Dispersed storage system with identity unit selection and methods for use therewith

US 10,120,569 B2
Filed: 08/12/2014
Issued: 11/06/2018
Est. Priority Date: 10/03/2013
Status: Active Grant

First Claim

Patent Images

1. A method for execution in a dispersed storage network (DSN), the method comprises:

receiving, by a first computing device of the DSN, a data access request relating to at least one set of encoded data slices stored in the DSN, the data access request including requesting entity credentials and a data request having an associated request type, wherein at least a threshold number of encoded data slices of the set of encoded data slices is required to recover a corresponding data segment;

selecting, by the first computing device, one of a plurality of identity units based on the requesting entity credentials;

determining, via the selected one of the plurality of identity units, whether to allow the data access request;

when the selected one of the plurality of identity units indicates that the data access request is allowed based on the requesting entity credentials, selecting, by the first computing device or a first storage unit of a set of storage units, another one of the plurality of identity units based on the data request;

determining, via the selected other one of the plurality of identity units, whether to allow the associated request type of the data request based on access control information for at least a portion of a vault identified by a vault identifier associated with the requesting entity credentials, wherein the at least a portion of the vault comprises a sub-vault associated with the requestingentity credentials; and

when the associated request type of the data request is allowed by the selected other one of the plurality of identity units, performing, by the first storage unit, a first corresponding portion of the data access request.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for execution by one or more processing modules of a dispersed storage network (DSN) includes receiving a data access request for at least one data segment stored in the DSN. One of a plurality of identity units is selected, based on the data access request. The method determines, via the selected one of the plurality of identity units, whether to allow the data access request. The data access request is processed, when the data access request is allowed via the selected one of the plurality of identity units.

86 Citations

13 Claims

1. A method for execution in a dispersed storage network (DSN), the method comprises:
- receiving, by a first computing device of the DSN, a data access request relating to at least one set of encoded data slices stored in the DSN, the data access request including requesting entity credentials and a data request having an associated request type, wherein at least a threshold number of encoded data slices of the set of encoded data slices is required to recover a corresponding data segment;
  
  selecting, by the first computing device, one of a plurality of identity units based on the requesting entity credentials;
  
  determining, via the selected one of the plurality of identity units, whether to allow the data access request;
  
  when the selected one of the plurality of identity units indicates that the data access request is allowed based on the requesting entity credentials, selecting, by the first computing device or a first storage unit of a set of storage units, another one of the plurality of identity units based on the data request;
  
  determining, via the selected other one of the plurality of identity units, whether to allow the associated request type of the data request based on access control information for at least a portion of a vault identified by a vault identifier associated with the requesting entity credentials, wherein the at least a portion of the vault comprises a sub-vault associated with the requestingentity credentials; and
  
  when the associated request type of the data request is allowed by the selected other one of the plurality of identity units, performing, by the first storage unit, a first corresponding portion of the data access request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprises:
    - when the first computing device selects the another one of the plurality of identity units and when the associated request type of the data request is allowed by the selected other one of the plurality of identity units, issuing, by the first computing device, corresponding portions of the data access request to the set of storage units.
  - 3. The method of claim 1 further comprises:
    - receiving, by the first storage unit, the first corresponding portion of the data access request from the first computing device; and
      
      in response to receiving the first corresponding portion of the data access request, selecting, by the first storage unit, the another one of the plurality of identity units.
  - 4. The method of claim 1 further comprises:
    - when the selected one of the plurality of identity units indicates that the data access request is not allowed, denying, by the first computing device or the first storage unit, the data access request.
  - 5. The method of claim 1 further comprising:
    - denying the data access request, when the data access request is not allowed via the selected one of the plurality of identity units.

6. A dispersed storage and task (DST) processing unit comprises:
- one or more network interfaces;
  
  a memory comprising instructions; and
  
  processing circuitry in communication with the memory, wherein the processing circuitry executes the instructions to;
  
  receive, via the one or more network interfaces, a data access request relating to at least one set of encoded data slices stored in a dispersed storage network (DSN), the data access request including requesting entity credentials and a data request, wherein at least a threshold number of encoded data slices of the set of encoded data slices is required to recover a corresponding data segment;
  
  select one of a plurality of identity units based on the requesting entity credentials;
  
  receive, from the selected one of the plurality of identity units, a first indication allowing the data access request based on the requesting entity credentials;
  
  in response to the first indication, select another one of the plurality of identity units based on the data request;
  
  receive, from the selected other one of the plurality of identity units, a second indication allowing the data access request based on access control information for at least a portion of a vault identified by a vault identifier associated with the requesting entity credentials, wherein the at least a portion of the vault comprises a sub-vault associated with the requesting entitycredentials; and
  
  issue, via the one or more network interfaces, corresponding portions of the data access request to a set of storage units.
- View Dependent Claims (7, 8, 9)
- - 7. The DST processing unit of claim 6, wherein the processing circuitry further executes the instructions to:
    - receive, via the one or more network interfaces, a favorable indication when a first storage unit of the set of storage units successfully executed a corresponding portion of the data access request; and
      
      receive, via the one or more network interfaces, a denial message when the first storage unit did not successfully execute the corresponding portion of the data access request.
  - 8. The DST processing unit of claim 6, wherein the processing circuitry further executes the instructions to:
    - deny the data access request when the first indication is not received.
  - 9. The DST processing unit of claim 6, wherein the processing circuitry further executes the instructions to:
    - deny the data access request when the second indication is not received.

10. A non-transitory computer readable storage medium comprises:
- a first memory section that stores operational instructions that, when executed by a computing device of a dispersed storage network (DSN), causes the computing device to;
  
  receive a data access request relating to at least one set of encoded data slices stored in the DSN, wherein the data access request includes requesting entity credentials and a data request having an associated request type; and
  
  select one of a plurality of identity units based on the requesting entity credentials;
  
  a second memory section that stores operational instructions that, when executed by the selected one of the plurality of identity units, causes the selected one of the plurality of identity units to determine whether to allow the data access request based on the requesting entity credentials;
  
  a third memory section that stores operational instructions that, when executed by the computing device or a storage unit of the DSN, causes the computing device or the storage unit to, when the selected one of the plurality of identity units indicates that the data access request is allowed based on the requesting entity credentials, select another one of the plurality of identity units based on the data request;
  
  a fourth memory section that stores operation instructions that, when executed by selected other one of the plurality of identity units, causes selected other one of the plurality of identity units to determine whether to allow the associated request type of the data request based on access control information for at least a portion of a vault identified by a vault identifier associated with the requesting entity credentials, wherein the at least a portion of the vault comprises a sub-vault associated with the requesting entity credentials; and
  
  a fifth memory section that stores operational instructions that, when executed by the storage unit, causes the storage unit to, when the associated request type of the data request is allowed by the selected other one of the plurality of identity units, perform a first corresponding portion of the data access request.
- View Dependent Claims (11, 12, 13)
- - 11. The non-transitory computer readable storage medium of claim 10 further comprises:
    - when the computing device selects the another one of the plurality of identity units and when the associated request type of the data request is allowed by the selected other one of the plurality of identity units, the third memory section further stores operational instructions that, when executed by the computing device, causes the computing device to issue corresponding portions of the data access request to a set of storage units.
  - 12. The non-transitory computer readable storage medium of claim 10 further comprises:
    - the third memory section that further stores operational instructions that, when executed by the storage unit, causes the storage unit to;
      
      receive the first corresponding portion of the data access request from the computing device; and
      
      in response to receiving the first corresponding portion of the data access request, select the another one of the plurality of identity units.
  - 13. The non-transitory computer readable storage medium of claim 10 wherein the first memory section that further stores operational instructions that, when executed by the computing device, causes the computing device to:
    - deny the data access request, when the data access request is not allowed via the selected one of the plurality of identity units.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Leggette, Wesley, Resch, Jason K., Smith, Eric Gunnar
Primary Examiner(s)
Shaw, Peter C

Application Number

US14/457,907
Publication Number

US 20150101024A1
Time in Patent Office

1,547 Days
Field of Search

726 4
US Class Current
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 12/1458   by checking the subject acc...

G06F 16/10   File systems; File servers

G06F 16/182   Distributed file systems

G06F 21/31   User authentication

G06F 21/6272   by registering files or doc...

G06F 2211/1028   Distributed, i.e. distribut...

G06F 2212/1052   Security improvement

G06F 2212/154   Networked environment

G06F 2221/2149   Restricted operating enviro...

G06F 3/0604   Improving or facilitating a...

G06F 3/061   Improving I/O performance

G06F 3/0611   in relation to response time

G06F 3/0619   in relation to data integri...

G06F 3/0622   in relation to access

G06F 3/0635   by changing the path, e.g. ...

G06F 3/0637   Permissions

G06F 3/064   Management of blocks

G06F 3/0647   Migration mechanisms

G06F 3/0655   Vertical data movement, i.e...

G06F 3/0665 : at area level, e.g. provisi...

G06F 3/067 : Distributed or networked st...

G06F 3/0682 : Tape device

G06F 3/0689 : Disk arrays, e.g. RAID, JBOD

G06F 9/4881 : Scheduling strategies for d...

H04L 67/1001 : for accessing one among a p...

H04L 67/1095 : Replication or mirroring of...

H04L 67/1097 : for distributed storage of ...

H04L 67/145 : avoiding end of session, e....

View All

Dispersed storage system with identity unit selection and methods for use therewith

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Dispersed storage system with identity unit selection and methods for use therewith

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others