Provide access to data storage services in a network environment

US 10,601,804 B2
Filed: 12/11/2017
Issued: 03/24/2020
Est. Priority Date: 12/11/2017
Status: Active Grant

First Claim

Patent Images

1. A computer program product for providing access to data storage services in a network environment, wherein the computer program product comprises a computer readable storage medium having program instructions embodied therewith that when executed cause operations, the operations comprising:

providing multi-tenancy information for a plurality of clients, wherein for each client of the clients, the multi-tenancy information indicates at least one tenant assigned to the client, and for each of the at least one tenant assigned to a client, at least one data source assigned to the tenant assigned to the client, and for each of the at least one data source, information on at least one user assigned to the data source and permitted access to the data source;

providing to a user an isolate tag to use when accessing data in a data source, wherein the isolate tag includes a client tag identifying one client, a tenant tag identifying one tenant, and a data source tag identifying one data source to which the user is permitted to access data;

receiving from the user the isolate tag with a user access request to data in a data source, wherein the isolate tag indicates the client tag, tenant tag, and data source tag;

validating the user access request by determining whether the multi-tenancy information indicates that the client, tenant, and data source identified by the client tag, the tenant tag, and the data source tag, respectively, in the isolate tag, are related;

in response to the validating the user access request, determining a processing pipeline associated with the tenant identified by the tenant tag in the isolate tag, wherein the processing pipeline specifies a series of data processing services to apply to data for the tenant; and

applying the data processing services specified in the determined processing pipeline to the data subject to the user access request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a computer program product, system, and method for providing access to data storage services in a network environment. Multi-tenancy information for each of a plurality of clients has at least one tenant assigned to the client, at least one data source assigned to the tenant assigned to the client, and for each of the at least one data source, information on at least one user assigned to the data source and permitted access to the data source. A user is provided an isolate tag comprising a client tag identifying one client, a tenant tag identifying one tenant, and a data source tag identifying one data source to which the user is permitted to access data. A user access request with an isolate tag is processed in response to determining that the multi-tenancy information indicates that the client, tenant, and data source identified by the isolate tag are related.

Citations

19 Claims

1. A computer program product for providing access to data storage services in a network environment, wherein the computer program product comprises a computer readable storage medium having program instructions embodied therewith that when executed cause operations, the operations comprising:
- providing multi-tenancy information for a plurality of clients, wherein for each client of the clients, the multi-tenancy information indicates at least one tenant assigned to the client, and for each of the at least one tenant assigned to a client, at least one data source assigned to the tenant assigned to the client, and for each of the at least one data source, information on at least one user assigned to the data source and permitted access to the data source;
  
  providing to a user an isolate tag to use when accessing data in a data source, wherein the isolate tag includes a client tag identifying one client, a tenant tag identifying one tenant, and a data source tag identifying one data source to which the user is permitted to access data;
  
  receiving from the user the isolate tag with a user access request to data in a data source, wherein the isolate tag indicates the client tag, tenant tag, and data source tag;
  
  validating the user access request by determining whether the multi-tenancy information indicates that the client, tenant, and data source identified by the client tag, the tenant tag, and the data source tag, respectively, in the isolate tag, are related;
  
  in response to the validating the user access request, determining a processing pipeline associated with the tenant identified by the tenant tag in the isolate tag, wherein the processing pipeline specifies a series of data processing services to apply to data for the tenant; and
  
  applying the data processing services specified in the determined processing pipeline to the data subject to the user access request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer program product of claim 1, wherein the user access request includes user authentication information, wherein the at least one user indicated for each of the at least one data source in the multi-tenancy information indicates user authentication information of the user, wherein the validating the user access request comprises:
    - determining whether the user authentication information provided with the user access request satisfies the user authentication information in the multi-tenancy information.
  - 3. The computer program product of claim 1, wherein the user access request is validated in response to:
    - determining that the user submitting the user access request is assigned to a data source in the multi-tenancy information identified by the data source tag in the isolate tag with the user access request;
      
      determining that the data source to which the user is assigned is assigned to a tenant in the multi-tenancy information identified by the tenant tag in the isolate tag with the user access request; and
      
      determining that the tenant to which the data source is assigned is assigned to a client in the multi-tenancy information identified by the client tag in the isolate tag with the user access request.
  - 4. The computer program product of claim 1, wherein the user access request comprises a write request to write data, wherein the applying the data processing services specified in the determined processing pipeline to the data subject to the user access request further comprises:
    - writing the write data to the data source identified by the data source tag in the isolate tag.
  - 5. The computer program product of claim 4, wherein the writing the write data further comprises:
    - writing the isolate tag with the write in the user access request in the data source identified by the data source tag in the isolate tag.
  - 6. The computer program product of claim 1, wherein the multi-tenancy information comprises a hierarchical relationship of clients to tenants, tenants to data sources, and data sources to tenants, wherein a user assigned to a higher level in the hierarchical relationship than a data source, including a client or tenant, is permitted to access all data sources assigned to the client or tenant to which the user is assigned, wherein the user assigned to a client is permitted to access all data sources assigned to at least one tenant assigned to the client to which the user is assigned.
  - 7. The computer program product of claim 1, wherein all user access requests to data in data sources must include an isolate tag in order to be processed, wherein users cannot access data sources not indicated in the isolate tag presented by the user.
  - 8. The computer program product of claim 1, wherein at least one user is provided multiple isolate tags including at least one of different data source tag, tenant tag, and client tag to provide access to different data sources.
  - 9. The computer program product of claim 1, wherein at least two processing pipelines associated with different tenants specify different data processing services.
  - 10. The computer program product of claim 1, wherein for a write operation for write data provided with the user access request to write, a processing pipeline for the tenant indicated in the isolation tag applies the data processing services defined by the determined processing pipeline to the write data to write to the data source identified by the data source tag in the isolate tag.
  - 11. The computer program product of claim 10, wherein the user access request is to read requested data, wherein the processing pipeline for the tenant indicated in the isolate tag reads the requested data from the data source identified by the data source tag and applies the data processing services defined by the determined processing pipeline to the read requested data from the data source indicated in the isolate tag.

12. A system for providing access to data storage services in a network environment, comprising:
- a processor;
  
  a multi-tenancy information for a plurality of clients, wherein for each client of the clients, the multi-tenancy information indicates at least one tenant assigned to the client, and for each of the at least one tenant assigned to a client, at least one data source assigned to the tenant assigned to the client, and for each of the at least one data source, information on at least one user assigned to the data source and permitted access to the data source; and
  
  a computer readable storage medium having program instructions embodied therewith that when executed cause operations, the operations comprising;
  
  providing to a user an isolate tag to use when accessing data in a data source, wherein the isolate tag includes a client tag identifying one client, a tenant tag identifying one tenant, and a data source tag identifying one data source to which the user is permitted to access data;
  
  receiving from the user the isolate tag with a user access request to data in a data source, wherein the isolate tag indicates the client tag, tenant tag, and data source tag;
  
  validating the user access request by determining whether the multi-tenancy information indicates that the client, tenant, and data source identified by the client tag, the tenant tag, and the data source tag, respectively, in the isolate tag, are related;
  
  in response to the validating the user access request, determining a processing pipeline associated with the tenant identified by the tenant tag in the isolate tag, wherein the processing pipeline specifies a series of data processing services to apply to data for the tenant; and
  
  applying the data processing services specified in the determined processing pipeline to the data subject to the user access request.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the user access request is validated in response to:
    - determining that the user submitting the user access request is assigned to a data source in the multi-tenancy information identified by the data source tag in the isolate tag with the user access request;
      
      determining that the data source to which the user is assigned is assigned to a tenant in the multi-tenancy information identified by the tenant tag in the isolate tag with the user access request; and
      
      determining that the tenant to which the data source is assigned is assigned to a client in the multi-tenancy information identified by the client tag in the isolate tag with the user access request.
  - 14. The system of claim 12, wherein the operations further comprise:
    - writing the isolate tag with write data in a write access request to the data source identified by the data source tag in the isolate tag.
  - 15. The system of claim 12, wherein at least two processing pipelines associated with different tenants specify different data processing services.

16. A method for providing access to data storage services in a network environment, comprising:
- providing multi-tenancy information for a plurality of clients, wherein for each client of the clients, the multi-tenancy information indicates at least one tenant assigned to the client, and for each of the at least one tenant assigned to a client, at least one data source assigned to the tenant assigned to the client, and for each of the at least one data source, information on at least one user assigned to the data source and permitted access to the data source;
  
  providing to a user an isolate tag to use when accessing data in a data source, wherein the isolate tag includes a client tag identifying one client, a tenant tag identifying one tenant, and a data source tag identifying one data source to which the user is permitted to access data;
  
  receiving from the user the isolate tag with a user access request to data in a data source, wherein the isolate tag indicates the client tag, tenant tag, and data source tag;
  
  validating the user access request by determining whether the multi-tenancy information indicates that the client, tenant, and data source identified by the client tag, the tenant tag, and the data source tag, respectively, in the isolate tag, are related;
  
  in response to the validating the user access request, determining a processing pipeline associated with the tenant identified by the tenant tag in the isolate tag, wherein the processing pipeline specifies a series of data processing services to apply to data for the tenant; and
  
  applying the data processing services specified in the determined processing pipeline to the data subject to the user access request.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the user access request is validated in response to:
    - determining that the user submitting the user access request is assigned to a data source in the multi-tenancy information identified by the data source tag in the isolate tag with the user access request;
      
      determining that the data source to which the user is assigned is assigned to a tenant in the multi-tenancy information identified by the tenant tag in the isolate tag with the user access request; and
      
      determining that the tenant to which the data source is assigned is assigned to a client in the multi-tenancy information identified by the client tag in the isolate tag with the user access request.
  - 18. The method of claim 16, further comprising:
    - writing the isolate tag with write data in a write access request to the data source identified by the data source tag in the isolate tag.
  - 19. The method of claim 16, wherein at least two processing pipelines associated with different tenants specify different data processing services.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Bakthavachalam, Senthil, Bastide, Paul R., Franke, Hubertus
Primary Examiner(s)
Zee, Edward

Application Number

US15/838,321
Publication Number

US 20190182226A1
Time in Patent Office

834 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

Provide access to data storage services in a network environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Provide access to data storage services in a network environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links