SECURE ISOLATION OF TENANT RESOURCES IN A MULTI-TENANT STORAGE SYSTEM USING A SECURITY GATEWAY
Abstract
Machines, systems and methods for handling a client request in a hierarchical multi-tenant data storage system, the method comprising processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant; extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request; extracting authentication signatures or credentials that correspond to a level in the hierarchy; for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
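The authentication flow described in the abstract, as an added example that is not taken from the patent: a gateway extracts the claimed hierarchy and the per-level signatures, then asks the dedicated authenticator of each level for a confirmation. The request layout, the HMAC-SHA256 signatures, the path-keyed authenticator registry and all names are assumptions, and checking every level rather than only the first is a generalization of the claimed step.

```python
import hashlib
import hmac

class SubtenantAuthenticator:
    """Holds the secret of exactly one (sub)tenant; it cannot validate any other."""
    def __init__(self, path, key):
        self.path, self._key = path, key

    def confirm(self, message, signature):
        expected = hmac.new(self._key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)

def sign(key, message):
    """Client side: one signature per hierarchy level, made with that level's key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def canonical(request):
    """Bytes covered by every signature: claimed hierarchy, operation and target."""
    parts = ["/".join(request["hierarchy"]), request["op"], request["target"]]
    return "\n".join(parts).encode()

def gateway_authenticate(request, authenticators):
    """Return True only if every claimed level is confirmed by its own authenticator."""
    hierarchy, sigs = request["hierarchy"], request["signatures"]
    if not hierarchy or len(hierarchy) != len(sigs):
        return False                      # a level without a credential fails closed
    message = canonical(request)
    for depth, signature in enumerate(sigs, start=1):
        auth = authenticators.get("/".join(hierarchy[:depth]))
        if auth is None or not auth.confirm(message, signature):
            return False                  # unknown subtenant or bad credential
    return True

# Constructed sample data: one tenant with two subtenants, one key per identity.
KEYS = {"acme": b"tenant-key", "acme/eu": b"subtenant-key", "acme/us": b"other-key"}
AUTHENTICATORS = {p: SubtenantAuthenticator(p, k) for p, k in KEYS.items()}

def make_request(hierarchy, keys, op="GET", target="bucket/report.csv"):
    """Build a request and attach one signature per claimed level (hypothetical format)."""
    request = {"hierarchy": hierarchy, "op": op, "target": target}
    message = canonical(request)
    request["signatures"] = [sign(k, message) for k in keys]
    return request
```

Because the signed bytes include the claimed hierarchy, a request signed for one subtenant cannot be replayed under a sibling's identity.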
20 Claims
1. A method of handling a client request in a hierarchical multi-tenant data storage system, the method comprising:
- processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;
- extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request;
- extracting authentication signatures or credentials that correspond to a level in the hierarchy;
- for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and
- receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.

3. A method of maintaining resource isolation in a multi-tenant computing system, the method comprising:
- receiving a first request submitted by a first user in a multi-tenant computing system;
- extracting from the first request a first tenant ID associated with a tenant from among a plurality of tenants in the multi-tenant computing system, wherein the first tenant ID is utilized by a first request processor to determine resource access privileges associated with the first tenant ID; and
- servicing the first request by providing access to one or more target resources identified in the first request, in response to determining that the first tenant ID is associated with a first tenant with privileges to access the one or more target resources.

13. A system of handling a client request in a hierarchical multi-tenant data storage system, the system comprising:
- a logic unit for processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;
- a logic unit for extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request;
- a logic unit for extracting authentication signatures or credentials that correspond to a level in the hierarchy;
- for a first level in the hierarchy, a logic unit for sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and
- a logic unit for receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.

15. A system of maintaining resource isolation in a multi-tenant computing system, the method comprising:
- a logic unit for receiving a first request submitted by a first user in a multi-tenant computing system;
- a logic unit for extracting from the first request a first tenant ID associated with a tenant from among a plurality of tenants in the multi-tenant computing system, wherein the first tenant ID is utilized by a first request processor to determine resource access privileges associated with the first tenant ID; and
- a logic unit for servicing the first request by providing access to one or more target resources identified in the first request, in response to determining that the first tenant ID is associated with a first tenant with privileges to access the one or more target resources.

18. A computer program product comprising logic code embedded in a data storage medium for maintaining resource isolation in a multi-tenant computing system, wherein execution of the logic code on a computer causes the computer to:
- receive a first request submitted by a first user in a multi-tenant computing system;
- extract from the first request a first tenant ID associated with a tenant from among a plurality of tenants in the multi-tenant computing system, wherein the first tenant ID is utilized by a first request processor to determine resource access privileges associated with the first tenant ID; and
- service the first request by providing access to one or more target resources identified in the first request, in response to determining that the first tenant ID is associated with a first tenant with privileges to access the one or more target resources.

Specification