UPDATING ACCESS CONTROL INFORMATION WITHIN A DISPERSED STORAGE UNIT

US 20130325823A1
Filed: 04/24/2013
Published: 12/05/2013
Est. Priority Date: 06/05/2012
Status: Active Grant

First Claim

Patent Images

1. A method for execution by a processing module of a storage unit, the method comprises:

receiving, from a requesting entity, a write request for storing a data object, wherein the write request includes updated access control list (ACL) information regarding the data object and a name identifying the data object;

determining whether the data object is a new data object or a revised version of an existing data object;

determining write authority of the requesting entity based on information contained in a locally stored access control list, wherein the write authority includes, at least one of, authorization to issue a write request for the new data object, authorization to issue a write request for the revised version of the existing data object, and authorization to issue updated ACL information regarding the new data object or the revised version of the existing data object; and

when the write request is regarding the revised version of the existing data object and the write authority includes the authorization to issue the write request for the revised version of the existing data object and the authorization to issue the updated ACL information regarding the revised version of the existing data object;

storing the revised version of the existing data object; and

updating the locally stored access control list based on the updated ACL information.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module of a storage unit receiving a write request for storing a data object that includes updated access control list (ACL) information. The method continues with the DS processing module determining whether the data object is a new data object or a revised version of an existing data object and determining write authority of the requesting entity based on information contained in a locally stored access control list. When the write request is regarding the revised version of the existing data object and the write authority includes authorization to issue the write request for the revised version of the existing data object and authorization to issue the updated ACL information, the method continues with the DS processing module storing the revised version of the existing data object and updating the access control list based on the updated ACL information.

51 Citations

View as Search Results

16 Claims

1. A method for execution by a processing module of a storage unit, the method comprises:
- receiving, from a requesting entity, a write request for storing a data object, wherein the write request includes updated access control list (ACL) information regarding the data object and a name identifying the data object;
  
  determining whether the data object is a new data object or a revised version of an existing data object;
  
  determining write authority of the requesting entity based on information contained in a locally stored access control list, wherein the write authority includes, at least one of, authorization to issue a write request for the new data object, authorization to issue a write request for the revised version of the existing data object, and authorization to issue updated ACL information regarding the new data object or the revised version of the existing data object; and
  
  when the write request is regarding the revised version of the existing data object and the write authority includes the authorization to issue the write request for the revised version of the existing data object and the authorization to issue the updated ACL information regarding the revised version of the existing data object;
  
  storing the revised version of the existing data object; and
  
  updating the locally stored access control list based on the updated ACL information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the determining whether the data object is the new data object or the revised version of the existing data object comprises:
    - interpreting a revision number field of the name.
  - 3. The method of claim 1 further comprises:
    - the write authority including a range of permissible revisions for the revised version of the existing data object;
      
      determining whether a revision number of the revised version of the existing data object is within the range of permissible revisions;
      
      when the revision number is within the range of permissible revisions;
      
      storing the revised version of the existing data object; and
      
      updating the locally stored access control list based on the updated ACL information; and
      
      when the revision number is not within the range of permissible revisions, denying the write request.
  - 4. The method of claim 1 further comprises:
    - when the write request is regarding the new data object;
      
      determining that the requesting entity is authorized to issue the write request for the new data object and to issue the updated ACL information regarding the new data object;
      
      storing the new data object; and
      
      updating the locally stored access control list based on the updated ACL information regarding the new data object.
  - 5. The method of claim 4, wherein the determining that the requesting entity is authorized to issue the write request for the new data object and to issue the updated ACL information regarding the new data object comprises:
    - extracting a signed certificate from the write request; and
      
      verifying the signed certificate to establish authorization to issue the write request for the new data object and to issue the updated ACL information regarding the new data object.
  - 6. The method of claim 1 further comprises:
    - when the write request is regarding the revised version of the existing data object and the write authority includes the authorization to issue the write request for the revised version of the existing data object but not the authorization to issue the updated ACL information regarding the revised version of the existing data object;
      
      storing the revised version of the existing data object;
      
      accessing a trusted source regarding;
      
      authenticating the requesting entity'"'"'s write authorization to issue the updated ACL information regarding the revised version of the existing data object;
      
      orobtaining the updated ACL information regarding the revised version of the existing data object.
  - 7. The method of claim 1 further comprises:
    - when the write request is regarding the revised version of the existing data object and the write authority does not include the authorization to issue the write request for the revised version of the existing data object, sending a write request rejection message to the requesting entity.
  - 8. The method of claim 1, wherein the data object comprises:
    - an encoded data slice of a set of encoded data slices, wherein a data segment is encoded using a dispersed storage error encoding function to produce the set of encoded data slices.

9. A dispersed storage (DS) module comprises:
- a first module, when operable within a computing device, causes the computing device to;
  
  receive, from a requesting entity, a write request for storing a data object, wherein the write request includes updated access control list (ACL) information regarding the data object and a name identifying the data object;
  
  a second module, when operable within the computing device, causes the computing device to;
  
  determine whether the data object is a new data object or a revised version of an existing data object;
  
  a third module, when operable within the computing device, causes the computing device to;
  
  determine write authority of the requesting entity based on information contained in a locally stored access control list, wherein the write authority includes, at least one of, authorization to issue a write request for the new data object, authorization to issue a write request for the revised version of the existing data object, and authorization to issue the updated ACL information regarding the new data object or the revised version of the existing data object; and
  
  a fourth module, when operable within the computing device, causes the computing device to;
  
  when the write request is regarding the revised version of the existing data object and the write authority includes the authorization to issue the write request for the revised version of the existing data object and authorization to issue the updated ACL information regarding the revised version of the existing data object;
  
  store the revised version of the existing data object; and
  
  update the locally stored access control list based on the updated ACL information.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The DS module of claim 9, wherein the second module functions to determine whether the data object is the new data object or the revised version of the existing data object by:
    - interpreting a revision number field of the name.
  - 11. The DS module of claim 9 further comprises:
    - the write authority including a range of permissible revisions for the revised version of the existing data object;
      
      the third module further functions to;
      
      determine whether a revision number of the revised version of the existing data object is within the range of permissible revisions; and
      
      the fourth module further functions to;
      
      when the revision number is within the range of permissible revisions;
      
      store the revised version of the existing data object; and
      
      update the locally stored access control list based on the updated ACL information; and
      
      when the revision number is not within the range of permissible revisions, deny the write request.
  - 12. The DS module of claim 9 further comprises:
    - when the write request is regarding the new data object;
      
      the third module further functions to determine that the requesting entity is authorized to issue the write request for the new data object and to issue the updated ACL information regarding the new data object; and
      
      the fourth module further functions to;
      
      store the new data object; and
      
      update the locally stored access control list based on the updated ACL information regarding the new data object.
  - 13. The DS module of claim 12, wherein the third module functions to determine that the requesting entity is authorized to issue the write request for the new data object and to issue the updated ACL information regarding the new data object by:
    - extracting a signed certificate from the write request; and
      
      verifying the signed certificate to establish authorization to issue the write request for the new data object and to issue the updated ACL information regarding the new data object.
  - 14. The DS module of claim 9 further comprises:
    - the fourth module further functions to;
      
      when the write request is regarding the revised version of the existing data object and the write authority includes the authorization to issue the write request for the revised version of the existing data object but not the authorization to issue the updated ACL information regarding the revised version of the existing data object;
      
      store the revised version of the existing data object;
      
      access a trusted source regarding;
      
      authenticating the requesting entity'"'"'s write authorization to issue the updated ACL information regarding the revised version of the existing data object;
      
      orobtaining the updated ACL information regarding the revised version of the existing data object.
  - 15. The DS module of claim 9 further comprises:
    - the fourth module further functions to, when the write request is regarding the revised version of the existing data object and the write authority does not include the authorization to issue the write request for the revised version of the existing data object, send a write request rejection message to the requesting entity.
  - 16. The DS module of claim 9, wherein the data object comprises:
    - an encoded data slice of a set of encoded data slices, wherein a data segment is encoded using a dispersed storage error encoding function to produce the set of encoded data slices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K., Leggette, Wesley, Vas, Sebastien

Granted Patent

US 10,178,083 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/695
CPC Class Codes

G06F 16/172   Caching, prefetching or hoa...

G06F 16/1873   Versioning file systems, te...

G06F 21/33   using certificates

G06F 21/57   Certifying or maintaining t...

G06F 21/604   Tools and structures for ma...

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

UPDATING ACCESS CONTROL INFORMATION WITHIN A DISPERSED STORAGE UNIT

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

UPDATING ACCESS CONTROL INFORMATION WITHIN A DISPERSED STORAGE UNIT

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links