Data store access permission system with interleaved application of deferred access control filters

US 10,198,466 B2
Filed: 03/22/2017
Issued: 02/05/2019
Est. Priority Date: 05/14/2015
Status: Active Grant

First Claim

Patent Images

1. A system for automatically applying access control deferred filters to a first table object, the system comprising:

one or more hardware processors;

a computer readable data storage device coupled to the one or more hardware processors, the computer readable data storage device having stored thereon software instructions that, when executed by the one or more hardware processors, cause the one or more hardware processors to perform operations including;

receiving a user request submitted from a computing device for data from the first table object;

requesting, from an access control list source stored in a computer medium, access control groups for a user;

requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;

determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;

for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;

combining each of the generated filters for the first table object into an access control filter;

creating a second table object in memory that references the first table object;

associating the access control filter with the second table;

making the second table object available for user operations;

receiving a second user request from a computing device to perform a filtering operation on the second table object;

accessing metadata of the second table object;

retrieving a tree-based table storage structure from the metadata;

traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;

when the second user request requests data from one or more partition columns of the tree-based table storage structure, applying one or more partition column filters based on a partition column structure of the tree;

when the second user request contains a filtering operation for one or more grouping columns of the tree-based table storage structure, in a first pass, executing user-specified filters on the one or more partition columns that execute only system-specified code, and between the first and a second pass, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;

retrieving the access control filter from the metadata;

extracting filters from the access control filter that apply to the access control groups for the user;

choosing a filter from the extracted filters;

applying the chosen filter to the second user request;

applying on the second pass one or more second grouping column filters based on a first filter request contained in the second user request;

applying one or more normal filters contained in the second user request to identify a filtered data source result; and

returning a final set of data.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described are methods, systems and computer readable media for a permissions system including relationships of partitioning, grouping, and the application of access control deferred filters.

Citations

12 Claims

1. A system for automatically applying access control deferred filters to a first table object, the system comprising:
- one or more hardware processors;
  
  a computer readable data storage device coupled to the one or more hardware processors, the computer readable data storage device having stored thereon software instructions that, when executed by the one or more hardware processors, cause the one or more hardware processors to perform operations including;
  
  receiving a user request submitted from a computing device for data from the first table object;
  
  requesting, from an access control list source stored in a computer medium, access control groups for a user;
  
  requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
  
  determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
  
  for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
  
  combining each of the generated filters for the first table object into an access control filter;
  
  creating a second table object in memory that references the first table object;
  
  associating the access control filter with the second table;
  
  making the second table object available for user operations;
  
  receiving a second user request from a computing device to perform a filtering operation on the second table object;
  
  accessing metadata of the second table object;
  
  retrieving a tree-based table storage structure from the metadata;
  
  traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
  
  when the second user request requests data from one or more partition columns of the tree-based table storage structure, applying one or more partition column filters based on a partition column structure of the tree;
  
  when the second user request contains a filtering operation for one or more grouping columns of the tree-based table storage structure, in a first pass, executing user-specified filters on the one or more partition columns that execute only system-specified code, and between the first and a second pass, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
  
  retrieving the access control filter from the metadata;
  
  extracting filters from the access control filter that apply to the access control groups for the user;
  
  choosing a filter from the extracted filters;
  
  applying the chosen filter to the second user request;
  
  applying on the second pass one or more second grouping column filters based on a first filter request contained in the second user request;
  
  applying one or more normal filters contained in the second user request to identify a filtered data source result; and
  
  returning a final set of data.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the access control filter includes an access control disjunctive filter.
  - 3. The system of claim 1, wherein the access control filter includes an access control conjunctive filter.

4. A system for automatically applying access control deferred filters to a first table object, the system comprising:
- one or more hardware processors;
  
  a computer readable data storage device coupled to the one or more hardware processors, the computer readable data storage device having stored thereon software instructions that, when executed by the one or more hardware processors, cause the one or more hardware processors to perform operations including;
  
  receiving a user request submitted from a computing device for data from the first table object;
  
  requesting, from an access control list source stored in a computer medium, access control groups for a user;
  
  requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
  
  determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
  
  for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
  
  combining each of the generated filters for the first table object into an access control filter;
  
  creating a second table object in memory that references the first table object;
  
  associating the access control filter with the second table;
  
  making the second table object available for user operations;
  
  receiving a second user request from a computing device to perform a data access operation on the second table object;
  
  accessing metadata of the second table object;
  
  retrieving a tree-based table storage structure from the metadata;
  
  traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
  
  when the second user request requests data from one or more columns of the tree-based table storage structure, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
  
  retrieving the access control filter from the metadata;
  
  extracting filters from the access control filter that apply to the access control groups for the user;
  
  choosing a filter from the extracted filters;
  
  applying the chosen filter to the second user request;
  
  applying the data access operation; and
  
  returning a final set of data.

5. A method for applying access control deferred filters to a first table object in a computer medium, the method comprising:
- receiving a user request submitted from a computing device for data from the first table object;
  
  requesting, from an access control list source stored in a computer medium, access control groups for a user;
  
  requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
  
  determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
  
  for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
  
  combining each of the generated filters for the first table object into an access control filter;
  
  creating a second table object in memory that references the first table object;
  
  associating the access control filter with the second table;
  
  making the second table object available for user operations;
  
  receiving a second user request from a computing device to perform a filtering operation on the second table object;
  
  accessing metadata of the second table object;
  
  retrieving a tree-based table storage structure from the metadata;
  
  traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
  
  when the second user request requests data from one or more partition columns of the tree-based table storage structure, applying one or more partition column filters based on a partition column structure of the tree;
  
  when the second user request contains a filtering operation for one or more grouping columns of the tree-based table storage structure, in a first pass, executing user-specified filters on the one or more partition columns that execute only system-specified code, and on a second pass, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
  
  retrieving the access control filter from the metadata;
  
  extracting filters from the access control filter that apply to the access control groups for the user;
  
  choosing a filter from the extracted filters;
  
  applying the chosen filter to the second user request;
  
  applying one or more second grouping column filters based on a first filter request contained in the second user request;
  
  applying one or more normal filters contained in the second user request to identify a filtered data source result; and
  
  returning a final set of data.
- View Dependent Claims (6, 7)
- - 6. The method of claim 5, wherein the access control filter includes an access control disjunctive filter.
  - 7. The method of claim 5, wherein the access control filter includes an access control conjunctive filter.

8. A method for applying access control deferred filters to a first table object in a computer medium, the method comprising:
- receiving a user request submitted from a computing device for data from the first table object;
  
  requesting, from an access control list source stored in a computer medium, access control groups for a user;
  
  requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
  
  determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
  
  for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
  
  combining each of the generated filters for the first table object into an access control filter;
  
  creating a second table object in memory that references the first table object;
  
  associating the access control filter with the second table;
  
  making the second table object available for user operations;
  
  receiving a second user request from a computing device to perform a data access operation on the second table object;
  
  accessing metadata of the second table object;
  
  retrieving a tree-based table storage structure from the metadata;
  
  traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
  
  when the second user request requests data from one or more columns of the tree-based table storage structure, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
  
  retrieving the access control filter from the metadata;
  
  extracting filters from the access control filter that apply to the access control groups for the user;
  
  choosing a filter from the extracted filters;
  
  applying the chosen filter to the second user request;
  
  applying the data access operation; and
  
  returning a final set of data.

9. A nontransitory computer readable medium having stored thereon software instructions that, when executed by one or more processors, cause the one or more processors to perform operations including:
- receiving a user request submitted from a computing device for data from the first table object;
  
  requesting, from an access control list source stored in a computer medium, access control groups for a user;
  
  requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
  
  determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
  
  for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
  
  combining each of the generated filters for the first table object into an access control filter;
  
  creating a second table object in memory that references the first table object;
  
  associating the access control filter with the second table;
  
  making the second table object available for user operations;
  
  receiving a second user request from a computing device to perform a filtering operation on the second table object;
  
  accessing metadata of the second table object;
  
  retrieving a tree-based table storage structure from the metadata;
  
  traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
  
  if the second user request requests data from one or more partition columns of the tree-based table storage structure, applying one or more partition column filters based on a partition column structure of the tree;
  
  if the second user request contains a filtering operation for one or more grouping columns of the tree-based table storage structure, in a first pass, executing user-specified filters on the one or more partition columns that execute only system-specified code, and on a second pass, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
  
  retrieving the access control filter from the metadata;
  
  extracting filters from the access control filter that apply to the access control groups for the user;
  
  choosing a filter from the extracted filters;
  
  applying the chosen filter to the second user request; and
  
  returning a final set of data.
- View Dependent Claims (10, 11)
- - 10. The nontransitory computer readable medium of claim 9, wherein the access control filter includes an access control disjunctive filter.
  - 11. The nontransitory computer readable medium of claim 9, wherein the access control filter includes an access control conjunctive filter.

12. A nontransitory computer readable medium having stored thereon software instructions that, when executed by one or more processors, cause the one or more processors to perform operations including:
- receiving a user request submitted from a computing device for data from the first table object;
  
  requesting, from an access control list source stored in a computer medium, access control groups for a user;
  
  requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
  
  determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
  
  for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;
  
  combining each of the generated filters for the first table object into an access control filter;
  
  creating a second table object in memory that references the first table object;
  
  associating the access control filter with the second table;
  
  making the second table object available for user operations;
  
  receiving a second user request from a computing device to perform a data access operation on the second table object;
  
  retrieving a tree-based table storage structure associated with the second table object;
  
  traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
  
  when the second user request requests data from one or more columns of the tree-based table storage structure, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
  
  extracting filters from the access control filter that apply to the access control groups for the user;
  
  choosing a filter from the extracted filters;
  
  applying the chosen filter to the second user request;
  
  applying the data access operation; and
  
  returning a final set of data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Deephaven Data Labs, LLC
Original Assignee
Deephaven Data Labs, LLC
Inventors
Wright, Charles, Caudy, Ryan, Basralian, Raffi, Bronnimann, Herve
Primary Examiner(s)
Syed, Farhan M

Application Number

US15/466,836
Publication Number

US 20170192910A1
Time in Patent Office

685 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1451   by selection of backup cont...

G06F 11/1464   for networked environments

G06F 11/1469   Backup restoration techniques

G06F 12/0261   using reference counting

G06F 12/084   with a shared cache

G06F 12/1483   using an access-table, e.g....

G06F 15/17331   Distributed shared memory [...

G06F 16/113   Details of archiving lifecy...

G06F 16/144   Query formulation

G06F 16/162   Delete operations erasing i...

G06F 16/215   Improving data quality; Dat...

G06F 16/22   Indexing; Data structures t...

G06F 16/221   Column-oriented storage; Ma...

G06F 16/2228   Indexing structures

G06F 16/2237   Vectors, bitmaps or matrices

G06F 16/2246   Trees, e.g. B+trees

G06F 16/2255   Hash tables

G06F 16/2264   Multidimensional index stru...

G06F 16/2272   Management thereof

G06F 16/2282   Tablespace storage structur...

G06F 16/2291 : User-Defined Types; Storage...

G06F 16/23 : Updating

G06F 16/2308 : Concurrency control transac...

G06F 16/2358 : Change logging, detection, ...

G06F 16/2365 : Ensuring data consistency a...

G06F 16/2372 : Updates performed during of...

G06F 16/2379 : Updates performed during on...

G06F 16/242 : Query formulation

G06F 16/2428 : Query predicate definition ...

G06F 16/245 : Query processing

G06F 16/2453 : Query optimisation

G06F 16/24534 : Query rewriting; Transforma...

G06F 16/24535 : of sub-queries or views

G06F 16/24537 : of operators

G06F 16/24539 : using cached or materialise...

G06F 16/2455 : Query execution

G06F 16/24553 : of query operations

G06F 16/2456 : Join operations

G06F 16/24561 : Intermediate data storage t...

G06F 16/2457 : with adaptation to user needs

G06F 16/24575 : using context

G06F 16/248 : Presentation of query results

G06F 16/254 : Extract, transform and load...

G06F 16/27 : Replication, distribution o...

G06F 16/278 : Data partitioning, e.g. hor...

G06F 16/285 : Clustering or classification

G06F 16/9024 : Graphs; Linked lists G06F16...

G06F 16/907 : Retrieval characterised by ...

G06F 16/951 : Indexing; Web crawling tech...

G06F 16/9535 : Search customisation based ...

G06F 16/9538 : Presentation of query results

G06F 16/9566 : URL specific, e.g. using al...

G06F 16/9574 : of access to content, e.g. ...

G06F 17/40 : Data acquisition and loggin...

G06F 21/00 : Security arrangements for p...

G06F 21/6209 : to a single file or object,...

G06F 2201/805 : Real-time

G06F 2201/84 : Using snapshots, i.e. a log...

G06F 2212/1052 : Security improvement

G06F 2212/154 : Networked environment

G06F 2212/163 : Server or database system

G06F 2212/60 : Details of cache memory

G06F 3/0481 : based on specific propertie...

G06F 3/0482 : Interaction with lists of s...

G06F 3/0483 : Interaction with page-struc...

G06F 3/04847 : Interaction techniques to c...

G06F 3/0485 : Scrolling or panning

G06F 3/04895 : Guidance during keyboard in...

G06F 3/0605 : by facilitating the interac...

G06F 3/0656 : Data buffering arrangements

G06F 3/067 : Distributed or networked st...

G06F 40/117 : Tagging; Marking up details...

G06F 40/134 : Hyperlinking

G06F 40/166 : Editing, e.g. inserting or ...

G06F 40/174 : Form filling; Merging

G06F 40/177 : of tables; using ruled lines

G06F 40/18 : of spreadsheets form-fillin...

G06F 40/183 : Tabulation, i.e. one-dimens...

G06F 40/216 : using statistical methods

G06F 40/274 : Converting codes to words; ...

G06F 8/30 : Creation or generation of s...

G06F 8/41 : Compilation

G06F 8/427 : Parsing

G06F 8/60 : Software deployment

G06Q 40/04 : Trading; Exchange, e.g. sto...

H04L 12/18 : for broadcast or conference...

H04L 51/046 : Interoperability with other...

H04L 51/212 : using filtering or selectiv...

H04L 61/5069 : for group communication, mu...

H04L 63/101 : Access control lists [ACL]

H04L 63/102 : Entity profiles

H04L 67/01 : Protocols

H04L 67/1001 : for accessing one among a p...

H04L 67/141 : Setup of application sessio...

H04L 67/34 : involving the movement of s...

H04L 67/56 : Provisioning of proxy servi...

H04L 67/566 : Grouping or aggregating ser...

H04L 67/568 : Storing data temporarily at...

H04L 67/5681 : Pre-fetching or pre-deliver...

H04L 69/16 : Implementation or adaptatio...

View All

Data store access permission system with interleaved application of deferred access control filters

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Data store access permission system with interleaved application of deferred access control filters

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links