Accumulo Summit 2014: Accumulo Visibility Labels and Pluggable Authorization Systems: A Love Story

  • 367 views
Uploaded on

Labels in Accumulo provide great power and flexibility. However, nearly everyone makes the same set of mistakes when first applying labels to their data. In this talk, we will follow two data …

Labels in Accumulo provide great power and flexibility. However, nearly everyone makes the same set of mistakes when first applying labels to their data. In this talk, we will follow two data architects as they first come to the labeling system in Accumulo, and see how they work their way
out of the pitfalls they create for themselves. Along the way, they'll learn about Accumulo's pluggable security architecture surrounding the core functionality of the labeling system.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
367
On Slideshare
0
From Embeds
0
Number of Embeds
3

Actions

Shares
Downloads
13
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Securely explore your data Accumulo Visibility Labels and Pluggable Authorization Systems: A Love Story John Vines Engineer Sqrrl Data, Inc. john@sqrrl.com
  • 2. WHAT MAKES ACCUMULO SPECIAL WHEN IT COMES TO SECURITY? © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
  • 3. CELL-LEVEL SECURITY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
  • 4. CELL-LEVEL SECURITY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
  • 5. © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential tldr; visibilities are like ACLs CELL-LEVEL SECURITY
  • 6. © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential tldr; visibilities are like ACLs ...sort of CELL-LEVEL SECURITY
  • 7. THAT’S GREAT! © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential What does it get me?
  • 8. THAT’S GREAT! © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential What does it get me? Amalgamating data sources that are segregated
  • 9. THE SCENARIO: © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential I am a first time Accumulo user I want to use it’s nifty features I have no idea what I’m doing
  • 10. FIRST TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Scan without JohnsLabel
  • 11. FIRST TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Scan without JohnsLabel *sad trombone* Scan with JohnsLabel
  • 12. FIRST TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Scan without JohnsLabel *sad trombone* Scan with JohnsLabel row1 colf1:colq1 JohnsLabel row1 colf2:colq1 JohnsLabel row2 colf1:colq3 JohnsLabel row3 colf1:colq1 JohnsLabel row4 colf4:colq2 JohnsLabel
  • 13. SECOND TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential row1 colf1:colq1 JohnsApplication row1 colf2:colq1 JohnsApplication row2 colf1:colq3 JohnsApplication row3 colf1:colq1 JohnsApplication row4 colf4:colq2 JohnsApplication
  • 14. SECOND TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential What does my label even mean? row1 colf1:colq1 JohnsApplication row1 colf2:colq1 JohnsApplication row2 colf1:colq3 JohnsApplication row3 colf1:colq1 JohnsApplication row4 colf4:colq2 JohnsApplication
  • 15. THIRD TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential row1 colf1:colq1 application1|application2 row1 colf2:colq1 application1 row2 colf1:colq3 application2 row3 colf1:colq1 application2 row4 colf4:colq2 application3
  • 16. THIRD TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential What about analytic4? analytic5? 6? row1 colf1:colq1 application1|application2 row1 colf2:colq1 application1 row2 colf1:colq3 application2 row3 colf1:colq1 application2 row4 colf4:colq2 application3
  • 17. BACK TO THE DRAWING BOARD © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential What am I trying to accomplish? Why am I segregating my data?
  • 18. FOURTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential row1 colf1:colq1 org1|org2 row1 colf2:colq1 org1 row2 colf1:colq3 org2 row3 colf1:colq1 org2 row4 colf4:colq2 org1&org2
  • 19. FOURTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Organizations are big! row1 colf1:colq1 org1|org2 row1 colf2:colq1 org1 row2 colf1:colq3 org2 row3 colf1:colq1 org2 row4 colf4:colq2 org1&org2
  • 20. FIFTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential row1 colf1:colq1 subOrg1|subOrg2 row1 colf2:colq1 subOrg1 row2 colf1:colq3 subOrg2 row3 colf1:colq1 subOrg2 row4 colf4:colq2 subOrg1&subOrg2 What about if subOrgs change?
  • 21. FIFTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential What about if subOrgs change? Why do these orgs have permission? row1 colf1:colq1 subOrg1|subOrg2 row1 colf2:colq1 subOrg1 row2 colf1:colq3 subOrg2 row3 colf1:colq1 subOrg2 row4 colf4:colq2 subOrg1&subOrg2
  • 22. SIXTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential row1 colf1:colq1 accountsReceivable|payroll row1 colf2:colq1 accountsReceivable row2 colf1:colq3 payroll row3 colf1:colq1 payroll row4 colf4:colq2 accountsReceivable&payroll Looks good!
  • 23. SIXTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Looks good! But now I need to manage users! row1 colf1:colq1 accountsReceivable|payroll row1 colf2:colq1 accountsReceivable row2 colf1:colq3 payroll row3 colf1:colq1 payroll row4 colf4:colq2 accountsReceivable&payroll
  • 24. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
  • 25. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential okay… what is this?
  • 26. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential tserver scan Pluggable Authorizor getAuths() scan
  • 27. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential tserver scan Pluggable Authorizor getAuths() scan Now we can use our existing system!
  • 28. SEVENTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential LDAP’s role-based access says: User1->HR User2->InternalConflicts User3->Payroll User4->Taxes
  • 29. SEVENTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential One less system to maintain! LDAP’s role-based access says: User1->HR User2->InternalConflicts User3->Payroll User4->Taxes
  • 30. SEVENTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential One less system to maintain! But our orgs are hierarchical! LDAP’s role-based access says: User1->HR User2->InternalConflicts User3->Payroll User4->Taxes
  • 31. EIGHTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Authorizor Says: InternalConflicts->InternalConflicts,HR Payroll->Payroll,Finance Taxes->Finance,AccountsReceivable
  • 32. EIGHTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential But what if I don’t want a certain org to get a piece of data? Authorizor Says: InternalConflicts->InternalConflicts,HR Payroll->Payroll,Finance Taxes->Finance,AccountsReceivable
  • 33. © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential What if I don’t want a certain org to get a piece of data?
  • 34. NINTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential row5 colf1:colq3 designer&!manager
  • 35. NINTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Accumulo does not support NOTs row5 colf1:colq3 designer&!manager
  • 36. NINTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Accumulo does not support NOTs What are we trying to accomplish? row5 colf1:colq3 designer&!manager
  • 37. TENTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential row5 colf1:colq3 designer&(worker&contractor)
  • 38. TENTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential But I want others to know some part of row5 colf1:colq! row5 colf1:colq3 designer&(worker&contractor)
  • 39. REMEMBER © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
  • 40. ELEVENTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential row5 colf1:colq3 designer&(worker&contractor) row5 colf1:colq3 engineer&(worker&contractor)
  • 41. ELEVENTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential row5 colf1:colq3 designer&(worker&contractor) row5 colf1:colq3 engineer&(worker&contractor) But I still want the managers to know that row5 colf1:colq3 exists!
  • 42. TWELTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential row5 colf1:colq3 row5 colf1:colq3 designer&(worker&contractor) row5 colf1:colq3 engineer&(worker&contractor)
  • 43. TWELTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential How can root look at everything? row5 colf1:colq3 row5 colf1:colq3 designer&(worker&contractor) row5 colf1:colq3 engineer&(worker&contractor)
  • 44. THIRTEENTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential row5 colf1:colq3 row5 colf1:colq3 root|(designer&(worker&contractor)) row5 colf1:colq3 root|(engineer&(worker&contractor))
  • 45. THIRTEENTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential I don’t like that... row5 colf1:colq3 row5 colf1:colq3 root|(designer&(worker&contractor)) row5 colf1:colq3 root|(engineer&(worker&contractor))
  • 46. THIRTEENTH TRY 2 © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Remember the pluggable Authorizor! LDAP knows all roles root->all roles
  • 47. THIRTEENTH TRY 2 © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential All of my bases are covered! Except... Remember the pluggable Authorizor! LDAP knows all roles root->all roles
  • 48. GETTING CRAFTY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential What if I want to: ● Allow authorizations based on time ● Allow authorizations based on location ● Make data more available ● Make data less available
  • 49. BEING CRAFTY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Remember the pluggable Authorizor! If you have the data available, you can use it!
  • 50. BEING CRAFTY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Remember the pluggable Authorizor! If you have the data available, you can use it! Just remember- visibility labels are filters. They’re not made for restricting entire tables.
  • 51. FOURTEENTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Accumulo Tables have Read permissions for coarse access!
  • 52. FOURTEENTH TRY © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Accumulo Tables have Read permissions for coarse access! Can we do it to people who are missing certain labels?
  • 53. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
  • 54. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Looks familiar… what is this?
  • 55. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential tserver scan Pluggable PermissionHandler hasTablePermission() scan
  • 56. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential tserver scan Pluggable PermissionHandler hasTablePermission() scan Now we can use our existing system for coarse access!
  • 57. RECAP © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential ● Label for the data, not the users ● Label with the highest granularity possible ● Let the pluggable security do the rest of the work ● Need to rely on external services or special processes for tracking labels ● These can manage users authorizations and general access
  • 58. RECAP © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Cell level security boils down to two separate components ● Data labels ● User granted labels They are the two halves that establish cell level security.
  • 59. RECAP © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential Cell level security boils down to two separate components ● Data labels ● User granted labels They are the two halves that establish cell level security. Put the two together, and magic happens.
  • 60. © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential QUESTIONS? @ohshazbot john@sqrrl.com ACCUMULO VISIBILITY LABELS AND PLUGGABLE AUTHORIZATION: A LOVE STORY