ACCESS CONTROL FOR DATA BLOCKS IN A DISTRIBUTED FILESYSTEM

US 20160119349A1
Filed: 10/23/2014
Published: 04/28/2016
Est. Priority Date: 10/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method for access control of data in a filesystem, comprising:

storing a map in a server, the map coupled to an agent executing in the server, the map associating access control rules, filenames in a namespace in a first filesystem, and owners of files;

determining a block filename in a namespace in a second filesystem, based on an I/O (input/output) request from a data node to the second filesystem regarding a data block;

determining a username of the I/O request;

determining a filename in the namespace in the first filesystem, based on the block filename in the namespace in the second filesystem; and

applying to the data block and the username an access control rule that the map associates with an owner of a file having the filename in the namespace in the first filesystem, wherein at least one action of the method is performed by a processor in the server.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for access control of data in a filesystem is provided. The method includes storing a map in a server, the map coupled to an agent, the map associating access control rules, filenames in a namespace in a first filesystem, and owners of files. The method includes determining a block filename in a namespace in a second filesystem, based on an I/O request from a data node to the second filesystem regarding a data block. The method includes determining a username of the I/O request and determining a filename in the namespace in the first filesystem, based on the block filename in the namespace in the second filesystem. The method includes applying to the data block and the username an access control rule that the map associates with an owner of a file having the filename in the namespace in the first filesystem.

Citations

20 Claims

1. A method for access control of data in a filesystem, comprising:
- storing a map in a server, the map coupled to an agent executing in the server, the map associating access control rules, filenames in a namespace in a first filesystem, and owners of files;
  
  determining a block filename in a namespace in a second filesystem, based on an I/O (input/output) request from a data node to the second filesystem regarding a data block;
  
  determining a username of the I/O request;
  
  determining a filename in the namespace in the first filesystem, based on the block filename in the namespace in the second filesystem; and
  
  applying to the data block and the username an access control rule that the map associates with an owner of a file having the filename in the namespace in the first filesystem, wherein at least one action of the method is performed by a processor in the server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the map further associates encryption keys with the access control rules, the filenames in the namespace in the first filesystem and the owners of the files.
  - 3. The method of claim 1, wherein applying the access control rule to the data block includes allowing or denying access to the data block based on a comparison of the username of the I/O request and the owner of the file having the filename in the namespace in the first filesystem.
  - 4. The method of claim 1, wherein the I/O request spawns an I/O thread in the data node, and wherein the username is determined from the I/O thread.
  - 5. The method of claim 1, wherein applying the access control rule includes applying an encryption key to the data block, for encryption or decryption, the encryption key specified by the access control rule for use on the file having the owner and the filename in the namespace in the first filesystem.
  - 6. The method of claim 1, wherein determining the filename in the namespace in the first filesystem includes the agent applying a mapping module that maps block filenames, including pool IDs and block IDs, in the namespace in the second filesystem to filenames in the namespace in the first filesystem.

7. A tangible, non-transitory, computer-readable media having instructions thereupon which, when executed by a processor, cause the processor to perform a method comprising:
- establishing in a data node an I/O (input/output) thread associated with a username and regarding a data block, responsive to an I/O request, the data block having a block filename in a namespace in a local filesystem relative to the data node, the block filename having a pool ID (identifier) and a block ID, which identify the data block;
  
  mapping the block filename in the namespace in the local (second) filesystem to a filename in a further namespace relative to a name node and having a directory structure in a further (first) filesystem;
  
  associating an encryption key and an access control rule to the filename in the further namespace;
  
  passing the username from the data node to an agent; and
  
  applying, through the agent, the access control rule and the encryption key to the data block and the username
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer-readable media of claim 7, wherein the method further comprises:
    - determining that the access control rule is applicable to the data block by the association of the access control rule to the filename in the further namespace and the mapping the block filename in the namespace in the local filesystem to the filename in the further namespace.
  - 9. The computer-readable media of claim 7, wherein applying the access control rule includes:
    - determining, in accordance with the access control rule, whether access to the data block is allowed for the username; and
      
      applying the encryption key to the data block, for encryption or decryption, responsive to determining that access to the data block is allowed for the username.
  - 10. The computer-readable media of claim 7, wherein the mapping further comprises:
    - receiving, at the agent, the block filename from the data node;
      
      parsing the pool ID and the block ID from the block filename;
      
      mapping the pool ID to a hostname of the name node;
      
      connecting to the name node having the hostname;
      
      calling a function, with the pool ID and the block ID as input parameters to the function, to obtain the filename in the further namespace relative to the name node; and
      
      outputting the filename in the further namespace, from the name node to the agent.
  - 11. The computer-readable media of claim 7, wherein applying the access control rule and the encryption key further comprises:
    - receiving a call for I/O of the data block having the block filename from the data node;
      
      determining whether the encryption key is cached;
      
      determining whether the filename in the further namespace is cached;
      
      requesting to obtain the filename in the further namespace, based on the block filename in the namespace in the local filesystem, responsive to a determination that the filename in the further namespace is not cached;
      
      obtaining an encryption key based on the filename in the further namespace, responsive to a determination that the encryption key is not cached; and
      
      encrypting or decrypting the data block with the encryption key.
  - 12. The computer-readable media of claim 7, wherein the method further comprises:
    - pushing the access control rule from a data security manager to the agent;
      
      intercepting, at the agent, a call by the I/O thread to the local filesystem from the data node, regarding the data block;
      
      determining whether the filename in the further namespace is cached as associated to the block filename in the namespace in the local filesystem;
      
      requesting the filename in the further namespace, based on the block filename in the namespace in the local filesystem, responsive to determining that the filename in the further namespace is not cached; and
      
      obtaining the username from a thread context of the I/O thread.
  - 13. The computer-readable media of claim 7, wherein the method further comprises:
    - establishing a first map, in or coupled to the agent, that associates a plurality of filenames in the further namespace, a plurality of owners of files, and a plurality of access control rules relative to the plurality of owners and the plurality of filenames in the further namespace; and
      
      establishing a second map, in or coupled to the agent, that associates the plurality of filenames in the further namespace to a plurality of block filenames in the namespace in the local filesystem, wherein the first map and the second map support a secure filesystem having multitenancy in one or more name nodes and one or more data nodes.

14. A method for access control of data blocks in a filesystem, comprising:
- pushing a first map from a data security manager to an agent, the first map having a plurality of access control rules based on users and filenames in a first filesystem, the first map further having one or more encryption keys and associating the one or more encryption keys to the users and the filenames in the first filesystem;
  
  in an I/O (input/output) thread in a data node, sending a username to the agent through an I/O control (IOCTL) call;
  
  in the I/O thread, calling to a second filesystem regarding one or more blocks, the second filesystem having a namespace that references blocks by block filenames;
  
  in the agent, intercepting the calling to the second filesystem and obtaining a block filename;
  
  determining, through the agent, a filename of a file in the first filesystem corresponding to the block filenames in the second filesystem; and
  
  applying, through the agent, one of the plurality of access control rules, corresponding to the filename of the file in the first filesystem, against the username from the I/O control call.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising:
    - obtaining, through the agent, an encryption key based on the filename of the file in the first filesystem; and
      
      applying the encryption key to a data block having the block filename in the second filesystem.
  - 16. The method of claim 14, wherein determining, at the agent, a filename of a file in the first filesystem corresponding to the block filename in the second filesystem further comprises:
    - sending the block filename from kernel space to user space;
      
      parsing a pool ID (identifier) and a block ID from the block filename;
      
      mapping the pool ID to a hostname of a name node;
      
      connecting from the agent to a host having the hostname of the name node;
      
      sending from the agent the pool ID and the block ID to the host having the hostname of the name node, to request a filename of a file in the first filesystem, wherein the file in the first filesystem corresponds to the one or more blocks in the second filesystem; and
      
      returning from the host having the hostname of the name node to the agent the filename of the file in the first filesystem, responsive to the request for the filename of the file in the first filesystem.
  - 17. The method of claim 14, further comprising:
    - adding to a client application programming interface (API) or to a library of the first filesystem, a function defined to get a filename from the filenames in the first filesystem based on the pool ID and the block ID relative to the second filesystem.
  - 18. The method of claim 14, wherein the first filesystem is a Hadoop filesystem, the first filesystem is relative to the name node, and the second filesystem is local to the data node.
  - 19. The method of claim 14, wherein the method is implemented in software executing on one or more servers, and wherein the one or more servers comprises the agent, the first filesystem, the second filesystem, a plurality of name nodes, including the name node, and a plurality of data nodes, including the data node.
  - 20. The method of claim 14, wherein a second map is applied to the mapping, in the agent, the pool ID to a hostname of a name node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS CPL USA, Inc. (Thales SA)
Original Assignee
Vormetric, Inc. (Thales SA)
Inventors
Xu, Feng, WANG, I-Ching, Sudarsan, Sri

Granted Patent

US 9,628,486 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/06   for supporting key manageme...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/088   Usage controlling of secret...

ACCESS CONTROL FOR DATA BLOCKS IN A DISTRIBUTED FILESYSTEM

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS CONTROL FOR DATA BLOCKS IN A DISTRIBUTED FILESYSTEM

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links