Obtaining readperm or writeperm on Fields

In this scenario, you want to perform an operation on a field, and the operation requires that you have readperm or writeperm permissions on that field. How you obtain either permission depends on whether the field is in the default column family or a non-default column family.

If the field is in the default column family

In the following document, you want to perform an operation on field c, which is in the default column family. The operation requires you to have readperm or writeperm on field c.

Figure 1. Schematic diagram of an JSON document in which all fields are in the default column family
Case 1: You have the same permission (readperm or writeperm) on the default column family
In this case, field c inherits the permission, assuming that the permission was not denied on field a or b.

If you do not have readperm or writeperm on field a or b, you need traverseperm on the field that denied you the permission that you need. You also need readperm or writeperm explicitly granted to you on field c.

Example commands to grant these permissions:

/opt/mapr/bin/maprcli table cf colperm set -path <path to JSON table> -cfname 
default -name a.b -traverseperm u:<user ID> | <existing ACE for this field>

The next example command grants readperm:

/opt/mapr/bin/maprcli table cf colperm set -path <path to JSON table> -cfname 
default -name a.b.c -readperm u:<user ID> | <existing ACE for this field>
Case 2: You do not have the same permission (readperm or writeperm) on the default column family
In this case, you need the traverseperm permission on the default column family. You also need readperm or writeperm explicitly granted to you on field c.

Example commands to grant these permissions:

/opt/mapr/bin/maprcli table cf edit -path <path to JSON table> -cfname cf1 
-traverseperm u:<user ID> | <existing ACE for this field>

This next example command grants readperm:

/opt/mapr/bin/maprcli table cf colperm set -path <path to JSON table> -cfname cf1 
-name a.b.c -readperm u:<user ID> | <existing ACE for this field> 

If the field is in a non-default column family

NOTE Non-default column families are an advanced feature of MapR Database's native JSON support. For information about them, see Column Families in JSON Tables.

In the following document, you want to perform an operation on field c, which is in the column family that is defined at field b with the path a.b. The operation requires you to have readperm or writeperm on field c.

Figure 2. Schematic diagram of an JSON document in which fields b and c are in a column family that has the path a.b
Case 1: You do not have the permission you need (readperm or writeperm) on field b
You need traverseperm on field b, and you need readperm or writeperm granted to you explicitly on field c.

Example commands to grant these permissions:

/opt/mapr/bin/maprcli table cf edit -path <path to JSON table> -cfname cf1 
-traverseperm u:<user ID> | <existing ACE for this field>
maprcli table cf colperm set -path <path to JSON table> -cfname cf1 
-name a.b.c -readperm u:<user ID> | <existing ACE for this field> 
Case 2: You do have the permission you need (readperm or writeperm) on field b
You do not need any further permissions. Field c inherits your readperm and writeperm permissions from field b.