Authorization in a distributed system using access control lists and groups

US 10,044,718 B2
Filed: 08/12/2015
Issued: 08/07/2018
Est. Priority Date: 05/27/2015
Status: Active Grant

First Claim

Patent Images

1. A method of controlling sharing of an object between entities in a distributed system, the method comprising:

by a processing device;

identifying an object;

generating an access control list (ACL) for the object so that the ACL includes a list of clauses, in which at least one clause includes a blessing pattern that includes a reference to one or more groups, wherein;

each blessing pattern comprises a slash-separated sequence of components, where each component comprises either a slash-free string of a blessing or a group reference, andeach group represents a set of strings, wherein the set of strings represent one or more second blessing patterns or one or more fragments of one or more second blessing patterns;

saving the ACL to a data store for use in responding to a request to access the object;

receiving, from a client device, a request to access the object, wherein the request includes at least one blessing;

accessing the ACL;

determining that the ACL includes at least one clause with a blessing pattern that matches a blessing in the request;

parsing each determined clause of the ACL that has the relevant blessing pattern to determine whether the clause comprises a permit clause or a deny clause; and

using results of the parsing to decide whether to grant or deny the client device access to the object, and in response either granting or denying the client device access to the object.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a method of controlling sharing of an object between entities in a distributed system, a processor will identify an object and generate an access control list (ACL) for the object so that the ACL includes a list of clauses. Each clause will include a blessing pattern that will match one or more blessings, and at least one of the clauses also may include a reference to one or more groups. Each group represents a set of strings that represent blessing patterns or fragments of blessing patterns. The processor may generate each clause of the ACL as either a permit clause or a deny clause to indicate whether an entity or entities that have a blessing matched by the blessing pattern are permitted to access the object. The processor will save the ACL to a data store for use in responding to a request to access the object.

59 Citations

View as Search Results

18 Claims

1. A method of controlling sharing of an object between entities in a distributed system, the method comprising:
- by a processing device;
  
  identifying an object;
  
  generating an access control list (ACL) for the object so that the ACL includes a list of clauses, in which at least one clause includes a blessing pattern that includes a reference to one or more groups, wherein;
  
  each blessing pattern comprises a slash-separated sequence of components, where each component comprises either a slash-free string of a blessing or a group reference, andeach group represents a set of strings, wherein the set of strings represent one or more second blessing patterns or one or more fragments of one or more second blessing patterns;
  
  saving the ACL to a data store for use in responding to a request to access the object;
  
  receiving, from a client device, a request to access the object, wherein the request includes at least one blessing;
  
  accessing the ACL;
  
  determining that the ACL includes at least one clause with a blessing pattern that matches a blessing in the request;
  
  parsing each determined clause of the ACL that has the relevant blessing pattern to determine whether the clause comprises a permit clause or a deny clause; and
  
  using results of the parsing to decide whether to grant or deny the client device access to the object, and in response either granting or denying the client device access to the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein generating the ACL comprises generating each clause as either a permit clause or a deny clause, thus indicating whether an entity or entities that have a blessing matched by the blessing pattern are permitted to access the object.
  - 3. The method of claim 1, wherein:
    - determining that the ACL includes at least one clause comprises determining that the ACL includes multiple clauses with a matching blessing pattern; and
      
      using results of the parsing to decide whether to grant or deny the client device access to the object comprises granting the client device access to the object only if the later of the determined clauses comprises the permit clause, otherwise denying the client device access to the object.
  - 4. The method of claim 1, wherein:
    - determining that the ACL includes at least one clause comprises determining that the ACL includes multiple clauses with a matching blessing pattern; and
      
      using results of the parsing to decide whether to grant or deny the client device access to the object comprise granting the client device access to the object only if the earlier of the determined clauses comprises the permit clause, otherwise denying the client device access to the object.
  - 5. The method of claim 1, wherein:
    - determining that the ACL includes at least one clause comprises determining that the ACL includes a group; and
      
      the method further comprises;
      
      sending a request to a group server to determine whether the request is associated with a member of the group,receiving a response from the group server, andalso using the response from the group server when deciding whether to grant or deny the client device access to the object.
  - 6. The method of claim 5, wherein receiving the response from the group server comprises:
    - receiving a first indication comprising a portion of the request that is associated with the group; and
      
      receiving a second indication comprising a remainder of the request that is not associated with the group.
  - 7. The method of claim 1, wherein each blessing and group is represented by one or more human-readable names.
  - 8. The method of claim 1, wherein at least one of the group names is embedded within an individual component of a blessing pattern.
  - 9. The method of claim 5, further comprising, by the group server:
    - saving a definition of a group to a computer readable memory so that the definition of a group is associated with a first time;
      
      saving an updated definition of a group to the computer readable memory so that the updated definition of a group is associated with a second time; and
      
      when generating the response, determining a time associated with the request, and using the time to determine which version of the group definition to use in evaluating the request.

10. A system for controlling sharing of an object between distributed entities, the system comprising:
- a processing device;
  
  a first data store portion comprising a plurality of stored objects;
  
  a second data store portion; and
  
  a computer-readable memory containing programming instructions that are configured to cause the processing device to;
  
  identify an object from the first data store portion,generate an access control list (ACL) for the object so that the ACL includes a list of clauses, in which at least one clause includes a blessing pattern that includes a reference to one or more groups, wherein;
  
  each blessing pattern comprises a slash-separated sequence of components, where each component comprises either a slash-free string of a blessing, a group reference; and
  
  each group represents a set of strings, wherein the set of strings represent one or more second blessing patterns or one or more fragments of one or more second blessing patterns,save the ACL to the second data store portion for use in responding to a request to access the object,receive, from a client device, a request to access the object, wherein the request includes at least one blessing,access the ACL,determine that the ACL includes at least one clause with a blessing pattern that matches a blessing in the request,parse each determined clause of the ACL that has the relevant blessing pattern to determine whether the clause comprises a permit clause or a deny clause, anduse results of the parsing to decide whether to grant or deny the client device access to the object, and in response either grant or deny the client device access to the object.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the instructions to generate the ACL comprise instructions to generate each clause as either a permit clause or a deny clause, thus indicating whether an entity or entities that have a blessing matched by the blessing pattern are permitted to access the object.
  - 12. The system of claim 10, wherein:
    - the instructions to determine that the ACL includes at least one clause comprise instructions to determine that the ACL includes multiple clauses with a matching blessing pattern; and
      
      the instructions to use results of the parsing to decide whether to grant or deny the client device access to the object comprise instructions to grant the client device access to the object only if the later of the determined clauses comprises the permit clause, otherwise deny the client device access to the object.
  - 13. The system of claim 10, wherein:
    - the instructions to determine that the ACL includes at least one clause comprise instructions to determine that the ACL includes multiple clauses with a matching blessing pattern; and
      
      the instructions to use results of the parsing to decide whether to grant or deny the client device access to the object comprise the instructions to grant the client device access to the object only if the earlier of the determined clauses comprises the permit clause, otherwise deny the client device access to the object.
  - 14. The system of claim 10, wherein:
    - the instructions to determine that the ACL includes at least one clause comprise instructions to determine that the ACL includes a group; and
      
      the system further comprises additional programming instructions configured to cause the processor to;
      
      send a request to a group server to determine whether the request is associated with a member of the group,receive a response from the group server, andalso use the response from the group server when deciding whether to grant or deny the client device access to the object.
  - 15. The system of claim 14, wherein the instructions to receive the response from the group server comprise instructions to:
    - receive a first indication comprising a portion of the request that is associated with the group; and
      
      receive a second indication comprising a remainder of the request that is not associated with the group.
  - 16. The system of claim 10, wherein each blessing and group is represented by one or more human-readable names.
  - 17. The system of claim 10, wherein at least one of the group names is embedded within an individual component of a blessing pattern.
  - 18. The system of claim 14, further comprising:
    - the group server, wherein the group server comprises a group server processor; and
      
      a computer-readable memory portion containing programming instructions that are configured to instruct the group server to;
      
      save a definition of a group to a third data store portion so that the definition of a group is associated with a first time;
      
      save an updated definition of a group to the third data store portion so that the updated definition of a group is associated with a second time; and
      
      when generating the response, determine a time associated with the request, and use the time to determine which version of the group definition to use in evaluating the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google LLC (Alphabet Inc.)
Inventors
Burrows, Michael, Abadi, Martin, Pucha, Himabindu, Sadovsky, Adam, Shankar, Asim, Taly, Ankur
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Holmes, Angela R

Application Number

US14/824,727
Publication Number

US 20160352744A1
Time in Patent Office

1,091 Days
Field of Search

726 4
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

Authorization in a distributed system using access control lists and groups

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Authorization in a distributed system using access control lists and groups

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links