Network device management interface having fine-grain access control using regular expressions

US 7,774,367 B1
Filed: 08/20/2007
Issued: 08/10/2010
Est. Priority Date: 07/28/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing configuration data for a device, wherein the configuration data is arranged in the form of a multi-level configuration hierarchy having a plurality of objects, each of the objects having a textual label and representing a portion of the configuration data;

storing authorization data defining a coarse-grain access control attribute defining access control rights to a first set of one or more objects at and below a level of the hierarchy, and a fine-grain access control attribute and an associated regular expression defining a textual pattern that identifies a second set of one or more of the objects within the configuration hierarchy;

applying the regular expression to a command to determine whether the command requests access to any of the objects within the second set; and

controlling access to configuration data of the device based on the determination by;

allowing access to the configuration data when the coarse-grain access control attribute does not allow access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern; and

denying access to the configuration data when the coarse-grain access control attribute allows access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for controlling access to resources within a device are described. A device is described, for example, that includes a computer-readable medium and a management interface. The computer-readable medium stores configuration data and authorization data. The authorization data defines an access control attribute and an associated regular expression specifying a textual pattern. The management interface receives a text-based command to access the configuration data of the device, evaluates the command using the regular expression, and controls access to the configuration data based on the evaluation.

Citations

14 Claims

1. A method comprising:
- storing configuration data for a device, wherein the configuration data is arranged in the form of a multi-level configuration hierarchy having a plurality of objects, each of the objects having a textual label and representing a portion of the configuration data;
  
  storing authorization data defining a coarse-grain access control attribute defining access control rights to a first set of one or more objects at and below a level of the hierarchy, and a fine-grain access control attribute and an associated regular expression defining a textual pattern that identifies a second set of one or more of the objects within the configuration hierarchy;
  
  applying the regular expression to a command to determine whether the command requests access to any of the objects within the second set; and
  
  controlling access to configuration data of the device based on the determination by;
  
  allowing access to the configuration data when the coarse-grain access control attribute does not allow access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern; and
  
  denying access to the configuration data when the coarse-grain access control attribute allows access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern.

2. A device comprising:
- a computer-readable medium storing configuration data and authorization data, wherein the authorization data defines a fine-grain access control attribute and an associated regular expression specifying a textual pattern, and wherein the authorization data further includes a coarse-grain access control attribute defining access control rights for respective groups of resources provided by the device; and
  
  a management interface that receives a text-based command to access the configuration data, wherein the management interface evaluates the command using the regular expression and controls access to the configuration data based on the coarse-grain access control attribute and the evaluation of the regular expression,wherein the management interface allows access to the configuration data when the coarse-grain access control attribute does not allow access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern, andwherein the management interface denies access to the configuration data when the coarse-grain access control attribute allows access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10)
- - 3. The device of claim 2, wherein the coarse-grain access control attribute comprises a set of permission bits, and each of the permission bits is associated with a respective group of the resources.
  - 4. The device of claim 2, wherein the configuration data is arranged in the form of a multi-level configuration hierarchy having a plurality of objects, and each of the objects represents a portion of the configuration data that relates to one or more resources of the device.
  - 5. The device of claim 4, wherein the objects have respective textual labels and the regular expression defines the textual pattern to match the textual labels of a set of one or more of the objects within the configuration hierarchy.
  - 6. The device of claim 5, wherein the management interface applies the regular expression to the command to determine whether the command specifies any of the objects within the set.
  - 7. The device of claim 5, wherein the management interface pre-process the regular expression to automatically insert one or more meta-characters into the regular expression based on the hierarchical arrangement of the configuration data.
  - 8. The device of claim 2, wherein the management interface comprises a command line interface to receive the command from a client, and the management interface evaluates the command with regular expression in real-time as the client enters the command.
  - 9. The device of claim 8, wherein the management interface evaluates the command with the regular expression each time the client enters a token indicating a textual break within the command.
  - 10. The device of claim 2, wherein the device comprises a router.

11. A device comprising:
- a computer-readable medium comprising;
  
  configuration data arranged in the form of a multi-level configuration hierarchy having a plurality of objects, each of the objects having a textual label and representing a portion of the configuration data, andauthorization data that defines a coarse-grain access control attribute defining access control rights to a first set of one or more objects at and below a level of the hierarchy, the authorization data further defining a fine-grain access control attribute and an associated regular expression specifying a textual pattern, wherein the textual pattern identifies a second set of one or more of the objects within the configuration hierarchy; and
  
  a management interface that applies the regular expression to a command to determine whether the command requests access to any of the objects within the set, and controls access to the configuration data based on the determination,wherein the management interface allows access to the configuration data when the coarse-grain access control attribute does not allow access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern, andwherein the management interface denies access to the configuration data when the coarse-grain access control attribute allows access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern.

12. A device comprising:
- a computer-readable medium that stores configuration data, wherein the configuration data defines a coarse-grain access control attribute that defines access control rights for respective groups of resources provided by the device,a command line interface to receive a command from a client; and
  
  a management interface that receives input defining a fine-grain access control attribute and an associated regular expression that specifies a textual pattern, wherein the management interface pre-processes the regular expression to automatically insert one or more meta-characters into the regular expression, and stores the access control attribute and the pre-processed regular expression as authorization data to control access to the configuration data, wherein the management interface evaluates the command in real-time using the pre-processed regular expression as the client enters the command, and wherein, before the command has been fully received, the management interface denies access to the configuration data when the coarse-grain access control attribute allows access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between a portion of the command that has been processed in real time and the textual pattern.

13. A device comprising:
- a computer-readable medium storing configuration data and authorization data, wherein the authorization data defines;
  
  a fine-grain access control attribute and an associated regular expression specifying a textual pattern, anda coarse-grain access control attribute that defines access control rights for respective groups of resources provided by the device; and
  
  a management interface that evaluates a command received from a client using the regular expression of the fine-grain access control attribute, and controls access to the configuration data based on the coarse-grain access control attribute and the evaluation of the command, wherein the management interface allows access to the configuration data when the coarse-grain access control attribute does not allow access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern.

14. A device comprising:
- a computer-readable medium storing configuration data and authorization data, wherein the authorization data defines;
  
  a fine-grain access control attribute and an associated regular expression specifying a textual pattern, anda coarse-grain access control attribute that defines access control rights for respective groups of resources provided by the device; and
  
  a management interface that evaluates a command received from a client using the regular expression of the fine-grain access control attribute, and controls access to the configuration data based on the coarse-grain access control attribute and the evaluation of the command, wherein the management interface denies access to the configuration data when the coarse-grain access control attribute allows access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Enns, Robert P., Trostler, Mark E.
Primary Examiner(s)
Mofiz; Apu M
Assistant Examiner(s)
DAYE, CHELCIE L

Application Number

US11/841,410
Time in Patent Office

1,086 Days
Field of Search

707/6, 707/9, 707/103, 707/786, 709/225, 709/229
US Class Current

707/786
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/104   Grouping of entities

Network device management interface having fine-grain access control using regular expressions

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Network device management interface having fine-grain access control using regular expressions

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links