Database Permissions in Accumulo

Accumulo is a scalable, distributed key-value data store that was designed with data security requirements in mind from its inception.

Administration Permissions

Accumulo uses rights-based security to control data operations in the Accumulo database.  The root user is created the first time you set up Accumulo, with the accumulo init command.  The root user can create other users, manage tables, and manage user permissions.

$ACCUMULO_HOME/bin/accumulo init

When you run this command, it prompts for a password for the root user.

By default users cannot create tables or read data from tables.  In order for users to read data, the administrator must grant them read permission on a table, and the data access authorizations must also be set up.

Data Access Permissions
Each value in the distributed data store is indexed by a key containing a row, column family, column qualifier and timestamp.  The key also carries a column visibility label, which is applied each time a value is inserted into Accumulo.

The user trying to read data must hold the data access authorization, or combination of authorizations, that matches the column visibility label.  This is in addition to the read permission on the table.  When each value is inserted into Accumulo, it is inserted with the column visibility label required to access it.

Employee Database Example
To see how the permissions work in Accumulo, create a table that hypothetically holds confidential and sensitive information about employees.  Confidential information is items such as the first name and last name, while sensitive information would be the employee's SSN.

First create a table called 'empinfo'.  By default users do not have the create table permission, so do this as the root user.

Enter the accumulo shell:

$ACCUMULO_HOME/bin/accumulo shell -u root

root@spry> createtable empinfo

Create an HR user that will be able to view the confidential but not the sensitive information.  Only root has the ability to create users by default.

root@spry> createuser hr

Each insert into Accumulo consists of the row key (employee id), the field name, and then the value, followed by -l and the visibility label.  In this case the label for confidential will be 'c' and the label for sensitive will be 's'.  Note that labels can be and'ed together with &.  Simulate a data import with commands like:

root@spry> insert row 1 fname mark  -l c
root@spry> insert row 1 ssn 56-555-5555 -l c&s

Now the hr user has to be granted read permission on the table and also the 'c' authorization.  This requires the alter user permission, which root has by default.

root@spry> setauths -s c -u hr
root@spry> grant -t empinfo Table.READ -u hr

Scan the inserted data.

root@spry> user hr
hr@spry empinfo> scan

You can see that only the cells with confidential information are returned.

row 1:fname [c]    mark
row 1:lname [c]    f
row 2:fname [c]    matt
row 2:lname [c]    m

You can also create the payroll user now, with access to both the sensitive and the confidential information.

root@spry> grant -t empinfo Table.READ -u payroll
root@spry> setauths -s c,s -u payroll
root@spry> user payroll

payroll@spry empinfo> scan

Sensitive information is now included in the results.

row 1:fname [c]    mark
row 1:lname [c]    f
row 1:ssn [s&c]    555-55-5555
row 2:fname [c]    matt
row 2:lname [c]    m
row 2:ssn [s&c]    555-55-5555
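
The check behind these two scans, as an added example that is not part of the original post or of Accumulo's own code: a toy model in which a cell is returned only if the scanner's authorizations satisfy its visibility label (terms joined by & or |, with parentheses, and no mixing of & and | at one level without parentheses). The empinfo rows and the hr/payroll account state are constructed to mirror the post.

```python
# Added example (not Accumulo code): model the scan-time visibility check.
# A cell is visible only if the reader's authorization set satisfies its label;
# mixing & and | at one level without parentheses is rejected, as Accumulo does.

def visible(label, auths):
    """True if the authorization set satisfies the label; an empty label is public."""
    if not label:
        return True
    result, pos = _parse(label, 0, auths)
    if pos != len(label):
        raise ValueError("unexpected ')' at %d in %r" % (pos, label))
    return result

def _parse(label, pos, auths):
    value = op = None
    while pos < len(label) and label[pos] != ')':
        ch = label[pos]
        if ch in '&|':                       # operator: must not mix at one level
            if op not in (None, ch):
                raise ValueError("mixed & and | without parentheses in %r" % label)
            op, pos = ch, pos + 1
            continue
        if ch == '(':                        # parenthesised sub-expression
            term, pos = _parse(label, pos + 1, auths)
            if pos >= len(label) or label[pos] != ')':
                raise ValueError("missing ')' in %r" % label)
            pos += 1
        else:                                # bare authorization term
            end = pos
            while end < len(label) and label[end] not in '&|()':
                end += 1
            term, pos = label[pos:end] in auths, end
        value = term if value is None else (value and term if op == '&' else value or term)
    if value is None:
        raise ValueError("empty expression in %r" % label)
    return value, pos

# Constructed cells mirroring the post's empinfo rows: (row, family, qualifier, label, value).
EMPINFO = [("row", "1", "fname", "c", "mark"), ("row", "1", "lname", "c", "f"),
           ("row", "1", "ssn", "c&s", "555-55-5555"), ("row", "2", "fname", "c", "matt"),
           ("row", "2", "lname", "c", "m"), ("row", "2", "ssn", "c&s", "555-55-5555")]
# Constructed account state: tables with Table.READ, and the auths given with setauths.
USERS = {"hr": ({"empinfo"}, {"c"}), "payroll": ({"empinfo"}, {"c", "s"})}

def scan(user, table, cells=EMPINFO):
    """Model a shell scan: Table.READ is checked first, then each cell's label."""
    readable, auths = USERS[user]
    if table not in readable:
        raise PermissionError("%s lacks Table.READ on %s" % (user, table))
    return [(r, f, q, v) for r, f, q, label, v in cells if visible(label, auths)]
```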

Conclusion
Accumulo provides a simple but elegant access control for individual values in a table.  The mechanism is flexible and useful for use cases with information at varying access levels.  Once the user authorizations have been administered and the applications that insert the data have been created, the security mechanism is transparent to the application.
