System and method for implementing access controls using file protocol rule sets

US 7,707,618 B1
Filed: 05/28/2004
Issued: 04/27/2010
Est. Priority Date: 05/28/2004
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a data access request directed to a data container, the data access request having a file handle;

examining a field of the file handle to identify the data container to which the data access request is directed;

determining, in response to identifying the data container to which the data access request is directed, a location of the data container and a rule set associated with the data container; and

processing the data access request utilizing one or more rules contained within the rule set associated with the data container.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for limiting access using file-level protocol rule sets. A rule set, comprising of an ordered set of rules, is associated with a virtual file system (VFS). When a data access request is received, the network address of the client originating the data access request is utilized to select a matching rule from the rule set for use in determining access to the VFS. The selected rule is then processed to determine if the data access request is permitted.

Citations

53 Claims

1. A method, comprising:
- receiving a data access request directed to a data container, the data access request having a file handle;
  
  examining a field of the file handle to identify the data container to which the data access request is directed;
  
  determining, in response to identifying the data container to which the data access request is directed, a location of the data container and a rule set associated with the data container; and
  
  processing the data access request utilizing one or more rules contained within the rule set associated with the data container.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein the data container is a virtual file system.
  - 3. The method of claim 1 wherein the data container is a volume.
  - 4. The method of claim 1 further comprising:
    - ordering the rule set as an ordered list of rules.
  - 5. The method of claim 4 wherein each rule of the rule set comprises a network address, a mask and one or more authentication strength requirements.
  - 6. The method of claim 5 wherein the one or more authentication strength requirements is for read access.
  - 7. The method of claim 5 wherein the one or more authentication strength requirements is for write access.
  - 8. The method of claim 5 wherein the one or more authentication strength requirements is for root access.
  - 9. The method of claim 1 wherein at least one rule of the rule set is a netgroup name.
  - 10. The method of claim 9 wherein the netgroup name has at least the one or more authentication strength requirements for read access.
  - 11. The method of claim 9 wherein the netgroup name has at least the one or more authentication strength requirements for write access.
  - 12. The method of claim 9 wherein the netgroup name has at least the one or more authentication strength requirements for root access.
  - 13. The method of claim 1 further comprising:
    - (a) selecting a first rule in the rule set;
      
      (b) determining if the received data access request matches the selected rule;
      
      (c) in response to the selected rule not matching the data access request, determining if an additional rule exists in the rule set;
      
      (d) in response to determining that the additional rule exists in the rule set, selecting a next rule in the export rule set and looping to step (b); and
      
      (e) in response to determining that the additional rule does not exist in the rule set, denying access to the data access request.
  - 14. The method of claim 1 further comprising:
    - (a) determining if the rule set is empty;
      
      (b) in response to determining that the rule set is empty, utilizing a default rule;
      
      (c) in response to determining that the rule set is not empty, selecting a first rule in the rule set;
      
      (d) determining if the received data access request matches the selected rule;
      
      (e) in response to the selected rule not matching the data access request, determining if an additional rule exists in the rule set;
      
      (f) in response to determining that the additional rule exists in the rule set, selecting a next rule in the rule set and looping to step (d); and
      
      (g) in response to determining that the additional rule does not exist in the rule set, denying access to the data access request.

15. A system, comprising:
- means for receiving a data access request directed to a data container, the data access request having a file handle;
  
  means for examining a field of the file handle to identify the data container to which the data access request is directed;
  
  means for determining, in response to identifying the data container to which the data access request is directed, a location of the data container and a rule set associated with the data container; and
  
  means for processing the data access request utilizing one or more rules contained within the rule set associated with the data container.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The system of claim 15 further comprising:
    - the data container configured as a virtual file system.
  - 17. The system of claim 15 further comprising:
    - the data container configured as a volume.
  - 18. The system of claim 15 further comprising:
    - the rule set configured as an ordered list of rules.
  - 19. The system of claim 15 further comprising:
    - each rule of the rule set configured to have a network address, a mask and one or more authentication strength requirements.
  - 20. The system of claim 19 further comprising:
    - the one or more authentication strength requirements configured to be for read access.
  - 21. The system of claim 19 further comprising:
    - the one or more authentication strength requirements configured to be for write access.
  - 22. The system of claim 19 further comprising:
    - the one or more authentication strength requirements configured to be for root access.
  - 23. The system of claim 15 further comprising:
    - each rule of the rule set configured to have a netgroup name associated with the one or more authentication strength requirements.
  - 24. The system of claim 23 wherein the netgroup name as at least the one or more authentication strength requirements configured to be for read access.
  - 25. The system of claim 23 the one or more authentication strength requirements configured to be for write access.
  - 26. The system of claim 23 the one or more authentication strength requirements configured to be for root access.

27. A computer readable medium containing executable program instructions executed by a processor, comprising:
- program instructions that receive a data access request directed to a data container, the data access request having a file handle;
  
  program instructions that examine a field of the file handle to identify the data container to which the data access request is directed;
  
  program instructions that determine, in response to identifying the data container to which the data access request is directed, a location of the data container and a rule set associated with the data container; and
  
  program instructions that process the data access request utilizing one or more rules contained within the rule set associated with the data container.

28. A system, comprising:
- the system configured to receive a data access request directed to a data container, the data access request having a file handle;
  
  the system further configured to examine a field of the file handle to identify the data container to which the data access request is directed;
  
  the system further configured to determine, in response to identifying the data container to which the data access request is directed, a location of the data container and a rule set associated with the data container; and
  
  the system further configured to process the data access request utilizing one or more rules contained within the rule set associated with the data container.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 29. The system of claim 28 wherein the rule set comprises one or more ordered set of rules configured to have a network address, a mask and one or more authentication strength requirements.
  - 30. The system of claim 28 further comprising:
    - (a) the system further configured to select a first rule in the rule set;
      
      (b) the system further configured to determine if the received data access request matches the selected rule;
      
      (c) in response to the selected rule not matching the data access request, the system further configured to determine if an additional rule exists in the rule set;
      
      (d) in response to determining that the additional rule exists in the rule set, the system further configured to select a next rule in the rule set and looping to step (b); and
      
      (e) in response to determining that the additional rule does not exist in the rule set, the system further configured to deny access to the data access request.
  - 31. The system of claim 28 further comprising:
    - (a) the system further configured to determine if the rule set is empty;
      
      (b) in response to determining that the rule set is empty, the system further configured to utilize a default rule;
      
      (c) in response to determining that the rule set is not empty, the system further configured to select a first rule in the rule set;
      
      (d) the system further configured to determine if the received data access request matches the selected rule;
      
      (e) in response to the selected rule not matching the data access request, the system further configured to determine if an additional rule exists in the rule set;
      
      (f) in response to determining that the additional rule exists in the rule set, the system further configured to select a next rule in the rule set and looping to step (d); and
      
      (g) in response to determining that the additional rule does not exist in the rule set, the system further configured to deny access to the data access request.
  - 32. The system of claim 29 further comprising:
    - the one or more authentication strength requirements configured to be for write access.
  - 33. The system of claim 29 further comprising:
    - the one or more authentication strength requirements configured to be for root access.
  - 34. The system of claim 28 further comprising:
    - each of the ordered set of rules configured to contain a netgroup name associated with the one or more authentication strength requirements.
  - 35. The system of claim 34 the one or more authentication strength requirements configured to be for read access.
  - 36. The system of claim 34 the one or more authentication strength requirements configured to be for write access.
  - 37. The system of claim 34 the one or more authentication strength configured to be for root access.
  - 38. The system of claim 28 further comprising:
    - a file protocol server configured to select a first rule that matches a network address of a client issuing the data access request.

39. A method for limiting access to a data container, comprising:
- receiving a data access request directed to the data container, the data access request having a file handle;
  
  examining a field of the file handle to identify location of the data container to which the data access request is directed;
  
  identifying a rule set associated with the data container that was identified by the examination of the file handle;
  
  determining if a network address of the received data access request is in the rule set to permit access to the data container;
  
  determining, in response to the network address being in the rule set, if a type of access desired by the data access request has a required authentication level; and
  
  processing the data access request in response to having permission to access the data container and having the required authentication level of the type of access desired.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 40. The method of claim 39 further comprising:
    - associating a network address and an access rule with one or more rules in the rule set.
  - 41. The method of claim 39 further comprising:
    - storing the rule set in a Virtual File System Location Database (VLDB).
  - 42. The method of claim 39 further comprising:
    - ordering rules of the rule set from most specific to least specific.
  - 43. The method of claim 39 further comprising:
    - identifying a predefined identifier with the data container; and
      
      inheriting, by the data container, the rule set associated with the predefined identifier.
  - 44. The method of claim 39 further comprising:
    - caching an identified rule from the rule set for the network address for later data access requests.
  - 45. The method of claim 44 further comprising:
    - flushing the cache when new contents of the rule set are obtained.
  - 46. The method of claim 39 wherein the data container is a virtual file system.
  - 47. The method of claim 39 wherein one or more rules of the rule set comprises a network address, a mask and one or more authentication strength requirements.
  - 48. The method of claim 47 wherein at least one of the authentication strength requirements is for read/write access.
  - 49. The method of claim 39 wherein at least one rule of the rule set comprises a netgroup name associated with one or more authentication strength requirements.
  - 50. The method of claim 39 further comprising:
    - (a) selecting a first rule in the rule set;
      
      (b) determining if the received data access request matches the selected rule;
      
      (c) in response to the selected rule not matching the data access request, determining if an additional rule exists in the rule set;
      
      (d) in response to determining that the additional rule exists in the rule set, selecting a next rule in the rule set and looping to step (b); and
      
      (e) in response to determining that the additional rule does not exist in the rule set, denying access to the data access request.
  - 51. The method of claim 39 further comprising:
    - (a) determining if the rule set is empty;
      
      (b) in response to determining that the rule set is empty, utilizing a default rule;
      
      (c) in response to determining that the rule set is not empty, selecting a first rule in the rule set;
      
      (d) determining if the received data access request matches the selected rule;
      
      (e) in response to the selected rule not matching the data access request, determining if an additional rule exists in the rule set;
      
      (f) in response to determining that the additional rule exists in the rule set, selecting a next rule in the rule set and looping to step (d); and
      
      (g) in response to determining that the additional rule does not exist in the rule set, denying access to the data access request.

52. A computer readable medium containing executable program instructions executed by a processor, comprising:
- program instructions that receive a data access request directed to a data container, the data access request having a file handle;
  
  program instructions that examine a field of the file handle to identify a location of the data container to which the data access request is directed;
  
  program instructions that identify a rule set associated with the data container identified by the examination of the file handle;
  
  program instructions that determine if a network address of the received data access request is in the rule set to permit access to the data container;
  
  program instructions that determine, in response to the network address being in the rule set, if a type of access desired by the data access request has a required authentication level; and
  
  program instructions that process the data access request in response to having permission to access the data container and having the required authentication level of the type of access desired.

53. A system for limiting access to a data container, comprising:
- the system configured to receive a data access request directed to the data container, the data access request having a file handle;
  
  the system further configured to examine the file handle to identify a location of the data container to which the data access request is directed;
  
  the system further configured to identify a rule set associated with the mount point identified by the examination of the file handle;
  
  the system further configured to determine if a network address of the received data access request is in the rule set to permit access to the data container;
  
  the system further configured to determine, in response to the network address being in the rule set, if a type of access desired by the data access request has a required authentication level; and
  
  is the system further configured to process the data access request in response to having permission to access the data container and having the required authentication level of the type of access desired.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Cox, Benjamin T. H., Nydick, Daniel S.
Primary Examiner(s)
Kim; Jung
Assistant Examiner(s)
Lemma; Samson B

Application Number

US10/856,142
Time in Patent Office

2,160 Days
Field of Search

726/2, 726/1, 726/14, 726/27, 713/165
US Class Current

726/1
CPC Class Codes

G06F 16/10   File systems; File servers

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

System and method for implementing access controls using file protocol rule sets

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for implementing access controls using file protocol rule sets

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links