Browse Prior Art Database

A Method and System for Providing Dynamic Access Controls for Bigtable Database

IP.com Disclosure Number: IPCOM000240581D
Publication Date: 2015-Feb-10
Document File: 3 page(s) / 51K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method and system is disclosed for providing dynamic access controls for bigtable database.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 36% of the total text.

Page 01 of 3

A Method and System for Providing Dynamic Access Controls for Bigtable Database

Bigtable model for large, scalable, non relational databases is widely reimplemented, including in the open source HBase and Accumulo databases. Apache Accumulo extends the Bigtable model by adding a visibility label to each cell. When data is read from a database, a database server filters out cells for which a reader does not have access before any further processing. Existing databases might include only a minimal table level security where an entire table or none may be seen. For example, there might not be a provision to see an entire table except for customers ' real names in the existing databases. Accumulo's visibility labels add a level of control, indirectly allowing controls to be applied at row or column levels. Since the visibility labels are stored with the data, any corporate level change in a security policy requires deleting and reloading terabytes or petabytes of data. Generally, customers find data security policies complex. Additionally, the data security policies change quite frequently. Further, a full data reload to accommodate a change in policy is prohibitive . Internally, Accumulo

works by reading lists of cells from files in a networked storage. Thereafter, the files are post processed with a sequence of iterators. The first iterator in Accumulo's processing evaluates each cell's security label against the current user's permissions after data is read from the storage. The first iterator may remove cells from a data stream if cells are hidden. More dynamic access control capabilities are included in DB2's
label based access control (LBAC) and row and column access control (RCAC). Traditional databases such as DB2 have trouble reaching data volumes of petabytes or higher. DB2's LBAC stores visibility information for each row in the database similar to

Accumulo and cannot easily accommodate dynamic changes in a policy .

The method and system is disclosed for providing dynamic access controls for bigtable database. A dynamic security policy evaluator is added to the start of as processing chain. The actual policy is stored as metadata in a table configuration or in an external file. Thus, the policy can be changed easily without reloading the data. This approach can be applied to any distributed database supporting in database computation without requiring changes in an underlying data model. When data is read back from the database, the security policy is evaluated for each cell. The result of the security policy can show the cell as is, hide the cell entirely, or to replace the cell's contents with some other value. Such results add in supporting data anonymization.

The method and system is based on Accumulo 's processing model. The data is broken up into some number of tablets. Each of the broken data is owned by exactly one tablet server running in a cluster. The tablets in turn are backed by a number of indexed binary file...