Sqrrl June Webinar: An Accumulo Love Story

Securely explore your data Sqrrl Visibility Labels and Pluggable Authorization Systems: A Love Story John Vines Engineer Sqrrl Data, Inc. [email protected]

Labels in Sqrrl Enterprise provide great power and flexibility. In this webinar, founding Sqrrl engineer John Vines goes over the benefits and pitfalls of using visibility labels with pluggable authorization systems, and we will go through scenarios of different systems on top of Sqrrl Enterprise.

Transcript of Sqrrl June Webinar: An Accumulo Love Story

Page 1: Sqrrl June Webinar: An Accumulo Love Story

Securely explore your data

Sqrrl Visibility Labels and

Pluggable Authorization Systems: A Love Story

John Vines Engineer Sqrrl Data, Inc. [email protected]

Page 2: Sqrrl June Webinar: An Accumulo Love Story

WHAT MAKES ACCUMULO SPECIAL WHEN IT COMES TO SECURITY?

© 2014 Sqrrl | All Rights Reserved

Page 3: Sqrrl June Webinar: An Accumulo Love Story

CELL-LEVEL SECURITY

Page 4: Sqrrl June Webinar: An Accumulo Love Story

CELL-LEVEL SECURITY

Page 5: Sqrrl June Webinar: An Accumulo Love Story

CELL-LEVEL SECURITY

tldr;

visibilities are like ACLs

Page 6: Sqrrl June Webinar: An Accumulo Love Story

CELL-LEVEL SECURITY

tldr;

visibilities are like ACLs

...sort of

Page 7: Sqrrl June Webinar: An Accumulo Love Story

SQRRL

What does this mean with Sqrrl?

Page 8: Sqrrl June Webinar: An Accumulo Love Story

SQRRL

What does this mean with Sqrrl?

Sqrrl uses these labels within hierarchical documents for the same effect

Page 9: Sqrrl June Webinar: An Accumulo Love Story

SQRRL JSON

{"children@[FAM|IRS]": {"current": [{ "name": "Johnny" }], "expecting@[FAM]": [{ "name": "Baby Girl"}] } }

Only the family and IRS care about children. Only the family cares about expecting.

Page 10: Sqrrl June Webinar: An Accumulo Love Story

THAT’S GREAT!

What does it get me?

Page 11: Sqrrl June Webinar: An Accumulo Love Story

THAT’S GREAT!

What does it get me?

Amalgamating data sources that are segregated

Page 12: Sqrrl June Webinar: An Accumulo Love Story

THE SCENARIO:

I am a first time Sqrrl/Accumulo user
I want to use its nifty features
I have no idea what I’m doing

Page 13: Sqrrl June Webinar: An Accumulo Love Story

FIRST TRY

Scan without JohnsLabel

Page 14: Sqrrl June Webinar: An Accumulo Love Story

FIRST TRY

Scan without JohnsLabel *sad trombone*

Scan with JohnsLabel

Page 15: Sqrrl June Webinar: An Accumulo Love Story

FIRST TRY

Scan without JohnsLabel *sad trombone*

Scan with JohnsLabel

uuid1 {"field1@[JohnsLabel]": "Value"}
uuid2 {"field1@[JohnsLabel]": "Value"}
uuid3 {"field2@[JohnsLabel]": "Value"}
uuid4 {"field2@[JohnsLabel]": "Value"}
uuid5 {"field1@[JohnsLabel]": "Value"}

Page 16: Sqrrl June Webinar: An Accumulo Love Story

SECOND TRY

uuid1 {"field1@[JohnsApplication]": "Value"}
uuid2 {"field1@[JohnsApplication]": "Value"}
uuid3 {"field2@[JohnsApplication]": "Value"}
uuid4 {"field2@[JohnsApplication]": "Value"}
uuid5 {"field1@[JohnsApplication]": "Value"}

Page 17: Sqrrl June Webinar: An Accumulo Love Story

SECOND TRY

What does my label even mean?

uuid1 {"field1@[JohnsApplication]": "Value"}
uuid2 {"field1@[JohnsApplication]": "Value"}
uuid3 {"field2@[JohnsApplication]": "Value"}
uuid4 {"field2@[JohnsApplication]": "Value"}
uuid5 {"field1@[JohnsApplication]": "Value"}

Page 18: Sqrrl June Webinar: An Accumulo Love Story

THIRD TRY

uuid1 {"field1@[application1|application2]": "Value"}
uuid2 {"field1@[application1]": "Value"}
uuid3 {"field2@[application1]": "Value"}
uuid4 {"field2@[application2]": "Value"}
uuid5 {"field1@[application3]": "Value"}

Page 19: Sqrrl June Webinar: An Accumulo Love Story

THIRD TRY

What about application4? application5? 6?

uuid1 {"field1@[application1|application2]": "Value"}
uuid2 {"field1@[application1]": "Value"}
uuid3 {"field2@[application1]": "Value"}
uuid4 {"field2@[application2]": "Value"}
uuid5 {"field1@[application3]": "Value"}

Page 20: Sqrrl June Webinar: An Accumulo Love Story

BACK TO THE DRAWING BOARD

What am I trying to accomplish? Why am I segregating my data?

Page 21: Sqrrl June Webinar: An Accumulo Love Story

FOURTH TRY

uuid1 {"field1@[org1|org2]": "Value"}
uuid2 {"field1@[org1]": "Value"}
uuid3 {"field2@[org1]": "Value"}
uuid4 {"field2@[org2]": "Value"}
uuid5 {"field1@[org1&org2]": "Value"}

Page 22: Sqrrl June Webinar: An Accumulo Love Story

FOURTH TRY

Organizations are big!

uuid1 {"field1@[org1|org2]": "Value"}
uuid2 {"field1@[org1]": "Value"}
uuid3 {"field2@[org1]": "Value"}
uuid4 {"field2@[org2]": "Value"}
uuid5 {"field1@[org1&org2]": "Value"}

Page 23: Sqrrl June Webinar: An Accumulo Love Story

FIFTH TRY

What about if subOrgs change?

uuid1 {"field1@[subOrg1|subOrg2]": "Value"}
uuid2 {"field1@[subOrg1]": "Value"}
uuid3 {"field2@[subOrg1]": "Value"}
uuid4 {"field2@[subOrg2]": "Value"}
uuid5 {"field1@[subOrg1&subOrg2]": "Value"}

Page 24: Sqrrl June Webinar: An Accumulo Love Story

FIFTH TRY

What about if subOrgs change? Why do these orgs have permission?

uuid1 {"field1@[subOrg1|subOrg2]": "Value"}
uuid2 {"field1@[subOrg1]": "Value"}
uuid3 {"field2@[subOrg1]": "Value"}
uuid4 {"field2@[subOrg2]": "Value"}
uuid5 {"field1@[subOrg1&subOrg2]": "Value"}

Page 25: Sqrrl June Webinar: An Accumulo Love Story

SIXTH TRY

Looks good!

uuid1 {"field1@[accountsReceivable|payroll]": "Value"}
uuid2 {"field1@[accountsReceivable]": "Value"}
uuid3 {"field2@[accountsReceivable]": "Value"}
uuid4 {"field2@[payroll]": "Value"}
uuid5 {"field1@[accountsReceivable&payroll]": "Value"}

Page 26: Sqrrl June Webinar: An Accumulo Love Story

SIXTH TRY

Looks good! But now I need to manage users!

uuid1 {"field1@[accountsReceivable|payroll]": "Value"}
uuid2 {"field1@[accountsReceivable]": "Value"}
uuid3 {"field2@[accountsReceivable]": "Value"}
uuid4 {"field2@[payroll]": "Value"}
uuid5 {"field1@[accountsReceivable&payroll]": "Value"}

Page 27: Sqrrl June Webinar: An Accumulo Love Story

PLUGGABLE SECURITY TO THE RESCUE

Page 28: Sqrrl June Webinar: An Accumulo Love Story

PLUGGABLE SECURITY TO THE RESCUE

okay… what is this?

Page 29: Sqrrl June Webinar: An Accumulo Love Story

PLUGGABLE SECURITY TO THE RESCUE

tserver scan

Pluggable Authorizor

getAuths() scan

Page 30: Sqrrl June Webinar: An Accumulo Love Story

PLUGGABLE SECURITY TO THE RESCUE

tserver scan

Pluggable Authorizor

getAuths() scan

What does this mean to Sqrrl?

Page 31: Sqrrl June Webinar: An Accumulo Love Story

POLICY ENGINE

Sqrrl uses Apache Shiro to expose configurable security

Page 32: Sqrrl June Webinar: An Accumulo Love Story

POLICY ENGINE

Sqrrl uses Apache Shiro to expose configurable security

Less work needed to use existing security architecture

Page 33: Sqrrl June Webinar: An Accumulo Love Story

SEVENTH TRY

LDAP’s role-based access says:
User1->HR
User2->InternalConflicts
User3->Payroll
User4->Taxes

Page 34: Sqrrl June Webinar: An Accumulo Love Story

SEVENTH TRY

One less system to maintain!

LDAP’s role-based access says:
User1->HR
User2->InternalConflicts
User3->Payroll
User4->Taxes

Page 35: Sqrrl June Webinar: An Accumulo Love Story

SEVENTH TRY

One less system to maintain! But our orgs are hierarchical!

LDAP’s role-based access says:
User1->HR
User2->InternalConflicts
User3->Payroll
User4->Taxes

Page 36: Sqrrl June Webinar: An Accumulo Love Story

EIGHTH TRY

Policy Engine Says:
InternalConflicts->InternalConflicts,HR
Payroll->Payroll,Finance
Taxes->Finance,AccountsReceivable

Page 37: Sqrrl June Webinar: An Accumulo Love Story

EIGHTH TRY

But what if I don’t want a certain org to get a piece of data?

Policy Engine Says:
InternalConflicts->InternalConflicts,HR
Payroll->Payroll,Finance
Taxes->Finance,AccountsReceivable

Page 38: Sqrrl June Webinar: An Accumulo Love Story

NINTH TRY

uuid5 {"field1@[designer&!manager]": "Value"}

Page 39: Sqrrl June Webinar: An Accumulo Love Story

NINTH TRY

Accumulo and Sqrrl do not support NOTs

uuid5 {"field1@[designer&!manager]": "Value"}

Page 40: Sqrrl June Webinar: An Accumulo Love Story

WHY NO NOTS?

Visibility labels have been a core piece of Accumulo for almost 6 years.

The last thing we want is for people to inadvertently leak data because of a change in our security story (adding NOTs).

Accumulo has always supported downgrading authorizations, and this behavior will break NOTs.
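The argument on this slide can be checked with a small model of label evaluation. This is an added example, not Sqrrl or Accumulo code: `visible`, `gained_by_downgrade` and the `allow_not` switch are hypothetical names, the `!` operator exists only here for the demonstration, and label terms are limited to letters, digits and underscores.

```python
import re

TOKEN = re.compile(r"\s*([A-Za-z0-9_]+|[&|()!])")

def visible(label, auths, allow_not=False):
    """True if a scan holding `auths` may read a cell labelled `label`."""
    toks = TOKEN.findall(label)
    if "".join(toks) != "".join(label.split()):
        raise ValueError(f"illegal character in label {label!r}")
    if not toks:
        return True                    # unlabelled cell, e.g. plain "field1"
    toks.append("")                    # end-of-input sentinel
    pos = 0
    def term():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "!" and allow_not:   # hypothetical NOT, off by default
            return not term()
        if tok == "(":
            value = expression()
            if toks[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return value
        if tok in ("&", "|", ")", "!", ""):
            raise ValueError(f"unexpected {tok!r} in label {label!r}")
        return tok in auths
    def expression():
        nonlocal pos
        value, ops = term(), set()
        while toks[pos] in ("&", "|"):
            ops.add(toks[pos])
            if len(ops) > 1:           # mixing & and | requires parentheses
                raise ValueError("parenthesise mixed & and |")
            pos += 1
            rhs = term()
            value = (value and rhs) if "&" in ops else (value or rhs)
        return value
    result = expression()
    if toks[pos] != "":
        raise ValueError(f"trailing tokens in label {label!r}")
    return result

def gained_by_downgrade(label, auths, allow_not=False):
    """Authorizations a user could drop to make a hidden cell readable."""
    if visible(label, auths, allow_not):
        return []
    return sorted(a for a in auths if visible(label, auths - {a}, allow_not))
```

With only `&` and `|`, removing an authorization can never reveal a cell, so `gained_by_downgrade` is always empty; once `!` is allowed, a user holding `designer` and `manager` reads `designer&!manager` simply by scanning without `manager`.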

Page 41: Sqrrl June Webinar: An Accumulo Love Story

NINTH TRY

Accumulo and Sqrrl do not support NOTs

What are we trying to accomplish?

uuid5 {"field1@[designer&!manager]": "Value"}

Page 42: Sqrrl June Webinar: An Accumulo Love Story

TENTH TRY

uuid5 {"field1@[designer&(worker&contractor)]": "Value"}

Page 43: Sqrrl June Webinar: An Accumulo Love Story

TENTH TRY

But I want others to know some part of uuid5 field1!

uuid5 {"field1@[designer&(worker&contractor)]": "Value"}

Page 44: Sqrrl June Webinar: An Accumulo Love Story

REMEMBER

Page 45: Sqrrl June Webinar: An Accumulo Love Story

REMEMBER

{"children@[FAM|IRS]": {"current": [{ "name": "Johnny" }], "expecting@[FAM]": [{ "name": "Baby Girl"}] } }

Page 46: Sqrrl June Webinar: An Accumulo Love Story

ELEVENTH TRY

uuid5 {"field1@[designer&(worker&contractor)]": "Value"}
uuid5 {"field1@[engineer&(worker&contractor)]": "Value"}

Page 47: Sqrrl June Webinar: An Accumulo Love Story

ELEVENTH TRY

But I still want the managers to know that uuid5 field1 exists!

uuid5 {"field1@[designer&(worker&contractor)]": "Value"}
uuid5 {"field1@[engineer&(worker&contractor)]": "Value"}

Page 48: Sqrrl June Webinar: An Accumulo Love Story

TWELFTH TRY

uuid5 {"field1": "Value"}
uuid5 {"field1@[designer&(worker&contractor)]": "Value"}
uuid5 {"field1@[engineer&(worker&contractor)]": "Value"}

Page 49: Sqrrl June Webinar: An Accumulo Love Story

TWELFTH TRY

How can root look at everything?

uuid5 {"field1": "Value"}
uuid5 {"field1@[designer&(worker&contractor)]": "Value"}
uuid5 {"field1@[engineer&(worker&contractor)]": "Value"}

Page 50: Sqrrl June Webinar: An Accumulo Love Story

THIRTEENTH TRY

uuid5 {"field1": "Value"}
uuid5 {"field1@[root|(designer&(worker&contractor))]": "Value"}
uuid5 {"field1@[root|(engineer&(worker&contractor))]": "Value"}

Page 51: Sqrrl June Webinar: An Accumulo Love Story

THIRTEENTH TRY

I don’t like that...

uuid5 {"field1": "Value"}
uuid5 {"field1@[root|(designer&(worker&contractor))]": "Value"}
uuid5 {"field1@[root|(engineer&(worker&contractor))]": "Value"}

Page 52: Sqrrl June Webinar: An Accumulo Love Story

THIRTEENTH TRY 2

Remember the policy engine!

LDAP knows all roles
root->all roles

Page 53: Sqrrl June Webinar: An Accumulo Love Story

THIRTEENTH TRY 2

All of my bases are covered!

Except...

Remember the policy engine!

LDAP knows all roles
root->all roles

Page 54: Sqrrl June Webinar: An Accumulo Love Story

GETTING CRAFTY

What if I want to:
●  Allow authorizations based on time
●  Allow authorizations based on location
●  Make data more available
●  Make data less available

Page 55: Sqrrl June Webinar: An Accumulo Love Story

BEING CRAFTY

Remember the policy engine!

If you have the data available, you can use it!
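The policy-engine slides (the LDAP role list, the role expansion from the eighth try, root->all roles, and time-based authorizations) can be modelled as one function that decides which authorizations a scan may carry. This is an added example, not Sqrrl's policy engine or Apache Shiro code: `get_auths`, `all_authorizations`, the business-hours window on `Payroll`, and the pass-through of roles without an expansion rule are assumptions.

```python
from datetime import time

# Constructed from the slides' examples: LDAP role assignments and the
# policy engine's role -> authorization expansions.
LDAP_ROLES = {"User1": {"HR"}, "User2": {"InternalConflicts"},
              "User3": {"Payroll"}, "User4": {"Taxes"}}
POLICY = {"InternalConflicts": {"InternalConflicts", "HR"},
          "Payroll": {"Payroll", "Finance"},
          "Taxes": {"Finance", "AccountsReceivable"}}
# Hypothetical time rule (not on the slides): Payroll only in business hours.
WINDOWS = {"Payroll": (time(9, 0), time(17, 0))}

def all_authorizations():
    """Every authorization the directory and policy know about (root's set)."""
    known = set().union(*LDAP_ROLES.values(), *POLICY.values())
    return known | set(POLICY)

def get_auths(user, now, requested=None):
    """Model of a pluggable authorizor: what a scan by `user` at `now` may carry."""
    if user == "root":
        granted = all_authorizations()
    else:
        granted = set()
        for role in LDAP_ROLES.get(user, ()):      # unknown user gets nothing
            granted |= POLICY.get(role, {role})    # assumed: no rule = as-is
    for auth, (start, end) in WINDOWS.items():
        if not start <= now < end:
            granted.discard(auth)                  # outside the time window
    if requested is None:
        return granted
    if not set(requested) <= granted:              # may downgrade, never add
        raise PermissionError(f"{user} lacks {sorted(set(requested) - granted)}")
    return set(requested)
```

The data labels never change in any of these cases; only the set returned for the user does, which is why the labels can describe the data while the policy engine handles users, hierarchy and context.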

Page 56: Sqrrl June Webinar: An Accumulo Love Story

COARSE ACCESS CONTROLS

Accumulo Tables have Read permissions for coarse access.

These can be used to restrict access to an entire table for a user.

This is also exposed through a pluggable mechanism.

Page 57: Sqrrl June Webinar: An Accumulo Love Story

PLUGGABLE SECURITY TO THE RESCUE

Page 58: Sqrrl June Webinar: An Accumulo Love Story

PLUGGABLE SECURITY TO THE RESCUE

Looks familiar… what is this?

Page 59: Sqrrl June Webinar: An Accumulo Love Story

PLUGGABLE SECURITY TO THE RESCUE

tserver scan

Pluggable PermissionHandler

hasTablePermission() scan

Page 60: Sqrrl June Webinar: An Accumulo Love Story

DATA-CENTRIC SECURITY

Sqrrl promotes Data-Centric Security.

Sqrrl encourages amalgamation of data for improved analytics. Coarse access breaks this.

Page 61: Sqrrl June Webinar: An Accumulo Love Story

RECAP

●  Label for the data, not the users
●  Label with the highest granularity possible
●  Let the policy engine do the rest of the work
●  Need to rely on external services or special processes for tracking labels
●  These can manage users' authorizations and general access

Page 62: Sqrrl June Webinar: An Accumulo Love Story

RECAP

Cell level security boils down to two separate components
●  Data labels
●  User granted labels
They are the two halves that establish cell level security.

Page 63: Sqrrl June Webinar: An Accumulo Love Story

RECAP

Cell level security boils down to two separate components
●  Data labels
●  User granted labels
They are the two halves that establish cell level security. Put the two together, and magic happens.

Page 64: Sqrrl June Webinar: An Accumulo Love Story

QUESTIONS?

@ohshazbot

[email protected]

SQRRL VISIBILITY LABELS AND PLUGGABLE AUTHORIZATION:

A LOVE STORY