Dynamic file access control and management
First Claim
1. A method performed by a proxy server, the method comprising:
- receiving, over a first network connection, a Network File System (NFS) based request from a client machine for a data block of a data file from a remote network attached storage system, the request having an associated user, the data block having a fixed preconfigured size associated with the data file;
requesting, from an authentication server, an access policy associated with the associated user;
receiving, from the authentication server, the access policy associated with the associated user;
determining, from the access policy associated with the associated user and metadata associated with the data file, the metadata being stored on the remote network attached storage system, if the associated user has the authority to access the data file; and
if the associated user has the authority to access the data file, then;
establishing a set of usage rights based on the access policy associated with the associated user and the metadata associated with the data file;
requesting, over a second network connection, from the network attached storage system, the data block of the data file;
receiving, over the second network connection, from the network attached storage system, the data block of the data file;
encrypting the received data block, such that only an authorized client module executing on the client machine by the associated user can decrypt the encrypted received data block;
encapsulating within a packet;
the encrypted received data block; and
the established set of usage rights; and
sending, over a secure channel, the packet to the client machine such that only the authorized client module can access the encrypted received data block and only when such access is in accordance with the established set of usage rights, said authorized client module running transparently to the associated user, logically interposed between an application layer and an operating system kernel layer.
16 Assignments
0 Petitions
Accused Products
Abstract
A dynamic file access control and management system and method in accordance with the present invention may be a proxy file management system that includes one or more file system proxy servers that provide selective access and usage management to files available from one or more file systems or sources. The present invention may embody a secure transport protocol that tunnels distributed file systems, application independent usage controls connected to files on end-user computers, dynamically merging secondary content to a requested file, and applying bandwidth management to any of the foregoing. Embodied in the various implementations of the present invention is enhanced file security. Preferably, the proxy file management system is transparent to an end-user. A dynamic content management system may also be included that selectively adds content to requested files.
598 Citations
20 Claims
-
1. A method performed by a proxy server, the method comprising:
-
receiving, over a first network connection, a Network File System (NFS) based request from a client machine for a data block of a data file from a remote network attached storage system, the request having an associated user, the data block having a fixed preconfigured size associated with the data file; requesting, from an authentication server, an access policy associated with the associated user; receiving, from the authentication server, the access policy associated with the associated user; determining, from the access policy associated with the associated user and metadata associated with the data file, the metadata being stored on the remote network attached storage system, if the associated user has the authority to access the data file; and if the associated user has the authority to access the data file, then; establishing a set of usage rights based on the access policy associated with the associated user and the metadata associated with the data file; requesting, over a second network connection, from the network attached storage system, the data block of the data file; receiving, over the second network connection, from the network attached storage system, the data block of the data file; encrypting the received data block, such that only an authorized client module executing on the client machine by the associated user can decrypt the encrypted received data block; encapsulating within a packet; the encrypted received data block; and the established set of usage rights; and sending, over a secure channel, the packet to the client machine such that only the authorized client module can access the encrypted received data block and only when such access is in accordance with the established set of usage rights, said authorized client module running transparently to the associated user, logically interposed between an application layer and an operating system kernel layer. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A proxy server, comprising:
-
processing circuitry; and network communications circuitry; the processing circuitry and network communications circuitry being operative together to perform a method including; receiving, over a first network connection, a Network File System (NFS) based request from a client machine for a data block of a data file from a remote network attached storage system, the request having an associated user, the data block having a fixed preconfigured size associated with the data file; requesting, from an authentication server, an access policy associated with the associated user; receiving, from the authentication server, the access policy associated with the associated user; determining, from the access policy associated with the associated user and metadata associated with the data file, the metadata being stored on the remote network attached storage system, if the associated user has the authority to access the data file; and if the associated user has the authority to access the data file, then; establishing a set of usage rights based on the access policy associated with the associated user and the metadata associated with the data file; requesting, over a second network connection, from the network attached storage system, the data block of the data file; receiving, over the second network connection, from the network attached storage system, the data block of the data file; encrypting the received data block, such that only an authorized client module executing on the client machine by the associated user can decrypt the encrypted received data block; encapsulating within a packet; the encrypted received data block; and the established set of usage rights; and sending, over a secure channel, the packet to the client machine such that only the authorized client module can access the encrypted received data block and only when such access is in accordance with the established set of usage rights, said authorized client module running transparently to the associated user, logically interposed between an application layer and an operating system kernel layer. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
-
Specification