authentication, Permissions, and Authorization”.
High-level security-related operations such as creating users and granting permissions and authorizations are carried out via the SecurityOperations object, obtained from a
Security operations can be logged to an audit log if Accumulo is configured to do so (see “Auditing Security Operations”).
Low-level key-value–pair security occurs naturally whenever Authorizations objects are used when reading and writing data.
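A small Python model of the key-value-pair check described above, added here as an illustration and not taken from Accumulo or from the original text: it evaluates a column visibility expression against the authorizations a scan carries. The function names and sample rows are constructed, and only unquoted visibility terms are handled.

```python
import re

# Simplification: unquoted terms only (real Accumulo also accepts quoted terms).
TOKEN = re.compile(r"[A-Za-z0-9_.:/-]+|[&|()]")

def parse(expr):
    """Return ('term', name) or (op, [children]) for a visibility expression."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != expr:
        raise ValueError(f"illegal character in {expr!r}")
    tokens.append(None)  # end-of-input marker
    def term():
        tok = tokens.pop(0)
        if tok == "(":
            node = expression()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok in (None, "&", "|", ")"):
            raise ValueError(f"expected a term, got {tok!r}")
        return ("term", tok)
    def expression():
        nodes, op = [term()], None
        while tokens[0] in ("&", "|"):
            if op not in (None, tokens[0]):
                raise ValueError("mixing & and | requires parentheses")
            op = tokens.pop(0)
            nodes.append(term())
        return nodes[0] if op is None else (op, nodes)
    tree = expression()
    if tokens != [None]:
        raise ValueError("unbalanced ')'")
    return tree

def visible(expr, auths):
    """True if a scan carrying `auths` may read a pair labelled `expr`."""
    def ev(kind, val):
        if kind == "term":
            return val in auths
        return (all if kind == "&" else any)(ev(*n) for n in val)
    return expr == "" or ev(*parse(expr))  # empty label: every scan sees it

def scan(entries, auths):
    """Filter (row, visibility, value) triples the way a scan would."""
    return [(row, val) for row, vis, val in entries if visible(vis, auths)]

# Constructed sample table: (row, column visibility, value)
ENTRIES = [("r1", "", "open"), ("r2", "admin", "a"),
           ("r3", "admin&audit", "b"), ("r4", "(admin&audit)|ops", "c")]
```

Scanning with no authorizations returns only the unlabelled pair, and an expression such as `a&b|c` is rejected because it mixes operators without parentheses.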
For any given set of security mechanisms, there are essentially ...