Accumulo Summit 2014: Accumulo Visibility Labels and Pluggable Authorization Systems: A Love Story

Labels in Accumulo provide great power and flexibility. However, nearly everyone makes the same set of mistakes when first applying labels to their data. In this talk, we will follow two data architects as they first come to the labeling system in Accumulo, and see how they work their way out of the pitfalls they create for themselves. Along the way, they'll learn about Accumulo's pluggable security architecture surrounding the core functionality of the labeling system.


  1. Securely explore your data. Accumulo Visibility Labels and Pluggable Authorization Systems: A Love Story. John Vines, Engineer, Sqrrl Data, Inc., john@sqrrl.com
  2. WHAT MAKES ACCUMULO SPECIAL WHEN IT COMES TO SECURITY? © 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
  3. CELL-LEVEL SECURITY
  4. CELL-LEVEL SECURITY
  5. CELL-LEVEL SECURITY: tldr; visibilities are like ACLs
  6. CELL-LEVEL SECURITY: tldr; visibilities are like ACLs ...sort of
  7. THAT’S GREAT! What does it get me?
  8. THAT’S GREAT! What does it get me? Amalgamating data sources that are segregated
  9. THE SCENARIO: I am a first time Accumulo user. I want to use its nifty features. I have no idea what I’m doing.
  10. FIRST TRY: Scan without JohnsLabel
  11. FIRST TRY: Scan without JohnsLabel *sad trombone* Scan with JohnsLabel
  12. FIRST TRY: Scan without JohnsLabel *sad trombone* Scan with JohnsLabel
      row1 colf1:colq1 JohnsLabel
      row1 colf2:colq1 JohnsLabel
      row2 colf1:colq3 JohnsLabel
      row3 colf1:colq1 JohnsLabel
      row4 colf4:colq2 JohnsLabel
  13. SECOND TRY
      row1 colf1:colq1 JohnsApplication
      row1 colf2:colq1 JohnsApplication
      row2 colf1:colq3 JohnsApplication
      row3 colf1:colq1 JohnsApplication
      row4 colf4:colq2 JohnsApplication
  14. SECOND TRY: What does my label even mean?
      row1 colf1:colq1 JohnsApplication
      row1 colf2:colq1 JohnsApplication
      row2 colf1:colq3 JohnsApplication
      row3 colf1:colq1 JohnsApplication
      row4 colf4:colq2 JohnsApplication
  15. THIRD TRY
      row1 colf1:colq1 application1|application2
      row1 colf2:colq1 application1
      row2 colf1:colq3 application2
      row3 colf1:colq1 application2
      row4 colf4:colq2 application3
  16. THIRD TRY: What about analytic4? analytic5? 6?
      row1 colf1:colq1 application1|application2
      row1 colf2:colq1 application1
      row2 colf1:colq3 application2
      row3 colf1:colq1 application2
      row4 colf4:colq2 application3
  17. BACK TO THE DRAWING BOARD: What am I trying to accomplish? Why am I segregating my data?
  18. FOURTH TRY
      row1 colf1:colq1 org1|org2
      row1 colf2:colq1 org1
      row2 colf1:colq3 org2
      row3 colf1:colq1 org2
      row4 colf4:colq2 org1&org2
  19. FOURTH TRY: Organizations are big!
      row1 colf1:colq1 org1|org2
      row1 colf2:colq1 org1
      row2 colf1:colq3 org2
      row3 colf1:colq1 org2
      row4 colf4:colq2 org1&org2
  20. FIFTH TRY: What about if subOrgs change?
      row1 colf1:colq1 subOrg1|subOrg2
      row1 colf2:colq1 subOrg1
      row2 colf1:colq3 subOrg2
      row3 colf1:colq1 subOrg2
      row4 colf4:colq2 subOrg1&subOrg2
  21. FIFTH TRY: What about if subOrgs change? Why do these orgs have permission?
      row1 colf1:colq1 subOrg1|subOrg2
      row1 colf2:colq1 subOrg1
      row2 colf1:colq3 subOrg2
      row3 colf1:colq1 subOrg2
      row4 colf4:colq2 subOrg1&subOrg2
  22. SIXTH TRY: Looks good!
      row1 colf1:colq1 accountsReceivable|payroll
      row1 colf2:colq1 accountsReceivable
      row2 colf1:colq3 payroll
      row3 colf1:colq1 payroll
      row4 colf4:colq2 accountsReceivable&payroll
  23. SIXTH TRY: Looks good! But now I need to manage users!
      row1 colf1:colq1 accountsReceivable|payroll
      row1 colf2:colq1 accountsReceivable
      row2 colf1:colq3 payroll
      row3 colf1:colq1 payroll
      row4 colf4:colq2 accountsReceivable&payroll
  24. PLUGGABLE SECURITY TO THE RESCUE
  25. PLUGGABLE SECURITY TO THE RESCUE: okay… what is this?
  26. PLUGGABLE SECURITY TO THE RESCUE [diagram labels: tserver; scan; Pluggable Authorizor getAuths(); scan]
  27. PLUGGABLE SECURITY TO THE RESCUE [diagram labels: tserver; scan; Pluggable Authorizor getAuths(); scan] Now we can use our existing system!
  28. SEVENTH TRY: LDAP’s role-based access says:
      User1->HR
      User2->InternalConflicts
      User3->Payroll
      User4->Taxes
  29. SEVENTH TRY: One less system to maintain! LDAP’s role-based access says:
      User1->HR
      User2->InternalConflicts
      User3->Payroll
      User4->Taxes
  30. SEVENTH TRY: One less system to maintain! But our orgs are hierarchical! LDAP’s role-based access says:
      User1->HR
      User2->InternalConflicts
      User3->Payroll
      User4->Taxes
  31. EIGHTH TRY: Authorizor Says:
      InternalConflicts->InternalConflicts,HR
      Payroll->Payroll,Finance
      Taxes->Finance,AccountsReceivable
  32. EIGHTH TRY: But what if I don’t want a certain org to get a piece of data? Authorizor Says:
      InternalConflicts->InternalConflicts,HR
      Payroll->Payroll,Finance
      Taxes->Finance,AccountsReceivable
  33. What if I don’t want a certain org to get a piece of data?
  34. NINTH TRY
      row5 colf1:colq3 designer&!manager
  35. NINTH TRY: Accumulo does not support NOTs
      row5 colf1:colq3 designer&!manager
  36. NINTH TRY: Accumulo does not support NOTs. What are we trying to accomplish?
      row5 colf1:colq3 designer&!manager
  37. TENTH TRY
      row5 colf1:colq3 designer&(worker&contractor)
  38. TENTH TRY: But I want others to know some part of row5 colf1:colq!
      row5 colf1:colq3 designer&(worker&contractor)
  39. REMEMBER
  40. ELEVENTH TRY
      row5 colf1:colq3 designer&(worker&contractor)
      row5 colf1:colq3 engineer&(worker&contractor)
  41. ELEVENTH TRY: But I still want the managers to know that row5 colf1:colq3 exists!
      row5 colf1:colq3 designer&(worker&contractor)
      row5 colf1:colq3 engineer&(worker&contractor)
  42. TWELFTH TRY
      row5 colf1:colq3
      row5 colf1:colq3 designer&(worker&contractor)
      row5 colf1:colq3 engineer&(worker&contractor)
  43. TWELFTH TRY: How can root look at everything?
      row5 colf1:colq3
      row5 colf1:colq3 designer&(worker&contractor)
      row5 colf1:colq3 engineer&(worker&contractor)
  44. THIRTEENTH TRY
      row5 colf1:colq3
      row5 colf1:colq3 root|(designer&(worker&contractor))
      row5 colf1:colq3 root|(engineer&(worker&contractor))
  45. THIRTEENTH TRY: I don’t like that...
      row5 colf1:colq3
      row5 colf1:colq3 root|(designer&(worker&contractor))
      row5 colf1:colq3 root|(engineer&(worker&contractor))
  46. THIRTEENTH TRY 2: Remember the pluggable Authorizor! LDAP knows all roles. root->all roles
  47. THIRTEENTH TRY 2: All of my bases are covered! Except... Remember the pluggable Authorizor! LDAP knows all roles. root->all roles
  48. GETTING CRAFTY: What if I want to:
      ● Allow authorizations based on time
      ● Allow authorizations based on location
      ● Make data more available
      ● Make data less available
  49. BEING CRAFTY: Remember the pluggable Authorizor! If you have the data available, you can use it!
  50. BEING CRAFTY: Remember the pluggable Authorizor! If you have the data available, you can use it! Just remember: visibility labels are filters. They’re not made for restricting entire tables.
  51. FOURTEENTH TRY: Accumulo Tables have Read permissions for coarse access!
  52. FOURTEENTH TRY: Accumulo Tables have Read permissions for coarse access! Can we do it to people who are missing certain labels?
  53. PLUGGABLE SECURITY TO THE RESCUE
  54. PLUGGABLE SECURITY TO THE RESCUE: Looks familiar… what is this?
  55. PLUGGABLE SECURITY TO THE RESCUE [diagram labels: tserver; scan; Pluggable PermissionHandler hasTablePermission(); scan]
  56. PLUGGABLE SECURITY TO THE RESCUE [diagram labels: tserver; scan; Pluggable PermissionHandler hasTablePermission(); scan] Now we can use our existing system for coarse access!
  57. RECAP
      ● Label for the data, not the users
      ● Label with the highest granularity possible
      ● Let the pluggable security do the rest of the work
      ● Need to rely on external services or special processes for tracking labels
      ● These can manage users authorizations and general access
  58. RECAP: Cell level security boils down to two separate components
      ● Data labels
      ● User granted labels
      They are the two halves that establish cell level security.
  59. RECAP: Cell level security boils down to two separate components
      ● Data labels
      ● User granted labels
      They are the two halves that establish cell level security. Put the two together, and magic happens.
  60. QUESTIONS? @ohshazbot john@sqrrl.com ACCUMULO VISIBILITY LABELS AND PLUGGABLE AUTHORIZATION: A LOVE STORY
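
The two halves named in the recap, data labels and user-granted labels, put together as an added example: a simplified Python model written for this page, not Accumulo's code or the presenter's. The hypothetical `get_auths` stands in for the pluggable Authorizor using the EIGHTH TRY mapping, and the hypothetical `is_visible` evaluates a label with `&`, `|` and parentheses, rejects `!`, and requires parentheses when `&` and `|` are mixed.

```python
import re

# Role expansion from the "EIGHTH TRY" slide; unlisted roles map to themselves.
ROLE_EXPANSION = {
    "InternalConflicts": {"InternalConflicts", "HR"},
    "Payroll": {"Payroll", "Finance"},
    "Taxes": {"Finance", "AccountsReceivable"},
}
# Characters allowed in an unquoted label, plus the operators and parentheses.
TOKEN = re.compile(r"[A-Za-z0-9_\-:./]+|[&|()]")

def get_auths(ldap_roles):
    """Model of the pluggable authorizor: directory roles -> scan authorizations."""
    auths = set()
    for role in ldap_roles:
        auths |= ROLE_EXPANSION.get(role, {role})
    return auths

def is_visible(expression, auths):
    """True if a scan holding `auths` is shown a cell labelled `expression`."""
    if expression == "":
        return True  # an unlabelled cell is returned to every scan
    tokens, pos = TOKEN.findall(expression), 0
    if "".join(tokens) != expression:  # something was skipped, e.g. '!'
        raise ValueError("illegal character in label (there is no NOT operator)")

    def term():
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        pos += 1
        if tok == "(":
            value = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return value
        if tok in (None, "&", "|", ")"):
            raise ValueError("expected a label")
        return tok in auths

    def expr():
        nonlocal pos
        value, op = term(), None
        while pos < len(tokens) and tokens[pos] in ("&", "|"):
            if op not in (None, tokens[pos]):
                raise ValueError("mixing & and | requires parentheses")
            op = tokens[pos]
            pos += 1
            rhs = term()  # always parse the right side, then combine
            value = (value and rhs) if op == "&" else (value or rhs)
        return value

    visible = expr()
    if pos != len(tokens):
        raise ValueError("unexpected token")
    return visible
```

The labels stay fixed on the data while the mapping in `ROLE_EXPANSION` changes who sees it, which is the deck's "label for the data, not the users" point.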
