MapR 5.0 Documentation : Enabling Table Authorizations with Access Control Expressions

Permissions for MapR tables, column families, and columns are defined by Access Control Expressions (ACEs). You can set permissions for tables when you create or edit tables. You can set default permissions for column families when you create or edit tables, and you can override these defaults when you create column families. 

For the syntax to use when creating Access Control Expressions, see Syntax of Access Control Expressions.

When a user, group, or role requests to read data from, write data to, or append data to a column, MapR-DB checks whether that user, group, or role has read or write permission for the column family AND read or write permission for the column. By default, columns allow read and write access to all users; in such cases, only the read or write permission for the column family matters. 

However, suppose that a table contains columns col1 and col2 in column family cf1, and these columns grant read and write permission only to the table creator. A different user tries to write data to these columns. MapR-DB checks whether this user has write permission on cf1 AND col1 AND col2. If the user does not have all three permissions, MapR-DB returns an error that says access for the write is denied.

If this user were to try to read from the same two columns, MapR-DB would simply not return the data. If the user tried to read from those two columns and from additional columns on which the user has read permission, the results would contain the data for those additional columns but exclude the data for col1 and col2.
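The check described above, modeled in Python as an added example (not MapR-DB code or part of the original documentation). ACEs are reduced to sets of user names with `None` standing for the default "all users". The names `Perm`, `ColumnFamily`, `build_cf1`, and the user `alice` are hypothetical. The model assumes a rejected write changes nothing and that a read denied at the column family level returns no data.

```python
from dataclasses import dataclass, field
from typing import Optional

class AccessDenied(Exception):
    """Raised for a rejected write; filtered reads raise nothing in this model."""

@dataclass
class Perm:
    # None models the default "all users"; a set models an ACE naming users.
    read: Optional[set] = None
    write: Optional[set] = None

def allowed(ace, user):
    return ace is None or user in ace

@dataclass
class ColumnFamily:
    perm: Perm
    col_perms: dict = field(default_factory=dict)   # column name -> Perm
    data: dict = field(default_factory=dict)        # column name -> value

    def _col(self, col):
        return self.col_perms.get(col, Perm())      # unset column: open to all

    def write(self, user, values):
        # Family AND every target column must grant write (assumed all-or-nothing).
        denied = [c for c in values if not allowed(self._col(c).write, user)]
        if denied or not allowed(self.perm.write, user):
            raise AccessDenied(f"write denied for {user}: {denied or 'family'}")
        self.data.update(values)

    def read(self, user, cols):
        # Columns the user cannot read are left out of the result, without an error.
        if not allowed(self.perm.read, user):
            return {}
        return {c: self.data[c] for c in cols
                if c in self.data and allowed(self._col(c).read, user)}

def build_cf1():
    # Constructed scenario: col1/col2 restricted to the creator, col3 at defaults.
    owner_only = Perm(read={"creator"}, write={"creator"})
    cf1 = ColumnFamily(Perm(), {"col1": owner_only, "col2": owner_only})
    cf1.write("creator", {"col1": "a", "col2": "b", "col3": "c"})
    return cf1
```

When auditing permissions, note the asymmetry the model makes visible: a denied write surfaces as an error, while a denied read only shows up as missing columns in the result.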

Defining ACEs with the MCS by using the Expression Builder

  1. To define an ACE for an existing table, click Edit Table Permissions from the table's pane in the MCS to display the Permissions pane.
  2. Click the arrow at the right side of any field to display the Expression Builder for that field.
  3. Use the + button to add a condition to the expression. Note that you cannot mix AND and OR without using subexpressions.
     

You can also type expressions directly into the field. The MCS validates expressions when focus leaves the field. The field is colored yellow for a warning and red for an error. Hover the cursor on the field to display the error or warning message.

Defining ACEs by using maprcli commands

You can set ACEs with the following commands:
