Dispersed storage system with identity unit selection and methods for use therewith
First Claim
Patent Images
1. A method for execution in a dispersed storage network (DSN), the method comprises:
- receiving, by a first computing device of the DSN, a data access request relating to at least one set of encoded data slices stored in the DSN, the data access request including requesting entity credentials and a data request having an associated request type, wherein at least a threshold number of encoded data slices of the set of encoded data slices is required to recover a corresponding data segment;
selecting, by the first computing device, one of a plurality of identity units based on the requesting entity credentials;
determining, via the selected one of the plurality of identity units, whether to allow the data access request;
when the selected one of the plurality of identity units indicates that the data access request is allowed based on the requesting entity credentials, selecting, by the first computing device or a first storage unit of a set of storage units, another one of the plurality of identity units based on the data request;
determining, via the selected other one of the plurality of identity units, whether to allow the associated request type of the data request based on access control information for at least a portion of a vault identified by a vault identifier associated with the requesting entity credentials, wherein the at least a portion of the vault comprises a sub-vault associated with the requestingentity credentials; and
when the associated request type of the data request is allowed by the selected other one of the plurality of identity units, performing, by the first storage unit, a first corresponding portion of the data access request.
5 Assignments
0 Petitions
Accused Products
Abstract
A method for execution by one or more processing modules of a dispersed storage network (DSN) includes receiving a data access request for at least one data segment stored in the DSN. One of a plurality of identity units is selected, based on the data access request. The method determines, via the selected one of the plurality of identity units, whether to allow the data access request. The data access request is processed, when the data access request is allowed via the selected one of the plurality of identity units.
86 Citations
13 Claims
-
1. A method for execution in a dispersed storage network (DSN), the method comprises:
-
receiving, by a first computing device of the DSN, a data access request relating to at least one set of encoded data slices stored in the DSN, the data access request including requesting entity credentials and a data request having an associated request type, wherein at least a threshold number of encoded data slices of the set of encoded data slices is required to recover a corresponding data segment; selecting, by the first computing device, one of a plurality of identity units based on the requesting entity credentials; determining, via the selected one of the plurality of identity units, whether to allow the data access request; when the selected one of the plurality of identity units indicates that the data access request is allowed based on the requesting entity credentials, selecting, by the first computing device or a first storage unit of a set of storage units, another one of the plurality of identity units based on the data request; determining, via the selected other one of the plurality of identity units, whether to allow the associated request type of the data request based on access control information for at least a portion of a vault identified by a vault identifier associated with the requesting entity credentials, wherein the at least a portion of the vault comprises a sub-vault associated with the requesting entity credentials; and when the associated request type of the data request is allowed by the selected other one of the plurality of identity units, performing, by the first storage unit, a first corresponding portion of the data access request. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A dispersed storage and task (DST) processing unit comprises:
-
one or more network interfaces;
a memory comprising instructions; andprocessing circuitry in communication with the memory, wherein the processing circuitry executes the instructions to; receive, via the one or more network interfaces, a data access request relating to at least one set of encoded data slices stored in a dispersed storage network (DSN), the data access request including requesting entity credentials and a data request, wherein at least a threshold number of encoded data slices of the set of encoded data slices is required to recover a corresponding data segment; select one of a plurality of identity units based on the requesting entity credentials; receive, from the selected one of the plurality of identity units, a first indication allowing the data access request based on the requesting entity credentials; in response to the first indication, select another one of the plurality of identity units based on the data request; receive, from the selected other one of the plurality of identity units, a second indication allowing the data access request based on access control information for at least a portion of a vault identified by a vault identifier associated with the requesting entity credentials, wherein the at least a portion of the vault comprises a sub-vault associated with the requesting entity credentials; and issue, via the one or more network interfaces, corresponding portions of the data access request to a set of storage units. - View Dependent Claims (7, 8, 9)
-
-
10. A non-transitory computer readable storage medium comprises:
-
a first memory section that stores operational instructions that, when executed by a computing device of a dispersed storage network (DSN), causes the computing device to; receive a data access request relating to at least one set of encoded data slices stored in the DSN, wherein the data access request includes requesting entity credentials and a data request having an associated request type; and select one of a plurality of identity units based on the requesting entity credentials; a second memory section that stores operational instructions that, when executed by the selected one of the plurality of identity units, causes the selected one of the plurality of identity units to determine whether to allow the data access request based on the requesting entity credentials; a third memory section that stores operational instructions that, when executed by the computing device or a storage unit of the DSN, causes the computing device or the storage unit to, when the selected one of the plurality of identity units indicates that the data access request is allowed based on the requesting entity credentials, select another one of the plurality of identity units based on the data request; a fourth memory section that stores operation instructions that, when executed by selected other one of the plurality of identity units, causes selected other one of the plurality of identity units to determine whether to allow the associated request type of the data request based on access control information for at least a portion of a vault identified by a vault identifier associated with the requesting entity credentials, wherein the at least a portion of the vault comprises a sub-vault associated with the requesting entity credentials; and a fifth memory section that stores operational instructions that, when executed by the storage unit, causes the storage unit to, when the associated request type of the data request is allowed by the selected other one of the plurality of identity units, perform a first corresponding portion of the data access request. - View Dependent Claims (11, 12, 13)
-
Specification