Dynamic server-managed access control for a distributed file system

US 6,122,631 A
Filed: 03/28/1997
Issued: 09/19/2000
Est. Priority Date: 03/28/1997
Status: Expired due to Term

First Claim

Patent Images

1. In an information handling system having objects that are accessed by a requester, a method of controlling access to said objects, comprising the steps of:

storing a list of valid tokens;

receiving an access request from a requester, said request containing an identifier specifying a requested object;

comparing said identifier with said list of valid tokens to determine whether said identifier corresponds to a valid token from said list;

if said identifier corresponds to a valid token from said list, granting said requester access to said requested object; and

if said identifier does not correspond to a valid token from said list, denying said requester access to said requested object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing dynamically controlling access to files in a client/server system. A client wanting access to a file first requests a token from an object server. The object server generates the token as a function of the file name and ephemeral information and provides the token to both the client and the file system. Upon receiving the token from the object server, the client presents an access request to the file system, using the token rather than the file name as an identifier. The file system compares the received identifier with the file names in the specified directory as well as with a list of valid tokens that it maintains. If the identifier corresponds to a valid token for a file in the directory, the access request is granted. Otherwise, the access request is denied. The procedure is transparent to the client, which uses the token in the same manner as it would use a regular file name.

190 Citations

13 Claims

1. In an information handling system having objects that are accessed by a requester, a method of controlling access to said objects, comprising the steps of:
- storing a list of valid tokens;
  
  receiving an access request from a requester, said request containing an identifier specifying a requested object;
  
  comparing said identifier with said list of valid tokens to determine whether said identifier corresponds to a valid token from said list;
  
  if said identifier corresponds to a valid token from said list, granting said requester access to said requested object; and
  
  if said identifier does not correspond to a valid token from said list, denying said requester access to said requested object.
- View Dependent Claims (2)
- - 2. The method of claim 1, comprising the further steps of:
    - storing a list of names of said objects;
      
      comparing said identifier with said list of names of said objects to determine whether said identifier corresponds to a name of one of said objects; and
      
      if said identifier corresponds to a name of one of said objects, denying said requester access to said requested object.

3. In an information handling system in which a requester requests an identifier of an object being accessed and then requests access to said object using said identifier, a method of dynamically controlling access to said object, comprising the steps of:
- in response to a request from a requester for an identifier of said object, dynamically generating a token and providing said token to said requester as said identifier of said object;
  
  storing a list of tokens that have been previously generated; and
  
  in response to a request from a requestor for access to an object identified by an identifier, comparing said identifier with the tokens in said list and granting access to said object only if said identifier matches one of the tokens in said list.
- View Dependent Claims (4, 5, 6, 7, 8, 9)
- - 4. The method of claim 3 in which said object has a name, said token being generated as a function of said name of said object.
  - 5. The method of claim 4 in which said token is generated as a function of said name of said object and ephemeral information.
  - 6. The method of claim 4 in which said access request is received at a predetermined time, said token being generated as a function of said name of said object and said predetermined time.
  - 7. The method of claim 4 in which said token is generated as a cryptographic function of said name of said object and ephemeral information.
  - 8. The method of claim 3 in which said generated token is added to said list of previously generated tokens.
  - 9. The method of claim 3 in which each of said tokens has an indication of the time at which the token was generated, said comparing step including the step of checking said indication to determine whether said token is still valid.

10. In an information handling system having objects that are accessed by a requestor, apparatus for controlling access to said objects, comprising the steps of:
- means for storing a list of valid tokens;
  
  means for receiving an access request from a requester, said request containing an identifier specifying a requested object;
  
  means for comparing said identifier with said list of valid tokens to determine whether said identifier corresponds to a valid token from said list;
  
  means responsive to an identifier corresponding to a valid token from said list for granting said requester access to said requested object; and
  
  means responsive to an identifier not corresponding to a valid token from said list for denying said requestor access to said requested object.

11. In an information handling system in which a requestor requests an identifier of an object being accessed and then requests access to said object using said identifier, apparatus for dynamically controlling access to said object, comprising:
- means responsive to a request from a requestor for an identifier of said object for dynamically generating a token and providing said token to said requester as said identifier of said object;
  
  means for storing a list of tokens that have been generated by said token generating means; and
  
  means responsive to a request from a requester for access to an object identified by an identifier for comparing said identifier with the tokens in said list and for granting access to said object only if said identifier matches one of the tokens in said list.

12. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform method steps for controlling access to objects in an information handling system having objects that are accessed by a requester, said method steps comprising:
- storing a list of valid tokens;
  
  receiving an access request from a requestor, said request containing an identifier specifying a requested object;
  
  comparing said identifier with said list of valid tokens to determine whether said identifier corresponds to a valid token from said list;
  
  if said identifier corresponds to a valid token from said list, granting said requestor access to said requested object; and
  
  if said identifier does not correspond to a valid token from said list, denying said requestor access to said requested object.

13. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform method steps for dynamically controlling access to an object in an information handling system in which a requester requests an identifier of an object being accessed and then requests access to said object using said identifier, said method steps comprising:
- in response to a request from a requester for an identifier of said object, dynamically generating a token and providing said token to said requester as said identifier of said object;
  
  storing a list of tokens that have been previously generated; and
  
  in response to a request from a requester for access to an object identified by an identifier, comparing said identifier with the tokens in said list and granting access to said object only if said identifier matches one of the tokens in said list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Brady, John L., Caffrey, James M., Sanchez, Roberto J., Williams, Joseph A., Iatridis, Matthew C., Whalen, Madeline R., Berbec, Robert R., Fenaroli, Arthur P., Crimi, Joanne T., Puchkoff, Gary S.
Primary Examiner(s)
Kulik, Paul V.

Application Number

US08/825,303
Time in Patent Office

1,271 Days
Field of Search

707/200, 707/8, 707/201, 707/203, 707/10, 707/103, 707/9, 380/25
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 9/52   Program synchronisation; Mu...

Y10S 707/99939   Privileged access

Dynamic server-managed access control for a distributed file system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

190 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic server-managed access control for a distributed file system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

190 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links