6.13. Authorizations
When performing a query using the Accumulo or HBase datastore, GeoMesa delegates the retrieval of authorizations to service providers that implement the following interface:
package org.locationtech.geomesa.security;

import java.io.Serializable;
import java.util.List;
import java.util.Map;

public interface AuthorizationsProvider {

    public static final String AUTH_PROVIDER_SYS_PROPERTY = "geomesa.auth.provider.impl";

    /**
     * Gets the authorizations for the current context. This may change over time
     * (e.g. in a multi-user environment), so the result should not be cached.
     *
     * @return the authorizations for the current context
     */
    public List<String> getAuthorizations();

    /**
     * Configures this instance with parameters passed into the DataStoreFinder
     *
     * @param params the parameters passed into the DataStoreFinder
     */
    public void configure(Map<String, Serializable> params);
}
When a GeoMesa data store is instantiated, it will scan for available service providers via Java SPI. Third-party implementations can be enabled by placing them on the classpath and including a special service descriptor file. See the Oracle Javadoc for details on implementing a service provider.
The GeoMesa data store will call configure() on the AuthorizationsProvider implementation, passing in the parameter map from the call to DataStoreFinder.getDataStore(Map params). This allows the AuthorizationsProvider to configure itself based on the environment.
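A sketch of a third-party provider written against the interface above; it is an added example, not code from GeoMesa or its tutorials. It resolves authorizations on every call from a per-thread request context, intersects them with an allow-list read in configure(), and returns an empty list when no user is bound. The package, class name, the example.auths.allowed parameter and the bind()/clear() helpers are assumptions, as is the premise that getAuthorizations() runs on the thread handling the request.

```java
package com.example.security; // hypothetical package

import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.locationtech.geomesa.security.AuthorizationsProvider;

/**
 * Hypothetical provider. Register it through Java SPI with a classpath file named
 * META-INF/services/org.locationtech.geomesa.security.AuthorizationsProvider
 * containing the single line: com.example.security.RequestAuthorizationsProvider
 */
public class RequestAuthorizationsProvider implements AuthorizationsProvider {

    // Assumed data store parameter (not a GeoMesa key): comma-separated allow-list
    public static final String ALLOWED_PARAM = "example.auths.allowed";

    // Bound by the application's authentication layer per request, cleared afterwards
    private static final ThreadLocal<List<String>> CURRENT = new ThreadLocal<>();
    private volatile List<String> allowed = Collections.emptyList();

    public static void bind(List<String> userAuths) { CURRENT.set(new ArrayList<>(userAuths)); }
    public static void clear() { CURRENT.remove(); }

    @Override
    public void configure(Map<String, Serializable> params) {
        List<String> parsed = new ArrayList<>();
        Serializable raw = params.get(ALLOWED_PARAM);
        if (raw != null) {
            for (String s : raw.toString().split(",")) {
                String t = s.trim();
                if (!t.isEmpty()) parsed.add(t);
            }
        }
        allowed = Collections.unmodifiableList(parsed);
    }

    @Override
    public List<String> getAuthorizations() {
        List<String> user = CURRENT.get();
        if (user == null) {
            return Collections.emptyList(); // no bound user: return no authorizations
        }
        List<String> result = new ArrayList<>(user); // rebuilt on every call, never cached
        result.retainAll(allowed);                   // drop anything outside the allow-list
        return result;
    }
}
```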
To ensure that the correct AuthorizationsProvider is used, GeoMesa will throw an exception if multiple third-party service providers are found on the classpath. In this scenario, the particular service provider class to use can be specified by the following system property:
// equivalent to "geomesa.auth.provider.impl"
org.locationtech.geomesa.security.AuthorizationsProvider.AUTH_PROVIDER_SYS_PROPERTY
For simple scenarios, the set of authorizations to apply to all queries can be specified when creating the GeoMesa data store by using the geomesa.security.auths configuration parameter. This will use a default AuthorizationsProvider implementation provided by GeoMesa.
// create a map containing initialization data for the GeoMesa data store
Map<String, String> configuration = ...
configuration.put("geomesa.security.auths", "user,admin");
DataStore dataStore = DataStoreFinder.getDataStore(configuration);
If there are no AuthorizationsProvider implementations found on the classpath, and the geomesa.security.auths parameter is not set, GeoMesa will default to using the authorizations associated with the underlying Accumulo or HBase connection (i.e. the accumulo.user configuration value).
Warning
This is not a recommended approach for a production system.
In addition, please note that the authorizations used in any scenario cannot exceed the authorizations of the underlying Accumulo or HBase connection.
For examples on implementing an AuthorizationsProvider, see the Security tutorials.