ACCESS CONTROL OF DATA IN A DISPERSED STORAGE NETWORK

US 20140123316A1
Filed: 09/17/2013
Published: 05/01/2014
Est. Priority Date: 10/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method for execution by one or more processing modules of one or more computing devices, the method comprises:

in response to a data access request that includes a data access request type, a data object identifier of a data object, and a user identifier of a user of a user device, accessing hierarchical data access control information that includes;

a plurality of logical memory access control files, wherein a logical memory access control file of the plurality of logical memory access control files includes a list of users that have access to a particular logical memory space and a list of corresponding access rights to data stored within the particular logical memory space; and

a plurality of sets of data object access control files, wherein a set of data object access control files of the plurality of sets of data object access control files is associated with the logical memory access control file, wherein a data object access control file of the set of data object access control files includes a list of data access restrictions for one or more users of the list of users of the logical memory access control file;

from the hierarchical data access control information, obtaining one of the plurality of logical memory access control files based on the user identifier;

determining, from the one of the plurality of logical memory access control files, whether the data access request type is within corresponding access rights of the user device;

when the data access request type is within the corresponding access rights of the user device, obtaining a corresponding data object access control file from a corresponding set of data object access files of the plurality of sets of data object access control files based on the data object identifier;

determining, from the corresponding data object access control file, whether the data access request type is restricted; and

when the data access request type is not restricted, processing the data access request.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module receiving, from a user device, a data access request and accessing hierarchical data access control information. The method continues with the DS processing module obtaining a logical memory access control file from the hierarchical data access control information and determining a data access request type of the request is within access rights of the user device. When the data access request type is within the access rights of the user device, the method continues with the DS processing module obtaining a data object access control file from the hierarchical data access control information. The method continues with the DS processing module determining, from the data object access control file, whether the data access request type is restricted. When the data access request type is not restricted, the method continues with the DS processing module processing the data access request.

Citations

22 Claims

1. A method for execution by one or more processing modules of one or more computing devices, the method comprises:
- in response to a data access request that includes a data access request type, a data object identifier of a data object, and a user identifier of a user of a user device, accessing hierarchical data access control information that includes;
  
  a plurality of logical memory access control files, wherein a logical memory access control file of the plurality of logical memory access control files includes a list of users that have access to a particular logical memory space and a list of corresponding access rights to data stored within the particular logical memory space; and
  
  a plurality of sets of data object access control files, wherein a set of data object access control files of the plurality of sets of data object access control files is associated with the logical memory access control file, wherein a data object access control file of the set of data object access control files includes a list of data access restrictions for one or more users of the list of users of the logical memory access control file;
  
  from the hierarchical data access control information, obtaining one of the plurality of logical memory access control files based on the user identifier;
  
  determining, from the one of the plurality of logical memory access control files, whether the data access request type is within corresponding access rights of the user device;
  
  when the data access request type is within the corresponding access rights of the user device, obtaining a corresponding data object access control file from a corresponding set of data object access files of the plurality of sets of data object access control files based on the data object identifier;
  
  determining, from the corresponding data object access control file, whether the data access request type is restricted; and
  
  when the data access request type is not restricted, processing the data access request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprises:
    - when the data access request type is not within the corresponding access rights of the user device, rejecting the data access request and ceasing further processing of the data access request.
  - 3. The method of claim 1 further comprises:
    - when the data access request type is restricted, rejecting the data access request.
  - 4. The method of claim 1, wherein the hierarchical data access control information further comprises:
    - a plurality of sets of folder access control files, wherein a set of folder access control files of the plurality of sets of folder access control files is associated with the logical memory access control file, wherein a folder access control file of the set of folder access control files includes a list of data access restrictions for one or more of the users of the list of users of the logical memory access control file regarding data objects stored within a corresponding folder of the particular logical memory space, wherein a sub-set of data object access control files of the set of data object access control files is associated with the folder access control file.
  - 5. The method of claim 1, wherein the obtaining the corresponding data object access control file comprises one of:
    - retrieving a first portion of the data object from network memory, wherein the first portion includes the corresponding data object access control file; and
      
      retrieving the corresponding data object access control file from the network memory as a separate file.

6. A method for execution by one or more processing modules of one or more computing devices for maintaining access control information for data storage in network memory, the method comprises:
- interpreting a data access request to determine whether a data object corresponding to a data object identifier of the data access request is stored in the network memory, wherein the data access request includes a data access request type, the data object identifier, and a user identifier of a user of a user device;
  
  when the data object corresponding to the data object identifier is not stored in the network memory, accessing, based on the user identifier, hierarchical data access control information to retrieve a logical memory access control file of a plurality of logical memory access control files, wherein the logical memory access control file includes a list of users that have access to a particular logical memory space of the network memory and a list of corresponding access rights to data stored within the particular logical memory space;
  
  determining, based on the logical memory access control file, whether the user device has corresponding access rights to initially write the data object into the particular logical memory space; and
  
  when the user device has the corresponding access rights to initially write the data object into the particular logical memory space;
  
  creating a data object access control file for the data object, wherein the data object access control file includes a list of data access restrictions for one or more users of the list of users of the logical memory access control file; and
  
  linking the data object access control file to the logical memory access control file.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6 further comprises:
    - updating the logical memory access control file by at least one of;
      
      adding a new user to the list of users and new corresponding access rights to the list of corresponding access rights;
      
      deleting an older user from the list of users and deleting the corresponding access rights from the list of corresponding access rights; and
      
      editing the corresponding access rights of the user device in the list of corresponding access rights.
  - 8. The method of claim 6 further comprises:
    - updating the data object access control file by at least one of;
      
      adding new data access restrictions to the list of data access restrictions for another one or more of the users of the list of users of the logical memory access control file;
      
      adding the new data access restrictions to the list of data access restrictions for the one or more of the users of the list of users of the logical memory access control file; and
      
      deleting one or more data access restrictions from the list of data access restrictions for the one or more of the users of the list of users of the logical memory access control file.
  - 9. The method of claim 6 further comprises:
    - when the data object corresponding to the data object identifier is stored in the network memory and the data access request type is a delete the data object;
      
      determining, based on the logical memory access control file, whether the user device has corresponding access rights to delete the data object;
      
      when the user device has corresponding access rights to delete the data object, deleting the data object access control file and the data object; and
      
      deleting the linking of the data object access control file to the logical memory access control file.
  - 10. The method of claim 6 further comprises:
    - linking the data object access control file to a folder access control file of a set of folder access control files of a plurality of sets of folder access control files, wherein the set of folder access control files is associated with the logical memory access control file, wherein the folder access control file includes the list of data access restrictions for one or more of the users of the list of users of the logical memory access control file regarding data objects stored within a corresponding folder of the particular logical memory space, wherein a sub-set of data object access control files of a set of data object access control files is associated with the folder access control file.
  - 11. The method of claim 6 further comprises one of:
    - storing the data object access control file with the data object in the network memory; and
      
      storing the data object access control file as a separate file in the network memory.

12. A dispersed storage (DS) module comprises:
- a first module, when operable within a computing device, causes the computing device to;
  
  in response to a data access request that includes a data access request type, a data object identifier of a data object, and a user identifier of a user of a user device, access hierarchical data access control information that includes;
  
  a plurality of logical memory access control files, wherein a logical memory access control file of the plurality of logical memory access control files includes a list of users that have access to a particular logical memory space and a list of corresponding access rights to data stored within the particular logical memory space; and
  
  a plurality of sets of data object access control files, wherein a set of data object access control files of the plurality of sets of data object access control files is associated with the logical memory access control file, wherein a data object access control file of the set of data object access control files includes a list of data access restrictions for one or more users of the list of users of the logical memory access control file;
  
  a second module, when operable within the computing device, causes the computing device to;
  
  from the hierarchical data access control information, obtain one of the plurality of logical memory access control files based on the user identifier;
  
  determine, from the one of the plurality of logical memory access control files, whether the data access request type is within the corresponding access rights of the user device;
  
  when the data access request type is within the corresponding access rights of the user device, obtain a corresponding data object access control file from a corresponding set of data object access files of the plurality of sets of data object access control files based on the data object identifier; and
  
  determine, from the corresponding data object access control file, whether the data access request type is restricted; and
  
  a third module, when operable within the computing device, causes the computing device to;
  
  when the data access request type is not restricted, process the data access request.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The DS module of claim 12 further comprises:
    - the second module, when operable within the computing device, further causes the computing device to;
      
      when the data access request type is not within the corresponding access rights of the user device, reject the data access request and cease further processing of the data access request.
  - 14. The DS module of claim 12 further comprises:
    - the second module, when operable within the computing device, further causes the computing device to;
      
      when the data access request type is restricted, reject the data access request.
  - 15. The DS module of claim 12, wherein the hierarchical data access control information further comprises:
    - a plurality of sets of folder access control files, wherein a set of folder access control files of the plurality of sets of folder access control files is associated with the logical memory access control file, wherein a folder access control file of the set of folder access control files includes the list of data access restrictions for one or more of the users of the list of users of the logical memory access control file regarding data objects stored within a corresponding folder of the particular logical memory space, wherein a sub-set of data object access control files of the set of data object access control files is associated with the folder access control file.
  - 16. The DS module of claim 12, wherein the second module functions to obtain the corresponding data object access control file by one of:
    - retrieving a first portion of the data object from network memory, wherein the first portion includes the corresponding data object access control file; and
      
      retrieving the corresponding data object access control file from the network memory as a separate file.

17. A dispersed storage (DS) module comprises:
- a first module, when operable within a computing device, causes the computing device to;
  
  interpret a data access request to determine whether a data object corresponding to a data object identifier of the data access request is stored in a network memory, wherein the data access request includes a data access request type, the data object identifier, and a user identifier of a user of a user device; and
  
  when the data object corresponding to the data object identifier is not stored in the network memory, access, based on the user identifier, hierarchical data access control information to retrieve a logical memory access control file of a plurality of logical memory access control files, wherein the logical memory access control file includes a list of users that have access to a particular logical memory space of the network memory and a list of corresponding access rights to data stored within the particular logical memory space; and
  
  a second module, when operable within the computing device, causes the computing device to;
  
  determine, based on the logical memory access control file, whether the user device has corresponding access rights to initially write the data object into the particular logical memory space; and
  
  when the user device has the corresponding access rights to initially write the data object into the particular logical memory space;
  
  create a data object access control file for the data object, wherein the data object access control file includes a list of data access restrictions for one or more users of the list of users of the logical memory access control file; and
  
  link the data object access control file to the logical memory access control file.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The DS module of claim 17 further comprises:
    - a third module, when operable within the computing device, causes the computing device to;
      
      update the logical memory access control file by at least one of;
      
      adding a new user to the list of users and new corresponding access rights to the list of corresponding access rights;
      
      deleting an older user from the list of users and deleting the corresponding access rights from the list of corresponding access rights; and
      
      editing the corresponding access rights of the user device in the list of corresponding access rights.
  - 19. The DS module of claim 17 further comprises:
    - a third module, when operable within the computing device, causes the computing device to;
      
      update the data object access control file by at least one of;
      
      adding new data access restrictions to the list of data access restrictions for another one or more of the users of the list of users of the logical memory access control file;
      
      adding the new data access restrictions to the list of data access restrictions for the one or more of the users of the list of users of the logical memory access control file; and
      
      deleting one or more data access restrictions from the list of data access restrictions for the one or more of the users of the list of users of the logical memory access control file.
  - 20. The DS module of claim 17 further comprises:
    - the second module, when operable within the computing device, further causes the computing device to;
      
      when the data object corresponding to the data object identifier is stored in the network memory and the data access request type is a delete the data object;
      
      determine, based on the logical memory access control file, whether the user device has corresponding access rights to delete the data object;
      
      when the user device has corresponding access rights to delete the data object, delete the data object access control file and the data object; and
      
      delete linking of the data object access control file to the logical memory access control file.
  - 21. The DS module of claim 17 further comprises:
    - the second module, when operable within the computing device, further causes the computing device to;
      
      link the data object access control file to a folder access control file of a set of folder access control files of a plurality of sets of folder access control files, wherein the set of folder access control files is associated with the logical memory access control file, wherein the folder access control file includes the list of data access restrictions for one or more of the users of the list of users of the logical memory access control file regarding data objects stored within a corresponding folder of the particular logical memory space, wherein a sub-set of data object access control files of a set of data object access control files is associated with the folder access control file.
  - 22. The DS module of claim 17 further comprises:
    - the second module, when operable within the computing device, further causes the computing device to;
      
      store the data object access control file with the data object in the network memory;
      
      orstore the data object access control file as a separate file in the network memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Leggette, Wesley, Young, Jesse Louis, Resch, Jason K.

Granted Patent

US 9,936,020 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/28
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 21/6218   to a system of files or obj...

H04L 67/1097   for distributed storage of ...

ACCESS CONTROL OF DATA IN A DISPERSED STORAGE NETWORK

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS CONTROL OF DATA IN A DISPERSED STORAGE NETWORK

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links