This is an automated email from the ASF dual-hosted git repository. mwalch pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/accumulo-website.git
The following commit(s) were added to refs/heads/asf-site by this push: new e345f11 Jekyll build from master:fe236f5 e345f11 is described below commit e345f110af0345751bfa0713a8caa0d8e4f18237 Author: Mike Walch <mwa...@apache.org> AuthorDate: Wed Nov 14 17:36:40 2018 -0500 Jekyll build from master:fe236f5 Merge pull request #129 from mikewalch/security Updated Security documentation --- docs/2.x/administration/caching.html | 6 +- docs/2.x/administration/fate.html | 6 +- docs/2.x/administration/in-depth-install.html | 6 +- docs/2.x/administration/monitoring-metrics.html | 6 +- docs/2.x/administration/multivolume.html | 6 +- docs/2.x/administration/replication.html | 6 +- docs/2.x/administration/scan-executors.html | 6 +- docs/2.x/administration/upgrading.html | 6 +- docs/2.x/configuration/client-properties.html | 6 +- docs/2.x/configuration/overview.html | 6 +- docs/2.x/configuration/server-properties.html | 6 +- docs/2.x/development/development_tools.html | 6 +- docs/2.x/development/high_speed_ingest.html | 6 +- docs/2.x/development/iterators.html | 6 +- docs/2.x/development/mapreduce.html | 14 ++- docs/2.x/development/proxy.html | 6 +- docs/2.x/development/sampling.html | 6 +- docs/2.x/development/summaries.html | 6 +- docs/2.x/getting-started/clients.html | 19 +-- docs/2.x/getting-started/design.html | 6 +- docs/2.x/getting-started/features.html | 8 +- docs/2.x/getting-started/glossary.html | 6 +- docs/2.x/getting-started/quick-install.html | 6 +- docs/2.x/getting-started/shell.html | 6 +- docs/2.x/getting-started/table_configuration.html | 8 +- docs/2.x/getting-started/table_design.html | 8 +- .../{overview.html => authentication.html} | 135 +++++++++++++-------- .../security/{labels.html => authorizations.html} | 71 +++++++---- docs/2.x/security/kerberos.html | 58 ++++----- docs/2.x/security/on-disk-encryption.html | 6 +- docs/2.x/security/overview.html | 66 ++++------ .../security/{overview.html => permissions.html} | 97 ++++++++------- 
docs/2.x/security/wire-encryption.html | 6 +- docs/2.x/troubleshooting/advanced.html | 6 +- docs/2.x/troubleshooting/basic.html | 6 +- docs/2.x/troubleshooting/performance.html | 6 +- .../troubleshooting/system-metadata-tables.html | 6 +- docs/2.x/troubleshooting/tools.html | 6 +- docs/2.x/troubleshooting/tracing.html | 6 +- feed.xml | 4 +- redirects.json | 2 +- search_data.json | 40 ++++-- 42 files changed, 452 insertions(+), 252 deletions(-) diff --git a/docs/2.x/administration/caching.html b/docs/2.x/administration/caching.html index 2d7a6bd..058eed4 100644 --- a/docs/2.x/administration/caching.html +++ b/docs/2.x/administration/caching.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/administration/fate.html b/docs/2.x/administration/fate.html index e276780..a578245 100644 --- a/docs/2.x/administration/fate.html +++ b/docs/2.x/administration/fate.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/administration/in-depth-install.html b/docs/2.x/administration/in-depth-install.html index 1af2fa5..8fd8760 100644 --- a/docs/2.x/administration/in-depth-install.html +++ b/docs/2.x/administration/in-depth-install.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/administration/monitoring-metrics.html b/docs/2.x/administration/monitoring-metrics.html index 922fb39..405efd7 100644 --- a/docs/2.x/administration/monitoring-metrics.html +++ b/docs/2.x/administration/monitoring-metrics.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/administration/multivolume.html b/docs/2.x/administration/multivolume.html index fd9d699..10c79b1 100644 --- a/docs/2.x/administration/multivolume.html +++ b/docs/2.x/administration/multivolume.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/administration/replication.html b/docs/2.x/administration/replication.html index f2ea870..f7eba4b 100644 --- a/docs/2.x/administration/replication.html +++ b/docs/2.x/administration/replication.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/administration/scan-executors.html b/docs/2.x/administration/scan-executors.html index 391d998..e8df1e0 100644 --- a/docs/2.x/administration/scan-executors.html +++ b/docs/2.x/administration/scan-executors.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/administration/upgrading.html b/docs/2.x/administration/upgrading.html index 0debcbb..af23c61 100644 --- a/docs/2.x/administration/upgrading.html +++ b/docs/2.x/administration/upgrading.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/configuration/client-properties.html b/docs/2.x/configuration/client-properties.html index dc232cc..13daa4d 100644 --- a/docs/2.x/configuration/client-properties.html +++ b/docs/2.x/configuration/client-properties.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/configuration/overview.html b/docs/2.x/configuration/overview.html index 8689e9c..9e3df31 100644 --- a/docs/2.x/configuration/overview.html +++ b/docs/2.x/configuration/overview.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/configuration/server-properties.html b/docs/2.x/configuration/server-properties.html index 41600ee..ca74062 100644 --- a/docs/2.x/configuration/server-properties.html +++ b/docs/2.x/configuration/server-properties.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/development/development_tools.html b/docs/2.x/development/development_tools.html index 76879e4..91d6528 100644 --- a/docs/2.x/development/development_tools.html +++ b/docs/2.x/development/development_tools.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/development/high_speed_ingest.html b/docs/2.x/development/high_speed_ingest.html index 5edf92a..6b51ac6 100644 --- a/docs/2.x/development/high_speed_ingest.html +++ b/docs/2.x/development/high_speed_ingest.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/development/iterators.html b/docs/2.x/development/iterators.html index 8676132..23b3fe9 100644 --- a/docs/2.x/development/iterators.html +++ b/docs/2.x/development/iterators.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/development/mapreduce.html b/docs/2.x/development/mapreduce.html index 76b06cf..3f971d2 100644 --- a/docs/2.x/development/mapreduce.html +++ b/docs/2.x/development/mapreduce.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> 
@@ -471,8 +475,8 @@ options.</p> <p>The following code shows how to set up Accumulo</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Job</span> <span class="n">job</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Job</span><span class="o">(</span><span class="n">getConf</span><span class="o">());</span> -<span class="n">ClientInfo</span> <span class="n">info</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">().</span><span class="na">forInstance</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span><span class="s">"zoo1,zoo2"</span><span class="o">)</span> - <span class="o">.</span><span class="na">usingPassword</span><span class="o">(</span><span class="s">"user"</span><span class="o">,</span> <span class="s">"passwd"</span><span class="o">).</span><span class="na">info</span><span class="o">()</span> +<span class="n">ClientInfo</span> <span class="n">info</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">().</span><span class="na">to</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span><span class="s">"zoo1,zoo2"</span><span class="o">)</span> + <span class="o">.</span><span class="na">as</span><span class="o">(</span><span class="s">"user"</span><span class="o">,</span> <span class="s">"passwd"</span><span class="o">).</span><span class="na">info</span><span class="o">()</span> <span class="n">AccumuloInputFormat</span><span class="o">.</span><span class="na">setClientInfo</span><span class="o">(</span><span class="n">job</span><span class="o">,</span> <span class="n">info</span><span class="o">);</span> <span class="n">AccumuloInputFormat</span><span class="o">.</span><span class="na">setInputTableName</span><span 
class="o">(</span><span class="n">job</span><span class="o">,</span> <span class="n">table</span><span class="o">);</span> <span class="n">AccumuloInputFormat</span><span class="o">.</span><span class="na">setScanAuthorizations</span><span class="o">(</span><span class="n">job</span><span class="o">,</span> <span class="k">new</span> <span class="n">Authorizations</span><span class="o">());</span> 
@@ -561,8 +565,8 @@ used for each table.</p> <h2 id="accumulooutputformat-options">AccumuloOutputFormat options</h2> -<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ClientInfo</span> <span class="n">info</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">().</span><span class="na">forInstance</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span><span class="s">"zoo1,zoo2"</span><span class="o">)</span> - <span class="o">.</span><span class="na">usingPassword</span><span class="o">(</span><span class="s">"user"</span><span class="o">,</span> <span class="s">"passwd"</span><span class="o">).</span><span class="na">info</span><span class="o">()</span> +<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ClientInfo</span> <span class="n">info</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">().</span><span class="na">to</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span><span class="s">"zoo1,zoo2"</span><span class="o">)</span> + <span class="o">.</span><span class="na">as</span><span class="o">(</span><span class="s">"user"</span><span class="o">,</span> <span class="s">"passwd"</span><span class="o">).</span><span class="na">info</span><span class="o">()</span> <span class="n">AccumuloOutputFormat</span><span class="o">.</span><span class="na">setClientInfo</span><span class="o">(</span><span class="n">job</span><span class="o">,</span> <span class="n">info</span><span class="o">);</span> <span class="n">AccumuloOutputFormat</span><span class="o">.</span><span class="na">setDefaultTableName</span><span class="o">(</span><span class="n">job</span><span class="o">,</span> <span 
class="s">"mytable"</span><span class="o">);</span> </code></pre></div></div> diff --git a/docs/2.x/development/proxy.html b/docs/2.x/development/proxy.html index 6b90089..4ba007a 100644 --- a/docs/2.x/development/proxy.html +++ b/docs/2.x/development/proxy.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/development/sampling.html b/docs/2.x/development/sampling.html index d4b9d61..bfbd6c9 100644 --- a/docs/2.x/development/sampling.html +++ b/docs/2.x/development/sampling.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/development/summaries.html b/docs/2.x/development/summaries.html index cb41925..5c86a50 100644 --- a/docs/2.x/development/summaries.html +++ b/docs/2.x/development/summaries.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/getting-started/clients.html b/docs/2.x/getting-started/clients.html index 87251d2..35c21f7 100644 --- a/docs/2.x/getting-started/clients.html +++ b/docs/2.x/getting-started/clients.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> 
@@ -454,13 +458,13 @@ of the following methods:</p> <li>Using the <code class="highlighter-rouge">accumulo-client.properties</code> file (a template can be found in the <code class="highlighter-rouge">conf/</code> directory of the tarball distribution): <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">()</span> - <span class="o">.</span><span class="na">usingProperties</span><span class="o">(</span><span class="s">"/path/to/accumulo-client.properties"</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> + <span class="o">.</span><span class="na">from</span><span class="o">(</span><span class="s">"/path/to/accumulo-client.properties"</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> </code></pre></div> </div> </li> <li>Using the builder methods of <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/AccumuloClient.html">AccumuloClient</a>: <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">()</span> - <span class="o">.</span><span class="na">forInstance</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span> <span class="s">"zookeeper1,zookeeper2"</span><span class="o">)</span> - <span class="o">.</span><span class="na">usingPassword</span><span class="o">(</span><span class="s">"myuser"</span><span class="o">,</span> <span class="s">"mypassword"</span><span class="o">).</span><span class="na">build</span><span 
class="o">();</span> + <span class="o">.</span><span class="na">to</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span> <span class="s">"zookeeper1,zookeeper2"</span><span class="o">)</span> + <span class="o">.</span><span class="na">as</span><span class="o">(</span><span class="s">"myuser"</span><span class="o">,</span> <span class="s">"mypassword"</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> </code></pre></div> </div> </li> <li>Using a Java Properties object. 
@@ -470,7 +474,7 @@ of the tarball distribution): <span class="n">props</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"auth.type"</span><span class="o">,</span> <span class="s">"password"</span><span class="o">)</span> <span class="n">props</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"auth.principal"</span><span class="o">,</span> <span class="s">"myuser"</span><span class="o">)</span> <span class="n">props</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"auth.token"</span><span class="o">,</span> <span class="s">"mypassword"</span><span class="o">)</span> - <span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">().</span><span class="na">usingProperties</span><span class="o">(</span><span class="n">props</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> + <span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">().</span><span class="na">from</span><span class="o">(</span><span class="n">props</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> </code></pre></div> </div> </li> </ol> 
@@ -541,9 +545,8 @@ requires external setup and additional configuration, but provides a single poin through HDFS, YARN and ZooKeeper and allowing for password-less authentication with Accumulo.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">KerberosToken</span> <span class="n">token</span> <span class="o">=</span> <span class="k">new</span> <span class="n">KerberosToken</span><span class="o">();</span> - <span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">()</span> - <span class="o">.</span><span class="na">forInstance</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span> <span class="s">"zookeeper1,zookeper2"</span><span class="o">)</span> - <span class="o">.</span><span class="na">usingToken</span><span class="o">(</span><span class="n">token</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">(),</span> <span class="n">token</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> + <span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">().</span><span class="na">to</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span> <span class="s">"zookeeper1,zookeper2"</span><span class="o">)</span> + <span class="o">.</span><span class="na">as</span><span class="o">(</span><span class="n">token</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">(),</span> <span class="n">token</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> </code></pre></div> </div> </li> </ol> 
diff --git a/docs/2.x/getting-started/design.html b/docs/2.x/getting-started/design.html index 2dde00c..f4f46e8 100644 --- a/docs/2.x/getting-started/design.html +++ b/docs/2.x/getting-started/design.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/getting-started/features.html b/docs/2.x/getting-started/features.html index 80ba903..2a8dc1d 100644 --- a/docs/2.x/getting-started/features.html +++ b/docs/2.x/getting-started/features.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> 
@@ -445,7 +449,7 @@ written to disk) that happen in the tablet server.</p> <h3 id="security-labels">Security labels</h3> -<p>Accumulo Keys can contain a <a href="/docs/2.x/security/labels">security label</a> +<p>Accumulo Keys can contain a <a href="/docs/2.x/security/authorizations#security-labels">security label</a> (called a Column Visibility) that enables expressive cell-level access control. Authorizations are passed with each query to control what data is returned to the user. Column visibilities support boolean <code class="highlighter-rouge">AND</code> and <code class="highlighter-rouge">OR</code> combinations of arbitrary strings (such diff --git a/docs/2.x/getting-started/glossary.html b/docs/2.x/getting-started/glossary.html index f0e8bf3..a15922c 100644 --- a/docs/2.x/getting-started/glossary.html +++ b/docs/2.x/getting-started/glossary.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/getting-started/quick-install.html b/docs/2.x/getting-started/quick-install.html index d970ef4..4377376 100644 --- a/docs/2.x/getting-started/quick-install.html +++ b/docs/2.x/getting-started/quick-install.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/getting-started/shell.html b/docs/2.x/getting-started/shell.html index 369106e..80fc959 100644 --- a/docs/2.x/getting-started/shell.html +++ b/docs/2.x/getting-started/shell.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/getting-started/table_configuration.html b/docs/2.x/getting-started/table_configuration.html index 7b449c3..ec624be 100644 --- a/docs/2.x/getting-started/table_configuration.html +++ b/docs/2.x/getting-started/table_configuration.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> 
@@ -453,7 +457,7 @@ user@myinstance mytable> getgroups -t mytable <h3 id="managing-locality-groups-via-the-client-api">Managing Locality Groups via the Client API</h3> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">()</span> - <span class="o">.</span><span class="na">usingProperties</span><span class="o">(</span><span class="s">"/path/to/accumulo-client.properties"</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> + <span class="o">.</span><span class="na">from</span><span class="o">(</span><span class="s">"/path/to/accumulo-client.properties"</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> <span class="n">HashMap</span><span class="o"><</span><span class="n">String</span><span class="o">,</span><span class="n">Set</span><span class="o"><</span><span class="n">Text</span><span class="o">>></span> <span class="n">localityGroups</span> <span class="o">=</span> <span class="k">new</span> <span class="n">HashMap</span><span class="o"><</span><span class="n">String</span><span class="o">,</span> <span class="n">Set</span><span class="o"><</span><span class="n"> [...] diff --git a/docs/2.x/getting-started/table_design.html b/docs/2.x/getting-started/table_design.html index 67bfdca..0d1e3a5 100644 --- a/docs/2.x/getting-started/table_design.html +++ b/docs/2.x/getting-started/table_design.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> 
@@ -451,7 +455,7 @@ name in the column family, and a blank column qualifier:</p> userid as the range of a scanner and fetching specific columns:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">()</span> - <span class="o">.</span><span class="na">usingProperties</span><span class="o">(</span><span class="s">"/path/to/accumulo-client.properties"</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> + <span class="o">.</span><span class="na">from</span><span class="o">(</span><span class="s">"/path/to/accumulo-client.properties"</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> <span class="n">Range</span> <span class="n">r</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Range</span><span class="o">(</span><span class="n">userid</span><span class="o">,</span> <span class="n">userid</span><span class="o">);</span> <span class="c1">// single row</span> <span class="n">Scanner</span> <span class="n">s</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="na">createScanner</span><span class="o">(</span><span class="s">"userdata"</span><span class="o">,</span> <span class="n">auths</span><span class="o">);</span> <span class="n">s</span><span class="o">.</span><span class="na">setRange</span><span class="o">(</span><span class="n">r</span><span class="o">);</span> diff --git a/docs/2.x/security/overview.html b/docs/2.x/security/authentication.html similarity index 74% copy from docs/2.x/security/overview.html copy to docs/2.x/security/authentication.html index d97c5ff..27fa8c1 100644 --- a/docs/2.x/security/overview.html +++ b/docs/2.x/security/authentication.html 
@@ -25,7 +25,7 @@ <link rel="stylesheet" type="text/css" href="https://cdn.datatables.net/v/bs/jq-2.2.3/dt-1.10.12/datatables.min.css"> <link href="/css/accumulo.css" rel="stylesheet" type="text/css"> -<title>Accumulo Documentation - Security Overview</title> +<title>Accumulo Documentation - Authentication</title> <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script> @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> 
@@ -412,76 +416,111 @@ </div> <div class="col-md-9"> - <p>Accumulo 2.x Documentation >> Security >> Security Overview</p> + <p>Accumulo 2.x Documentation >> Security >> Authentication</p> <div class="alert alert-danger" style="margin-bottom: 0px;" role="alert">This documentation is for a future release of Accumulo! <a href="/1.9/accumulo_user_manual.html">View documentation for the latest release</a>.</div> <div class="row"> - <div class="col-md-10"><h1>Security Overview</h1></div> - <div class="col-md-2"><a class="pull-right" style="margin-top: 25px;" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/overview.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> + <div class="col-md-10"><h1>Authentication</h1></div> + <div class="col-md-2"><a class="pull-right" style="margin-top: 25px;" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/authentication.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> </div> - <p>This page provides an overview of Accumulo’s security features.</p> + <p>Accumulo has authentication to verify the identity of users.</p> + +<h2 id="configuration">Configuration</h2> + +<p>Accumulo can be configured to use different authentication methods:</p> -<p>A few Accumulo security features have on their own documentation page:</p> +<table> + <thead> + <tr> + <th>Method</th> + <th>Setting for <a href="/docs/2.x/configuration/server-properties#instance_security_authenticator">instance.security.authenticator</a></th> + </tr> + </thead> + <tbody> + <tr> + <td>Password <strong>(default)</strong></td> + <td><a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/ZKAuthenticator.html">org.apache.accumulo.server.security.handler.ZKAuthenticator</a></td> + </tr> + <tr> + <td><a href="/docs/2.x/security/kerberos">Kerberos</a></td> + 
<td><a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/KerberosAuthenticator.html">org.apache.accumulo.server.security.handler.KerberosAuthenticator</a></td> + </tr> + </tbody> +</table> -<ul> - <li><a href="/docs/2.x/security/labels">Security Labels</a></li> - <li><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></li> - <li><a href="/docs/2.x/security/wire-encryption">Wire Encryption</a></li> - <li><a href="/docs/2.x/security/kerberos">Kerberos</a></li> -</ul> +<p>All authentication methods implement <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/Authenticator.html">Authenticator</a>. The default (password-based) implementation method is described in this document.</p> -<h2 id="pluggable-security">Pluggable Security</h2> +<h2 id="root-user">Root user</h2> -<p>Accumulo has a pluggable security mechanism. It can be broken into three actions: authentication, -authorization, and permission handling.</p> +<p>When <a href="/docs/2.x/getting-started/quick-install#initialization">Accumulo is initialized</a>, a <code class="highlighter-rouge">root</code> user is created and given +a password. This <code class="highlighter-rouge">root</code> user is used to create other users.</p> -<p>Authentication verifies the identity of a user. In Accumulo, authentication occurs when -the <code class="highlighter-rouge">usingToken'</code> method of the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/AccumuloClient.html">AccumuloClient</a> builder is called with a principal (i.e username) -and an <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/AuthenticationToken.html">AuthenticationToken</a> which is an interface with multiple implementations. 
The most -common implementation is <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/PasswordToken.html">PasswordToken</a> which is the default authentication method for Accumulo -out of the box.</p> +<h2 id="creating-users">Creating users</h2> -<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">()</span> - <span class="o">.</span><span class="na">forInstance</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span> <span class="s">"zookeeper1,zookeper2"</span><span class="o">)</span> - <span class="o">.</span><span class="na">usingToken</span><span class="o">(</span><span class="s">"user"</span><span class="o">,</span> <span class="k">new</span> <span class="n">PasswordToken</span><span class="o">(</span><span class="s">"passwd"</span><span class="o">)).</span><span class="na">build</span><span class="o">();</span> +<p>Users can be created in the shell:</p> + +<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@uno> createuser bob +Enter new password for 'bob': **** +Please confirm new password for 'bob': **** </code></pre></div></div> -<p>Once a user is authenticated by the Authenticator, the user has access to the other actions within -Accumulo. All actions in Accumulo are ACLed, and this ACL check is handled by the Permission -Handler. This is what manages all of the permissions, which are divided in system and per table -level. 
From there, if a user is doing an action which requires authorizations, the Authorizor is -queried to determine what authorizations the user has.</p> +<p>In the Java API using <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/admin/SecurityOperations.html">SecurityOperations</a>:</p> + +<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">securityOperations</span><span class="o">().</span><span class="na">createLocalUser</span><span class="o">(</span><span class="s">"bob"</span><span class="o">,</span> <span class="k">new</span> <span class="n">PasswordToken</span><span class="o">(</span><span class="s">"pass"</span><span class="o">));</span> +</code></pre></div></div> -<p>This setup allows a variety of different mechanisms to be used for handling different aspects of -Accumulo’s security. A system like Kerberos can be used for authentication, then a system like LDAP -could be used to determine if a user has a specific permission, and then it may default back to the -default ZookeeperAuthorizor to determine what Authorizations a user is ultimately allowed to use. 
-This is a pluggable system so custom components can be created depending on your need.</p> +<h2 id="authenticating-users">Authenticating users</h2> -<h2 id="secure-authorizations-handling">Secure Authorizations Handling</h2> +<p>Users are authenticated when they <a href="/docs/2.x/getting-started/clients#creating-an-accumulo-client">create an Accumulo client</a> +or when the log in to the <a href="/docs/2.x/getting-started/shell">Accumulo shell</a>.</p> + +<p>Authentication can also be tested in the shell:</p> + +<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@myinstance mytable> authenticate bob +Enter current password for 'bob': **** +Valid +</code></pre></div></div> + +<p>In the Java API using <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/admin/SecurityOperations.html">SecurityOperations</a>:</p> + +<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">boolean</span> <span class="n">valid</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="na">securityOperations</span><span class="o">().</span><span class="na">authenticateUser</span><span class="o">(</span><span class="s">"bob"</span><span class="o">,</span> <span class="k">new</span> <span class="n">PasswordToken</span><span cl [...] +</code></pre></div></div> -<p>For applications serving many users, it is not expected that an Accumulo user -will be created for each application user. In this case an Accumulo user with -all authorizations needed by any of the applications users must be created. To -service queries, the application should create a scanner with the application -user’s authorizations. 
These authorizations could be obtained from a trusted 3rd -party.</p> +<h2 id="changing-user-passwords">Changing user passwords</h2> -<p>Often production systems will integrate with Public-Key Infrastructure (PKI) and -designate client code within the query layer to negotiate with PKI servers in order -to authenticate users and retrieve their authorization tokens (credentials). This -requires users to specify only the information necessary to authenticate themselves -to the system. Once user identity is established, their credentials can be accessed by -the client code and passed to Accumulo outside of the reach of the user.</p> +<p>A user’s password can changed be in the shell:</p> + +<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@uno> passwd -u bob +Enter current password for 'root': ****** +Enter new password for 'bob': *** +</code></pre></div></div> + +<p>In the Java API using <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/admin/SecurityOperations.html">SecurityOperations</a>:</p> + +<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">securityOperations</span><span class="o">().</span><span class="na">changeLocalUserPassword</span><span class="o">(</span><span class="s">"bob"</span><span class="o">,</span> <span class="k">new</span> <span class="n">PasswordToken</span><span class="o">(</span><span class="s">"pass"</span><span class="o">));</span> +</code></pre></div></div> + +<h2 id="removing-users">Removing users</h2> + +<p>Users can be removed in the shell:</p> + +<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@uno> dropuser bob +dropuser { bob } (yes|no)? 
yes +</code></pre></div></div> + +<p>In the Java API using <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/admin/SecurityOperations.html">SecurityOperations</a>:</p> + +<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">securityOperations</span><span class="o">().</span><span class="na">dropLocalUser</span><span class="o">(</span><span class="s">"bob"</span><span class="o">);</span> +</code></pre></div></div> <div class="row" style="margin-top: 20px;"> <div class="col-md-10"><strong>Find documentation for all releases in the <a href="/docs-archive">archive</strong></div> - <div class="col-md-2"><a class="pull-right" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/overview.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> + <div class="col-md-2"><a class="pull-right" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/authentication.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> </div> </div> </div> diff --git a/docs/2.x/security/labels.html b/docs/2.x/security/authorizations.html similarity index 82% rename from docs/2.x/security/labels.html rename to docs/2.x/security/authorizations.html index 3e531bb..84fd196 100644 --- a/docs/2.x/security/labels.html +++ b/docs/2.x/security/authorizations.html 
@@ -25,7 +25,7 @@ <link rel="stylesheet" type="text/css" href="https://cdn.datatables.net/v/bs/jq-2.2.3/dt-1.10.12/datatables.min.css"> <link href="/css/accumulo.css" rel="stylesheet" type="text/css"> -<title>Accumulo Documentation - Security Labels</title> +<title>Accumulo Documentation - Authorizations</title> <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script> @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> 
@@ -412,41 +416,46 @@ </div> <div class="col-md-9"> - <p>Accumulo 2.x Documentation >> Security >> Security Labels</p> + <p>Accumulo 2.x Documentation >> Security >> Authorizations</p> <div class="alert alert-danger" style="margin-bottom: 0px;" role="alert">This documentation is for a future release of Accumulo! <a href="/1.9/accumulo_user_manual.html">View documentation for the latest release</a>.</div> <div class="row"> - <div class="col-md-10"><h1>Security Labels</h1></div> - <div class="col-md-2"><a class="pull-right" style="margin-top: 25px;" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/labels.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> + <div class="col-md-10"><h1>Authorizations</h1></div> + <div class="col-md-2"><a class="pull-right" style="margin-top: 25px;" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/authorizations.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> </div> - <p>Every <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/data/Key.html">Key</a>-<a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/data/Value.html">Value</a> pair in Accumulo has its own security label, stored under the column visibility + <p>In Accumulo, data is written with <a href="/docs/2.x/security/authorizations#security-labels">security labels</a> that limit access to only users with the proper +<a href="/docs/2.x/security/authorizations#authorizations">authorizations</a>.</p> + +<h2 id="configuration">Configuration</h2> + +<p>Accumulo’s <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/Authorizor.html">Authorizor</a> is configured by setting <a 
href="/docs/2.x/configuration/server-properties#instance_security_authorizer">instance.security.authorizer</a>. The default +authorizor is described below.</p> + +<h2 id="security-labels">Security Labels</h2> + +<p>Every <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/data/Key.html">Key</a>-<a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/data/Value.html">Value</a> pair in Accumulo has its own security label, stored under the column visibility element of the key, which is used to determine whether a given user meets the security requirements to read the value. This enables data of various security levels to be stored within the same row, and users of varying degrees of access to query the same table, while preserving data confidentiality.</p> -<h2 id="security-label-expressions">Security Label Expressions</h2> +<h3 id="writing-labeled-data">Writing labeled data</h3> -<p>When mutations are applied, users can specify a security label for each value. 
This is -done as the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/data/Mutation.html">Mutation</a> is created by passing a <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/security/ColumnVisibility.html">ColumnVisibility</a> object to the put() -method:</p> +<p>When <a href="/docs/2.x/getting-started/clients#writing-data">writing data to Accumulo</a>, users can +specify a security label for each value by passing a [ColumnVisibilty] to the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/data/Mutation.html">Mutation</a>.</p> -<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Text</span> <span class="n">rowID</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Text</span><span class="o">(</span><span class="s">"row1"</span><span class="o">);</span> -<span class="n">Text</span> <span class="n">colFam</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Text</span><span class="o">(</span><span class="s">"myColFam"</span><span class="o">);</span> -<span class="n">Text</span> <span class="n">colQual</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Text</span><span class="o">(</span><span class="s">"myColQual"</span><span class="o">);</span> -<span class="n">ColumnVisibility</span> <span class="n">colVis</span> <span class="o">=</span> <span class="k">new</span> <span class="n">ColumnVisibility</span><span class="o">(</span><span class="s">"public"</span><span class="o">);</span> -<span class="kt">long</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">System</span><span class="o">.</span><span class="na">currentTimeMillis</span><span class="o">();</span> - -<span class="n">Value</span> <span class="n">value</span> <span 
class="o">=</span> <span class="k">new</span> <span class="n">Value</span><span class="o">(</span><span class="s">"myValue"</span><span class="o">);</span> - -<span class="n">Mutation</span> <span class="n">mutation</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Mutation</span><span class="o">(</span><span class="n">rowID</span><span class="o">);</span> -<span class="n">mutation</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="n">colFam</span><span class="o">,</span> <span class="n">colQual</span><span class="o">,</span> <span class="n">colVis</span><span class="o">,</span> <span class="n">timestamp</span><span class="o">,</span> <span class="n">value</span><span class="o">);</span> +<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">try</span> <span class="o">(</span><span class="n">BatchWriter</span> <span class="n">writer</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="na">createBatchWriter</span><span class="o">(</span><span class="s">"employees"</span><span class="o">))</span> <span class="o">{</span> + <span class="n">Mutation</span> <span class="n">mut</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Mutation</span><span class="o">(</span><span class="s">"employee1"</span><span class="o">);</span> + <span class="n">mut</span><span class="o">.</span><span class="na">at</span><span class="o">().</span><span class="na">family</span><span class="o">(</span><span class="s">"pay"</span><span class="o">).</span><span class="na">qualifier</span><span class="o">(</span><span class="s">"salary"</span><span class="o">).</span><span class="na">visibility</span><span class="o">(</span><span class="s">"payroll"</span><span class="o">).</span><span class="na">value</span><span class="o">(</span> [...] 
+ <span class="n">mut</span><span class="o">.</span><span class="na">at</span><span class="o">().</span><span class="na">family</span><span class="o">(</span><span class="s">"pay"</span><span class="o">).</span><span class="na">qualifier</span><span class="o">(</span><span class="s">"period"</span><span class="o">).</span><span class="na">visibility</span><span class="o">(</span><span class="s">"public"</span><span class="o">).</span><span class="na">value</span><span class="o">(</span>< [...] + <span class="n">writer</span><span class="o">.</span><span class="na">addMutation</span><span class="o">(</span><span class="n">mut</span><span class="o">)</span> +<span class="o">}</span> </code></pre></div></div> -<h2 id="security-label-expression-syntax">Security Label Expression Syntax</h2> +<h3 id="security-label-expression-syntax">Security Label Expression Syntax</h3> <p>Security labels consist of a set of user-defined tokens that are required to read the value the label is associated with. The set of tokens required can be specified using @@ -501,7 +510,7 @@ results sent back to the client.</p> <span class="n">Scanner</span> <span class="n">s</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="na">createScanner</span><span class="o">(</span><span class="s">"table"</span><span class="o">,</span> <span class="n">auths</span><span class="o">);</span> </code></pre></div></div> -<h2 id="user-authorizations">User Authorizations</h2> +<h3 id="user-authorizations">User Authorizations</h3> <p>Each Accumulo user has a set of associated security labels. To manipulate these in the <a href="/docs/2.x/getting-started/shell">Accumulo shell</a>, use the <code class="highlighter-rouge">setuaths</code> and <code class="highlighter-rouge">getauths</code> commands. They can be 
@@ -525,11 +534,27 @@ conflict with any existing constraints.</p> This constraint is not applied to bulk imported data, if this a concern then disable the bulk import permission.</p> +<h3 id="advanced-authorizations-handling">Advanced Authorizations Handling</h3> + +<p>For applications serving many users, it is not expected that an Accumulo user +will be created for each application user. In this case an Accumulo user with +all authorizations needed by any of the applications users must be created. To +service queries, the application should create a scanner with the application +user’s authorizations. These authorizations could be obtained from a trusted 3rd +party.</p> + +<p>Often production systems will integrate with Public-Key Infrastructure (PKI) and +designate client code within the query layer to negotiate with PKI servers in order +to authenticate users and retrieve their authorization tokens (credentials). This +requires users to specify only the information necessary to authenticate themselves +to the system. Once user identity is established, their credentials can be accessed by +the client code and passed to Accumulo outside of the reach of the user.</p> + <div class="row" style="margin-top: 20px;"> <div class="col-md-10"><strong>Find documentation for all releases in the <a href="/docs-archive">archive</strong></div> - <div class="col-md-2"><a class="pull-right" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/labels.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> + <div class="col-md-2"><a class="pull-right" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/authorizations.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> </div> </div> </div> diff --git a/docs/2.x/security/kerberos.html b/docs/2.x/security/kerberos.html index 2b5fa15..a0f9bf3 100644 --- a/docs/2.x/security/kerberos.html 
+++ b/docs/2.x/security/kerberos.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> 
@@ -558,55 +562,55 @@ in <code class="highlighter-rouge">accumulo.properties</code>.</p> <thead> <tr> <th>Key</th> - <th>Default Value</th> + <th>Suggested Value</th> <th>Description</th> </tr> </thead> <tbody> <tr> - <td>general.kerberos.keytab</td> + <td><a href="/docs/2.x/configuration/server-properties#general_kerberos_keytab">general.kerberos.keytab</a></td> <td>/etc/security/keytabs/accumulo.service.keytab</td> <td>The path to the keytab for Accumulo on local filesystem. Change the value to the actual path on your system.</td> </tr> <tr> - <td>general.kerberos.principal</td> + <td><a href="/docs/2.x/configuration/server-properties#general_kerberos_principal">general.kerberos.principal</a></td> <td>accumulo/_HOST@REALM</td> <td>The Kerberos principal for Accumulo, needs to match the keytab. “_HOST” can be used instead of the actual hostname in the principal and will be automatically expanded to the current FQDN which reduces the configuration file burden.</td> </tr> <tr> - <td>instance.rpc.sasl.enabled</td> + <td><a href="/docs/2.x/configuration/server-properties#instance_rpc_sasl_enabled">instance.rpc.sasl.enabled</a></td> <td>true</td> <td>Enables SASL for the Thrift Servers (supports GSSAPI)</td> </tr> <tr> - <td>rpc.sasl.qop</td> + <td><a href="/docs/2.x/configuration/server-properties#rpc_sasl_qop">rpc.sasl.qop</a></td> <td>auth</td> <td>One of “auth”, “auth-int”, or “auth-conf”. These map to the SASL defined properties for quality of protection. “auth” is authentication only. “auth-int” is authentication and data integrity. 
“auth-conf” is authentication, data integrity and confidentiality.</td> </tr> <tr> - <td>instance.security.authenticator</td> - <td>org.apache.accumulo.server.security.handler.KerberosAuthenticator</td> + <td><a href="/docs/2.x/configuration/server-properties#instance_security_authenticator">instance.security.authenticator</a></td> + <td><a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/KerberosAuthenticator.html">org.apache.accumulo.server.security.handler.KerberosAuthenticator</a></td> <td>Configures Accumulo to use the Kerberos principal as the Accumulo username/principal</td> </tr> <tr> - <td>instance.security.authorizor</td> - <td>org.apache.accumulo.server.security.handler.KerberosAuthorizor</td> + <td><a href="/docs/2.x/configuration/server-properties#instance_security_authorizor">instance.security.authorizor</a></td> + <td><a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/KerberosAuthorizor.html">org.apache.accumulo.server.security.handler.KerberosAuthorizor</a></td> <td>Configures Accumulo to use the Kerberos principal for authorization purposes</td> </tr> <tr> - <td>instance.security.permissionHandler</td> - <td>org.apache.accumulo.server.security.handler.KerberosPermissionHandler</td> + <td><a href="/docs/2.x/configuration/server-properties#instance_security_permissionHandler">instance.security.permissionHandler</a></td> + <td><a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/KerberosPermissionHandler.html">org.apache.accumulo.server.security.handler.KerberosPermissionHandler</a></td> <td>Configures Accumulo to use the Kerberos principal for permission purposes</td> </tr> <tr> - <td>trace.token.type</td> - <td>org.apache.accumulo.core.client.security.tokens.KerberosToken</td> - <td>Configures the Accumulo 
Tracer to use the KerberosToken for authentication when serializing traces to the trace table.</td> + <td><a href="/docs/2.x/configuration/server-properties#trace_token_type">trace.token.type</a></td> + <td><a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/KerberosToken.html">org.apache.accumulo.core.client.security.tokens.KerberosToken</a></td> + <td>Configures the Accumulo Tracer to use the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/KerberosToken.html">KerberosToken</a> for authentication when serializing traces to the trace table.</td> </tr> <tr> - <td>trace.user</td> + <td><a href="/docs/2.x/configuration/server-properties#trace_user">trace.user</a></td> <td>accumulo/_HOST@REALM</td> - <td>The tracer process needs valid credentials to serialize traces to Accumulo. While the other server processes are creating a SystemToken from the provided keytab and principal, we can still use a normal KerberosToken and the same keytab/principal to serialize traces. Like non-Kerberized instances, the table must be created and permissions granted to the trace.user. The same <code class="highlighter-rouge">_HOST</code> replacement is performed on this value, substituted the FQDN [...] + <td>The tracer process needs valid credentials to serialize traces to Accumulo. While the other server processes are creating a SystemToken from the provided keytab and principal, we can still use a normal <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/KerberosToken.html">KerberosToken</a> and the same keytab/principal to serialize traces. Like non-Kerberized instances, the table must be created and [...] </tr> <tr> <td>trace.token.property.keytab</td> 
@@ -614,12 +618,12 @@ in <code class="highlighter-rouge">accumulo.properties</code>.</p> <td>You can optionally specify the path to a keytab file for the principal given in the <code class="highlighter-rouge">trace.user</code> property. If you don’t set this path, it will default to the value given in <code class="highlighter-rouge">general.kerberos.principal</code>.</td> </tr> <tr> - <td>general.delegation.token.lifetime</td> + <td><a href="/docs/2.x/configuration/server-properties#general_delegation_token_lifetime">general.delegation.token.lifetime</a></td> <td>7d</td> <td>The length of time that the server-side secret used to create delegation tokens is valid. After a server-side secret expires, a delegation token created with that secret is no longer valid.</td> </tr> <tr> - <td>general.delegation.token.update.interval</td> + <td><a href="/docs/2.x/configuration/server-properties#general_delegation_token_update_interval">general.delegation.token.update.interval</a></td> <td>1d</td> <td>The frequency in which new server-side secrets should be generated to create delegation tokens for clients. Generating new secrets reduces the likelihood of cryptographic attacks.</td> </tr> 
@@ -640,7 +644,7 @@ by adding the JVM system property <code class="highlighter-rouge">-Djava.securit <h4 id="kerberosauthenticator">KerberosAuthenticator</h4> -<p>The <code class="highlighter-rouge">KerberosAuthenticator</code> is an implementation of the pluggable security interfaces +<p>The <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/KerberosAuthenticator.html">KerberosAuthenticator</a> is an implementation of the pluggable security interfaces that Accumulo provides. It builds on top of what the default ZooKeeper-based implementation, but removes the need to create user accounts with passwords in Accumulo for clients. As long as a client has a valid Kerberos identity, they can connect to and interact with 
@@ -846,16 +850,16 @@ accumulo_ad...@example.com@MYACCUMULO> quit <h4 id="delegationtokens-with-mapreduce">DelegationTokens with MapReduce</h4> -<p>To use DelegationTokens in a custom MapReduce job, the user should create an <code class="highlighter-rouge">AccumuloClient</code> -using a <code class="highlighter-rouge">KerberosToken</code> and use it to call <code class="highlighter-rouge">SecurityOperations.getDelegationToken</code>. The -<code class="highlighter-rouge">DelegationToken</code> that is created can then be used to create a new client using this -delegation token. The <code class="highlighter-rouge">ClientInfo</code> object from this client can be passed into the MapReduce +<p>To use DelegationTokens in a custom MapReduce job, the user should create an <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/AccumuloClient.html">AccumuloClient</a> +using a <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/KerberosToken.html">KerberosToken</a> and use it to call <code class="highlighter-rouge">SecurityOperations.getDelegationToken</code>. The +<a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/DelegationToken.html">DelegationToken</a> that is created can then be used to create a new client using this +delegation token. The <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/ClientInfo.html">ClientInfo</a> object from this client can be passed into the MapReduce job. 
It is expected that the user launching the MapReduce job is already logged in via Kerberos via a keytab or via a locally-cached Kerberos ticket-granting-ticket (TGT).</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">KerberosToken</span> <span class="n">kt</span> <span class="o">=</span> <span class="k">new</span> <span class="n">KerberosToken</span><span class="o">();</span> -<span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">().</span><span class="na">forInstance</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span> <span class="s">"zoo1,zoo2"</span><span class="o">)</span> - <span class="o">.</span><span class="na">usingToken</span><span class="o">(</span><span class="n">principal</span><span class="o">,</span> <span class="n">kt</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> +<span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">().</span><span class="na">to</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span> <span class="s">"zoo1,zoo2"</span><span class="o">)</span> + <span class="o">.</span><span class="na">as</span><span class="o">(</span><span class="n">principal</span><span class="o">,</span> <span class="n">kt</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> <span class="n">DelegationToken</span> <span class="n">dt</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="na">securityOperations</span><span class="o">().</span><span class="na">getDelegationToken</span><span class="o">();</span> <span 
class="n">AccumuloClient</span> <span class="n">client2</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="na">changeUser</span><span class="o">(</span><span class="n">principal</span><span class="o">,</span> <span class="n">dt</span><span class="o">);</span> <span class="n">ClientInfo</span> <span class="n">info2</span> <span class="o">=</span> <span class="n">client2</span><span class="o">.</span><span class="na">info</span><span class="o">();</span> @@ -871,7 +875,7 @@ via a keytab or via a locally-cached Kerberos ticket-granting-ticket (TGT).</p> method. The obtained delegation token is only valid for the requesting user for a period of time dependent on Accumulo’s configuration (<code class="highlighter-rouge">general.delegation.token.lifetime</code>).</p> -<p>For the duration of validity of the <code class="highlighter-rouge">DelegationToken</code>, the user <em>must</em> take the necessary precautions +<p>For the duration of validity of the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/DelegationToken.html">DelegationToken</a>, the user <em>must</em> take the necessary precautions to protect the <code class="highlighter-rouge">DelegationToken</code> from prying eyes as it can be used by any user on any host to impersonate the user who requested the <code class="highlighter-rouge">DelegationToken</code>. YARN ensures that passing the delegation token from the client JVM to each YARN task is secure, even in multi-tenant instances.</p> diff --git a/docs/2.x/security/on-disk-encryption.html b/docs/2.x/security/on-disk-encryption.html index 0048562..e5d426e 100644 --- a/docs/2.x/security/on-disk-encryption.html +++ b/docs/2.x/security/on-disk-encryption.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/security/overview.html b/docs/2.x/security/overview.html index d97c5ff..2ac1cd2 100644 --- a/docs/2.x/security/overview.html +++ b/docs/2.x/security/overview.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> 
@@ -422,61 +426,35 @@ <div class="col-md-2"><a class="pull-right" style="margin-top: 25px;" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/overview.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> </div> - <p>This page provides an overview of Accumulo’s security features.</p> - -<p>A few Accumulo security features have on their own documentation page:</p> + <p>Accumulo has the following security features:</p> <ul> - <li><a href="/docs/2.x/security/labels">Security Labels</a></li> - <li><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></li> - <li><a href="/docs/2.x/security/wire-encryption">Wire Encryption</a></li> - <li><a href="/docs/2.x/security/kerberos">Kerberos</a></li> + <li>Only <a href="/docs/2.x/security/authentication">authenticated</a> users can access Accumulo. + <ul> + <li><a href="/docs/2.x/security/kerberos">Kerberos</a> can be enabled to replace Accumulo’s default, password-based authentication</li> + </ul> + </li> + <li>Users can only perform actions if they are given <a href="/docs/2.x/security/permissions">permission</a>.</li> + <li>Users can only view <a href="/docs/2.x/security/authorizations#security-labels">labeled data</a> that they are <a href="/docs/2.x/security/authorizations">authorized</a> to see.</li> + <li>Data can be encrypted <a href="/docs/2.x/security/on-disk-encryption">on disk</a> and <a href="/docs/2.x/security/wire-encryption">over-the-wire</a></li> </ul> -<h2 id="pluggable-security">Pluggable Security</h2> +<h2 id="implementation">Implementation</h2> -<p>Accumulo has a pluggable security mechanism. It can be broken into three actions: authentication, -authorization, and permission handling.</p> +<p>Below is a description of how security is implemented in Accumulo.</p> -<p>Authentication verifies the identity of a user. 
In Accumulo, authentication occurs when -the <code class="highlighter-rouge">usingToken'</code> method of the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/AccumuloClient.html">AccumuloClient</a> builder is called with a principal (i.e username) -and an <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/AuthenticationToken.html">AuthenticationToken</a> which is an interface with multiple implementations. The most -common implementation is <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/PasswordToken.html">PasswordToken</a> which is the default authentication method for Accumulo -out of the box.</p> - -<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">()</span> - <span class="o">.</span><span class="na">forInstance</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span> <span class="s">"zookeeper1,zookeper2"</span><span class="o">)</span> - <span class="o">.</span><span class="na">usingToken</span><span class="o">(</span><span class="s">"user"</span><span class="o">,</span> <span class="k">new</span> <span class="n">PasswordToken</span><span class="o">(</span><span class="s">"passwd"</span><span class="o">)).</span><span class="na">build</span><span class="o">();</span> -</code></pre></div></div> - -<p>Once a user is authenticated by the Authenticator, the user has access to the other actions within -Accumulo. All actions in Accumulo are ACLed, and this ACL check is handled by the Permission -Handler. 
This is what manages all of the permissions, which are divided in system and per table -level. From there, if a user is doing an action which requires authorizations, the Authorizor is +<p>Once a user is authenticated by the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/Authenticator.html">Authenticator</a>, the user has access to the other actions within +Accumulo. All actions in Accumulo are ACLed, and this ACL check is handled by the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/PermissionHandler.html">PermissionHandler</a>. +This is what manages all of the <a href="/docs/2.x/security/permissions">permissions</a>, which are divided in system and per table +level. From there, if a user is doing an action which requires authorizations, the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/Authorizor.html">Authorizor</a> is queried to determine what authorizations the user has.</p> <p>This setup allows a variety of different mechanisms to be used for handling different aspects of -Accumulo’s security. A system like Kerberos can be used for authentication, then a system like LDAP +Accumulo’s security. A system like <a href="/docs/2.x/security/kerberos">Kerberos</a> can be used for <a href="/docs/2.x/security/authentication">authentication</a>, then a system like LDAP could be used to determine if a user has a specific permission, and then it may default back to the -default ZookeeperAuthorizor to determine what Authorizations a user is ultimately allowed to use. +default <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/Authorizor.html">Authorizor</a> to determine what Authorizations a user is ultimately allowed to use. 
This is a pluggable system so custom components can be created depending on your need.</p> -<h2 id="secure-authorizations-handling">Secure Authorizations Handling</h2> - -<p>For applications serving many users, it is not expected that an Accumulo user -will be created for each application user. In this case an Accumulo user with -all authorizations needed by any of the applications users must be created. To -service queries, the application should create a scanner with the application -user’s authorizations. These authorizations could be obtained from a trusted 3rd -party.</p> - -<p>Often production systems will integrate with Public-Key Infrastructure (PKI) and -designate client code within the query layer to negotiate with PKI servers in order -to authenticate users and retrieve their authorization tokens (credentials). This -requires users to specify only the information necessary to authenticate themselves -to the system. Once user identity is established, their credentials can be accessed by -the client code and passed to Accumulo outside of the reach of the user.</p> - <div class="row" style="margin-top: 20px;"> diff --git a/docs/2.x/security/overview.html b/docs/2.x/security/permissions.html similarity index 79% copy from docs/2.x/security/overview.html copy to docs/2.x/security/permissions.html index d97c5ff..b0600f4 100644 --- a/docs/2.x/security/overview.html +++ b/docs/2.x/security/permissions.html 
@@ -25,7 +25,7 @@ <link rel="stylesheet" type="text/css" href="https://cdn.datatables.net/v/bs/jq-2.2.3/dt-1.10.12/datatables.min.css"> <link href="/css/accumulo.css" rel="stylesheet" type="text/css"> -<title>Accumulo Documentation - Security Overview</title> +<title>Accumulo Documentation - Permissions</title> <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script> @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> 
@@ -412,76 +416,77 @@ </div> <div class="col-md-9"> - <p>Accumulo 2.x Documentation >> Security >> Security Overview</p> + <p>Accumulo 2.x Documentation >> Security >> Permissions</p> <div class="alert alert-danger" style="margin-bottom: 0px;" role="alert">This documentation is for a future release of Accumulo! <a href="/1.9/accumulo_user_manual.html">View documentation for the latest release</a>.</div> <div class="row"> - <div class="col-md-10"><h1>Security Overview</h1></div> - <div class="col-md-2"><a class="pull-right" style="margin-top: 25px;" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/overview.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> + <div class="col-md-10"><h1>Permissions</h1></div> + <div class="col-md-2"><a class="pull-right" style="margin-top: 25px;" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/permissions.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> </div> - <p>This page provides an overview of Accumulo’s security features.</p> + <p>Accumulo users can only perform actions if they are given permission.</p> -<p>A few Accumulo security features have on their own documentation page:</p> +<p>Accumulo has three types of permissions:</p> <ul> - <li><a href="/docs/2.x/security/labels">Security Labels</a></li> - <li><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></li> - <li><a href="/docs/2.x/security/wire-encryption">Wire Encryption</a></li> - <li><a href="/docs/2.x/security/kerberos">Kerberos</a></li> + <li><a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/security/SystemPermission.html">SystemPermission</a></li> + <li><a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/security/NamespacePermission.html">NamespacePermission</a></li> + <li><a 
href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/security/TablePermission.html">TablePermission</a></li> </ul> -<h2 id="pluggable-security">Pluggable Security</h2> +<p>These permissions are managed by <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/admin/SecurityOperations.html">SecurityOperations</a> in Java API or the <a href="/docs/2.x/getting-started/shell">Accumulo shell</a>.</p> + +<h2 id="configuration">Configuration</h2> + +<p>Accumulo’s <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-server-base/2.0.0-alpha-1/org/apache/accumulo/server/security/handler/PermissionHandler.html">PermissionHandler</a> is configured by setting <a href="/docs/2.x/configuration/server-properties#instance_security_permissionHandler">instance.security.permissionHandler</a>.</p> + +<p>The default permission handler is described below.</p> + +<h2 id="granting-permission">Granting permission</h2> + +<p>Users can be granted permissions in the shell:</p> + +<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@uno> grant System.CREATE_TABLE -s -u bob +</code></pre></div></div> + +<p>Or in the Java API using <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/admin/SecurityOperations.html">SecurityOperations</a>:</p> + +<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">securityOperations</span><span class="o">().</span><span class="na">grantSystem</span><span class="o">(</span><span class="s">"bob"</span><span class="o">,</span> <span class="n">SystemPermission</span><span class="o">.</span><span class="na">CREATE_TABLE</span><span class="o">);</span> +</code></pre></div></div> -<p>Accumulo has a pluggable security mechanism. 
It can be broken into three actions: authentication, -authorization, and permission handling.</p> +<h2 id="view-permissions">View permissions</h2> -<p>Authentication verifies the identity of a user. In Accumulo, authentication occurs when -the <code class="highlighter-rouge">usingToken'</code> method of the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/AccumuloClient.html">AccumuloClient</a> builder is called with a principal (i.e username) -and an <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/AuthenticationToken.html">AuthenticationToken</a> which is an interface with multiple implementations. The most -common implementation is <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/security/tokens/PasswordToken.html">PasswordToken</a> which is the default authentication method for Accumulo -out of the box.</p> +<p>Permissions can be listed for a user in the shell:</p> -<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">AccumuloClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">Accumulo</span><span class="o">.</span><span class="na">newClient</span><span class="o">()</span> - <span class="o">.</span><span class="na">forInstance</span><span class="o">(</span><span class="s">"myinstance"</span><span class="o">,</span> <span class="s">"zookeeper1,zookeper2"</span><span class="o">)</span> - <span class="o">.</span><span class="na">usingToken</span><span class="o">(</span><span class="s">"user"</span><span class="o">,</span> <span class="k">new</span> <span class="n">PasswordToken</span><span class="o">(</span><span class="s">"passwd"</span><span class="o">)).</span><span class="na">build</span><span class="o">();</span> +<div class="highlighter-rouge"><div 
class="highlight"><pre class="highlight"><code>root@uno> userpermissions -u bob +System permissions: System.CREATE_TABLE, System.DROP_TABLE + +Namespace permissions (accumulo): Namespace.READ + +Table permissions (accumulo.metadata): Table.READ +Table permissions (accumulo.replication): Table.READ +Table permissions (accumulo.root): Table.READ </code></pre></div></div> -<p>Once a user is authenticated by the Authenticator, the user has access to the other actions within -Accumulo. All actions in Accumulo are ACLed, and this ACL check is handled by the Permission -Handler. This is what manages all of the permissions, which are divided in system and per table -level. From there, if a user is doing an action which requires authorizations, the Authorizor is -queried to determine what authorizations the user has.</p> +<h2 id="revoking-permissions">Revoking permissions</h2> -<p>This setup allows a variety of different mechanisms to be used for handling different aspects of -Accumulo’s security. A system like Kerberos can be used for authentication, then a system like LDAP -could be used to determine if a user has a specific permission, and then it may default back to the -default ZookeeperAuthorizor to determine what Authorizations a user is ultimately allowed to use. -This is a pluggable system so custom components can be created depending on your need.</p> +<p>Permissions can be revoked for a user in the shell</p> -<h2 id="secure-authorizations-handling">Secure Authorizations Handling</h2> +<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@uno> revoke System.CREATE_TABLE -s -u bob +</code></pre></div></div> -<p>For applications serving many users, it is not expected that an Accumulo user -will be created for each application user. In this case an Accumulo user with -all authorizations needed by any of the applications users must be created. 
To -service queries, the application should create a scanner with the application -user’s authorizations. These authorizations could be obtained from a trusted 3rd -party.</p> +<p>Or in the Java API using <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/2.0.0-alpha-1/org/apache/accumulo/core/client/admin/SecurityOperations.html">SecurityOperations</a>:</p> -<p>Often production systems will integrate with Public-Key Infrastructure (PKI) and -designate client code within the query layer to negotiate with PKI servers in order -to authenticate users and retrieve their authorization tokens (credentials). This -requires users to specify only the information necessary to authenticate themselves -to the system. Once user identity is established, their credentials can be accessed by -the client code and passed to Accumulo outside of the reach of the user.</p> +<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">securityOperations</span><span class="o">().</span><span class="na">revokeSystemPermission</span><span class="o">(</span><span class="s">"bob"</span><span class="o">,</span> <span class="n">SystemPermission</span><span class="o">.</span><span class="na">CREATE_TABLE</span><span class="o">);</span> +</code></pre></div></div> <div class="row" style="margin-top: 20px;"> <div class="col-md-10"><strong>Find documentation for all releases in the <a href="/docs-archive">archive</strong></div> - <div class="col-md-2"><a class="pull-right" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/overview.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div> + <div class="col-md-2"><a class="pull-right" href="https://github.com/apache/accumulo-website/edit/master/_docs-2/security/permissions.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this 
page</small></a></div> </div> </div> </div> diff --git a/docs/2.x/security/wire-encryption.html b/docs/2.x/security/wire-encryption.html index 539ecb4..8864f8a 100644 --- a/docs/2.x/security/wire-encryption.html +++ b/docs/2.x/security/wire-encryption.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/troubleshooting/advanced.html b/docs/2.x/troubleshooting/advanced.html index b21bbe0..2492630 100644 --- a/docs/2.x/troubleshooting/advanced.html +++ b/docs/2.x/troubleshooting/advanced.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/troubleshooting/basic.html b/docs/2.x/troubleshooting/basic.html index 0cfb5d3..715e7fc 100644 --- a/docs/2.x/troubleshooting/basic.html +++ b/docs/2.x/troubleshooting/basic.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/troubleshooting/performance.html b/docs/2.x/troubleshooting/performance.html index ff045da..c57fffc 100644 --- a/docs/2.x/troubleshooting/performance.html +++ b/docs/2.x/troubleshooting/performance.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/troubleshooting/system-metadata-tables.html b/docs/2.x/troubleshooting/system-metadata-tables.html index 623ce4f..6f2d206 100644 --- a/docs/2.x/troubleshooting/system-metadata-tables.html +++ b/docs/2.x/troubleshooting/system-metadata-tables.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/troubleshooting/tools.html b/docs/2.x/troubleshooting/tools.html index 2e7a82e..db3d4de 100644 --- a/docs/2.x/troubleshooting/tools.html +++ b/docs/2.x/troubleshooting/tools.html @@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/docs/2.x/troubleshooting/tracing.html b/docs/2.x/troubleshooting/tracing.html index b83bcaa..25a66cc 100644 --- a/docs/2.x/troubleshooting/tracing.html +++ b/docs/2.x/troubleshooting/tracing.html 
@@ -268,7 +268,11 @@ <div class="row doc-sidebar-link"><a href="/docs/2.x/security/overview">Security Overview</a></div> - <div class="row doc-sidebar-link"><a href="/docs/2.x/security/labels">Security Labels</a></div> + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authentication">Authentication</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/permissions">Permissions</a></div> + + <div class="row doc-sidebar-link"><a href="/docs/2.x/security/authorizations">Authorizations</a></div> <div class="row doc-sidebar-link"><a href="/docs/2.x/security/on-disk-encryption">On Disk Encryption</a></div> diff --git a/feed.xml b/feed.xml index 97dc4fe..8eee5eb 100644 --- a/feed.xml +++ b/feed.xml @@ -6,8 +6,8 @@ </description> <link>https://accumulo.apache.org/</link> <atom:link href="https://accumulo.apache.org/feed.xml" rel="self" type="application/rss+xml"/> - <pubDate>Thu, 01 Nov 2018 14:42:31 -0400</pubDate> - <lastBuildDate>Thu, 01 Nov 2018 14:42:31 -0400</lastBuildDate> + <pubDate>Wed, 14 Nov 2018 17:36:32 -0500</pubDate> + <lastBuildDate>Wed, 14 Nov 2018 17:36:32 -0500</lastBuildDate> <generator>Jekyll v3.7.3</generator> diff --git a/redirects.json b/redirects.json index 38538e9..87ee136 100644 --- a/redirects.json +++ b/redirects.json 
@@ -1 +1 @@ -{"/release_notes/1.5.1.html":"https://accumulo.apache.org/release/accumulo-1.5.1/","/release_notes/1.6.0.html":"https://accumulo.apache.org/release/accumulo-1.6.0/","/release_notes/1.6.1.html":"https://accumulo.apache.org/release/accumulo-1.6.1/","/release_notes/1.6.2.html":"https://accumulo.apache.org/release/accumulo-1.6.2/","/release_notes/1.7.0.html":"https://accumulo.apache.org/release/accumulo-1.7.0/","/release_notes/1.5.3.html":"https://accumulo.apache.org/release/accumulo-1.5.3/" [...] \ No newline at end of file +{"/release_notes/1.5.1.html":"https://accumulo.apache.org/release/accumulo-1.5.1/","/release_notes/1.6.0.html":"https://accumulo.apache.org/release/accumulo-1.6.0/","/release_notes/1.6.1.html":"https://accumulo.apache.org/release/accumulo-1.6.1/","/release_notes/1.6.2.html":"https://accumulo.apache.org/release/accumulo-1.6.2/","/release_notes/1.7.0.html":"https://accumulo.apache.org/release/accumulo-1.7.0/","/release_notes/1.5.3.html":"https://accumulo.apache.org/release/accumulo-1.5.3/" [...] \ No newline at end of file diff --git a/search_data.json b/search_data.json index 1beb1a4..048f412 100644 --- a/search_data.json +++ b/search_data.json 
@@ -100,7 +100,7 @@ "docs-2-x-development-mapreduce": { "title": "MapReduce", - "content" : "Accumulo tables can be used as the source and destination of MapReduce jobs. Touse an Accumulo table with a MapReduce job, configure the job parameters to usethe AccumuloInputFormat and AccumuloOutputFormat. Accumulo specific parameterscan be set via these two format classes to do the following: Authenticate and provide user credentials for the input Restrict the scan to a range of rows Restrict the input to a subset of available columnsMapper and Reducer classesTo [...] + "content" : "Accumulo tables can be used as the source and destination of MapReduce jobs. Touse an Accumulo table with a MapReduce job, configure the job parameters to usethe AccumuloInputFormat and AccumuloOutputFormat. Accumulo specific parameterscan be set via these two format classes to do the following: Authenticate and provide user credentials for the input Restrict the scan to a range of rows Restrict the input to a subset of available columnsMapper and Reducer classesTo [...] "url": " /docs/2.x/development/mapreduce", "categories": "development" }, 
@@ -128,7 +128,7 @@ "docs-2-x-getting-started-clients": { "title": "Accumulo Clients", - "content" : "Creating Client CodeIf you are using Maven to create Accumulo client code, add the following dependency to your pom:&lt;dependency&gt; &lt;groupId&gt;org.apache.accumulo&lt;/groupId&gt; &lt;artifactId&gt;accumulo-core&lt;/artifactId&gt; &lt;version&gt;2.0.0-alpha-1&lt;/version&gt;&lt;/dependency&gt;When writing code that uses Accumulo, only use the Accumulo Public API.The accumulo-core artifact include [...] + "content" : "Creating Client CodeIf you are using Maven to create Accumulo client code, add the following dependency to your pom:&lt;dependency&gt; &lt;groupId&gt;org.apache.accumulo&lt;/groupId&gt; &lt;artifactId&gt;accumulo-core&lt;/artifactId&gt; &lt;version&gt;2.0.0-alpha-1&lt;/version&gt;&lt;/dependency&gt;When writing code that uses Accumulo, only use the Accumulo Public API.The accumulo-core artifact include [...] "url": " /docs/2.x/getting-started/clients", "categories": "getting-started" }, 
@@ -170,14 +170,14 @@ "docs-2-x-getting-started-table-configuration": { "title": "Table Configuration", - "content" : "Accumulo tables have a few options that can be configured to alter the defaultbehavior of Accumulo as well as improve performance based on the data stored.These include locality groups, constraints, bloom filters, iterators, and blockcache. See the configuration properties documentation fora complete list of available configuration options.Locality GroupsAccumulo supports storing sets of column families separately on disk to allowclients to efficiently scan over colu [...] + "content" : "Accumulo tables have a few options that can be configured to alter the defaultbehavior of Accumulo as well as improve performance based on the data stored.These include locality groups, constraints, bloom filters, iterators, and blockcache. See the configuration properties documentation fora complete list of available configuration options.Locality GroupsAccumulo supports storing sets of column families separately on disk to allowclients to efficiently scan over colu [...] "url": " /docs/2.x/getting-started/table_configuration", "categories": "getting-started" }, "docs-2-x-getting-started-table-design": { "title": "Table Design", - "content" : "Basic TableSince Accumulo tables are sorted by row ID, each table can be thought of as beingindexed by the row ID. Lookups performed by row ID can be executed quickly, by doinga binary search, first across the tablets, and then within a tablet. Clients shouldchoose a row ID carefully in order to support their desired application. A simple ruleis to select a unique identifier as the row ID for each entity to be stored and assignall the other attributes to be tracked to [...] + "content" : "Basic TableSince Accumulo tables are sorted by row ID, each table can be thought of as beingindexed by the row ID. 
Lookups performed by row ID can be executed quickly, by doinga binary search, first across the tablets, and then within a tablet. Clients shouldchoose a row ID carefully in order to support their desired application. A simple ruleis to select a unique identifier as the row ID for each entity to be stored and assignall the other attributes to be tracked to [...] "url": " /docs/2.x/getting-started/table_design", "categories": "getting-started" }, 
@@ -189,17 +189,24 @@ "categories": "" }, - "docs-2-x-security-kerberos": { - "title": "Kerberos", - "content" : "OverviewKerberos is a network authentication protocol that provides a secure way forpeers to prove their identity over an unsecure network in a client-server model.A centralized key-distribution center (KDC) is the service that coordinatesauthentication between a client and a server. Clients and servers use “tickets”,obtained from the KDC via a password or a special file called a “keytab”, tocommunicate with the KDC and prove their identity. A KDC administrator mustcr [...] - "url": " /docs/2.x/security/kerberos", + "docs-2-x-security-authentication": { + "title": "Authentication", + "content" : "Accumulo has authentication to verify the identity of users.ConfigurationAccumulo can be configured to use different authentication methods: Method Setting for instance.security.authenticator Password (default) org.apache.accumulo.server.security.handler.ZKAuthenticator Kerberos org.apache.accumulo.server.security.handler.KerberosAuthenticator All authentication methods implement Authenticator. The default ( [...] + "url": " /docs/2.x/security/authentication", + "categories": "security" + }, + + "docs-2-x-security-authorizations": { + "title": "Authorizations", + "content" : "In Accumulo, data is written with security labels that limit access to only users with the properauthorizations.ConfigurationAccumulo’s Authorizor is configured by setting instance.security.authorizer. The defaultauthorizor is described below.Security LabelsEvery Key-Value pair in Accumulo has its own security label, stored under the column visibilityelement of the key, which is used to determine whether a given user meets the securityrequirements to read the value. T [...] 
+ "url": " /docs/2.x/security/authorizations", "categories": "security" }, - "docs-2-x-security-labels": { - "title": "Security Labels", - "content" : "Every Key-Value pair in Accumulo has its own security label, stored under the column visibilityelement of the key, which is used to determine whether a given user meets the securityrequirements to read the value. This enables data of various security levels to be storedwithin the same row, and users of varying degrees of access to query the same table, whilepreserving data confidentiality.Security Label ExpressionsWhen mutations are applied, users can specify a securi [...] - "url": " /docs/2.x/security/labels", + "docs-2-x-security-kerberos": { + "title": "Kerberos", + "content" : "OverviewKerberos is a network authentication protocol that provides a secure way forpeers to prove their identity over an unsecure network in a client-server model.A centralized key-distribution center (KDC) is the service that coordinatesauthentication between a client and a server. Clients and servers use “tickets”,obtained from the KDC via a password or a special file called a “keytab”, tocommunicate with the KDC and prove their identity. A KDC administrator mustcr [...] + "url": " /docs/2.x/security/kerberos", "categories": "security" }, 
@@ -212,11 +219,18 @@ "docs-2-x-security-overview": { "title": "Security Overview", - "content" : "This page provides an overview of Accumulo’s security features.A few Accumulo security features have on their own documentation page: Security Labels On Disk Encryption Wire Encryption KerberosPluggable SecurityAccumulo has a pluggable security mechanism. It can be broken into three actions: authentication, authorization, and permission handling.Authentication verifies the identity of a user. In Accumulo, authentication occurs whenthe usingToken' method of the [...] + "content" : "Accumulo has the following security features: Only authenticated users can access Accumulo. Kerberos can be enabled to replace Accumulo’s default, password-based authentication Users can only perform actions if they are given permission. Users can only view labeled data that they are authorized to see. Data can be encrypted on disk and over-the-wireImplementationBelow is a description of how security is implemented in Accumulo.Once a user is authent [...] "url": " /docs/2.x/security/overview", "categories": "security" }, + "docs-2-x-security-permissions": { + "title": "Permissions", + "content" : "Accumulo users can only perform actions if they are given permission.Accumulo has three types of permissions: SystemPermission NamespacePermission TablePermissionThese permissions are managed by SecurityOperations in Java API or the Accumulo shell.ConfigurationAccumulo’s PermissionHandler is configured by setting instance.security.permissionHandler.The default permission handler is described below.Granting permissionUsers can be granted permissions in the shell:roo [...] + "url": " /docs/2.x/security/permissions", + "categories": "security" + }, + "docs-2-x-security-wire-encryption": { "title": "Wire Encryption", "content" : "Accumulo, through Thrift’s TSSLTransport, provides the ability to encryptwire communication between Accumulo servers and clients using securesockets layer (SSL). 
SSL certificates signed by the same certificate authoritycontrol the “circle of trust” in which a secure connection can be established.Typically, each host running Accumulo processes would be given a certificatewhich identifies itself.Clients can optionally also be given a certificate, when client-auth is ena [...]
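Review bot: In the docs/2.x/security/permissions.html hunk, the "Secure Authorizations Handling" section (create the scanner with the application user's authorizations, obtained from a trusted third party) is deleted, and nothing visible in this mail shows where it landed. The search_data.json excerpt for the overview page picks up the "Once a user is authent..." paragraph, but the authorizations excerpt is cut off before any such text, so please confirm the guidance moved to authorizations.html rather than being dropped. In the same hunk, `<p>Permissions can be revoked for a user in the shell</p>` should end with a colon like the "Or in the Java API using ..." line after it, and the footer context line opens `<a href="/docs-archive">` with no `</a>` before `</strong>`. Both are best fixed in the Jekyll source (`_docs-2/security/permissions.md` and the page layout) rather than in this generated output.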
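Review bot: The sidebar hunks (wire-encryption.html and every troubleshooting/*.html page at `@@ -268,7 +268,11 @@`) drop the `/docs/2.x/security/labels` link, and search_data.json drops the `docs-2-x-security-labels` entry with the same URL, so existing bookmarks and inbound links to that path will break unless a redirect to `/docs/2.x/security/authorizations` exists. The redirects.json hunk is truncated at `[...]` in this mail and its visible part is identical on both sides, so the redirect cannot be confirmed here; please check that it was added, or add a `redirect_from` entry in the source page if the site uses that mechanism.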
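Review bot: In the search_data.json hunk, the new `docs-2-x-security-authorizations` entry names the property as `instance.security.authorizer` while the same sentence calls the component "Authorizor" and "authorizor"; a reader copying the property name into configuration needs the exact spelling, so please check it against the server-properties page and make the text consistent. Two smaller wording points in the new `docs-2-x-security-permissions` entry: "managed by SecurityOperations in Java API" is missing "the", and the heading "Granting permission" is singular while the matching heading in permissions.html is "Revoking permissions". As with the HTML, these belong in the markdown source that Jekyll builds from.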