Method and apparatus for validation of application data on a storage system
First Claim
Patent Images
1. A data access method between a first data processing system and a second data processing system, said second data processing system having a storage of data that is accessed by said first data processing system and which same storage of data is not maintained at said first data processing system, the method comprising:
- maintaining a data structure at said first data processing system, said data structure comprising access control information received from said second data processing system, said access control information corresponding to a plurality of files stored on said second data processing system and including file identifiers of the plurality of files and user identifiers of users who can access the files, wherein said access control information is available at each of said first and second data processing systems;
receiving a data I/O request from an application-level program executing on said first data processing system, said data I/O request including first file identification information;
retrieving first access control information from said data structure at said first data processing system based upon said first file identification information;
generating a data access request including data which is associated with said data I/O request, said first access control information, and said first file identification information appended to said data; and
communicating said data access request from said first data processing system to said second data processing system, wherein said second data processing system selectively performs a data operation based on a comparison of the first access control information included with the data request and second access control information available at the second data processing system.
1 Assignment
0 Petitions
Accused Products
Abstract
An authentication processing method and system includes an access control list on both a client system and a storage server system. The access control list stores authentication information for individual files. The authentication information is accessed and used to authenticate an application when the application requests access to a file. The client system adds information from the access control list to a data request sent to the storage server system. The storage server system controls access to the requested file based upon the information included with the data request and the access control list on the storage server system.
-
Citations
19 Claims
-
1. A data access method between a first data processing system and a second data processing system, said second data processing system having a storage of data that is accessed by said first data processing system and which same storage of data is not maintained at said first data processing system, the method comprising:
-
maintaining a data structure at said first data processing system, said data structure comprising access control information received from said second data processing system, said access control information corresponding to a plurality of files stored on said second data processing system and including file identifiers of the plurality of files and user identifiers of users who can access the files, wherein said access control information is available at each of said first and second data processing systems; receiving a data I/O request from an application-level program executing on said first data processing system, said data I/O request including first file identification information; retrieving first access control information from said data structure at said first data processing system based upon said first file identification information; generating a data access request including data which is associated with said data I/O request, said first access control information, and said first file identification information appended to said data; and communicating said data access request from said first data processing system to said second data processing system, wherein said second data processing system selectively performs a data operation based on a comparison of the first access control information included with the data request and second access control information available at the second data processing system. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A method for accessing information, said information being stored in a second data processing system, the method comprising:
-
establishing second access control data in the second data processing system, the second access control data corresponding to a plurality of files stored in the second data processing system which same plurality of files is not stored in the first data processing system; uploading first access control data from the second data processing system to a first data processing system in response to an upload request, the first access control data corresponding to the second access control data at a first time, wherein the first data processing system maintains the first access control data and the second data processing system maintains the second access control data, and wherein said first and second access control data comprise file identifiers of files and corresponding user identifiers of users who can access said files; receiving a data request from the first data processing system including first access control information selected from the first access control data and file identification information; obtaining second access control information from the second access control data at a second time based on said file identification information; comparing said first access control information from the data request corresponding to the first time and the second access control information corresponding to the second time, wherein if said comparison between said first and second access control information produces a no match outcome, then communicating an error message to said first processing system indicative of a negative comparison; and wherein if said comparison between said first and second access control information produces a match outcome, then performing a data operation in accordance with said data request and communicating a result of said data operation to said first processing system. - View Dependent Claims (7, 8, 9, 10, 11)
-
-
12. A method for communicating data between a first system and a second system, wherein said first system comprises system-level programs and application-level programs, said system-level programs providing system services, said application-level programs accessing said system services via said system-level programs, said data being stored in a storage system of said second system, the method comprising:
-
receiving an open operation request from an application-level program at said first system, said open operation request including first file identification information that identifies a first file; obtaining first access control information associated with said first file from a storage area of said first system, said first system receiving the first access control information from said second system, wherein said access control information includes identifiers of said stored data and corresponding user identifiers of users who can access said stored data; communicating a data request to said second system to service said open operation request, said data request including said first access control information and said first file identification information; in said second system, obtaining second access control information including a candidate password that is associated with said first file, wherein said first system maintains said first access control information and said second system maintains said second access control information, said first and second access control information corresponding to files stored in the storage system of said second system and not in said first system; and if said second access control information matches said first access control information, then performing a data access operation on said storage system of said second system to service said data request and communicating a result of said data request service to said first system. - View Dependent Claims (13, 14, 15)
-
-
16. A method for exchanging data between a first data processing system and a second data processing system, said data being stored in a storage system of said second data processing system and accessed independently of data stored in the first data processing system, the method comprising:
-
receiving, in said first data processing system, a data access request; obtaining, in said first data processing system, first access control information that is associated with a file that is the target of said data access request, the first access control information including corresponding user identifiers of users who can access said file, said first data processing system receiving said first access control information from said second data processing system and storing a copy thereof; and if said data access request includes a write operation, then communicating a write request to said second data processing system to service said write operation, said write request including a data component comprising said write-data and said first access control information, wherein said second data processing system responds to receiving said write request by; obtaining second access control information from a storage of said second data processing system associated with the target of said write request; obtaining said first access control information from said data component; and based on a comparison between said first access control information and said second access control information, selectively writing said write-data to said storage system, and wherein if said data access request includes a read operation, then communicating a read request to said second data processing system to service said read operation, wherein in response to said second data processing system receiving said read request, then; accessing read-data from said storage system; obtaining second access control information associated with a file that is the target of said read operation; and communicating a read result to said first data processing system, said read result including a data component comprising said read-data and said second access control information, wherein said first data processing system obtains said second access control information from said data component, wherein said first data processing system selectively communicates a positive response to said application-level program based on a comparison between said first access control information and said second access control information performed at said first data processing system. - View Dependent Claims (17)
-
-
18. A storage server system comprising:
-
a data processing portion; a storage component; a communication interface for communication over a data network; and program code, said program code configured to operate said data processing portion to; upload access control information from the storage server system to a client system, the access control information to a plurality of files stored in the storage server system which same plurality of files is not maintained at the client system, wherein the client system stores a copy of the access control information; receive a data request from the client system, said data request including access control information from the client system and file identification information, said access control information and file identification information corresponding to an open operation performed by an application-level program at the client system; obtain local access control information that is stored in said data storage server based on said file identification information, said local access control information stored at said data storage server and comprising a candidate password that is associated with a file identified by said file identification information; communicate an error message to said client system indicative of a negative comparison between said access control information with said local access control information, if a comparison between said access control information and said local access control information produces a no match outcome; and perform a data operation in accordance with said data request and communicate a result of said data operation to said client system, if a comparison between said access control information and said local access control information produces a match outcome. - View Dependent Claims (19)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeHitachi, Ltd.
-
Original AssigneeHitachi, Ltd.
-
InventorsKano, Yoshiki
-
Primary Examiner(s)Moazzami; Nasser G
-
Assistant Examiner(s)ABEDIN, SHANTO
-
Application NumberUS10/866,413Publication NumberTime in Patent Office1,832 DaysField of Search713/185, 713/200, 713/165, 713/168, 713/193, 705/44, 726/2, 726/5, 726/6, 726/26, 726/27, 709/219, 709/229US Class Current726/27CPC Class CodesG06F 21/6218 to a system of files or obj...G06F 2221/2141 Access rights, e.g. capabil...H04L 63/08 for authentication of entit...H04L 63/101 Access control lists [ACL]
