This document discusses how Sqrrl uses visibility labels and pluggable authorization systems to provide cell-level security in Accumulo databases. It describes how visibility labels are applied to data fields and segments of data, while pluggable authorization systems like Apache Shiro manage user permissions and access. The document walks through several examples and iterations of how users can experiment with applying different visibility labels to their data and configure authorization policies to control access. The key aspects of Sqrrl's security approach are labeling data at the finest granularity, letting external services manage user authorizations, and bringing different labeled data sources together for analysis while maintaining access controls.

1. Securely explore your data
Sqrrl Visibility Labels
and
Pluggable Authorization Systems:
A Love Story
John Vines
Engineer
Sqrrl Data, Inc.
john@sqrrl.com

2. WHAT MAKES
ACCUMULO SPECIAL
WHEN IT COMES TO
SECURITY?
© 2014 Sqrrl | All Rights Reserved

3. CELL-LEVEL SECURITY
© 2014 Sqrrl | All Rights Reserved

4. CELL-LEVEL SECURITY
© 2014 Sqrrl | All Rights Reserved

5. © 2014 Sqrrl | All Rights Reserved
tldr;
visibilities are like ACLs
CELL-LEVEL SECURITY

6. © 2014 Sqrrl | All Rights Reserved
tldr;
visibilities are like ACLs
...sort of
CELL-LEVEL SECURITY

7. SQRRL
© 2014 Sqrrl | All Rights Reserved
What does this mean with sqrrl?

8. SQRRL
© 2014 Sqrrl | All Rights Reserved
What does this mean with sqrrl?
Sqrrl uses these labels within
hierarchical documents for the same
effect

9. SQRRL JSON
© 2014 Sqrrl | All Rights Reserved
{"children@[FAM|IRS]":
{"current": [{ "name": "Johnny" }],
"expecting@[FAM]": [{ "name": "Baby Girl"}]
}
}
Only the family and IRS care about
children.
Only the family cares about expecting

10. THAT’S GREAT!
© 2014 Sqrrl | All Rights Reserved
What does it get me?

11. THAT’S GREAT!
© 2014 Sqrrl | All Rights Reserved
What does it get me?
Amalgamating data sources that are
segregated

12. THE SCENARIO:
© 2014 Sqrrl | All Rights Reserved
I am a first time Sqrrl/Accumulo user
I want to use its nifty features
I have no idea what I’m doing

13. FIRST TRY
© 2014 Sqrrl | All Rights Reserved
Scan without JohnsLabel

14. FIRST TRY
© 2014 Sqrrl | All Rights Reserved
Scan without JohnsLabel
*sad trombone*
Scan with JohnsLabel

15. FIRST TRY
© 2014 Sqrrl | All Rights Reserved
Scan without JohnsLabel
*sad trombone*
Scan with JohnsLabel
uuid1 {"field1@[JohnsLabel]": "Value”}
uuid2 {"field1@[JohnsLabel]": "Value”}
uuid3 {"field2@[JohnsLabel]": "Value”}
uuid4 {"field2@[JohnsLabel]": "Value”}
uuid5 {"field1@[JohnsLabel]": "Value”}

16. SECOND TRY
© 2014 Sqrrl | All Rights Reserved
uuid1 {"field1@[JohnsApplication]": "Value”}
uuid2 {"field1@[JohnsApplication]": "Value”}
uuid3 {"field2@[JohnsApplication]": "Value”}
uuid4 {"field2@[JohnsApplication]": "Value”}
uuid5 {"field1@[JohnsApplication]": "Value”}

17. SECOND TRY
© 2014 Sqrrl | All Rights Reserved
What does my label even mean?
uuid1 {"field1@[JohnsApplication]": "Value”}
uuid2 {"field1@[JohnsApplication]": "Value”}
uuid3 {"field2@[JohnsApplication]": "Value”}
uuid4 {"field2@[JohnsApplication]": "Value”}
uuid5 {"field1@[JohnsApplication]": "Value”}

18. THIRD TRY
© 2014 Sqrrl | All Rights Reserved
uuid1 {"field1@[application1|application2]": "Value”}
uuid2 {"field1@[application1]": "Value”}
uuid3 {"field2@[application1]": "Value”}
uuid4 {"field2@[application2]": "Value”}
uuid5 {"field1@[application3]": "Value”}

19. THIRD TRY
© 2014 Sqrrl | All Rights Reserved
What about application4?
application5? 6?
uuid1 {"field1@[application1|application2]": "Value”}
uuid2 {"field1@[application1]": "Value”}
uuid3 {"field2@[application1]": "Value”}
uuid4 {"field2@[application2]": "Value”}
uuid5 {"field1@[application3]": "Value”}

20. BACK TO THE DRAWING BOARD
© 2014 Sqrrl | All Rights Reserved
What am I trying to accomplish?
Why am I segregating my data?

21. FOURTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid1 {"field1@[org1|org2]": "Value”}
uuid2 {"field1@[org1]": "Value”}
uuid3 {"field2@[org1]": "Value”}
uuid4 {"field2@[org2]": "Value”}
uuid5 {"field1@[org1&org2]": "Value”}

22. FOURTH TRY
© 2014 Sqrrl | All Rights Reserved
Organizations are big!
uuid1 {"field1@[org1|org2]": "Value”}
uuid2 {"field1@[org1]": "Value”}
uuid3 {"field2@[org1]": "Value”}
uuid4 {"field2@[org2]": "Value”}
uuid5 {"field1@[org1&org2]": "Value”}

23. FIFTH TRY
© 2014 Sqrrl | All Rights Reserved
What about if subOrgs change?
uuid1 {"field1@[subOrg1|subOrg2]": "Value”}
uuid2 {"field1@[subOrg1]": "Value”}
uuid3 {"field2@[subOrg1]": "Value”}
uuid4 {"field2@[subOrg2]": "Value”}
uuid5 {"field1@[subOrg1&subOrg2]": "Value”}

24. FIFTH TRY
© 2014 Sqrrl | All Rights Reserved
What about if subOrgs change?
Why do these orgs have permission?
uuid1 {"field1@[subOrg1|subOrg2]": "Value”}
uuid2 {"field1@[subOrg1]": "Value”}
uuid3 {"field2@[subOrg1]": "Value”}
uuid4 {"field2@[subOrg2]": "Value”}
uuid5 {"field1@[subOrg1&subOrg2]": "Value”}

25. SIXTH TRY
© 2014 Sqrrl | All Rights Reserved
Looks good!
uuid1 {"field1@[accountsReceivable|payroll]":
"Value”}
uuid2 {"field1@[accountsReceivable]": "Value”}
uuid3 {"field2@[accountsReceivable]": "Value”}
uuid4 {"field2@[payroll]": "Value”}
uuid5 {"field1@[accountsReceivable&payroll]":
"Value”}

26. SIXTH TRY
© 2014 Sqrrl | All Rights Reserved
Looks good!
But now I need to manage users!
uuid1 {"field1@[accountsReceivable|payroll]":
"Value”}
uuid2 {"field1@[accountsReceivable]": "Value”}
uuid3 {"field2@[accountsReceivable]": "Value”}
uuid4 {"field2@[payroll]": "Value”}
uuid5 {"field1@[accountsReceivable&payroll]":
"Value”}

27. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved

28. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
okay… what is this?

29. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
tserver
scan
Pluggable
Authorizor
getAuths()
scan

30. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
tserver
scan
Pluggable
Authorizor
getAuths()
scan
What does this mean to Sqrrl?

31. POLICY ENGINE
© 2014 Sqrrl | All Rights Reserved
Sqrrl uses Apache Shiro to expose
configurable security

32. POLICY ENGINE
© 2014 Sqrrl | All Rights Reserved
Sqrrl uses Apache Shiro to expose
configurable security
Less work needed to use existing
security architecture

33. SEVENTH TRY
© 2014 Sqrrl | All Rights Reserved
LDAP’s role-based access says:
User1->HR
User2->InternalConflicts
User3->Payroll
User4->Taxes

34. SEVENTH TRY
© 2014 Sqrrl | All Rights Reserved
One less system to maintain!
LDAP’s role-based access says:
User1->HR
User2->InternalConflicts
User3->Payroll
User4->Taxes

35. SEVENTH TRY
© 2014 Sqrrl | All Rights Reserved
One less system to maintain!
But our orgs are hierarchical!
LDAP’s role-based access says:
User1->HR
User2->InternalConflicts
User3->Payroll
User4->Taxes

36. EIGHTH TRY
© 2014 Sqrrl | All Rights Reserved
Policy Engine Says:
InternalConflicts->InternalConflicts,HR
Payroll->Payroll,Finance
Taxes->Finance,AccountsReceivable

37. EIGHTH TRY
© 2014 Sqrrl | All Rights Reserved
But what if I don’t want a certain org to
get a piece of data?
Policy Engine Says:
InternalConflicts->InternalConflicts,HR
Payroll->Payroll,Finance
Taxes->Finance,AccountsReceivable

38. NINTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid5 {"field1@[designer&!manager]": "Value”}

39. NINTH TRY
© 2014 Sqrrl | All Rights Reserved
Accumulo and Sqrrl do not support
NOTs
uuid5 {"field1@[designer&!manager]": "Value”}

40. © 2014 Sqrrl | All Rights Reserved
Visibility labels have been a core piece of
Accumulo for almost 6 years.
Last thing we want is people to inadvertently leak
data because of change in our security story
(adding NOTs)
Accumulo has always supported downgrading
authorizations and this behavior will break NOTs
WHY NO NOTS?

41. NINTH TRY
© 2014 Sqrrl | All Rights Reserved
Accumulo and Sqrrl do not support
NOTs
What are we trying to accomplish?
uuid5 {"field1@[designer&!manager]": "Value”}

42. TENTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid5 {"field1@[designer&(worker&contractor)]":
"Value”}

43. TENTH TRY
© 2014 Sqrrl | All Rights Reserved
But I want others to know some part of
uuid5 field1!
uuid5 {"field1@[designer&(worker&contractor)]":
"Value”}

44. REMEMBER
© 2014 Sqrrl | All Rights Reserved

45. REMEMBER
© 2014 Sqrrl | All Rights Reserved
{"children@[FAM|IRS]":
{"current": [{ "name": "Johnny" }],
"expecting@[FAM]": [{ "name": "Baby Girl"}]
}
}

46. ELEVENTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid5 {"field1@[designer&(worker&contractor)]":
"Value”}
uuid5 {"field1@[engineer&(worker&contractor)]":
"Value”}

47. ELEVENTH TRY
© 2014 Sqrrl | All Rights Reserved
But I still want the managers to know
that uuid5 field1 exists!
uuid5 {"field1@[designer&(worker&contractor)]":
"Value”}
uuid5 {"field1@[engineer&(worker&contractor)]":
"Value”}

48. TWELTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid5 {"field1": "Value”}
uuid5 {"field1@[designer&(worker&contractor)]":
"Value”}
uuid5 {"field1@[engineer&(worker&contractor)]":
"Value”}

49. TWELTH TRY
© 2014 Sqrrl | All Rights Reserved
How can root look at everything?
uuid5 {"field1": "Value”}
uuid5 {"field1@[designer&(worker&contractor)]":
"Value”}
uuid5 {"field1@[engineer&(worker&contractor)]":
"Value”}

50. THIRTEENTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid5 {"field1": "Value”}
uuid5 {"field1@[root|(designer&(worker&contractor))]":
"Value”}
uuid5 {"field1@[root|(engineer&(worker&contractor))]":
"Value”}

51. THIRTEENTH TRY
© 2014 Sqrrl | All Rights Reserved
I don’t like that...
uuid5 {"field1": "Value”}
uuid5 {"field1@[root|(designer&(worker&contractor))]":
"Value”}
uuid5 {"field1@[root|(engineer&(worker&contractor))]":
"Value”}

52. THIRTEENTH TRY 2
© 2014 Sqrrl | All Rights Reserved
Remember the policy engine!
LDAP knows all roles
root->all roles

53. THIRTEENTH TRY 2
© 2014 Sqrrl | All Rights Reserved
All of my bases are covered!
Except...
Remember the policy engine!
LDAP knows all roles
root->all roles

54. GETTING CRAFTY
© 2014 Sqrrl | All Rights Reserved
What if I want to:
● Allow authorizations based on time
● Allow authorizations based on location
● Make data more available
● Make data less available

55. BEING CRAFTY
© 2014 Sqrrl | All Rights Reserved
Remember the policy engine!
If you have the data available, you can use
it!

56. COARSE ACCESS CONTROLS
© 2014 Sqrrl | All Rights Reserved
Accumulo Tables have Read permissions
for coarse access.
These can be used to restrict access to an
entire table for a user.
This is also exposed through a pluggable
mechanism.

57. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved

58. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
Looks familiar…
what is this?

59. PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
tserver
scan
Pluggable PermissionHandler
hasTablePermission()
scan

60. DATA-CENTRIC SECURITY
© 2014 Sqrrl | All Rights Reserved
Sqrrl promotes Data-Centric Security.
Sqrrl encourages amalgamation of data for
improved analytics. Coarse access breaks
this.

61. RECAP
© 2014 Sqrrl | All Rights Reserved
● Label for the data, not the users
● Label with the highest granularity
possible
● Let the policy engine do the rest of the
work
● Need to rely on external services or
special processes for tracking labels
● These can manage users authorizations
and general access

62. RECAP
© 2014 Sqrrl | All Rights Reserved
Cell level security boils down to two
separate components
● Data labels
● User granted labels
They are the two halves that establish cell
level security.

63. RECAP
© 2014 Sqrrl | All Rights Reserved
Cell level security boils down to two
separate components
● Data labels
● User granted labels
They are the two halves that establish cell
level security. Put the two together, and
magic happens.

64. © 2014 Sqrrl | All Rights Reserved
QUESTIONS?
@ohshazbot
john@sqrrl.com
SQRRL VISIBILITY LABELS AND PLUGGABLE
AUTHORIZATION:
A LOVE STORY