VERIFYING AUTHORIZED ACCESS IN A DISPERSED STORAGE NETWORK

US 20170060459A1
Filed: 07/25/2016
Published: 03/02/2017
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method for execution by a dispersed storage and task (DST) execution unit that includes a processor, the method comprises:

receiving an access request from a computing device via a network, wherein the access request includes an authorization token;

generating authorization data based on the access request;

executing the access request and transmitting a result of the access request to the computing device via the network when the authorization data includes a verification indicator; and

generating an invalid token notification for transmission to the computing device when the authorization data includes an invalid token indicator.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for execution by a dispersed storage and task (DST) execution unit that includes a processor includes receiving an access request that includes an authorization token from a computing device via a network. Authorization data is generated based on the access request. The access request is executed and a result of the access request is transmitted to the computing device via the network when the authorization data includes a verification indicator. An invalid token notification is generated for transmission to the computing device when the authorization data includes an invalid token indicator.

Citations

20 Claims

1. A method for execution by a dispersed storage and task (DST) execution unit that includes a processor, the method comprises:
- receiving an access request from a computing device via a network, wherein the access request includes an authorization token;
  
  generating authorization data based on the access request;
  
  executing the access request and transmitting a result of the access request to the computing device via the network when the authorization data includes a verification indicator; and
  
  generating an invalid token notification for transmission to the computing device when the authorization data includes an invalid token indicator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the access request originated from a requesting entity communicating with the computing device via the network, wherein the authorization token includes a digital signature of the requesting entity, and wherein generating the authorization data includes determining if the requesting entity is an authorized requesting entity.
  - 3. The method of claim 1, wherein the authorization token includes an identifier associated with the computing device, and wherein generating the authorization data includes determining if the computing device is an authorized computing device.
  - 4. The method of claim 1, wherein the authorization token indicates at least one identifier associated with at least one corresponding data object, and wherein generating the authorization data includes determining if the access request is authorized for the at least one corresponding data object.
  - 5. The method of claim 1, wherein the authorization token indicates a time window, and wherein generating the authorization data includes determining if a current time is inside the time window.
  - 6. The method of claim 1, wherein the authorization token corresponds to an encoded data slice corresponding to a data object, and wherein the authorization token is one of a plurality of authorization tokens generated by the computing device corresponding to a plurality of stored encoded data slices corresponding to the data object.
  - 7. The method of claim 1, wherein the access request includes a request to write content originating from a requesting entity, and wherein generating the authorization data includes determining if the computing device changed the content originating from the requesting entity.
  - 8. The method of claim 7, wherein the access request includes a request to write an encoded data slice generated by the computing device that includes the content, wherein the authorization token includes a copy of the encoded data slice generated by the requesting entity, and wherein generating the authorization data includes determining if the encoded data slice generated by the computing device matches the copy of the encoded data slice generated by the requesting entity.

9. A processing system of a dispersed storage and task (DST) execution unit comprises:
- at least one processor;
  
  a memory that stores operational instructions, that when executed by the at least one processor cause the processing system to;
  
  receive an access request from a computing device via a network, wherein the access request includes an authorization token;
  
  generate authorization data based on the access request;
  
  execute the access request and transmit a result of the access request to the computing device via the network when the authorization data includes a verification indicator; and
  
  generate an invalid token notification for transmission to the computing device when the authorization data includes an invalid token indicator.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The processing system of claim 9, wherein the access request originated from a requesting entity communicating with the computing device via the network, wherein the authorization token includes a digital signature of the requesting entity, and wherein generating the authorization data includes determining if the requesting entity is an authorized requesting entity.
  - 11. The processing system of claim 9, wherein the authorization token includes an identifier associated with the computing device, and wherein generating the authorization data includes determining if the computing device is an authorized computing device.
  - 12. The processing system of claim 9, wherein the authorization token indicates at least one identifier associated with at least one corresponding data object, and wherein generating the authorization data includes determining if the access request is authorized for the at least one corresponding data object.
  - 13. The processing system of claim 9, wherein the authorization token indicates a time window, and wherein generating the authorization data includes determining if a current time is inside the time window.
  - 14. The processing system of claim 9, wherein the authorization token corresponds to an encoded data slice corresponding to a data object, and wherein the authorization token is one of a plurality of authorization tokens generated by the computing device corresponding to a plurality of stored encoded data slices corresponding to the data object.
  - 15. The processing system of claim 9, wherein the access request includes a request to write content originating from a requesting entity, and wherein generating the authorization data includes determining if the computing device changed the content originating from the requesting entity.
  - 16. The processing system of claim 15, wherein the access request includes a request to write an encoded data slice generated by the computing device that includes the content, wherein the authorization token includes a copy of the encoded data slice generated by the requesting entity, and wherein generating the authorization data includes determining if the encoded data slice generated by the computing device matches the copy of the encoded data slice generated by the requesting entity.

17. A non-transitory computer readable storage medium comprises:
- at least one memory section that stores operational instructions that, when executed by a processing system of a dispersed storage network (DSN) that includes a processor and a memory, causes the processing system to;
  
  receive an access request from a computing device via a network, wherein the access request includes an authorization token;
  
  generate authorization data based on the access request;
  
  execute the access request and transmit a result of the access request to the computing device via the network when the authorization data includes a verification indicator; and
  
  generate an invalid token notification for transmission to the computing device when the authorization data includes an invalid token indicator.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable storage medium of claim 17, wherein the access request originated from a requesting entity communicating with the computing device via the network, wherein the authorization token includes a digital signature of the requesting entity, and wherein generating the authorization data includes determining if the requesting entity is an authorized requesting entity.
  - 19. The non-transitory computer readable storage medium of claim 17, wherein the authorization token includes an identifier associated with the computing device, and wherein generating the authorization data includes determining if the computing device is an authorized computing device.
  - 20. The non-transitory computer readable storage medium of claim 17, wherein the access request includes a request to write content originating from a requesting entity, and wherein generating the authorization data includes determining if the computing device changed the content originating from the requesting entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Kaczmarek, Joseph M., Khadiwala, Ravi V., Resch, Jason K.

Granted Patent

US 10,466,914 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 11/3034   where the computing system ...

G06F 11/3409   for performance assessment

G06F 12/1408   by using cryptography for d...

G06F 2212/1052   Security improvement

G06F 3/061   Improving I/O performance

G06F 3/0611   in relation to response time

G06F 3/0619   in relation to data integri...

G06F 3/0622   in relation to access

G06F 3/0635   by changing the path, e.g. ...

G06F 3/0637   Permissions

G06F 3/064   Management of blocks

G06F 3/0644   Management of space entitie...

G06F 3/0659   Command handling arrangemen...

G06F 3/0665   at area level, e.g. provisi...

G06F 3/067   Distributed or networked st...

G06F 3/0689   Disk arrays, e.g. RAID, JBOD

H03M 13/1515   Reed-Solomon codes

H03M 13/3761   using code combining, i.e. ...

H04L 67/1097 : for distributed storage of ...

View All

VERIFYING AUTHORIZED ACCESS IN A DISPERSED STORAGE NETWORK

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

VERIFYING AUTHORIZED ACCESS IN A DISPERSED STORAGE NETWORK

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links