Centralized role-based access control for storage servers

US 7,913,300 B1
Filed: 04/08/2005
Issued: 03/22/2011
Est. Priority Date: 04/08/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

operating a network server which communicates with a storage server through a network, wherein the network server includes a management application for controlling management tasks associated with the storage server;

using the network server to proxy requests to access a plurality of APIs of the storage server, the requests being from a client application which is external to the storage server and the network server, wherein using the network server to proxy a request to access a given API of the plurality of APIs includes;

in the network server, storing a set of access privileges for a plurality of users, including a user of the client application;

receiving from the client application a first API call for accessing the given API of the storage server, the first API call having associated therewith a first set of security credentials not associated with the storage server;

based on the first set of security credentials, determining whether the user of the client application is authorized to access the management application of the network server;

if the user is an authorized user of the management application, then using the network server to look up a second set of security credentials associated with the storage server, and sending a second API call, for accessing the given API to the storage server with the second set of security credentials;

receiving a result of executing the given API from the storage server;

looking up a set of access privileges associated with the user of the client application;

filtering the result of executing the given API based on the set of access privileges associated with the user of the client application; and

providing the filtered result to the client application as a response to the first API call; and

using the network server to provide access to a selected subset of the plurality of APIs of the storage server based on a role associated with the client application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Centralized role-based access control (RBAC) for storage servers can include operating multiple storage servers, each configured to provide a set of clients with access to stored data, and using a separate network server to provide centralized RBAC. The network server may include an API proxy to proxy requests to access individual APIs of a storage server by an application which is external to the network server and the storage server and may control access to the individual APIs of the storage servers on a per-API, per-user and per-object basis. The API proxy may filter responses to API calls based on the access privileges of the user of the application which sent the API call. In some embodiments, the network server may implement a Windows domain server, an LDAP server or the like to evaluate security credentials of administrative users on behalf of multiple storage servers.

269 Citations

13 Claims

1. A method comprising:
- operating a network server which communicates with a storage server through a network, wherein the network server includes a management application for controlling management tasks associated with the storage server;
  
  using the network server to proxy requests to access a plurality of APIs of the storage server, the requests being from a client application which is external to the storage server and the network server, wherein using the network server to proxy a request to access a given API of the plurality of APIs includes;
  
  in the network server, storing a set of access privileges for a plurality of users, including a user of the client application;
  
  receiving from the client application a first API call for accessing the given API of the storage server, the first API call having associated therewith a first set of security credentials not associated with the storage server;
  
  based on the first set of security credentials, determining whether the user of the client application is authorized to access the management application of the network server;
  
  if the user is an authorized user of the management application, then using the network server to look up a second set of security credentials associated with the storage server, and sending a second API call, for accessing the given API to the storage server with the second set of security credentials;
  
  receiving a result of executing the given API from the storage server;
  
  looking up a set of access privileges associated with the user of the client application;
  
  filtering the result of executing the given API based on the set of access privileges associated with the user of the client application; and
  
  providing the filtered result to the client application as a response to the first API call; and
  
  using the network server to provide access to a selected subset of the plurality of APIs of the storage server based on a role associated with the client application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as recited in claim 1, wherein using the network server to provide access to a selected subset of the plurality of APIs of the storage server based on a role associated with the client application comprises:
    - providing access control on a per-user basis for a plurality of users.
  - 3. A method as recited in claim 2, wherein using the network server to provide access to a selected subset of the plurality of APIs of the storage server based on a role associated with the client application comprises:
    - using the network server to control access to individual objects maintained by the storage server.
  - 4. A method as recited in claim 3, wherein using the network server to proxy requests to access a plurality of APIs of the storage server comprises implementing a tunneling API in the proxy to proxy API calls to the storage server transparently to the client application.
  - 5. A method as recited in claim 1, further comprising;
    - receiving a query of capabilities of a user from the client application; and
      
      sending to the client application a response indicating capabilities of the user.
  - 6. A method as recited in claim 1, wherein the result comprises a set of objects, and wherein at least one object, of the set of objects is not included in the filtered result.
  - 7. A method as recited in claim 1, further comprising, in the network server:
    - receiving an API call from the client application;
      
      in response to the API call, dynamically selecting the storage server to receive the API call, from among a plurality of storage servers; and
      
      proxying the API call to the storage server.

8. A processing system comprising:
- a processor;
  
  a network interface through which to communicate with a plurality of storage servers over a network; and
  
  a storage facility storing;
  
  a storage management application, for execution by the processor, to enable remote management of the storage servers by a user, and an API proxy, for execution by the processor, to proxy requests to access a plurality of APIs of the storage servers on a per-API basis, the requests originating from a client application which is external to the processing system and the storage servers, including providing access control to a selected subset of the plurality of APIs of the storage server based on a role associated with the client application, wherein the API proxy further is to;
  
  in the API proxy, store a set of access privileges for a plurality of users, including a user of the client application;
  
  receive from the client application an API call for accessing an API of a given storage server of the plurality of storage servers, the API having associated therewith a first set of security credentials not associated with the given storage server;
  
  based on the first set of security credentials, determining whether the user of the client application is authorized to access the storage management application of the storage facility;
  
  if the user is an authorized user of the storage management application, then looking up a second set of security credentials associated with the given storage server, and sending a second API call, for accessing the API, to the given storage server with the second set of security credentials;
  
  receiving a result of executing the API from the storage server;
  
  looking up a set of access privileges associated with the user of the client application;
  
  filtering the result of executing the API based on the set of access privileges associated with the user of the client application; and
  
  providing the filtered result to the client application as a response to the first API call.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. A processing system as recited in claim 8, wherein the proxy implements a tunneling API to proxy the requests to access the individual APIs to the storage servers, transparently to the client application.
  - 10. A processing system as recited in claim 8, wherein the processing system provides centralized control of access to individual APIs of the storage servers by a plurality of applications which are external to the processing system and the storage servers.
  - 11. A processing system as recited in claim 8, wherein the processing system maintains, and is operable to evaluate, a set of security credentials for use in accessing at least-one of the storage servers.
  - 12. A processing system as recited in claim 8, wherein the processing system comprises both an access policy decision point (PDP) and an access policy enforcement point (PEP) for purposes, of controlling access:
    - to the storage servers.
  - 13. A processing system as recited in claim 8, wherein the result comprises a set of objects, and wherein at least one object of the set of the objects is omitted from the filtered result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Thompson, Timothy J., Klinkner, Steven R., Yoder, Alan G., Swartzlander, Benjamin B., Flank, Joshua H.
Primary Examiner(s)
Srivastava; Vivek
Assistant Examiner(s)
SONG, HEE K

Application Number

US11/102,422
Time in Patent Office

2,174 Days
Field of Search

726/11, 726/12, 726/27, 726/2, 726/17, 726/21, 726/28, 726/29, 726/30, 713/165, 713169-181, 713182-186, 713/201, 711/161, 709/316, 709/202, 709/224, 707/102
US Class Current

726/12
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/6218   to a system of files or obj...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 9/468   Specific access rights for ...

H04L 63/0281   Proxies

H04L 63/102   Entity profiles

Centralized role-based access control for storage servers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

269 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Centralized role-based access control for storage servers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

269 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links