Protocol-level identity mapping

US 10,250,723 B2
Filed: 04/13/2017
Issued: 04/02/2019
Est. Priority Date: 04/13/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

intercepting, by an identity mapping system, a user request submitted from a client device through an application program to a distributed computing system that provides a plurality of services, the user request being associated with user credentials, wherein the identity mapping system intercepts the user request at a protocol level that is outside of the application program;

determining, by the identity mapping system, a user protocol in which the client device submitted the user request;

authenticating the user request based on the user credentials;

upon successfully authenticating the user request, determining, by the identity mapping system, a service of the services that the user request is authorized to access;

determining service credentials associated with the service;

generating a service request by the identity mapping system, including translating the user protocol of the user request to a service protocol associated with the service at least in part by associating the service credentials with the service request; and

submitting the service request by the identity mapping system to the distributed computing system, wherein the identity mapping system includes one or more computer processors.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, computer program products and methods implementing protocol-level mapping are described. An identity mapping system intercepts a request from a client device to a distributed computing system. The identity mapping system determines a first protocol of the request. The identity mapping system determines user credentials associated with the request. The identity mapping system authenticates the request based on the user credentials. The identity mapping system determines a service provided by the distributed computing system that the request accesses. The identity mapping system determines service credentials of that service. The identity mapping system translates the first protocol into a second protocol associated with the distributed computing system, including associating the service credentials with the request. The identity mapping system then submits the request to the distributed computing system.

Citations

20 Claims

1. A method, comprising:
- intercepting, by an identity mapping system, a user request submitted from a client device through an application program to a distributed computing system that provides a plurality of services, the user request being associated with user credentials, wherein the identity mapping system intercepts the user request at a protocol level that is outside of the application program;
  
  determining, by the identity mapping system, a user protocol in which the client device submitted the user request;
  
  authenticating the user request based on the user credentials;
  
  upon successfully authenticating the user request, determining, by the identity mapping system, a service of the services that the user request is authorized to access;
  
  determining service credentials associated with the service;
  
  generating a service request by the identity mapping system, including translating the user protocol of the user request to a service protocol associated with the service at least in part by associating the service credentials with the service request; and
  
  submitting the service request by the identity mapping system to the distributed computing system, wherein the identity mapping system includes one or more computer processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the distributed computing system includes a Hadoop cluster, and the services include at least one of a distributed computing service, a distributed file storage service, a distributed data warehouse service, or a distributed messaging service.
  - 3. The method of claim 1, wherein authenticating the user request comprises submitting a representation of the user credentials by the identity mapping system to a user authentication service and receiving a response indicating that the user request is authenticated by the user authentication service.
  - 4. The method of claim 1, wherein authenticating the user request comprises performing a multi-level authentication that is customizable, the multi-level authentication being independent from authentication provided by the distributed computing system.
  - 5. The method of claim 1, wherein translating the user protocol comprises replacing a user identifier of the user request with a service identifier.
  - 6. The method of claim 1, comprising, prior to intercepting the user request:
    - receiving a first byte stream from the client device;
      
      determining that the first byte stream includes an authentication request;
      
      submitting the first byte stream to the distributed computing system;
      
      receiving, from the distributed computing system, a second byte stream including a tag indicating that the authentication request will be handled in a trust mode where the user credentials are not required for authentication;
      
      modifying the second byte stream, including changing the tag to indicate that the user credentials are required; and
      
      submitting the modified byte stream to the client device, wherein the user credentials are provided by the client device in response to the modified byte stream.
  - 7. The method of claim 1, wherein the method is performed at protocol level independent of native authentications performed by the client device and native authentications performed by the distributed computing system.

8. A non-transitory computer readable storage medium storing instructions executable by an identity mapping system and upon such execution cause the identity mapping system to perform operations comprising:
- intercepting a user request submitted from a client device through an application program to a distributed computing system that provides a plurality of services, the user request being associated with user credentials, wherein the user request is being intercepted at a protocol level that is outside of the application program;
  
  determining a user protocol in which the client device submitted the user request;
  
  authenticating the user request based on the user credentials;
  
  upon successfully authenticating the user request, determining a service of the services that the user request is authorized to access;
  
  determining service credentials associated with the service;
  
  generating a service request, including translating the user protocol of the user request to a service protocol associated with the service at least in part by associating the service credentials with the service request; and
  
  submitting the service request by to the distributed computing system, wherein the identity mapping system includes one or more computer processors.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer readable storage medium of claim 8, wherein the distributed computing system includes a Hadoop cluster, and the services include at least one of a distributed computing service, a distributed file storage service, a distributed data warehouse service, or a distributed messaging service.
  - 10. The non-transitory computer readable storage medium of claim 8, wherein authenticating the user request comprises submitting a representation of the user credentials by the identity mapping system to a user authentication service and receiving a response indicating that the user request is authenticated by the user authentication service.
  - 11. The non-transitory computer readable storage medium of claim 8, wherein authenticating the user request comprises performing a multi-level authentication that is customizable, the multi-level authentication being independent from authentication provided by the distributed computing system.
  - 12. The non-transitory computer readable storage medium of claim 8, wherein translating the user protocol comprises replacing a user identifier of the user request with a service identifier.
  - 13. The non-transitory computer readable storage medium of claim 8, the operations comprising, prior to intercepting the user request:
    - receiving a first byte stream from the client device;
      
      determining that the first byte stream includes an authentication request;
      
      submitting the first byte stream to the distributed computing system;
      
      receiving, from the distributed computing system, a second byte stream including a tag indicating that the authentication request will be handled in a trust mode where the user credentials are not required for authentication;
      
      modifying the second byte stream, including changing the tag to indicate that the user credentials are required; and
      
      submitting the modified byte stream to the client device, wherein the user credentials are provided by the client device in response to the modified byte stream.
  - 14. The non-transitory computer readable storage medium of claim 8, wherein the operations are performed at protocol level independent of native authentications performed by the client device and native authentications performed by the distributed computing system.

15. An identity mapping system comprising:
- one or more computers; and
  
  one or more storage devices on which are stored instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
  
  intercepting a user request submitted from a client device through an application program to a distributed computing system that provides a plurality of services, the user request being associated with user credentials, wherein the user request is being intercepted at a protocol level that is outside of the application program;
  
  determining a user protocol in which the client device submitted the user request;
  
  authenticating the user request based on the user credentials;
  
  upon successfully authenticating the user request, determining a service of the services that the user request is authorized to access;
  
  determining service credentials associated with the service;
  
  generating a service request, including translating the user protocol of the user request to a service protocol associated with the service at least in part by associating the service credentials with the service request; and
  
  submitting the service request to the distributed computing system.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The identity mapping system of claim 15, wherein the distributed computing system includes a Hadoop cluster, and the services include at least one of a distributed computing service, a distributed file storage service, a distributed data warehouse service, or a distributed messaging service.
  - 17. The identity mapping system of claim 15, wherein authenticating the user request comprises submitting a representation of the user credentials by the identity mapping system to a user authentication service and receiving a response indicating that the user request is authenticated by the user authentication service.
  - 18. The identity mapping system of claim 15, wherein authenticating the user request comprises performing a multi-level authentication that is customizable, the multi-level authentication being independent from authentication provided by the distributed computing system.
  - 19. The identity mapping system of claim 15, wherein translating the user protocol comprises replacing a user identifier of the user request with a service identifier.
  - 20. The identity mapping system of claim 15, the operations comprising, prior to intercepting the user request:
    - receiving a first byte stream from the client device;
      
      determining that the first byte stream includes an authentication request;
      
      submitting the first byte stream to the distributed computing system;
      
      receiving, from the distributed computing system, a second byte stream including a tag indicating that the authentication request will be handled in a trust mode where the user credentials are not required for authentication;
      
      modifying the second byte stream, including changing the tag to indicate that the user credentials are required; and
      
      submitting the modified byte stream to the client device, wherein the user credentials are provided by the client device in response to the modified byte stream.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
BlueTalon, Inc. (Microsoft Corporation)
Inventors
Khanduja, Rakesh, Mittal, Vineet
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Wyszynski, Aubrey H

Application Number

US15/487,360
Publication Number

US 20180302399A1
Time in Patent Office

719 Days
Field of Search

726 3
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/0884   by delegation of authentica...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 67/10   in which an application is ...

H04L 69/08   Protocols for interworking;...

H04L 69/26   Special purpose or propriet...

Protocol-level identity mapping

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protocol-level identity mapping

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links