Authorization in a distributed system using access control lists and groups
First Claim
1. A method of controlling sharing of an object between entities in a distributed system, the method comprising:
- by a processing device;
identifying an object;
generating an access control list (ACL) for the object so that the ACL includes a list of clauses, in which at least one clause includes a blessing pattern that includes a reference to one or more groups, wherein;
each blessing pattern comprises a slash-separated sequence of components, where each component comprises either a slash-free string of a blessing or a group reference, andeach group represents a set of strings, wherein the set of strings represent one or more second blessing patterns or one or more fragments of one or more second blessing patterns;
saving the ACL to a data store for use in responding to a request to access the object;
receiving, from a client device, a request to access the object, wherein the request includes at least one blessing;
accessing the ACL;
determining that the ACL includes at least one clause with a blessing pattern that matches a blessing in the request;
parsing each determined clause of the ACL that has the relevant blessing pattern to determine whether the clause comprises a permit clause or a deny clause; and
using results of the parsing to decide whether to grant or deny the client device access to the object, and in response either granting or denying the client device access to the object.
2 Assignments
0 Petitions
Accused Products
Abstract
In a method of controlling sharing of an object between entities in a distributed system, a processor will identify an object and generate an access control list (ACL) for the object so that the ACL includes a list of clauses. Each clause will include a blessing pattern that will match one or more blessings, and at least one of the clauses also may include a reference to one or more groups. Each group represents a set of strings that represent blessing patterns or fragments of blessing patterns. The processor may generate each clause of the ACL as either a permit clause or a deny clause to indicate whether an entity or entities that have a blessing matched by the blessing pattern are permitted to access the object. The processor will save the ACL to a data store for use in responding to a request to access the object.
59 Citations
18 Claims
-
1. A method of controlling sharing of an object between entities in a distributed system, the method comprising:
by a processing device; identifying an object; generating an access control list (ACL) for the object so that the ACL includes a list of clauses, in which at least one clause includes a blessing pattern that includes a reference to one or more groups, wherein; each blessing pattern comprises a slash-separated sequence of components, where each component comprises either a slash-free string of a blessing or a group reference, and each group represents a set of strings, wherein the set of strings represent one or more second blessing patterns or one or more fragments of one or more second blessing patterns; saving the ACL to a data store for use in responding to a request to access the object; receiving, from a client device, a request to access the object, wherein the request includes at least one blessing; accessing the ACL; determining that the ACL includes at least one clause with a blessing pattern that matches a blessing in the request; parsing each determined clause of the ACL that has the relevant blessing pattern to determine whether the clause comprises a permit clause or a deny clause; and using results of the parsing to decide whether to grant or deny the client device access to the object, and in response either granting or denying the client device access to the object. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
10. A system for controlling sharing of an object between distributed entities, the system comprising:
-
a processing device; a first data store portion comprising a plurality of stored objects; a second data store portion; and a computer-readable memory containing programming instructions that are configured to cause the processing device to; identify an object from the first data store portion, generate an access control list (ACL) for the object so that the ACL includes a list of clauses, in which at least one clause includes a blessing pattern that includes a reference to one or more groups, wherein; each blessing pattern comprises a slash-separated sequence of components, where each component comprises either a slash-free string of a blessing, a group reference; and each group represents a set of strings, wherein the set of strings represent one or more second blessing patterns or one or more fragments of one or more second blessing patterns, save the ACL to the second data store portion for use in responding to a request to access the object, receive, from a client device, a request to access the object, wherein the request includes at least one blessing, access the ACL, determine that the ACL includes at least one clause with a blessing pattern that matches a blessing in the request, parse each determined clause of the ACL that has the relevant blessing pattern to determine whether the clause comprises a permit clause or a deny clause, and use results of the parsing to decide whether to grant or deny the client device access to the object, and in response either grant or deny the client device access to the object. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
Specification