System and method for tenant network identity-based authentication and authorization for administrative access in a protection storage system

US 10,404,702 B1
Filed: 03/30/2016
Issued: 09/03/2019
Est. Priority Date: 03/30/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for configuring a multi-tenancy storage system, the method comprising:

in response to a request received from a remote device of a user for configuring a tenant-unit of a storage system via a user'"'"'s secure connection session, determining whether the tenant-unit requires a tenant admin role for access,if the tenant admin role is not required, then the request is allowed;

if the tenant admin role is required,determining a first network identity associated with the user'"'"'s secure connection session wherein the first network identity is of the user'"'"'s remote device used to establish the secure connection session;

examining a secure multi-tenancy (SMT) registry namespace to determine a second network identity that has been assigned to the tenant-unit;

comparing the first network identity with the second network identity to authenticate the user;

allowing the request to configure the tenant-unit in response to determining that the first network identity matches the second network identity; and

denying the request to configure the tenant-unit if the first and second network identities do not match.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a request is received from a remote device of a user for configuring a tenant-unit of a storage system via a secure connection session. A secure multi-tenancy (SMT) module determines a first network identity associated with the secure connection session. The SMT module examines an SMT registry namespace associated with the tenant-unit of the tenant to determine a second network identity that has been assigned to the tenant-unit. The first network identity is compared with the second network identity. The request is allowed to configure the tenant-unit in response to determining that the first and second network identities match; otherwise, the request is denied.

51 Citations

View as Search Results

24 Claims

1. A computer-implemented method for configuring a multi-tenancy storage system, the method comprising:
- in response to a request received from a remote device of a user for configuring a tenant-unit of a storage system via a user'"'"'s secure connection session, determining whether the tenant-unit requires a tenant admin role for access,if the tenant admin role is not required, then the request is allowed;
  
  if the tenant admin role is required,determining a first network identity associated with the user'"'"'s secure connection session wherein the first network identity is of the user'"'"'s remote device used to establish the secure connection session;
  
  examining a secure multi-tenancy (SMT) registry namespace to determine a second network identity that has been assigned to the tenant-unit;
  
  comparing the first network identity with the second network identity to authenticate the user;
  
  allowing the request to configure the tenant-unit in response to determining that the first network identity matches the second network identity; and
  
  denying the request to configure the tenant-unit if the first and second network identities do not match.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - determining a first local network address associated with the first network identity;
      
      retrieving a second local network address associated with the second network identity from a registry entry of the SMT registry namespace corresponding to the tenant-unit; and
      
      determining whether the first local network address matches the second local network address, wherein the request to configure the tenant-unit is allowed if the first and second local network addresses match.
  - 3. The method of claim 2, wherein the first local network address comprises a destination Internet protocol (IP) address associated with the user'"'"'s secure connection session with respect to the remote device.
  - 4. The method of claim 2, further comprising:
    - determining a first remote network address associated with the first network identity;
      
      retrieving a second remote network address associated with the second network identity from the registry entry of the SMT registry namespace corresponding to the tenant-unit; and
      
      determining whether the first remote network address matches the second remote network address, wherein the request to configure the tenant-unit is allowed if the first and second remote network addresses match.
  - 5. The method of claim 4, wherein the first remote network address comprises a source IP address associated with the user'"'"'s secure connection session with respect to the remote device.
  - 6. The method of claim 1, further comprising:
    - examining an SMT flag to determine whether the SMT flag has been set to a predetermined value; and
      
      allowing the request without examining the SMT registry namespace and comparing the first and second network identities, in response to determining that the SMT flag has been set to the predetermined value.
  - 7. The method of claim 1, further comprising:
    - identifying a list of one or more tenant-units associated with the user based on a username or a user identifier (ID) of the user; and
      
      for each of the identified tenant-units in the list, iteratively performing examining an SMT registry namespace and comparing the first and second network identities to derive a list of tenant-units that the user is authorized to access.
  - 8. The method of claim 1, wherein determining a first network identity associated with the user'"'"'s secure connection session comprises:
    - receiving a request to fork and execute a new process to service a network connection;
      
      obtaining a source IP address and a destination IP address associated with the network connection;
      
      determining whether the network connection is a secure shell (SSH) connection;
      
      in response to determining that the network connection is an SSH connection, copying the source IP address and the destination IP address into a process data-structure of the new process; and
      
      launching the new process with the process data-structure to perform examining an SMT registry namespace and comparing the first and second network identities, wherein the source and destination IP addresses are part of the first network identity.

9. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations of configuring tenants of a multi-tenant storage system, the operations comprising:
- in response to a request received from a remote device of a user for configuring a tenant-unit of a storage system via a user'"'"'s secure connection session, determining whether the tenant-unit requires a tenant admin role for access,if the tenant admin role is not required, then the request is allowed;
  
  if the tenant admin role is required,determining a first network identity associated with the user'"'"'s secure connection session wherein the first network identity is of the user'"'"'s remote device used to establish the secure connection session;
  
  examining a secure multi-tenancy (SMT) registry namespace to determine a second network identity that has been assigned to the tenant-unit;
  
  comparing the first network identity with the second network identity to authenticate the user;
  
  allowing the request to configure the tenant-unit in response to determining that the first network identity matches the second network identity; and
  
  denying the request to configure the tenant-unit if the first and second network identities do not match.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory machine-readable medium of claim 9, wherein the operations further comprise:
    - determining a first local network address associated with the first network identity;
      
      retrieving a second local network address associated with the second network identity from a registry entry of the SMT registry namespace corresponding to the tenant-unit; and
      
      determining whether the first local network address matches the second local network address, wherein the request to configure the tenant-unit is allowed if the first and second local network addresses match.
  - 11. The non-transitory machine-readable medium of claim 10, wherein the first local network address comprises a destination Internet protocol (IP) address associated with the user'"'"'s secure connection session with respect to the remote device.
  - 12. The non-transitory machine-readable medium of claim 10, wherein the operations further comprise:
    - determining a first remote network address associated with the first network identity;
      
      retrieving a second remote network address associated with the second network identity from the registry entry of the SMT registry namespace corresponding to the tenant-unit; and
      
      determining whether the first remote network address matches the second remote network address, wherein the request to configure the tenant-unit is allowed if the first and second remote network addresses match.
  - 13. The non-transitory machine-readable medium of claim 12, wherein the first remote network address comprises a source IP address associated with the user'"'"'s secure connection session with respect to the remote device.
  - 14. The non-transitory machine-readable medium of claim 9, wherein the operations further comprise:
    - examining an SMT flag to determine whether the SMT flag has been set to a predetermined value; and
      
      allowing the request without examining the SMT registry namespace and comparing the first and second network identities, in response to determining that the SMT flag has been set to the predetermined value.
  - 15. The non-transitory machine-readable medium of claim 9, wherein the operations further comprise:
    - identifying a list of one or more tenant-units associated with the user based on a username or a user identifier (ID) of the user; and
      
      for each of the identified tenant-units in the list, iteratively performing examining an SMT registry namespace and comparing the first and second network identities to derive a list of tenant-units that the user is authorized to access.
  - 16. The non-transitory machine-readable medium of claim 9, wherein determining a first network identity associated with the user'"'"'s secure connection session comprises:
    - receiving a request to fork and execute a new process to service a network connection;
      
      obtaining a source IP address and a destination IP address associated with the network connection;
      
      determining whether the network connection is a secure shell (SSH) connection;
      
      in response to determining that the network connection is an SSH connection, copying the source IP address and the destination IP address into a process data-structure of the new process; and
      
      launching the new process with the process data-structure to perform examining an SMT registry namespace and comparing the first and second network identities, wherein the source and destination IP addresses are part of the first network identity.

17. A storage system, comprising:
- a processor; and
  
  a secure multi-tenant (SMT) module executed by the processor to perform operations, the operations includingin response to a request received from a remote device of a user for configuring a tenant-unit of the storage system via a user'"'"'s secure connection session, determining whether the tenant-unit requires a tenant admin role for access,if the tenant admin role is not required, then the request is allowed;
  
  if the tenant admin role is required,determining a first network identity associated with the user'"'"'s secure connection session wherein the first network identity is of the user'"'"'s remote device used to establish the secure connection session,examining a secure multi-tenancy (SMT) registry namespace to determine a second network identity that has been assigned to the tenant-unit,comparing the first network identity with the second network identity to authenticate the user,allowing the request to configure the tenant-unit in response to determining that the first network identity matches the second network identity, anddenying the request to configure the tenant-unit if the first and second network identities do not match.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, wherein the operations further comprise:
    - determining a first local network address associated with the first network identity;
      
      retrieving a second local network address associated with the second network identity from a registry entry of the SMT registry namespace corresponding to the tenant-unit; and
      
      determining whether the first local network address matches the second local network address, wherein the request to configure the tenant-unit is allowed if the first and second local network addresses match.
  - 19. The system of claim 18, wherein the first local network address comprises a destination Internet protocol (IP) address associated with the user'"'"'s secure connection session with respect to the remote device.
  - 20. The system of claim 18, wherein the operations further comprise:
    - determining a first remote network address associated with the first network identity;
      
      retrieving a second remote network address associated with the second network identity from the registry entry of the SMT registry namespace corresponding to the tenant-unit; and
      
      determining whether the first remote network address matches the second remote network address, wherein the request to configure the tenant-unit is allowed if the first and second remote network addresses match.
  - 21. The system of claim 20, wherein the first remote network address comprises a source IP address associated with the user'"'"'s secure connection session with respect to the remote device.
  - 22. The system of claim 17, wherein the operations further comprise:
    - examining an SMT flag to determine whether the SMT flag has been set to a predetermined value; and
      
      allowing the request without examining the SMT registry namespace and comparing the first and second network identities, in response to determining that the SMT flag has been set to the predetermined value.
  - 23. The system of claim 17, wherein the operations further comprise:
    - identifying a list of one or more tenant-units associated with the user based on a username or a user identifier (ID) of the user; and
      
      for each of the identified tenant-units in the list, iteratively performing examining an SMT registry namespace and comparing the first and second network identities to derive a list of tenant-units that the user is authorized to access.
  - 24. The system of claim 17, wherein determining a first network identity associated with the user'"'"'s secure connection session comprises:
    - receiving a request to fork and execute a new process to service a network connection;
      
      obtaining a source IP address and a destination IP address associated with the network connection;
      
      determining whether the network connection is a secure shell (SSH) connection;
      
      in response to determining that the network connection is an SSH connection, copying the source IP address and the destination IP address into a process data-structure of the new process; and
      
      launching the new process with the process data-structure to perform examining an SMT registry namespace and comparing the first and second network identities, wherein the source and destination IP addresses are part of the first network identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Chakraborty, Subhasish, Jonnala, Uday, Zhang, Hongyu
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Le, Thanh T

Application Number

US15/085,937
Time in Patent Office

1,252 Days
Field of Search

726 4
US Class Current
CPC Class Codes

H04L 2101/668   Internet protocol [IP] addr...

H04L 61/45   Network directories; Name-t...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 67/02   based on web technology, e....

H04L 67/1097   for distributed storage of ...

H04L 67/34   involving the movement of s...

System and method for tenant network identity-based authentication and authorization for administrative access in a protection storage system

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

System and method for tenant network identity-based authentication and authorization for administrative access in a protection storage system

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others