Your SlideShare is downloading. ×
Sqrrl June Webinar: An Accumulo Love Story
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Sqrrl June Webinar: An Accumulo Love Story

92
views

Published on

Labels in Sqrrl Enterprise provide great power and flexibility. In this webinar, founding Sqrrl engineer John Vines goes over the benefits and pitfalls of using visibility labels with pluggable …

Labels in Sqrrl Enterprise provide great power and flexibility. In this webinar, founding Sqrrl engineer John Vines goes over the benefits and pitfalls of using visibility labels with pluggable authorizations systems, and we will go through scenarios of different systems on top of Sqrrl Enterprise.


0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
92
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Securely explore your data Sqrrl Visibility Labels and Pluggable Authorization Systems: A Love Story John Vines Engineer Sqrrl Data, Inc. john@sqrrl.com
  • 2. WHAT MAKES ACCUMULO SPECIAL WHEN IT COMES TO SECURITY? © 2014 Sqrrl | All Rights Reserved
  • 3. CELL-LEVEL SECURITY © 2014 Sqrrl | All Rights Reserved
  • 4. CELL-LEVEL SECURITY © 2014 Sqrrl | All Rights Reserved
  • 5. © 2014 Sqrrl | All Rights Reserved tldr; visibilities are like ACLs CELL-LEVEL SECURITY
  • 6. © 2014 Sqrrl | All Rights Reserved tldr; visibilities are like ACLs ...sort of CELL-LEVEL SECURITY
  • 7. SQRRL © 2014 Sqrrl | All Rights Reserved What does this mean with sqrrl?
  • 8. SQRRL © 2014 Sqrrl | All Rights Reserved What does this mean with sqrrl? Sqrrl uses these labels within hierarchical documents for the same effect
  • 9. SQRRL JSON © 2014 Sqrrl | All Rights Reserved {"children@[FAM|IRS]": {"current": [{ "name": "Johnny" }], "expecting@[FAM]": [{ "name": "Baby Girl"}] } } Only the family and IRS care about children. Only the family cares about expecting
  • 10. THAT’S GREAT! © 2014 Sqrrl | All Rights Reserved What does it get me?
  • 11. THAT’S GREAT! © 2014 Sqrrl | All Rights Reserved What does it get me? Amalgamating data sources that are segregated
  • 12. THE SCENARIO: © 2014 Sqrrl | All Rights Reserved I am a first time Sqrrl/Accumulo user I want to use its nifty features I have no idea what I’m doing
  • 13. FIRST TRY © 2014 Sqrrl | All Rights Reserved Scan without JohnsLabel
  • 14. FIRST TRY © 2014 Sqrrl | All Rights Reserved Scan without JohnsLabel *sad trombone* Scan with JohnsLabel
  • 15. FIRST TRY © 2014 Sqrrl | All Rights Reserved Scan without JohnsLabel *sad trombone* Scan with JohnsLabel uuid1 {"field1@[JohnsLabel]": "Value”} uuid2 {"field1@[JohnsLabel]": "Value”} uuid3 {"field2@[JohnsLabel]": "Value”} uuid4 {"field2@[JohnsLabel]": "Value”} uuid5 {"field1@[JohnsLabel]": "Value”}
  • 16. SECOND TRY © 2014 Sqrrl | All Rights Reserved uuid1 {"field1@[JohnsApplication]": "Value”} uuid2 {"field1@[JohnsApplication]": "Value”} uuid3 {"field2@[JohnsApplication]": "Value”} uuid4 {"field2@[JohnsApplication]": "Value”} uuid5 {"field1@[JohnsApplication]": "Value”}
  • 17. SECOND TRY © 2014 Sqrrl | All Rights Reserved What does my label even mean? uuid1 {"field1@[JohnsApplication]": "Value”} uuid2 {"field1@[JohnsApplication]": "Value”} uuid3 {"field2@[JohnsApplication]": "Value”} uuid4 {"field2@[JohnsApplication]": "Value”} uuid5 {"field1@[JohnsApplication]": "Value”}
  • 18. THIRD TRY © 2014 Sqrrl | All Rights Reserved uuid1 {"field1@[application1|application2]": "Value”} uuid2 {"field1@[application1]": "Value”} uuid3 {"field2@[application1]": "Value”} uuid4 {"field2@[application2]": "Value”} uuid5 {"field1@[application3]": "Value”}
  • 19. THIRD TRY © 2014 Sqrrl | All Rights Reserved What about application4? application5? 6? uuid1 {"field1@[application1|application2]": "Value”} uuid2 {"field1@[application1]": "Value”} uuid3 {"field2@[application1]": "Value”} uuid4 {"field2@[application2]": "Value”} uuid5 {"field1@[application3]": "Value”}
  • 20. BACK TO THE DRAWING BOARD © 2014 Sqrrl | All Rights Reserved What am I trying to accomplish? Why am I segregating my data?
  • 21. FOURTH TRY © 2014 Sqrrl | All Rights Reserved uuid1 {"field1@[org1|org2]": "Value”} uuid2 {"field1@[org1]": "Value”} uuid3 {"field2@[org1]": "Value”} uuid4 {"field2@[org2]": "Value”} uuid5 {"field1@[org1&org2]": "Value”}
  • 22. FOURTH TRY © 2014 Sqrrl | All Rights Reserved Organizations are big! uuid1 {"field1@[org1|org2]": "Value”} uuid2 {"field1@[org1]": "Value”} uuid3 {"field2@[org1]": "Value”} uuid4 {"field2@[org2]": "Value”} uuid5 {"field1@[org1&org2]": "Value”}
  • 23. FIFTH TRY © 2014 Sqrrl | All Rights Reserved What about if subOrgs change? uuid1 {"field1@[subOrg1|subOrg2]": "Value”} uuid2 {"field1@[subOrg1]": "Value”} uuid3 {"field2@[subOrg1]": "Value”} uuid4 {"field2@[subOrg2]": "Value”} uuid5 {"field1@[subOrg1&subOrg2]": "Value”}
  • 24. FIFTH TRY © 2014 Sqrrl | All Rights Reserved What about if subOrgs change? Why do these orgs have permission? uuid1 {"field1@[subOrg1|subOrg2]": "Value”} uuid2 {"field1@[subOrg1]": "Value”} uuid3 {"field2@[subOrg1]": "Value”} uuid4 {"field2@[subOrg2]": "Value”} uuid5 {"field1@[subOrg1&subOrg2]": "Value”}
  • 25. SIXTH TRY © 2014 Sqrrl | All Rights Reserved Looks good! uuid1 {"field1@[accountsReceivable|payroll]": "Value”} uuid2 {"field1@[accountsReceivable]": "Value”} uuid3 {"field2@[accountsReceivable]": "Value”} uuid4 {"field2@[payroll]": "Value”} uuid5 {"field1@[accountsReceivable&payroll]": "Value”}
  • 26. SIXTH TRY © 2014 Sqrrl | All Rights Reserved Looks good! But now I need to manage users! uuid1 {"field1@[accountsReceivable|payroll]": "Value”} uuid2 {"field1@[accountsReceivable]": "Value”} uuid3 {"field2@[accountsReceivable]": "Value”} uuid4 {"field2@[payroll]": "Value”} uuid5 {"field1@[accountsReceivable&payroll]": "Value”}
  • 27. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved
  • 28. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved okay… what is this?
  • 29. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved tserver scan Pluggable Authorizor getAuths() scan
  • 30. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved tserver scan Pluggable Authorizor getAuths() scan What does this mean to Sqrrl?
  • 31. POLICY ENGINE © 2014 Sqrrl | All Rights Reserved Sqrrl uses Apache Shiro to expose configurable security
  • 32. POLICY ENGINE © 2014 Sqrrl | All Rights Reserved Sqrrl uses Apache Shiro to expose configurable security Less work needed to use existing security architecture
  • 33. SEVENTH TRY © 2014 Sqrrl | All Rights Reserved LDAP’s role-based access says: User1->HR User2->InternalConflicts User3->Payroll User4->Taxes
  • 34. SEVENTH TRY © 2014 Sqrrl | All Rights Reserved One less system to maintain! LDAP’s role-based access says: User1->HR User2->InternalConflicts User3->Payroll User4->Taxes
  • 35. SEVENTH TRY © 2014 Sqrrl | All Rights Reserved One less system to maintain! But our orgs are hierarchical! LDAP’s role-based access says: User1->HR User2->InternalConflicts User3->Payroll User4->Taxes
  • 36. EIGHTH TRY © 2014 Sqrrl | All Rights Reserved Policy Engine Says: InternalConflicts->InternalConflicts,HR Payroll->Payroll,Finance Taxes->Finance,AccountsReceivable
  • 37. EIGHTH TRY © 2014 Sqrrl | All Rights Reserved But what if I don’t want a certain org to get a piece of data? Policy Engine Says: InternalConflicts->InternalConflicts,HR Payroll->Payroll,Finance Taxes->Finance,AccountsReceivable
  • 38. NINTH TRY © 2014 Sqrrl | All Rights Reserved uuid5 {"field1@[designer&!manager]": "Value”}
  • 39. NINTH TRY © 2014 Sqrrl | All Rights Reserved Accumulo and Sqrrl do not support NOTs uuid5 {"field1@[designer&!manager]": "Value”}
  • 40. © 2014 Sqrrl | All Rights Reserved Visibility labels have been a core piece of Accumulo for almost 6 years. Last thing we want is people to inadvertently leak data because of change in our security story (adding NOTs) Accumulo has always supported downgrading authorizations and this behavior will break NOTs WHY NO NOTS?
  • 41. NINTH TRY © 2014 Sqrrl | All Rights Reserved Accumulo and Sqrrl do not support NOTs What are we trying to accomplish? uuid5 {"field1@[designer&!manager]": "Value”}
  • 42. TENTH TRY © 2014 Sqrrl | All Rights Reserved uuid5 {"field1@[designer&(worker&contractor)]": "Value”}
  • 43. TENTH TRY © 2014 Sqrrl | All Rights Reserved But I want others to know some part of uuid5 field1! uuid5 {"field1@[designer&(worker&contractor)]": "Value”}
  • 44. REMEMBER © 2014 Sqrrl | All Rights Reserved
  • 45. REMEMBER © 2014 Sqrrl | All Rights Reserved {"children@[FAM|IRS]": {"current": [{ "name": "Johnny" }], "expecting@[FAM]": [{ "name": "Baby Girl"}] } }
  • 46. ELEVENTH TRY © 2014 Sqrrl | All Rights Reserved uuid5 {"field1@[designer&(worker&contractor)]": "Value”} uuid5 {"field1@[engineer&(worker&contractor)]": "Value”}
  • 47. ELEVENTH TRY © 2014 Sqrrl | All Rights Reserved But I still want the managers to know that uuid5 field1 exists! uuid5 {"field1@[designer&(worker&contractor)]": "Value”} uuid5 {"field1@[engineer&(worker&contractor)]": "Value”}
  • 48. TWELTH TRY © 2014 Sqrrl | All Rights Reserved uuid5 {"field1": "Value”} uuid5 {"field1@[designer&(worker&contractor)]": "Value”} uuid5 {"field1@[engineer&(worker&contractor)]": "Value”}
  • 49. TWELTH TRY © 2014 Sqrrl | All Rights Reserved How can root look at everything? uuid5 {"field1": "Value”} uuid5 {"field1@[designer&(worker&contractor)]": "Value”} uuid5 {"field1@[engineer&(worker&contractor)]": "Value”}
  • 50. THIRTEENTH TRY © 2014 Sqrrl | All Rights Reserved uuid5 {"field1": "Value”} uuid5 {"field1@[root|(designer&(worker&contractor))]": "Value”} uuid5 {"field1@[root|(engineer&(worker&contractor))]": "Value”}
  • 51. THIRTEENTH TRY © 2014 Sqrrl | All Rights Reserved I don’t like that... uuid5 {"field1": "Value”} uuid5 {"field1@[root|(designer&(worker&contractor))]": "Value”} uuid5 {"field1@[root|(engineer&(worker&contractor))]": "Value”}
  • 52. THIRTEENTH TRY 2 © 2014 Sqrrl | All Rights Reserved Remember the policy engine! LDAP knows all roles root->all roles
  • 53. THIRTEENTH TRY 2 © 2014 Sqrrl | All Rights Reserved All of my bases are covered! Except... Remember the policy engine! LDAP knows all roles root->all roles
  • 54. GETTING CRAFTY © 2014 Sqrrl | All Rights Reserved What if I want to: ●  Allow authorizations based on time ●  Allow authorizations based on location ●  Make data more available ●  Make data less available
  • 55. BEING CRAFTY © 2014 Sqrrl | All Rights Reserved Remember the policy engine! If you have the data available, you can use it!
  • 56. COARSE ACCESS CONTROLS © 2014 Sqrrl | All Rights Reserved Accumulo Tables have Read permissions for coarse access. These can be used to restrict access to an entire table for a user. This is also exposed through a pluggable mechanism.
  • 57. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved
  • 58. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved Looks familiar… what is this?
  • 59. PLUGGABLE SECURITY TO THE RESCUE © 2014 Sqrrl | All Rights Reserved tserver scan Pluggable PermissionHandler hasTablePermission() scan
  • 60. DATA-CENTRIC SECURITY © 2014 Sqrrl | All Rights Reserved Sqrrl promotes Data-Centric Security. Sqrrl encourages amalgamation of data for improved analytics. Coarse access breaks this.
  • 61. RECAP © 2014 Sqrrl | All Rights Reserved ●  Label for the data, not the users ●  Label with the highest granularity possible ●  Let the policy engine do the rest of the work ●  Need to rely on external services or special processes for tracking labels ●  These can manage users authorizations and general access
  • 62. RECAP © 2014 Sqrrl | All Rights Reserved Cell level security boils down to two separate components ●  Data labels ●  User granted labels They are the two halves that establish cell level security.
  • 63. RECAP © 2014 Sqrrl | All Rights Reserved Cell level security boils down to two separate components ●  Data labels ●  User granted labels They are the two halves that establish cell level security. Put the two together, and magic happens.
  • 64. © 2014 Sqrrl | All Rights Reserved QUESTIONS? @ohshazbot john@sqrrl.com SQRRL VISIBILITY LABELS AND PLUGGABLE AUTHORIZATION: A LOVE STORY

×