System and method for applying a file system security model to a query system

US 7,562,216 B2
Filed: 06/28/2004
Issued: 07/14/2009
Est. Priority Date: 06/28/2004
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a storage device configured to store file system content items including a plurality of files and metadata records associated with said files, wherein each of said files is associated with a respective file identity;

a file system configured to manage application accesses to said storage device, to store said file system content items to said storage device, and to implement a first security model, wherein said first security model is configured to control access to said file system content items, wherein said file system is further configured to implement a file system application programming interface (API), wherein said file system API is configured to receive a request from an application distinct from said file system to access one or more particular ones of said plurality of files, wherein said request is dependent upon respective file identities of said one or more particular files;

a query system configured to query said file system content items in response to receiving, via a query API, a query directed to said file system content items from said application, wherein said query is formulated in a query language, wherein to query said file system content items, said query system is further configured to evaluate said query, and wherein said query system is distinct from said file system; and

security mapping functionality configured to apply said first security model to said query system such that application accesses to said file system content via said query API occur dependent upon security information included in said first security model.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for applying a file system security model to a query system. In one embodiment, the system may include a storage device configured to store data and a file system configured to manage access to the storage device, to store file system content, and to implement a first security model, where the first security model is configured to control access to the file system content. The system may further include a query system configured to query the file system content, and security mapping functionality configured to apply the first security model to the query system.

Citations

27 Claims

1. A system, comprising:
- a storage device configured to store file system content items including a plurality of files and metadata records associated with said files, wherein each of said files is associated with a respective file identity;
  
  a file system configured to manage application accesses to said storage device, to store said file system content items to said storage device, and to implement a first security model, wherein said first security model is configured to control access to said file system content items, wherein said file system is further configured to implement a file system application programming interface (API), wherein said file system API is configured to receive a request from an application distinct from said file system to access one or more particular ones of said plurality of files, wherein said request is dependent upon respective file identities of said one or more particular files;
  
  a query system configured to query said file system content items in response to receiving, via a query API, a query directed to said file system content items from said application, wherein said query is formulated in a query language, wherein to query said file system content items, said query system is further configured to evaluate said query, and wherein said query system is distinct from said file system; and
  
  security mapping functionality configured to apply said first security model to said query system such that application accesses to said file system content via said query API occur dependent upon security information included in said first security model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system as recited in claim 1, wherein said security mapping functionality includes a security converter corresponding to said first security model, wherein to apply said first security model to said query system, said security converter is further configured to map security information corresponding to a given file system content item to a queryable format, and wherein said query system is further configured to store said mapped security information.
  - 3. The system as recited in claim 2, wherein in response to a given query, said query system is further configured to select said given file system content item according to said given query and to convey to said security converter an indication of said given file system content item along with corresponding mapped security information, wherein said security converter is further configured to determine whether a credential of a requestor of said given query satisfies said corresponding mapped security information, and wherein said security mapping functionality is further configured to return said given file system content item to said requestor only if said credential satisfies corresponding mapped security information.
  - 4. The system as recited in claim 3, wherein said query system is further configured to store said mapped security information in an index and to select said given file system content item according to said index.
  - 5. The system as recited in claim 2, wherein said file system is further configured to implement a plurality of security models each configured to control access to a respective portion of said file system content items, and wherein said security mapping functionality includes a respective security converter corresponding to each of said plurality of security models.
  - 6. The system as recited in claim 1, wherein said query system is configured to implement a second security model, and wherein to apply said first security model to said query system, said query system is further configured to map said first security model to said second security model.
  - 7. The system as recited in claim 6, wherein said security mapping functionality includes a security data dictionary implemented within said query system, and wherein said second security model includes a plurality of users, a plurality of roles, and a plurality of capabilities.
  - 8. The system as recited in claim 1, wherein at least a portion of said file system content items is stored in a data format compliant with a version of Extensible Markup Language (XML) format, and wherein said query system is configured to evaluate a version of XML Query (XQuery) language.
  - 9. The system as recited in claim 1, wherein said first security model includes functionality compliant with a version of Kerberos authentication protocol, a version of Lightweight Directory Access Protocol (LDAP), a version of Network Information Service (NIS) protocol, a version of Local Area Network Manager (LAN Manager) protocol, or a version of Active Directory protocol.

10. A method, comprising:
- storing file system content items to a storage device, wherein said file system content items include a plurality of files and metadata records associated with said files, wherein each of said files is associated with a respective file identity;
  
  a file system managing application accesses to said storage device, storing said file system content items to said storage device, and implementing a first security model, wherein said first security model is configured to control access to said file system content items;
  
  said file system receiving, via a file system application programming interface (API), a request from an application distinct from said file system to access one or more particular ones of said plurality of files, wherein said request is dependent upon respective file identities of said one or more particular files;
  
  a query system querying said file system content items in response to receiving, via a query API, a query directed to said file system content items from said application, wherein said query is formulated in a query language, wherein querying said file system content items comprises evaluating said query, and wherein said query system is distinct from said file system; and
  
  security mapping functionality applying said first security model to a query system configured to query said file system content such that application accesses to said file system content via said query API occur dependent upon security information included in said first security model.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method as recited in claim 10, wherein said security mapping functionality applying said first security model to said query system includes mapping security information corresponding to a given file system content item to a queryable format, and wherein the method further comprises said query system storing said mapped security information.
  - 12. The method as recited in claim 11, further comprising:
    - in response to a given query, said query system selecting said given file system content item according to said given query;
      
      determining whether a credential of a requestor of said given query satisfies mapped security information corresponding to said given file system content item; and
      
      returning said given file system content item to said requestor only if said credential satisfies corresponding mapped security information.
  - 13. The method as recited in claim 12, further comprising storing said mapped security information in an index, and wherein selecting said given file system content item according to said given query includes selecting said given file system content item according to said index.
  - 14. The method as recited in claim 11, further comprising:
    - implementing a plurality of security models each configured to control access to a respective portion of said file system content items; and
      
      applying each of said plurality of security models to said query system.
  - 15. The method as recited in claim 10, wherein said query system is configured to implement a second security model, and wherein applying said first security model to said query system includes mapping said first security model to said second security model.
  - 16. The method as recited in claim 15, wherein said second security model includes a plurality of users, a plurality of roles, and a plurality of capabilities.
  - 17. The method as recited in claim 10, wherein at least a portion of said file system content items is stored in a data format compliant with a version of Extensible Markup Language (XML) format, and wherein said query system is configured to evaluate a version of XML Query (XQuery) language.
  - 18. The method as recited in claim 10, wherein said first security model includes functionality compliant with a version of Kerberos authentication protocol, a version of Lightweight Directory Access Protocol (LDAP), a version of Network Information Service (NIS) protocol, a version of Local Area Network Manager (LAN Manager) protocol, or a version of Active Directory protocol.

19. A computer-accessible storage medium comprising program instructions, wherein the program instructions are executable to implement:
- storing file system content items to a storage device, wherein said file system content items include a plurality of files and metadata records associated with said files, wherein each of said files is associated with a respective file identity;
  
  a file system managing application accesses to said storage device, storing said file system content items to said storage device, and implementing a first security model, wherein said first security model is configured to control access to said file system content items;
  
  said file system receiving, via a file system application programming interface (API), a request from an application distinct from said file system to access one or more particular ones of said plurality of files, wherein said request is dependent upon respective file identities of said one or more particular files;
  
  a query system querying said file system content items in response to receiving, via a query API, a query directed to said file system content items from said application, wherein said query is formulated in a query language, wherein querying said file system content items comprises evaluating said query, and wherein said query system is distinct from said file system; and
  
  security mapping functionality applying said first security model to a query system configured to query said file system content such that application accesses to said file system content via said query API occur dependent upon security information included in said first security model.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computer-accessible storage medium as recited in claim 19, wherein said security mapping functionality applying said first security model to said query system includes mapping security information corresponding to a given file system content item to a queryable format, and wherein said program instructions are further executable to implement said query system storing said mapped security information.
  - 21. The computer-accessible storage medium as recited in claim 20, wherein the program instructions are further executable to:
    - implement a plurality of security models each configured to control access to a respective portion of said file system content items; and
      
      apply each of said plurality of security models to said query system.
  - 22. The computer-accessible storage medium as recited in claim 19, wherein the program instructions are further executable to implement:
    - in response to a given query, said query system selecting said given file system content item according to said given query;
      
      determining whether a credential of a requestor of said given query satisfies mapped security information corresponding to said given file system content item; and
      
      returning said given file system content item to said requestor only if said credential satisfies corresponding mapped security information.
  - 23. The computer-accessible storage medium as recited in claim 22, wherein the program instructions are further executable to store said mapped security information in an index, and wherein selecting said given file system content item according to said given query includes selecting said given file system content item according to said index.
  - 24. The computer-accessible storage medium as recited in claim 19, wherein said query system is configured to implement a second security model, and wherein applying said first security model to said query system includes mapping said first security model to said second security model.
  - 25. The computer-accessible storage medium as recited in claim 24, wherein said second security model includes a plurality of users, a plurality of roles, and a plurality of capabilities.
  - 26. The computer-accessible storage medium as recited in claim 19, wherein at least a portion of said file system content items is stored in a data format compliant with a version of Extensible Markup Language (XML) format, and wherein said query system is configured to evaluate a version of XML Query (XQuery) language.
  - 27. The computer-accessible storage medium as recited in claim 19, wherein said first security model includes functionality compliant with a version of Kerberos authentication protocol, a version of Lightweight Directory Access Protocol (LDAP), a version of Network Information Service (NIS) protocol, a version of Local Area Network Manager (LAN Manager) protocol, or a version of Active Directory protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Symantec Operating Corporation (Gen Digital Inc.)
Inventors
Premo, Nur, Borthakur, Dhrubajyoti, Pasqua, Joseph
Primary Examiner(s)
COLIN, CARL G

Application Number

US10/878,826
Publication Number

US 20050289354A1
Time in Patent Office

1,842 Days
Field of Search

726/2, 726/5, 726/7, 726/18, 713/165, 713/166
US Class Current

713/165
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

System and method for applying a file system security model to a query system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for applying a file system security model to a query system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links