Data store access permission system with interleaved application of deferred access control filters
First Claim
1. A system for automatically applying access control deferred filters to a first table object, the system comprising:
one or more hardware processors;
a computer readable data storage device coupled to the one or more hardware processors, the computer readable data storage device having stored thereon software instructions that, when executed by the one or more hardware processors, cause the one or more hardware processors to perform operations including;
receiving a user request submitted from a computing device for data from the first table object;
requesting, from an access control list source stored in a computer medium, access control groups for a user;
requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
combining each of the generated filters for the first table object into an access control filter;
creating a second table object in memory that references the first table object;
associating the access control filter with the second table;
making the second table object available for user operations;
receiving a second user request from a computing device to perform a filtering operation on the second table object;
accessing metadata of the second table object;
retrieving a tree-based table storage structure from the metadata;
traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
when the second user request requests data from one or more partition columns of the tree-based table storage structure, applying one or more partition column filters based on a partition column structure of the tree;
when the second user request contains a filtering operation for one or more grouping columns of the tree-based table storage structure, in a first pass, executing user-specified filters on the one or more partition columns that execute only system-specified code, and between the first and a second pass, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
retrieving the access control filter from the metadata;
extracting filters from the access control filter that apply to the access control groups for the user;
choosing a filter from the extracted filters;
applying the chosen filter to the second user request;
applying on the second pass one or more second grouping column filters based on a first filter request contained in the second user request;
applying one or more normal filters contained in the second user request to identify a filtered data source result; and
returning a final set of data.
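The ordering recited in the claim above, as an added illustration that is not part of the patent text: system-only partition filters run first, the deferred access control filter runs next, and user-supplied filter code runs last, so it is only ever handed rows the user may see. All names (`GuardedTable`, `open_table`, `query`, the group names) and the sample rows are hypothetical, and combining the generated filters as a union is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Row = Dict[str, object]
Predicate = Callable[[Row], bool]

# Constructed sample table: "date" is the partition column, "desk" a grouping column.
TRADES: List[Row] = [
    {"date": "2024-01-02", "desk": "rates", "qty": 10},
    {"date": "2024-01-02", "desk": "fx", "qty": 20},
    {"date": "2024-01-03", "desk": "rates", "qty": 30},
    {"date": "2024-01-03", "desk": "fx", "qty": 40},
]
# Hypothetical ACL source (user -> groups) and filter source (group -> generator).
ACL_GROUPS = {"alice": ["rates_readers"], "bob": ["rates_readers", "fx_readers"]}
FILTER_GENERATORS = {
    "rates_readers": lambda meta: (lambda r: r["desk"] == "rates"),
    "fx_readers": lambda meta: (lambda r: r["desk"] == "fx"),
}

@dataclass
class GuardedTable:
    """The 'second table object': references the source rows, carries the ACL filter."""
    source: List[Row]
    acl_filter: Predicate

def open_table(user: str, source: List[Row], meta: dict) -> GuardedTable:
    groups = ACL_GROUPS.get(user, [])
    generated = [FILTER_GENERATORS[g](meta) for g in groups if g in FILTER_GENERATORS]
    # Assumption: filters combine as a union; a user with no groups sees no rows.
    return GuardedTable(source, lambda r: any(f(r) for f in generated))

def query(table: GuardedTable, partition_eq=None, user_filters=()) -> List[Row]:
    rows = table.source
    # Pass 1: partition filters are plain column/value pairs, so only system code runs.
    for col, val in (partition_eq or {}).items():
        rows = [r for r in rows if r[col] == val]
    # Between the passes: the deferred ACL filter drops every unauthorized row.
    rows = [r for r in rows if table.acl_filter(r)]
    # Pass 2: user-supplied predicates (arbitrary code) see authorized rows only.
    for pred in user_filters:
        rows = [r for r in rows if pred(r)]
    return rows

def desks_seen_by_user_code(user: str) -> List[str]:
    """Run a user predicate that records every row it is handed."""
    seen: List[str] = []
    def spy(row: Row) -> bool:
        seen.append(row["desk"])
        return True
    query(open_table(user, TRADES, {"name": "trades"}), {"date": "2024-01-03"}, [spy])
    return seen

if __name__ == "__main__":
    print(desks_seen_by_user_code("alice"))  # ['rates']
```

If the user predicates ran before the access control filter, `spy` would also be handed the `fx` row, which is the leak the deferred ordering prevents.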
Abstract
Described are methods, systems and computer readable media for a permissions system including relationships of partitioning, grouping, and the application of access control deferred filters.
12 Claims
4. A system for automatically applying access control deferred filters to a first table object, the system comprising:
one or more hardware processors;
a computer readable data storage device coupled to the one or more hardware processors, the computer readable data storage device having stored thereon software instructions that, when executed by the one or more hardware processors, cause the one or more hardware processors to perform operations including;
receiving a user request submitted from a computing device for data from the first table object;
requesting, from an access control list source stored in a computer medium, access control groups for a user;
requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
combining each of the generated filters for the first table object into an access control filter;
creating a second table object in memory that references the first table object;
associating the access control filter with the second table;
making the second table object available for user operations;
receiving a second user request from a computing device to perform a data access operation on the second table object;
accessing metadata of the second table object;
retrieving a tree-based table storage structure from the metadata;
traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
when the second user request requests data from one or more columns of the tree-based table storage structure, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
retrieving the access control filter from the metadata;
extracting filters from the access control filter that apply to the access control groups for the user;
choosing a filter from the extracted filters;
applying the chosen filter to the second user request;
applying the data access operation; and
returning a final set of data.
5. A method for applying access control deferred filters to a first table object in a computer medium, the method comprising:
receiving a user request submitted from a computing device for data from the first table object;
requesting, from an access control list source stored in a computer medium, access control groups for a user;
requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
combining each of the generated filters for the first table object into an access control filter;
creating a second table object in memory that references the first table object;
associating the access control filter with the second table;
making the second table object available for user operations;
receiving a second user request from a computing device to perform a filtering operation on the second table object;
accessing metadata of the second table object;
retrieving a tree-based table storage structure from the metadata;
traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
when the second user request requests data from one or more partition columns of the tree-based table storage structure, applying one or more partition column filters based on a partition column structure of the tree;
when the second user request contains a filtering operation for one or more grouping columns of the tree-based table storage structure, in a first pass, executing user-specified filters on the one or more partition columns that execute only system-specified code, and on a second pass, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
retrieving the access control filter from the metadata;
extracting filters from the access control filter that apply to the access control groups for the user;
choosing a filter from the extracted filters;
applying the chosen filter to the second user request;
applying one or more second grouping column filters based on a first filter request contained in the second user request;
applying one or more normal filters contained in the second user request to identify a filtered data source result; and
returning a final set of data.
8. A method for applying access control deferred filters to a first table object in a computer medium, the method comprising:
receiving a user request submitted from a computing device for data from the first table object;
requesting, from an access control list source stored in a computer medium, access control groups for a user;
requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
combining each of the generated filters for the first table object into an access control filter;
creating a second table object in memory that references the first table object;
associating the access control filter with the second table;
making the second table object available for user operations;
receiving a second user request from a computing device to perform a data access operation on the second table object;
accessing metadata of the second table object;
retrieving a tree-based table storage structure from the metadata;
traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
when the second user request requests data from one or more columns of the tree-based table storage structure, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
retrieving the access control filter from the metadata;
extracting filters from the access control filter that apply to the access control groups for the user;
choosing a filter from the extracted filters;
applying the chosen filter to the second user request;
applying the data access operation; and
returning a final set of data.
9. A nontransitory computer readable medium having stored thereon software instructions that, when executed by one or more processors, cause the one or more processors to perform operations including:
receiving a user request submitted from a computing device for data from the first table object;
requesting, from an access control list source stored in a computer medium, access control groups for a user;
requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
combining each of the generated filters for the first table object into an access control filter;
creating a second table object in memory that references the first table object;
associating the access control filter with the second table;
making the second table object available for user operations;
receiving a second user request from a computing device to perform a filtering operation on the second table object;
accessing metadata of the second table object;
retrieving a tree-based table storage structure from the metadata;
traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
if the second user request requests data from one or more partition columns of the tree-based table storage structure, applying one or more partition column filters based on a partition column structure of the tree;
if the second user request contains a filtering operation for one or more grouping columns of the tree-based table storage structure, in a first pass, executing user-specified filters on the one or more partition columns that execute only system-specified code, and on a second pass, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
retrieving the access control filter from the metadata;
extracting filters from the access control filter that apply to the access control groups for the user;
choosing a filter from the extracted filters;
applying the chosen filter to the second user request; and
returning a final set of data.
12. A nontransitory computer readable medium having stored thereon software instructions that, when executed by one or more processors, cause the one or more processors to perform operations including:
receiving a user request submitted from a computing device for data from the first table object;
requesting, from an access control list source stored in a computer medium, access control groups for a user;
requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
combining each of the generated filters for the first table object into an access control filter;
creating a second table object in memory that references the first table object;
associating the access control filter with the second table;
making the second table object available for user operations;
receiving a second user request from a computing device to perform a data access operation on the second table object;
retrieving a tree-based table storage structure associated with the second table object;
traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
when the second user request requests data from one or more columns of the tree-based table storage structure, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
extracting filters from the access control filter that apply to the access control groups for the user;
choosing a filter from the extracted filters;
applying the chosen filter to the second user request;
applying the data access operation; and
returning a final set of data.
Specification