Labels in Accumulo provide great power and flexibility. However, nearly everyone makes the same set of mistakes when first applying labels to their data. In this talk, we will follow two data architects as they first come to the labeling system in Accumulo, and see how they work their way out of the pitfalls they create for themselves. Along the way, they'll learn about Accumulo's pluggable security architecture surrounding the core functionality of the labeling system.

1. Securely explore your data
Accumulo Visibility Labels
and
Pluggable Authorization Systems:
A Love Story
John Vines
Engineer
Sqrrl Data, Inc.
john@sqrrl.com

2. WHAT MAKES
ACCUMULO SPECIAL
WHEN IT COMES TO
SECURITY?
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential

3. CELL-LEVEL SECURITY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential

4. CELL-LEVEL SECURITY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential

5. © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
tldr;
visibilities are like ACLs
CELL-LEVEL SECURITY

6. © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
tldr;
visibilities are like ACLs
...sort of
CELL-LEVEL SECURITY

7. THAT’S GREAT!
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
What does it get me?

8. THAT’S GREAT!
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
What does it get me?
Amalgamating data sources that are
segregated

9. THE SCENARIO:
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
I am a first time Accumulo user
I want to use it’s nifty features
I have no idea what I’m doing

10. FIRST TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Scan without JohnsLabel

11. FIRST TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Scan without JohnsLabel
*sad trombone*
Scan with JohnsLabel

12. FIRST TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Scan without JohnsLabel
*sad trombone*
Scan with JohnsLabel
row1 colf1:colq1 JohnsLabel
row1 colf2:colq1 JohnsLabel
row2 colf1:colq3 JohnsLabel
row3 colf1:colq1 JohnsLabel
row4 colf4:colq2 JohnsLabel

13. SECOND TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
row1 colf1:colq1 JohnsApplication
row1 colf2:colq1 JohnsApplication
row2 colf1:colq3 JohnsApplication
row3 colf1:colq1 JohnsApplication
row4 colf4:colq2 JohnsApplication

14. SECOND TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
What does my label even mean?
row1 colf1:colq1 JohnsApplication
row1 colf2:colq1 JohnsApplication
row2 colf1:colq3 JohnsApplication
row3 colf1:colq1 JohnsApplication
row4 colf4:colq2 JohnsApplication

15. THIRD TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
row1 colf1:colq1 application1|application2
row1 colf2:colq1 application1
row2 colf1:colq3 application2
row3 colf1:colq1 application2
row4 colf4:colq2 application3

16. THIRD TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
What about analytic4?
analytic5? 6?
row1 colf1:colq1 application1|application2
row1 colf2:colq1 application1
row2 colf1:colq3 application2
row3 colf1:colq1 application2
row4 colf4:colq2 application3

17. BACK TO THE DRAWING BOARD
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
What am I trying to accomplish?
Why am I segregating my data?

18. FOURTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
row1 colf1:colq1 org1|org2
row1 colf2:colq1 org1
row2 colf1:colq3 org2
row3 colf1:colq1 org2
row4 colf4:colq2 org1&org2

19. FOURTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Organizations are big!
row1 colf1:colq1 org1|org2
row1 colf2:colq1 org1
row2 colf1:colq3 org2
row3 colf1:colq1 org2
row4 colf4:colq2 org1&org2

20. FIFTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
row1 colf1:colq1 subOrg1|subOrg2
row1 colf2:colq1 subOrg1
row2 colf1:colq3 subOrg2
row3 colf1:colq1 subOrg2
row4 colf4:colq2 subOrg1&subOrg2
What about if subOrgs change?

21. FIFTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
What about if subOrgs change?
Why do these orgs have permission?
row1 colf1:colq1 subOrg1|subOrg2
row1 colf2:colq1 subOrg1
row2 colf1:colq3 subOrg2
row3 colf1:colq1 subOrg2
row4 colf4:colq2 subOrg1&subOrg2

22. SIXTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
row1 colf1:colq1 accountsReceivable|payroll
row1 colf2:colq1 accountsReceivable
row2 colf1:colq3 payroll
row3 colf1:colq1 payroll
row4 colf4:colq2 accountsReceivable&payroll
Looks good!

23. SIXTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Looks good!
But now I need to manage users!
row1 colf1:colq1 accountsReceivable|payroll
row1 colf2:colq1 accountsReceivable
row2 colf1:colq3 payroll
row3 colf1:colq1 payroll
row4 colf4:colq2 accountsReceivable&payroll

24. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential

25. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
okay… what is this?

26. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
tserver
scan
Pluggable
Authorizor
getAuths()
scan

27. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
tserver
scan
Pluggable
Authorizor
getAuths()
scan
Now we can use our existing system!

28. SEVENTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
LDAP’s role-based access says:
User1->HR
User2->InternalConflicts
User3->Payroll
User4->Taxes

29. SEVENTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
One less system to maintain!
LDAP’s role-based access says:
User1->HR
User2->InternalConflicts
User3->Payroll
User4->Taxes

30. SEVENTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
One less system to maintain!
But our orgs are hierarchical!
LDAP’s role-based access says:
User1->HR
User2->InternalConflicts
User3->Payroll
User4->Taxes

31. EIGHTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Authorizor Says:
InternalConflicts->InternalConflicts,HR
Payroll->Payroll,Finance
Taxes->Finance,AccountsReceivable

32. EIGHTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
But what if I don’t want a certain org to
get a piece of data?
Authorizor Says:
InternalConflicts->InternalConflicts,HR
Payroll->Payroll,Finance
Taxes->Finance,AccountsReceivable

33. © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
What if I don’t want a certain org to get
a piece of data?

34. NINTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
row5 colf1:colq3 designer&!manager

35. NINTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Accumulo does not support NOTs
row5 colf1:colq3 designer&!manager

36. NINTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Accumulo does not support NOTs
What are we trying to accomplish?
row5 colf1:colq3 designer&!manager

37. TENTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
row5 colf1:colq3 designer&(worker&contractor)

38. TENTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
But I want others to know some part of
row5 colf1:colq!
row5 colf1:colq3 designer&(worker&contractor)

39. REMEMBER
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential

40. ELEVENTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
row5 colf1:colq3 designer&(worker&contractor)
row5 colf1:colq3 engineer&(worker&contractor)

41. ELEVENTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
row5 colf1:colq3 designer&(worker&contractor)
row5 colf1:colq3 engineer&(worker&contractor)
But I still want the managers to know
that row5 colf1:colq3 exists!

42. TWELTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
row5 colf1:colq3
row5 colf1:colq3 designer&(worker&contractor)
row5 colf1:colq3 engineer&(worker&contractor)

43. TWELTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
How can root look at everything?
row5 colf1:colq3
row5 colf1:colq3 designer&(worker&contractor)
row5 colf1:colq3 engineer&(worker&contractor)

44. THIRTEENTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
row5 colf1:colq3
row5 colf1:colq3
root|(designer&(worker&contractor))
row5 colf1:colq3
root|(engineer&(worker&contractor))

45. THIRTEENTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
I don’t like that...
row5 colf1:colq3
row5 colf1:colq3
root|(designer&(worker&contractor))
row5 colf1:colq3
root|(engineer&(worker&contractor))

46. THIRTEENTH TRY 2
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Remember the pluggable Authorizor!
LDAP knows all roles
root->all roles

47. THIRTEENTH TRY 2
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
All of my bases are covered!
Except...
Remember the pluggable Authorizor!
LDAP knows all roles
root->all roles

48. GETTING CRAFTY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
What if I want to:
● Allow authorizations based on time
● Allow authorizations based on location
● Make data more available
● Make data less available

49. BEING CRAFTY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Remember the pluggable Authorizor!
If you have the data available, you can use
it!

50. BEING CRAFTY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Remember the pluggable Authorizor!
If you have the data available, you can use
it!
Just remember- visibility labels are
filters. They’re not made for restricting
entire tables.

51. FOURTEENTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Accumulo Tables have Read permissions
for coarse access!

52. FOURTEENTH TRY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Accumulo Tables have Read permissions
for coarse access!
Can we do it to people who are missing
certain labels?

53. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential

54. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Looks familiar…
what is this?

55. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
tserver
scan
Pluggable PermissionHandler
hasTablePermission()
scan

56. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
tserver
scan
Pluggable PermissionHandler
hasTablePermission()
scan
Now we can use our existing system
for coarse access!

57. RECAP
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
● Label for the data, not the users
● Label with the highest granularity
possible
● Let the pluggable security do the rest of
the work
● Need to rely on external services or
special processes for tracking labels
● These can manage users authorizations
and general access

58. RECAP
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Cell level security boils down to two
separate components
● Data labels
● User granted labels
They are the two halves that establish cell
level security.

59. RECAP
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
Cell level security boils down to two
separate components
● Data labels
● User granted labels
They are the two halves that establish cell
level security. Put the two together, and
magic happens.

60. © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
QUESTIONS?
@ohshazbot
john@sqrrl.com
ACCUMULO VISIBILITY LABELS AND PLUGGABLE
AUTHORIZATION:
A LOVE STORY