sqrrl june webinar: an accumulo love story
Post on 01-Nov-2014
94 Views
Preview:
DESCRIPTION
TRANSCRIPT
Securely explore your data
Sqrrl Visibility Labels and
Pluggable Authorization Systems: A Love Story
John Vines Engineer Sqrrl Data, Inc. john@sqrrl.com
WHAT MAKES ACCUMULO SPECIAL WHEN IT COMES TO SECURITY?
© 2014 Sqrrl | All Rights Reserved
CELL-LEVEL SECURITY
© 2014 Sqrrl | All Rights Reserved
CELL-LEVEL SECURITY
© 2014 Sqrrl | All Rights Reserved
© 2014 Sqrrl | All Rights Reserved
tldr;
visibilities are like ACLs
CELL-LEVEL SECURITY
© 2014 Sqrrl | All Rights Reserved
tldr;
visibilities are like ACLs
...sort of
CELL-LEVEL SECURITY
SQRRL
© 2014 Sqrrl | All Rights Reserved
What does this mean with sqrrl?
SQRRL
© 2014 Sqrrl | All Rights Reserved
What does this mean with sqrrl?
Sqrrl uses these labels within hierarchical documents for the same
effect
SQRRL JSON
© 2014 Sqrrl | All Rights Reserved
{"children@[FAM|IRS]": {"current": [{ "name": "Johnny" }], "expecting@[FAM]": [{ "name": "Baby Girl"}] } } Only the family and IRS care about
children. Only the family cares about expecting
THAT’S GREAT!
© 2014 Sqrrl | All Rights Reserved
What does it get me?
THAT’S GREAT!
© 2014 Sqrrl | All Rights Reserved
What does it get me?
Amalgamating data sources that are segregated
THE SCENARIO:
© 2014 Sqrrl | All Rights Reserved
I am a first time Sqrrl/Accumulo user I want to use its nifty features I have no idea what I’m doing
FIRST TRY
© 2014 Sqrrl | All Rights Reserved
Scan without JohnsLabel
FIRST TRY
© 2014 Sqrrl | All Rights Reserved
Scan without JohnsLabel *sad trombone*
Scan with JohnsLabel
FIRST TRY
© 2014 Sqrrl | All Rights Reserved
Scan without JohnsLabel *sad trombone*
Scan with JohnsLabel
uuid1 {"field1@[JohnsLabel]": "Value”} uuid2 {"field1@[JohnsLabel]": "Value”} uuid3 {"field2@[JohnsLabel]": "Value”} uuid4 {"field2@[JohnsLabel]": "Value”} uuid5 {"field1@[JohnsLabel]": "Value”}
SECOND TRY
© 2014 Sqrrl | All Rights Reserved
uuid1 {"field1@[JohnsApplication]": "Value”} uuid2 {"field1@[JohnsApplication]": "Value”} uuid3 {"field2@[JohnsApplication]": "Value”} uuid4 {"field2@[JohnsApplication]": "Value”} uuid5 {"field1@[JohnsApplication]": "Value”}
SECOND TRY
© 2014 Sqrrl | All Rights Reserved
What does my label even mean?
uuid1 {"field1@[JohnsApplication]": "Value”} uuid2 {"field1@[JohnsApplication]": "Value”} uuid3 {"field2@[JohnsApplication]": "Value”} uuid4 {"field2@[JohnsApplication]": "Value”} uuid5 {"field1@[JohnsApplication]": "Value”}
THIRD TRY
© 2014 Sqrrl | All Rights Reserved
uuid1 {"field1@[application1|application2]": "Value”} uuid2 {"field1@[application1]": "Value”} uuid3 {"field2@[application1]": "Value”} uuid4 {"field2@[application2]": "Value”} uuid5 {"field1@[application3]": "Value”}
THIRD TRY
© 2014 Sqrrl | All Rights Reserved
What about application4? application5? 6?
uuid1 {"field1@[application1|application2]": "Value”} uuid2 {"field1@[application1]": "Value”} uuid3 {"field2@[application1]": "Value”} uuid4 {"field2@[application2]": "Value”} uuid5 {"field1@[application3]": "Value”}
BACK TO THE DRAWING BOARD
© 2014 Sqrrl | All Rights Reserved
What am I trying to accomplish? Why am I segregating my data?
FOURTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid1 {"field1@[org1|org2]": "Value”} uuid2 {"field1@[org1]": "Value”} uuid3 {"field2@[org1]": "Value”} uuid4 {"field2@[org2]": "Value”}
uuid5 {"field1@[org1&org2]": "Value”}
FOURTH TRY
© 2014 Sqrrl | All Rights Reserved
Organizations are big!
uuid1 {"field1@[org1|org2]": "Value”} uuid2 {"field1@[org1]": "Value”} uuid3 {"field2@[org1]": "Value”} uuid4 {"field2@[org2]": "Value”}
uuid5 {"field1@[org1&org2]": "Value”}
FIFTH TRY
© 2014 Sqrrl | All Rights Reserved
What about if subOrgs change?
uuid1 {"field1@[subOrg1|subOrg2]": "Value”} uuid2 {"field1@[subOrg1]": "Value”} uuid3 {"field2@[subOrg1]": "Value”} uuid4 {"field2@[subOrg2]": "Value”}
uuid5 {"field1@[subOrg1&subOrg2]": "Value”}
FIFTH TRY
© 2014 Sqrrl | All Rights Reserved
What about if subOrgs change? Why do these orgs have permission?
uuid1 {"field1@[subOrg1|subOrg2]": "Value”} uuid2 {"field1@[subOrg1]": "Value”} uuid3 {"field2@[subOrg1]": "Value”} uuid4 {"field2@[subOrg2]": "Value”}
uuid5 {"field1@[subOrg1&subOrg2]": "Value”}
SIXTH TRY
© 2014 Sqrrl | All Rights Reserved
Looks good!
uuid1 {"field1@[accountsReceivable|payroll]": "Value”}
uuid2 {"field1@[accountsReceivable]": "Value”} uuid3 {"field2@[accountsReceivable]": "Value”}
uuid4 {"field2@[payroll]": "Value”} uuid5 {"field1@[accountsReceivable&payroll]":
"Value”}
SIXTH TRY
© 2014 Sqrrl | All Rights Reserved
Looks good! But now I need to manage users!
uuid1 {"field1@[accountsReceivable|payroll]": "Value”}
uuid2 {"field1@[accountsReceivable]": "Value”} uuid3 {"field2@[accountsReceivable]": "Value”}
uuid4 {"field2@[payroll]": "Value”} uuid5 {"field1@[accountsReceivable&payroll]":
"Value”}
PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
okay… what is this?
PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
tserver scan
Pluggable Authorizor
getAuths() scan
PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
tserver scan
Pluggable Authorizor
getAuths() scan
What does this mean to Sqrrl?
POLICY ENGINE
© 2014 Sqrrl | All Rights Reserved
Sqrrl uses Apache Shiro to expose configurable security
POLICY ENGINE
© 2014 Sqrrl | All Rights Reserved
Sqrrl uses Apache Shiro to expose configurable security
Less work needed to use existing security architecture
SEVENTH TRY
© 2014 Sqrrl | All Rights Reserved
LDAP’s role-based access says: User1->HR
User2->InternalConflicts User3->Payroll User4->Taxes
SEVENTH TRY
© 2014 Sqrrl | All Rights Reserved
One less system to maintain!
LDAP’s role-based access says: User1->HR
User2->InternalConflicts User3->Payroll User4->Taxes
SEVENTH TRY
© 2014 Sqrrl | All Rights Reserved
One less system to maintain! But our orgs are hierarchical!
LDAP’s role-based access says: User1->HR
User2->InternalConflicts User3->Payroll User4->Taxes
EIGHTH TRY
© 2014 Sqrrl | All Rights Reserved
Policy Engine Says: InternalConflicts->InternalConflicts,HR
Payroll->Payroll,Finance Taxes->Finance,AccountsReceivable
EIGHTH TRY
© 2014 Sqrrl | All Rights Reserved
But what if I don’t want a certain org to get a piece of data?
Policy Engine Says: InternalConflicts->InternalConflicts,HR
Payroll->Payroll,Finance Taxes->Finance,AccountsReceivable
NINTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid5 {"field1@[designer&!manager]": "Value”}
NINTH TRY
© 2014 Sqrrl | All Rights Reserved
Accumulo and Sqrrl do not support NOTs
uuid5 {"field1@[designer&!manager]": "Value”}
© 2014 Sqrrl | All Rights Reserved
Visibility labels have been a core piece of Accumulo for almost 6 years.
Last thing we want is people to inadvertently leak
data because of change in our security story (adding NOTs)
Accumulo has always supported downgrading
authorizations and this behavior will break NOTs
WHY NO NOTS?
NINTH TRY
© 2014 Sqrrl | All Rights Reserved
Accumulo and Sqrrl do not support NOTs
What are we trying to accomplish?
uuid5 {"field1@[designer&!manager]": "Value”}
TENTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid5 {"field1@[designer&(worker&contractor)]": "Value”}
TENTH TRY
© 2014 Sqrrl | All Rights Reserved
But I want others to know some part of uuid5 field1!
uuid5 {"field1@[designer&(worker&contractor)]": "Value”}
REMEMBER
© 2014 Sqrrl | All Rights Reserved
REMEMBER
© 2014 Sqrrl | All Rights Reserved
{"children@[FAM|IRS]": {"current": [{ "name": "Johnny" }], "expecting@[FAM]": [{ "name": "Baby Girl"}] } }
ELEVENTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid5 {"field1@[designer&(worker&contractor)]": "Value”}
uuid5 {"field1@[engineer&(worker&contractor)]": "Value”}
ELEVENTH TRY
© 2014 Sqrrl | All Rights Reserved
But I still want the managers to know that uuid5 field1 exists!
uuid5 {"field1@[designer&(worker&contractor)]": "Value”}
uuid5 {"field1@[engineer&(worker&contractor)]": "Value”}
TWELTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid5 {"field1": "Value”} uuid5 {"field1@[designer&(worker&contractor)]":
"Value”} uuid5 {"field1@[engineer&(worker&contractor)]":
"Value”}
TWELTH TRY
© 2014 Sqrrl | All Rights Reserved
How can root look at everything?
uuid5 {"field1": "Value”} uuid5 {"field1@[designer&(worker&contractor)]":
"Value”} uuid5 {"field1@[engineer&(worker&contractor)]":
"Value”}
THIRTEENTH TRY
© 2014 Sqrrl | All Rights Reserved
uuid5 {"field1": "Value”} uuid5 {"field1@[root|(designer&(worker&contractor))]":
"Value”} uuid5 {"field1@[root|(engineer&(worker&contractor))]":
"Value”}
THIRTEENTH TRY
© 2014 Sqrrl | All Rights Reserved
I don’t like that...
uuid5 {"field1": "Value”} uuid5 {"field1@[root|(designer&(worker&contractor))]":
"Value”} uuid5 {"field1@[root|(engineer&(worker&contractor))]":
"Value”}
THIRTEENTH TRY 2
© 2014 Sqrrl | All Rights Reserved
Remember the policy engine!
LDAP knows all roles root->all roles
THIRTEENTH TRY 2
© 2014 Sqrrl | All Rights Reserved
All of my bases are covered!
Except...
Remember the policy engine!
LDAP knows all roles root->all roles
GETTING CRAFTY
© 2014 Sqrrl | All Rights Reserved
What if I want to: ● Allow authorizations based on time ● Allow authorizations based on location ● Make data more available ● Make data less available
BEING CRAFTY
© 2014 Sqrrl | All Rights Reserved
Remember the policy engine!
If you have the data available, you can use it!
COARSE ACCESS CONTROLS
© 2014 Sqrrl | All Rights Reserved
Accumulo Tables have Read permissions for coarse access.
These can be used to restrict access to an
entire table for a user.
This is also exposed through a pluggable mechanism.
PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
Looks familiar… what is this?
PLUGGABLE SECURITY TO THE RESCUE
© 2014 Sqrrl | All Rights Reserved
tserver scan
Pluggable PermissionHandler
hasTablePermission() scan
DATA-CENTRIC SECURITY
© 2014 Sqrrl | All Rights Reserved
Sqrrl promotes Data-Centric Security.
Sqrrl encourages amalgamation of data for improved analytics. Coarse access breaks
this.
RECAP
© 2014 Sqrrl | All Rights Reserved
● Label for the data, not the users ● Label with the highest granularity
possible ● Let the policy engine do the rest of the
work ● Need to rely on external services or
special processes for tracking labels ● These can manage users authorizations
and general access
RECAP
© 2014 Sqrrl | All Rights Reserved
Cell level security boils down to two separate components ● Data labels ● User granted labels They are the two halves that establish cell level security.
RECAP
© 2014 Sqrrl | All Rights Reserved
Cell level security boils down to two separate components ● Data labels ● User granted labels They are the two halves that establish cell level security. Put the two together, and magic happens.
© 2014 Sqrrl | All Rights Reserved
QUESTIONS?
@ohshazbot
john@sqrrl.com
SQRRL VISIBILITY LABELS AND PLUGGABLE AUTHORIZATION:
A LOVE STORY
top related