Method and apparatus for validation of application data on a storage system

US 20050278529A1
Filed: 06/10/2004
Published: 12/15/2005
Est. Priority Date: 06/10/2004
Status: Active Grant

First Claim

Patent Images

1. A data access method between a first data processing system and a second data processing system, said second data processing system having a storage of data that is accessed by said first data processing system, the method comprising:

receiving a data request from an application-level program executing on said first data processing system, said data request including file identification information;

obtaining access control information that is associated with said file identification information and which is stored in said first data processing system; and

communicating a second data request to said second data processing system, said second data request including said access control information and second file identification information that is based on said file identification information, wherein said second data processing system selectively performs a data operation in accordance with said second data request depending on said access control information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication processing method and system includes an access control list on both a client system and a storage server system. The access control list stores authentication information for individual files. The authentication information is accessed and used to authenticate an application when the application attempts to access a file.

Citations

24 Claims

1. A data access method between a first data processing system and a second data processing system, said second data processing system having a storage of data that is accessed by said first data processing system, the method comprising:
- receiving a data request from an application-level program executing on said first data processing system, said data request including file identification information;
  
  obtaining access control information that is associated with said file identification information and which is stored in said first data processing system; and
  
  communicating a second data request to said second data processing system, said second data request including said access control information and second file identification information that is based on said file identification information, wherein said second data processing system selectively performs a data operation in accordance with said second data request depending on said access control information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein said second data request is a write operation, the method further comprising combining data that is associated with said write operation with said access control information to produce a data component, communicating a response to said second data request to said first data processing system, said response including said data component.
  - 3. The method of claim 1 further comprising accessing user identification information in response to receiving said data request, wherein said access control information is obtained based on said user identification information.
  - 4. The method of claim 3 wherein said access control information is a user password.
  - 5. The method of claim 4 wherein said second data processing system obtains a candidate password that is associated with a file identified by said second file identification information, wherein said data operation is selectively performed depending on a comparison between said user password and said candidate password.
  - 6. The method of claim 1 wherein said second data request is a read operation.
  - 7. The method of claim 1 wherein said second data request is a write operation.
  - 8. The method of claim 1 wherein said second data processing system is a NAS (network attached storage) server.

9. A method for accessing information from a first processing system, said information being stored in a second processing system, the method comprising:
- receiving from said first processing system a data request, said data request including access control information and file identification information;
  
  obtaining local access control information that is stored in said second processing system based on said file identification information;
  
  if a comparison between said access control information and said local access control information produces a first outcome, then communicating an error message to said first processing system indicative of a negative comparison between said access control information with said local access control information; and
  
  if a comparison between said access control information and said local access control information produces a second outcome, then performing a data operation in accordance with said data request and communicating a result of said data operation to said first processing system.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9 wherein said data request is a write operation, wherein data associated with said write operation includes said access control information.
  - 11. The method of claim 9 wherein said access control information and said local access control information each include user identification information, said comparison steps including comparing user identification information in said access control information and said user identification information in said local access control information.
  - 12. The method of claim 9 wherein said data request is a read operation.
  - 13. The method of claim 9 wherein said data request is a write operation.
  - 14. The method of claim 9 wherein said second processing system is a NAS (network attached storage) server.

15. A method for communicating data between a first system and a second system, wherein said first system comprises system-level programs and application-level programs, said system-level programs providing system services, said application-level programs accessing said system services via said system-level programs, said data being stored in a storage system of said second system, the method comprising:
- receiving a request for a data operation from an application-level program, said first data request including information that identifies a first file;
  
  obtaining first access control information, said first access control information being associated with said first file;
  
  communicating a request to said second system to service said data operation, said request including said first access control information and information that identifies said first file;
  
  in said second system, obtaining second access control information that is associated with said first file; and
  
  if said second access control information matches said first access control information, then performing a data access operation on said storage system to service said data operation and communicating a result of said data access operation to said first system.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15 further comprising accessing a user identifier that is associated with said application-level program, wherein obtaining said first file identifier is further based on said user identifier.
  - 17. The method of claim 15 wherein said request that is communicated to said second system is a write request, said write request including a data component comprising data to be written and first access control information.
  - 18. The method of claim 15 wherein said second system is a NAS (network attached storage) server.

19. A method for exchanging data between a first data processing system and a second data processing system, said data being stored in a storage system of said second data processing system, the method comprising:
- receiving, in said first data processing system, a data access request;
  
  obtaining, in said first data processing system, access control information that is associated with a file that is the target of said data access request; and
  
  if said data access request is a write operation, then communicating a write request to said second data processing system to service said write operation, said write request including a data component comprising said write-data and said access control information, wherein in response to said second data processing system receiving said write request, then;
  
  obtaining local access control information associated with a file that is the target of said write request;
  
  obtaining said access control information from said data component; and
  
  based on a comparison between said local access control information and said access control information, selectively writing said write-data to said storage system.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19 wherein if said data access request is a read operation, then communicating a read request to said second data processing system to service said read operation, wherein in response to said second data processing system receiving said read request, then:
    - accessing read-data from said storage system;
      
      obtaining local access control information associated with a file that is the target of said read operation; and
      
      communicating a read result to said first data processing system, said read result including a data component comprising said read-data and said local access control information, wherein said first data processing system obtains said local access control information from said data component, wherein said first data processing system selectively communicates a positive response to said application-level program based on a comparison between said access control information and said local access control information.
  - 21. The method of claim 20 wherein said read request includes a count field that is a sum of a data size of data to be read and a data size of said access control information.

22. A data processing system comprising:
- a data processing component;
  
  a communication interface configured for communication over a data communication network; and
  
  program code, said program code configured to operate said data processing component to;
  
  receive a data request from an application-level program said data request including file identification information;
  
  obtain access control information that is associated with said file identification information, said access control information being stored in said data processing system; and
  
  communicate a second data request to a storage server system, said second data request including said access control information and second file identification information that is based on said file identification information.

23. A storage server system comprising:
- a data processing portion;
  
  a storage component;
  
  a communication interface for communication over a data network; and
  
  program code, said program code configured to operate said data processing portion to;
  
  receive a data request from a client system, said data request including access control information and file identification information;
  
  obtain local access control information that is stored in said data storage server based on said file identification information;
  
  communicate an error message to said client system indicative of a negative comparison between said access control information with said local access control information, if a comparison between said access control information and said local access control information produces a first outcome; and
  
  perform a data operation in accordance with said data request and communicate a result of said data operation to said client system, if a comparison between said access control information and said local access control information produces a second outcome.
- View Dependent Claims (24)
- - 24. The system of claim 23 wherein said data request is a for a write operation, wherein said data request includes a data component, said data component comprising data to be written and said access control information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Kano, Yoshiki

Granted Patent

US 7,549,171 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

Method and apparatus for validation of application data on a storage system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for validation of application data on a storage system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links