ACCESS CONTROL FOR DATA BLOCKS IN A DISTRIBUTED FILESYSTEM
First Claim
1. A method for access control of data in a filesystem, comprising:
- storing a map in a server, the map coupled to an agent executing in the server, the map associating access control rules, filenames in a namespace in a first filesystem, and owners of files;
- determining a block filename in a namespace in a second filesystem, based on an I/O (input/output) request from a data node to the second filesystem regarding a data block;
- determining a username of the I/O request;
- determining a filename in the namespace in the first filesystem, based on the block filename in the namespace in the second filesystem; and
- applying to the data block and the username an access control rule that the map associates with an owner of a file having the filename in the namespace in the first filesystem, wherein at least one action of the method is performed by a processor in the server.
Abstract
A method for access control of data in a filesystem is provided. The method includes storing a map in a server, the map coupled to an agent, the map associating access control rules, filenames in a namespace in a first filesystem, and owners of files. The method includes determining a block filename in a namespace in a second filesystem, based on an I/O request from a data node to the second filesystem regarding a data block. The method includes determining a username of the I/O request and determining a filename in the namespace in the first filesystem, based on the block filename in the namespace in the second filesystem. The method includes applying to the data block and the username an access control rule that the map associates with an owner of a file having the filename in the namespace in the first filesystem.
20 Claims
7. A tangible, non-transitory, computer-readable media having instructions thereupon which, when executed by a processor, cause the processor to perform a method comprising:
- establishing in a data node an I/O (input/output) thread associated with a username and regarding a data block, responsive to an I/O request, the data block having a block filename in a namespace in a local filesystem relative to the data node, the block filename having a pool ID (identifier) and a block ID, which identify the data block;
- mapping the block filename in the namespace in the local (second) filesystem to a filename in a further namespace relative to a name node and having a directory structure in a further (first) filesystem;
- associating an encryption key and an access control rule to the filename in the further namespace;
- passing the username from the data node to an agent; and
- applying, through the agent, the access control rule and the encryption key to the data block and the username.
14. A method for access control of data blocks in a filesystem, comprising:
- pushing a first map from a data security manager to an agent, the first map having a plurality of access control rules based on users and filenames in a first filesystem, the first map further having one or more encryption keys and associating the one or more encryption keys to the users and the filenames in the first filesystem;
- in an I/O (input/output) thread in a data node, sending a username to the agent through an I/O control (IOCTL) call;
- in the I/O thread, calling to a second filesystem regarding one or more blocks, the second filesystem having a namespace that references blocks by block filenames;
- in the agent, intercepting the calling to the second filesystem and obtaining a block filename;
- determining, through the agent, a filename of a file in the first filesystem corresponding to the block filenames in the second filesystem; and
- applying, through the agent, one of the plurality of access control rules, corresponding to the filename of the file in the first filesystem, against the username from the I/O control call.
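As an added illustration (not the patent's own code), a toy Python model of the agent decision that claims 1, 7 and 14 describe: a block filename carrying a pool ID and block ID is mapped back to a path in the first filesystem, the path's owner selects an access control rule and key, and the rule is applied against the username the I/O thread supplied. The block-name format, paths, usernames and key handle are constructed for the example.

```python
"""Toy model of the agent in the claims: map a local block filename back to
the first-filesystem path, find the owner's rule, and decide for a username.
All names, paths, the 'blk_<poolID>_<blockID>' format and key IDs are constructed."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    allowed_users: set   # usernames permitted under this rule
    ops: set             # permitted operations, e.g. {"read", "write"}
    key_id: str          # handle of the encryption key applied to the block


@dataclass
class SecurityMap:
    """The map a data security manager pushes to the agent (claim 14)."""
    block_to_file: dict = field(default_factory=dict)   # block filename -> path
    owner_of: dict = field(default_factory=dict)        # path -> owner
    rule_for_owner: dict = field(default_factory=dict)  # owner -> Rule


def parse_block_filename(block_filename):
    """Split a constructed block name 'blk_<poolID>_<blockID>' into its two IDs."""
    parts = block_filename.split("_")
    if len(parts) != 3 or parts[0] != "blk" or not all(parts[1:]):
        raise ValueError("not a block filename: " + block_filename)
    return parts[1], parts[2]


def decide(smap, username, block_filename, op):
    """Return (allowed, key_id) for one I/O request on one block; deny closed."""
    parse_block_filename(block_filename)              # reject malformed names first
    filename = smap.block_to_file.get(block_filename)
    if filename is None:
        return False, None                            # block not in the map
    rule = smap.rule_for_owner.get(smap.owner_of.get(filename))
    if rule is None:
        return False, None                            # no rule for this owner
    allowed = username in rule.allowed_users and op in rule.ops
    return allowed, (rule.key_id if allowed else None)


def demo_map():
    """Constructed map: one file owned by alice, readable by alice and bob."""
    smap = SecurityMap()
    smap.block_to_file["blk_pool1_1001"] = "/user/alice/report.csv"
    smap.owner_of["/user/alice/report.csv"] = "alice"
    smap.rule_for_owner["alice"] = Rule({"alice", "bob"}, {"read"}, "key-42")
    return smap
```

The agent hands the key back only when the rule allows the operation, so an unknown block, an unknown owner, or a user outside the rule all fail closed without any key being released.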
Specification