SECURE ISOLATION OF TENANT RESOURCES IN A MULTI-TENANT STORAGE SYSTEM USING A SECURITY GATEWAY

US 20140330869A1
Filed: 05/02/2013
Published: 11/06/2014
Est. Priority Date: 05/02/2013
Status: Active Grant

First Claim

Patent Images

1. A method of handling a client request in a hierarchical multi-tenant data storage system, the method comprising:

processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;

extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request;

extracting authentication signatures or credentials that correspond to a level in the hierarchy;

for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and

receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Machines, systems and methods for handling a client request in a hierarchical multi-tenant data storage system, the method comprising processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant; extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request; extracting authentication signatures or credentials that correspond to a level in the hierarchy; for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.

Citations

20 Claims

1. A method of handling a client request in a hierarchical multi-tenant data storage system, the method comprising:
- processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;
  
  extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request;
  
  extracting authentication signatures or credentials that correspond to a level in the hierarchy;
  
  for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and
  
  receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
- View Dependent Claims (2)
- - 2. The method of claim 1, wherein in response to receiving a confirmation that the request is authentic, the request is forwarded to one or more entities having a dedicated subtenant privilege for accessing a subset of the subtenant resources.

3. A method of maintaining resource isolation in a multi-tenant computing system, the method comprising:
- receiving a first request submitted by a first user in a multi-tenant computing system;
  
  extracting from the first request a first tenant ID associated with a tenant from among a plurality of tenants in the multi-tenant computing system, wherein the first tenant ID is utilized by a first request processor to determine resource access privileges associated with the first tenant ID; and
  
  servicing the first request by providing access to one or more target resources identified in the first request, in response to determining that the first tenant ID is associated with a first tenant with privileges to access the one or more target resources.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 4. The method of claim 3, wherein the security gateway determines that the first tenant ID is associated with a first tenant.
  - 5. The method of claim 3, wherein user credential data associated with the first request is examined by an authenticator to determine whether the first user is authorized to access the one or more target resources.
  - 6. The method of claim 5, wherein the authenticator determines that the first user is authorized to access the one or more target resources, in response to determining that the user credential data associated with the first request matches user credential data associated with the first tenant.
  - 7. The method of claim 3, wherein the security gateway utilizes one or more processes to service the first request by providing access to the one or more resources according to the first tenant privileges.
  - 8. The method of claim 7, wherein a first process is utilized to provide access to a first resource and a second process is utilized to provide access to a second resource.
  - 9. The method of claim 8, wherein the first process and the second process privileges are set so that the first process is exclusively dedicated to providing access to the first resource and the second process is exclusively dedicated to providing access to the second resource.
  - 10. The method of claim 3, wherein the first tenant ID is embedded in a header portion of a data communication packet that includes the first request.
  - 11. The method of claim 5, wherein a plurality of authenticators are utilized to authenticate a plurality of requests, wherein said requests are respectively associated with a plurality of tenant IDs.
  - 12. The method of claim 5, wherein a secure communication channel is established between the first request processor and the authenticator, wherein the user credential data is transferred over the secured communication channel to the authenticator.

13. A system of handling a client request in a hierarchical multi-tenant data storage system, the system comprising:
- a logic unit for processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;
  
  a logic unit for extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request;
  
  a logic unit for extracting authentication signatures or credentials that correspond to a level in the hierarchy;
  
  for a first level in the hierarchy, a logic unit for sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and
  
  a logic unit for receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
- View Dependent Claims (14)
- - 14. The system of claim 13, wherein in response to receiving a confirmation that the request is authentic, the request is forwarded to one or more entities having a dedicated subtenant privilege for accessing a subset of the subtenant resources.

15. A system of maintaining resource isolation in a multi-tenant computing system, the method comprising:
- a logic unit for receiving a first request submitted by a first user in a multi-tenant computing system;
  
  a logic unit for extracting from the first request a first tenant ID associated with a tenant from among a plurality of tenants in the multi-tenant computing system, wherein the first tenant ID is utilized by a first request processor to determine resource access privileges associated with the first tenant ID; and
  
  a logic unit for servicing the first request by providing access to one or more target resources identified in the first request, in response to determining that the first tenant ID is associated with a first tenant with privileges to access the one or more target resources.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the security gateway determines that the first tenant ID is associated with a first tenant.
  - 17. The system of claim 16, wherein user credential data associated with the first request is examined by an authenticator to determine whether the first user is authorized to access the one or more target resources.

18. A computer program product comprising logic code embedded in a data storage medium for maintaining resource isolation in a multi-tenant computing system, wherein execution of the logic code on a computer causes the computer to:
- receive a first request submitted by a first user in a multi-tenant computing system;
  
  extract from the first request a first tenant ID associated with a tenant from among a plurality of tenants in the multi-tenant computing system, wherein the first tenant ID is utilized by a first request processor to determine resource access privileges associated with the first tenant ID; and
  
  service the first request by providing access to one or more target resources identified in the first request, in response to determining that the first tenant ID is associated with a first tenant with privileges to access the one or more target resources.
- View Dependent Claims (19, 20)
- - 19. The computer program product of claim 18, wherein the security gateway determines that the first tenant ID is associated with a first tenant.
  - 20. The computer program product of claim 18, wherein user credential data associated with the first request is examined by an authenticator to determine whether the first user is authorized to access the one or more target resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Factor, Michael E., Hadas, David, Kolodner, Elliot K., Kurmus, Anil, Shulman-Peleg, Alexandra, Sorniotti, Alessandro

Granted Patent

US 9,411,973 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/783
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 16/182   Distributed file systems

G06F 21/6218   to a system of files or obj...

G06F 21/6281   at program execution time, ...

G06F 2221/2145   Inheriting rights or proper...

G06F 9/00   Arrangements for program co...

G06F 9/46   Multiprogramming arrangements

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

SECURE ISOLATION OF TENANT RESOURCES IN A MULTI-TENANT STORAGE SYSTEM USING A SECURITY GATEWAY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE ISOLATION OF TENANT RESOURCES IN A MULTI-TENANT STORAGE SYSTEM USING A SECURITY GATEWAY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links