Role-based access control

US 7,653,934 B1
Filed: 07/14/2004
Issued: 01/26/2010
Est. Priority Date: 07/14/2004
Status: Active Grant

First Claim

Patent Images

1. In a computer cluster having a plurality of nodes configured for executing a plurality of software packages, a computer-implemented method of authorizing a user request from a user to perform an action with respect to one of at least one of said plurality of nodes and at least one of said plurality of packages, said user request being received from a host coupled to communicate with said cluster, the computer-implemented method comprising:

consulting an authorization map to ascertain a role associated with said user, said authorization map being kept in a memory space in one of said plurality of nodes; and

if said role associated with said user includes a granted privilege, which is not a root user privilege and is not a normal user privilege, that is higher than a privilege required to perform said user request, authorizing said user to perform said action.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for authorizing a user request from a user to perform an action with respect to one of at least one of the plurality of nodes and at least one of the plurality of packages of a cluster is disclosed. The user request is received from a host coupled to communicate with the cluster. The method includes consulting an authorization map to ascertain a role associated with the user. The authorization map is kept in a memory space in one of the plurality of nodes. The method further includes authorizing the user to perform the action if the role associated with the user includes a granted privilege that is higher than a privilege required to perform the user request.

16 Citations

View as Search Results

43 Claims

1. In a computer cluster having a plurality of nodes configured for executing a plurality of software packages, a computer-implemented method of authorizing a user request from a user to perform an action with respect to one of at least one of said plurality of nodes and at least one of said plurality of packages, said user request being received from a host coupled to communicate with said cluster, the computer-implemented method comprising:
- consulting an authorization map to ascertain a role associated with said user, said authorization map being kept in a memory space in one of said plurality of nodes; and
  
  if said role associated with said user includes a granted privilege, which is not a root user privilege and is not a normal user privilege, that is higher than a privilege required to perform said user request, authorizing said user to perform said action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 wherein said authorization map includes at least three different roles, each of said at least three different roles having a different level of privilege.
  - 3. The method of claim 2 wherein said at least three different roles include at least one of a cluster-wide package administration role, a per-package administration role, and a full-administration role.
  - 4. The method of claim 3 wherein said cluster-wide package administration role is configured to permit said user to perform an administrative task with respect to any package in said cluster.
  - 5. The method of claim 3 wherein said per-package administration role is configured to permit said user to perform an administrative task with respect to a specific package in said cluster.
  - 6. The method of claim 3 wherein said full administration role is configured to permit said user to perform any administrative task with respect to one of any node and any package in said cluster.
  - 7. The method of claim 2 wherein said at least three different roles include at least one of a monitor role, an administration role, and a configuration role.
  - 8. The method of claim 7 wherein said monitor role is configured to permit said user to monitor one of a node in said plurality of nodes and a package in said plurality of packages without being able to perform an administrative task with respect to any node in said plurality of node or with respect to any package in said plurality of packages.
  - 9. The method of claim 7 wherein said administration role is configured to permit said user to perform an administration task with respect to one of a node in said plurality of nodes and a package in said plurality of packages without being able to perform a configuration task with respect to any node in said plurality of node or with respect to any package in said plurality of packages.
  - 10. The method of claim 7 wherein said configuration role is configured to permit said user to perform a configuration task with respect to one of a node in said plurality of nodes and a package in said plurality of packages.
  - 11. The method of claim 2 wherein said at least three different roles include a monitor role, an administration role, and a configure role.
  - 12. The method of claim 11 wherein said configuration role, said administration role, and said monitor role are hierarchical, with said configuration role including all privileges associated with said administration role and with said administration role including all privileges associated with said monitor role.
  - 13. The method of claim 1 wherein a role associated with a given user in said authorization map is dependent upon an identity of said host through which said user request is received.
  - 14. The method of claim 1 wherein said user is associated with at least two different roles in said authorization map, a first role in said two different roles being associated with a first host identity, said second role in said at least two different roles being associated with a second host identity.
  - 15. The method of claim 1 wherein said authorization map is automatically replicated among said plurality of nodes when a change is made to said authorization map.
  - 16. The method of claim 1 wherein said authorization map is set up when said cluster is originally set up.
  - 17. The method of claim 1 wherein at least one role in said authorization map is associated with privileges that are between root user privileges and a normal user privileges.

18. An article of manufacture comprising a program storage medium having computer readable code embodied therein, said computer readable code being configured to authorize a user request from a user of a computer cluster having a plurality of nodes configured for executing a plurality of software packages, said user request involves a request to perform an action with respect to one of at least one of said plurality of nodes and at least one of said plurality of packages, the computer readable code comprising:
- computer readable code which consults an authorization map to ascertain a role associated with said user, said authorization map being kept in a memory space in one of said plurality of nodes; and
  
  computer readable code which authorizes said user to perform said action if said role associated with said user includes a granted privilege, which is not a root user privilege and is not a normal user privilege, that is higher than a privilege required to perform said user request.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The article of manufacture of claim 18 wherein said authorization map includes at least three different roles, each of said at least three different roles having a different level of privilege.
  - 20. The article of manufacture of claim 19 wherein said at least three different roles include at least one of a monitor role, an administration role, and a configuration role.
  - 21. The article of manufacture of claim 20 wherein said monitor role is configured to permit said user to monitor one of a node in said plurality of nodes and a package in said plurality of packages without being able to perform an administrative task with respect to any node in said plurality of node or with respect to any package in said plurality of packages.
  - 22. The article of manufacture of claim 20 wherein said administration role is configured to permit said user to perform an administration task with respect to one of a node in said plurality of nodes and a package in said plurality of packages without being able to perform a configuration task with respect to any node in said plurality of node or with respect to any package in said plurality of packages.
  - 23. The article of manufacture of claim 20 wherein said configuration role is configured to permit said user to perform a configuration task with respect to one of a node in said plurality of nodes and a package in said plurality of packages.
  - 24. The article of manufacture of claim 18 wherein a role associated with a given user in said authorization map is dependent upon an identity of said host through which said user request is received.
  - 25. The article of manufacture of claim 18 wherein said user is associated with at least two different roles in said authorization map, a first role in said two different roles being associated with a first host identity, said second role in said at least two different roles being associated with a second host identity.
  - 26. The article of manufacture of claim 18 further including computer readable code for automatically replicating said authorization map when a change is made to said authorization map.

27. A computer cluster having a plurality of nodes configured for executing a plurality of software packages, said computer cluster having an arrangement for authorizing a user request from a user to perform an action with respect to one of at least one of said plurality of nodes and at least one of said plurality of packages, said user request being received from a host coupled to communicate with said cluster, the computer cluster comprising:
- a computer having an arrangement which includes an authorization map having data pertaining to roles associated with users, at least one role of said roles in said authorization map is associated with privileges different from privileges associated with a Unix root user, said privileges associated with said at least one role being also different from privileges associated with a Unix normal user, said authorization map being kept in a memory space in one of said plurality of nodes.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 28. The computer cluster of claim 27 wherein at least a set of roles of said roles being hierarchical in nature, a higher privilege role in said set of roles including privileges associated with a lower privilege role in said set of roles.
  - 29. The computer cluster of claim 27 wherein said authorization map includes at least three different roles, each of said at least three different roles having a different level of privilege.
  - 30. The computer cluster of claim 29 wherein said at least three different roles include at least one of a cluster-wide package administration role, a per-package administration role, and a full-administration role.
  - 31. The computer cluster of claim 30 wherein said cluster-wide package administration role is configured to permit said user to perform an administrative task with respect to any package in said cluster.
  - 32. The computer cluster of claim 30 wherein said per-package administration role is configured to permit said user to perform an administrative task with respect to a specific package in said cluster.
  - 33. The computer cluster of claim 30 wherein said full administration role is configured to permit said user to perform any administrative task with respect to one of any node and any package in said cluster.
  - 34. The computer cluster of claim 29 wherein said at least three different roles include at least one of a monitor role, an administration role, and a configuration role.
  - 35. The computer cluster of claim 34 wherein said monitor role is configured to permit said user to monitor one of a node in said plurality of nodes and a package in said plurality of packages without being able to perform an administrative task with respect to any node in said plurality of node or with respect to any package in said plurality of packages.
  - 36. The computer cluster of claim 34 wherein said administration role is configured to permit said user to perform an administration task with respect to one of a node in said plurality of nodes and a package in said plurality of packages without being able to perform a configuration task with respect to any node in said plurality of node or with respect to any package in said plurality of packages.
  - 37. The computer cluster of claim 34 wherein said configuration role is configured to permit said user to perform a configuration task with respect to one of a node in said plurality of nodes and a package in said plurality of packages.
  - 38. The computer cluster of claim 29 wherein said at least three different roles include a monitor role, an administration role, and a configure role.
  - 39. The computer cluster of claim 38 wherein said configuration role, said administration role, and said monitor role are hierarchical, with said configuration role including all privileges associated with said administration role and with said administration role including all privileges associated with said monitor role.
  - 40. The computer cluster of claim 27 wherein a role associated with a given user in said authorization map is dependent upon an identity of said host through which said user request is received.
  - 41. The computer cluster of claim 27 wherein said user is associated with at least two different roles in said authorization map, a first role in said two different roles being associated with a first host identity, said second role in said at least two different roles being associated with a second host identity.
  - 42. The computer cluster of claim 27 wherein said authorization map is automatically replicated among said plurality of nodes when a change is made to said authorization map.
  - 43. The computer cluster of claim 27 wherein said authorization map is set up when said cluster is originally set up.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Snowflake, Inc.
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Joshi, Shaila
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Zee; Edward

Application Number

US10/892,077
Time in Patent Office

2,022 Days
Field of Search

726 4- 7, 726/28, 726/29
US Class Current

726/6
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Role-based access control

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Role-based access control

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links