Method and apparatus for local access authorization of cached resources

US 7,506,102 B2
Filed: 03/28/2006
Issued: 03/17/2009
Est. Priority Date: 03/28/2006
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

one or more processors;

one or more computer-readable volatile or non-volatile media operable to store a cache; and

one or more sequences of instructions which are stored in the one or more computer-readable volatile or non-volatile media and which, when executed by the one or more processors, cause the one or more processors to perform;

receiving a first request to perform an operation on a first object that is stored in the cache;

based on the first request, determining an entity identifier associated with an entity that sent the first request, an operation identifier associated with the operation, and an Access Control List (ACL) associated with the first object;

accessing a record that includes at least the operation identifier, the ACL, and an authorization indicator, wherein the authorization indicator indicates whether the entity has previously successfully performed the operation on any object that is different than the first object and that is also associated with the ACL; and

based on the authorization indicator included in the record, determining whether to authorize the entity to perform the operation on the first object without evaluating any permissions and access rights that are stored in the ACL.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus is disclosed for local access authorization of cached resources. A first request to perform an operation on a first object that is stored in a cache is received. An entity identifier associated with the entity that sent the first request, an operation identifier associated with the operation, and an Access Control List (ACL) associated with the first object are determined based on the first request. A record that includes at least the operation identifier, the ACL, and an authorization indicator is accessed. The authorization indicator indicates whether the entity has previously successfully performed the operation on any object in the cache that is associated with the ACL. Based on the authorization indicator included in the record, a determination is made whether to authorize the entity to perform the operation on the first object.

96 Citations

View as Search Results

38 Claims

1. An apparatus, comprising:
- one or more processors;
  
  one or more computer-readable volatile or non-volatile media operable to store a cache; and
  
  one or more sequences of instructions which are stored in the one or more computer-readable volatile or non-volatile media and which, when executed by the one or more processors, cause the one or more processors to perform;
  
  receiving a first request to perform an operation on a first object that is stored in the cache;
  
  based on the first request, determining an entity identifier associated with an entity that sent the first request, an operation identifier associated with the operation, and an Access Control List (ACL) associated with the first object;
  
  accessing a record that includes at least the operation identifier, the ACL, and an authorization indicator, wherein the authorization indicator indicates whether the entity has previously successfully performed the operation on any object that is different than the first object and that is also associated with the ACL; and
  
  based on the authorization indicator included in the record, determining whether to authorize the entity to perform the operation on the first object without evaluating any permissions and access rights that are stored in the ACL.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The apparatus of claim 1, wherein the one or more sequences of instructions that cause the one or more processors to perform accessing the record comprise sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform:
    - based on the entity identifier, the operation identifier, and the ACL, determining whether the record is stored in an authorization cache; and
      
      if the record is not stored in the authorization cache, then performing the steps of;
      
      sending an authorization request to a remote server, wherein the remote server is configured to authorize performing the operation on objects associated with the ACL;
      
      receiving a response from the remote server, wherein the response indicates whether the remote server authorizes the entity to perform the operation on the first object;
      
      based at least on the response, generating the authorization indicator; and
      
      creating and storing the record in the authorization cache.
  - 3. The apparatus of claim 2, further comprising sequences of instructions which are stored in the one or more computer-readable volatile or non-volatile media and which, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving, from the entity, a second request to perform the operation on a second object that is stored in the cache, wherein the second object is also associated with the ACL;
      
      based on the entity identifier, the operation identifier, and the ACL, locating the record in the authorization cache; and
      
      based on the authorization indicator included in the record, determining whether to authorize the entity to perform the operation on the second object.
  - 4. The apparatus of claim 3, wherein the second object is the same as the first object.
  - 5. The apparatus of claim 1, wherein:
    - the record further includes a time-to-live indicator, wherein the time-to-live indicator indicates whether the authorization indicator has expired; and
      
      the one or more sequences of instructions that cause the one or more processors to perform accessing the record comprise sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;
      
      locating the record in an authorization cache based on the entity identifier, the operation identifier, and the ACL;
      
      determining whether the time-to-live indicator stored in the record indicates that the authorization indicator has expired; and
      
      if the authorization indicator has expired, then performing the steps of;
      
      sending an authorization request to a remote server, wherein the remote server is configured to authorize performing the operation on objects associated with the ACL;
      
      receiving a response from the remote server, wherein the response indicates whether the remote server authorizes the entity to perform the operation on the first object;
      
      based at least on the response, generating a new authorization indicator; and
      
      storing the new authorization indicator in the record.
  - 6. The apparatus of claim 5, further comprising sequences of instructions which are stored in the one or more computer-readable volatile or non-volatile media and which, when executed by the one or more processors, cause the one or more processors to perform setting the time-to-live indicator to indicate that the authorization indicator has expired in response to at least one of:
    - receiving a notification that the ACL was changed relative to a particular object that was associated with the ACL;
      
      detecting that the entity identifier was changed; and
      
      an expiration of a certain period of time.
  - 7. The apparatus of claim 1, wherein the entity is any one of a user, a client, an application, and a process that is capable of being uniquely identified based on the first request.
  - 8. The apparatus of claim 1, wherein the first request is received from a client that is communicatively connected to the apparatus over a Local Area Network (LAN).
  - 9. The apparatus of claim 1, wherein:
    - the cache stores a plurality of file system objects, wherein the first object is one of the plurality of file system objects; and
      
      the first object is any one of a file and a directory.
  - 10. The apparatus of claim 1, wherein the operation is one of a plurality of operations that are supported by any one of a Common Internet File System Protocol (CIFS), a Network File System (NFS) protocol, and a Web-based Distributed Authoring and Versioning (WebDAV) protocol.
  - 11. The apparatus of claim 1, wherein the apparatus is communicatively connected to a remote server over a Wide Area Network (WAN), wherein the remote server is configured to authorize performing the operation on objects associated with the ACL.
  - 12. The apparatus of claim 1, further comprising sequences of instructions which are stored in the one or more computer-readable volatile or non-volatile media and which, when executed by the one or more processors, cause the one or more processors to execute a server that is configured to authorize performing the operation on objects associated with the ACL.
  - 13. The apparatus of claim 1, further comprising sequences of instructions which are stored in the one or more computer-readable volatile or non-volatile media and which, when executed by the one or more processors, cause the one or more processors to perform storing a plurality of distinct ACLs in the cache, wherein:
    - the plurality of distinct ACLs includes the ACL; and
      
      for each object stored in the cache, the cache stores a reference to a particular ACL of the plurality of distinct ACLs that is associated with that object.

14. An apparatus for local access authorization of cached resources, comprising:
- one or more processors;
  
  one or more computer-readable volatile or non-volatile media operable to store a cache, wherein the cache includes an authorization cache; and
  
  one or more sequences of instructions which are stored in the one or more computer-readable volatile or non-volatile media and which, when executed by the one or more processors, cause the one or more processors to perform;
  
  receiving, from an entity, a first request to perform an operation on a first object that is stored in the cache;
  
  performing the operation on the first object, wherein performing the operation comprises;
  
  sending an authorization request to a remote authorization server, wherein the remote authorization server is capable of authorizing the entity to perform the operation on the first object; and
  
  receiving a response from the remote authorization server, wherein the response indicates whether the remote authorization server authorizes the entity to perform the operation on the first object;
  
  generating an authorization indicator based at least on the response, wherein the authorization indicator indicates whether the operation was successfully performed on the first object;
  
  storing, in the authorization cache, a record that includes an entity identifier associated with the entity, an operation identifier associated with the operation, an Access Control List (ACL) associated with the first object, and the authorization indicator;
  
  receiving a second request from the entity to perform the operation on a second object that is stored in the cache, wherein the second object is also associated with the ACL and wherein the second object is different than the first object;
  
  determining the entity identifier, the operation identifier, and the ACL based on information included in the second request;
  
  based on the entity identifier, the operation identifier, and the ACL, locating the record in the authorization cache; and
  
  based on the authorization indicator stored in the record, determining whether to authorize the entity to perform the operation on the second object without evaluating any permissions and access rights that are stored in the ACL.
- View Dependent Claims (15, 16)
- - 15. The apparatus of claim 14, wherein:
    - the one or more stored sequences of instructions comprise sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform executing a local proxy server that manages the cache;
      
      the local proxy server is communicatively connected to one or more clients over a first Local Area Network (LAN), wherein a particular client of the one or more clients sends the first request and the second request;
      
      the local proxy server is communicatively connected to a remote proxy server over a Wide Area Network (WAN); and
      
      the remote proxy server is communicatively connected to the remote authorization server over a second LAN.
  - 16. The apparatus of claim 14, wherein:
    - the one or more stored sequences of instructions comprise sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform executing a local cache server that manages the cache; and
      
      the local cache server is communicatively connected to the remote authorization server over a Local Area Network (LAN).

17. An apparatus for local access authorization of cached resources, comprising:
- means for receiving a first request to perform an operation on a first object that is stored in a cache;
  
  means for determining, based on the first request, an entity identifier associated with an entity that sent the first request, an operation identifier associated with the operation, and an Access Control List (ACL) associated with the first object;
  
  means for accessing a record that includes at least the operation identifier, the ACL, and an authorization indicator, wherein the authorization indicator indicates whether the entity has previously successfully performed the operation on any object that is different than the first object and that is also associated with the ACL; and
  
  means for determining, based on the authorization indicator included in the record, whether to authorize the entity to perform the operation on the first object without evaluating any permissions and access rights that are stored in the ACL.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. The apparatus of claim 17, wherein the means for accessing the record comprise:
    - means for determining whether the record is stored in an authorization cache based on the entity identifier, the operation identifier, and the ACL;
      
      wherein, if the record is not stored in the authorization cache, the means for accessing the record comprise;
      
      means for sending an authorization request to a remote server, wherein the remote server is configured to authorize performing the operation on objects associated with the ACL;
      
      means for receiving a response from the remote server, wherein the response indicates whether the remote server authorizes the entity to perform the operation on the first object;
      
      means for generating the authorization indicator based at least on the response; and
      
      means for creating and storing the record in the authorization cache.
  - 19. The apparatus of claim 18, further comprising:
    - means for receiving, from the entity, a second request to perform the operation on a second object that is stored in the cache, wherein the second object is also associated with the ACL;
      
      means for locating the record in the authorization cache based on the entity identifier, the operation identifier, and the ACL; and
      
      means for determining, based on the authorization indicator included in the record, whether to authorize the entity to perform the operation on the second object.
  - 20. The apparatus of claim 19, wherein the second object is the same as the first object.
  - 21. The apparatus of claim 17, wherein:
    - the record further includes a time-to-live indicator, wherein the time-to-live indicator indicates whether the authorization indicator has expired; and
      
      the apparatus further comprises;
      
      means for locating the record in an authorization cache based on the entity identifier, the operation identifier, and the ACL; and
      
      means for determining whether the time-to-live indicator stored in the record indicates that the authorization indicator has expired;
      
      wherein, if the authorization indicator has expired, the apparatus further comprises;
      
      means for sending an authorization request to a remote server, wherein the remote server is configured to authorize performing the operation on objects associated with the ACL;
      
      means for receiving a response from the remote server, wherein the response indicates whether the remote server authorizes the entity to perform the operation on the first object;
      
      means for generating a new authorization indicator based at least on the response; and
      
      means for storing the new authorization indicator in the record.
  - 22. The apparatus of claim 21, further comprising means for setting the time-to-live indicator to indicate that the authorization indicator has expired in response to at least one of:
    - receiving a notification that the ACL was changed relative to a particular object that was associated with the ACL;
      
      detecting that the entity identifier was changed; and
      
      an expiration of a certain period of time.
  - 23. The apparatus of claim 17, wherein the entity is any one of a user, a client, an application, and a process that is capable of being uniquely identified based on the first request.
  - 24. The apparatus of claim 17, wherein the first request is received from a client that is communicatively connected to the apparatus over a Local Area Network (LAN).
  - 25. The apparatus of claim 17, wherein:
    - the cache stores a plurality of file system objects, wherein the first object is one of the plurality of file system objects; and
      
      the first object is any one of a file and a directory.
  - 26. The apparatus of claim 17, wherein the operation is one of a plurality of operations that are supported by any one of a Common Internet File System Protocol (CIFS), a Network File System (NFS) protocol, and a Web-based Distributed Authoring and Versioning (WebDAV) protocol.
  - 27. The apparatus of claim 17, wherein the apparatus is communicatively connected to a remote server over a Wide Area Network (WAN), wherein the remote server is configured to authorize performing the operation on objects associated with the ACL.
  - 28. The apparatus of claim 17, further comprising means for executing a server that is configured to authorize performing the operation on objects associated with the ACL.
  - 29. The apparatus of claim 17, further comprising means for storing a plurality of distinct ACLs in the cache, wherein:
    - the plurality of distinct ACLs includes the ACL; and
      
      for each object stored in the cache, the cache stores a reference to a particular ACL of the plurality of distinct ACLs that is associated with that object.

30. A method of local access authorization of cached resources, the method comprising the computer-implemented steps of:
- receiving a first request to perform an operation on a first object that is stored in a cache;
  
  based on the first request, determining an entity identifier associated with an entity that sent the first request, an operation identifier associated with the operation, and an Access Control List (ACL) associated with the first object;
  
  accessing a record that includes at least the operation identifier, the ACL, and an authorization indicator, wherein the authorization indicator indicates whether the entity has previously successfully performed the operation on any object that is different than the first object and that is also associated with the ACL; and
  
  based on the authorization indicator included in the record, determining whether to authorize the entity to perform the operation on the first object without evaluating any permissions and access rights that are stored in the ACL.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38)
- - 31. A method as recited in claim 30, wherein accessing the record comprises:
    - based on the entity identifier, the operation identifier, and the ACL, determining whether the record is stored in an authorization cache; and
      
      if the record is not stored in the authorization cache, then performing the steps of;
      
      sending an authorization request to a remote server, wherein the remote server is configured to authorize performing the operation on objects associated with the ACL;
      
      receiving a response from the remote server, wherein the response indicates whether the remote server authorizes the entity to perform the operation on the first object;
      
      based at least on the response, generating the authorization indicator; and
      
      creating and storing the record in the authorization cache.
  - 32. A method as recited in claim 31, further comprising:
    - receiving, from the entity, a second request to perform the operation on a second object that is stored in the cache, wherein the second object is also associated with the ACL;
      
      based on the entity identifier, the operation identifier, and the ACL, locating the record in the authorization cache; and
      
      based on the authorization indicator included in the record, determining whether to authorize the entity to perform the operation on the second object.
  - 33. A method as recited in claim 30, wherein:
    - the record further includes a time-to-live indicator, wherein the time-to-live indicator indicates whether the authorization indicator has expired; and
      
      the step of accessing the record comprises;
      
      locating the record in an authorization cache based on the entity identifier, the operation identifier, and the ACL;
      
      determining whether the time-to-live indicator stored in the record indicates that the authorization indicator has expired; and
      
      if the authorization indicator has expired, then performing the steps of;
      
      sending an authorization request to a remote server, wherein the remote server is configured to authorize performing the operation on objects associated with the ACL;
      
      receiving a response from the remote server, wherein the response indicates whether the remote server authorizes the entity to perform the operation on the first object;
      
      based at least on the response, generating a new authorization indicator; and
      
      storing the new authorization indicator in the record.
  - 34. A method as recited in claim 33, further comprising setting the time-to-live indicator to indicate that the authorization indicator has expired in response to at least one of:
    - receiving a notification that the ACL was changed relative to a particular object that was associated with the ACL;
      
      detecting that the entity identifier was changed; and
      
      an expiration of a certain period of time.
  - 35. A method as recited in claim 30, wherein the entity is any one of a user, a client, an application, and a process that is capable of being uniquely identified based on the first request.
  - 36. A method as recited in claim 30, wherein the first request is received from a client that is communicatively connected to the apparatus over a Local Area Network (LAN).
  - 37. A method as recited in claim 30, wherein:
    - the cache stores a plurality of file system objects, wherein the first object is one of the plurality of file system objects;
      
      the first object is any one of a file and a directory; and
      
      the operation is one of a plurality of operations that are supported by any one of a Common Internet File System Protocol (CIFS), a Network File System (NFS) protocol, and a Web-based Distributed Authoring and Versioning (WebDAV) protocol.
  - 38. A method as recited in claim 30, further comprising storing a plurality of distinct ACLs in the cache, wherein:
    - the plurality of distinct ACLs includes the ACL; and
      
      for each object stored in the cache, the cache stores a reference to a particular ACL of the plurality of distinct ACLs that is associated with that object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kaminsky, Daniel, Lev-Ran, Etai
Primary Examiner(s)
Bataille; Pierre-Michel
Assistant Examiner(s)
Krofcheck; Michael C

Application Number

US11/392,317
Publication Number

US 20070233957A1
Time in Patent Office

1,085 Days
Field of Search

711/118, 707/9, 726/4, 726/17, 726/21
US Class Current

711/118
CPC Class Codes

G06F 12/1458   by checking the subject acc...

H04L 63/10   for controlling access to d...

Y10S 707/99939   Privileged access

Method and apparatus for local access authorization of cached resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

96 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for local access authorization of cached resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links