Securely explore your data
Accumulo Visibility Labels and Pluggable Authorization Systems: A Love Story
John Vines
Engineer
Sqrrl Data, Inc.
john@sqrrl.com
WHAT MAKES ACCUMULO SPECIAL WHEN IT COMES TO SECURITY?
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
CELL-LEVEL SECURITY
tldr;
visibilities are like ACLs
...sort of
THAT’S GREAT!
What does it get me?
Amalgamating data sources that are segregated
THE SCENARIO:
I am a first-time Accumulo user
I want to use its nifty features
I have no idea what I’m doing
FIRST TRY
Scan without JohnsLabel
*sad trombone*
Scan with JohnsLabel
row1 colf1:colq1 JohnsLabel
row1 colf2:colq1 JohnsLabel
row2 colf1:colq3 JohnsLabel
row3 colf1:colq1 JohnsLabel
row4 colf4:colq2 JohnsLabel
SECOND TRY
row1 colf1:colq1 JohnsApplication
row1 colf2:colq1 JohnsApplication
row2 colf1:colq3 JohnsApplication
row3 colf1:colq1 JohnsApplication
row4 colf4:colq2 JohnsApplication
What does my label even mean?
THIRD TRY
row1 colf1:colq1 application1|application2
row1 colf2:colq1 application1
row2 colf1:colq3 application2
row3 colf1:colq1 application2
row4 colf4:colq2 application3
What about analytic4? analytic5? 6?
BACK TO THE DRAWING BOARD
What am I trying to accomplish?
Why am I segregating my data?
FOURTH TRY
row1 colf1:colq1 org1|org2
row1 colf2:colq1 org1
row2 colf1:colq3 org2
row3 colf1:colq1 org2
row4 colf4:colq2 org1&org2
Organizations are big!
FIFTH TRY
row1 colf1:colq1 subOrg1|subOrg2
row1 colf2:colq1 subOrg1
row2 colf1:colq3 subOrg2
row3 colf1:colq1 subOrg2
row4 colf4:colq2 subOrg1&subOrg2
What about if subOrgs change?
Why do these orgs have permission?
SIXTH TRY
row1 colf1:colq1 accountsReceivable|payroll
row1 colf2:colq1 accountsReceivable
row2 colf1:colq3 payroll
row3 colf1:colq1 payroll
row4 colf4:colq2 accountsReceivable&payroll
Looks good!
But now I need to manage users!
PLUGGABLE SECURITY TO THE RESCUE
okay… what is this?
[Diagram: tserver, scan, Pluggable Authorizor getAuths(), scan]
Now we can use our existing system!
SEVENTH TRY
LDAP’s role-based access says:
User1->HR
User2->InternalConflicts
User3->Payroll
User4->Taxes
One less system to maintain!
But our orgs are hierarchical!
EIGHTH TRY
Authorizor Says:
InternalConflicts->InternalConflicts,HR
Payroll->Payroll,Finance
Taxes->Finance,AccountsReceivable
But what if I don’t want a certain org to get a piece of data?
NINTH TRY
row5 colf1:colq3 designer&!manager
Accumulo does not support NOTs
What are we trying to accomplish?
TENTH TRY
row5 colf1:colq3 designer&(worker&contractor)
But I want others to know some part of row5 colf1:colq!
REMEMBER
ELEVENTH TRY
row5 colf1:colq3 designer&(worker&contractor)
row5 colf1:colq3 engineer&(worker&contractor)
But I still want the managers to know that row5 colf1:colq3 exists!
TWELFTH TRY
row5 colf1:colq3
row5 colf1:colq3 designer&(worker&contractor)
row5 colf1:colq3 engineer&(worker&contractor)
How can root look at everything?
THIRTEENTH TRY
row5 colf1:colq3
row5 colf1:colq3 root|(designer&(worker&contractor))
row5 colf1:colq3 root|(engineer&(worker&contractor))
I don’t like that...
THIRTEENTH TRY 2
Remember the pluggable Authorizor!
LDAP knows all roles
root->all roles
All of my bases are covered!
Except...
GETTING CRAFTY
What if I want to:
● Allow authorizations based on time
● Allow authorizations based on location
● Make data more available
● Make data less available
BEING CRAFTY
Remember the pluggable Authorizor!
If you have the data available, you can use it!
Just remember: visibility labels are filters. They’re not made for restricting entire tables.
FOURTEENTH TRY
Accumulo Tables have Read permissions for coarse access!
Can we do it to people who are missing certain labels?
PLUGGABLE SECURITY TO THE RESCUE
Looks familiar… what is this?
[Diagram: tserver, scan, Pluggable PermissionHandler hasTablePermission(), scan]
Now we can use our existing system for coarse access!
RECAP
● Label for the data, not the users
● Label with the highest granularity possible
● Let the pluggable security do the rest of the work
● Need to rely on external services or special processes for tracking labels
● These can manage users' authorizations and general access
RECAP
Cell level security boils down to two separate components
● Data labels
● User granted labels
They are the two halves that establish cell level security. Put the two together, and magic happens.
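An added example, not code from the slides or from Accumulo: a small Python model of the two halves named in the recap, with data labels evaluated against the labels a pluggable Authorizor grants. The cell list is constructed, get_auths() and scan() are hypothetical stand-ins for the deck's getAuths() and a tserver scan, and the role tables are those of the seventh and eighth tries; rejecting unparenthesized mixes of & and | follows Accumulo's expression syntax rather than anything stated on the slides.

```python
import re

# Labels use the characters Accumulo allows unquoted; anything else (including
# '!' and whitespace) is rejected, so "designer&!manager" fails to parse.
TOKEN = re.compile(r"[A-Za-z0-9_\-:./]+|[&|()]")

def tokenize(expr):
    pos, out = 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"illegal character {expr[pos]!r} at offset {pos}")
        out.append(m.group())
        pos = m.end()
    return out

def _group(tokens, pos):
    """Parse labels or (groups) joined by one operator; return (tree, next_pos)."""
    nodes, op = [], None
    while True:
        if pos >= len(tokens) or tokens[pos] in ("&", "|", ")"):
            raise ValueError("label or '(' expected")
        if tokens[pos] == "(":
            node, pos = _group(tokens, pos + 1)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
        else:
            node, pos = ("term", tokens[pos]), pos + 1
        nodes.append(node)
        if pos >= len(tokens) or tokens[pos] == ")":
            return (nodes[0] if len(nodes) == 1 else (op, nodes)), pos
        if tokens[pos] not in ("&", "|"):
            raise ValueError("operator expected")
        if op not in (None, tokens[pos]):
            raise ValueError("cannot mix & and | without parentheses")
        op, pos = tokens[pos], pos + 1

def parse(expr):
    tokens = tokenize(expr)
    if not tokens:
        return None  # empty visibility: the cell carries no restriction
    tree, pos = _group(tokens, 0)
    if pos != len(tokens):
        raise ValueError("unbalanced ')'")
    return tree

def visible(expr, auths):
    """True when the set of granted labels satisfies the data label."""
    def ev(node):
        kind, val = node
        if kind == "term":
            return val in auths
        return all(map(ev, val)) if kind == "&" else any(map(ev, val))
    tree = parse(expr)
    return tree is None or ev(tree)

# Role tables copied from the seventh and eighth tries.
LDAP_ROLES = {"User1": "HR", "User2": "InternalConflicts",
              "User3": "Payroll", "User4": "Taxes"}
ROLE_EXPANSION = {"InternalConflicts": {"InternalConflicts", "HR"},
                  "Payroll": {"Payroll", "Finance"},
                  "Taxes": {"Finance", "AccountsReceivable"}}

def get_auths(user):
    """Hypothetical Authorizor: LDAP role, expanded through the hierarchy."""
    if user == "root":  # root -> all roles
        return set(LDAP_ROLES.values()).union(*ROLE_EXPANSION.values())
    role = LDAP_ROLES.get(user)
    return set() if role is None else set(ROLE_EXPANSION.get(role, {role}))

# Constructed cells: (row, column, visibility), labelled for the data.
CELLS = [("row1", "colf1:colq1", "AccountsReceivable|Payroll"),
         ("row1", "colf2:colq1", "AccountsReceivable"),
         ("row2", "colf1:colq3", "Payroll"),
         ("row4", "colf4:colq2", "AccountsReceivable&Payroll"),
         ("row5", "colf1:colq3", ""),
         ("row6", "colf1:colq1", "HR&(Finance|Payroll)")]

def scan(user, cells=CELLS):
    """Return the (row, column) pairs the user's granted labels let through."""
    auths = get_auths(user)
    return [(row, col) for row, col, vis in cells if visible(vis, auths)]

if __name__ == "__main__":
    for user in ("User1", "User2", "User3", "User4", "root"):
        print(user, sorted(get_auths(user)), scan(user))
```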
QUESTIONS?
@ohshazbot
john@sqrrl.com
ACCUMULO VISIBILITY LABELS AND PLUGGABLE AUTHORIZATION: A LOVE STORY


Accumulo Summit 2014: Accumulo Visibility Labels and Pluggable Authorization Systems: A Love Story
