Centralized role-based access control for storage servers
First Claim
1. A method comprising:
- operating a network server which communicates with a storage server through a network, wherein the network server includes a management application for controlling management tasks associated with the storage server;
using the network server to proxy requests to access a plurality of APIs of the storage server, the requests being from a client application which is external to the storage server and the network server, wherein using the network server to proxy a request to access a given API of the plurality of APIs includes;
in the network server, storing a set of access privileges for a plurality of users, including a user of the client application;
receiving from the client application a first API call for accessing the given API of the storage server, the first API call having associated therewith a first set of security credentials not associated with the storage server;
based on the first set of security credentials, determining whether the user of the client application is authorized to access the management application of the network server;
if the user is an authorized user of the management application, then using the network server to look up a second set of security credentials associated with the storage server, and sending a second API call, for accessing the given API to the storage server with the second set of security credentials;
receiving a result of executing the given API from the storage server;
looking up a set of access privileges associated with the user of the client application;
filtering the result of executing the given API based on the set of access privileges associated with the user of the client application; and
providing the filtered result to the client application as a response to the first API call; and
using the network server to provide access to a selected subset of the plurality of APIs of the storage server based on a role associated with the client application.
2 Assignments
0 Petitions
Accused Products
Abstract
Centralized role-based access control (RBAC) for storage servers can include operating multiple storage servers, each configured to provide a set of clients with access to stored data, and using a separate network server to provide centralized RBAC. The network server may include an API proxy to proxy requests to access individual APIs of a storage server by an application which is external to the network server and the storage server and may control access to the individual APIs of the storage servers on a per-API, per-user and per-object basis. The API proxy may filter responses to API calls based on the access privileges of the user of the application which sent the API call. In some embodiments, the network server may implement a Windows domain server, an LDAP server or the like to evaluate security credentials of administrative users on behalf of multiple storage servers.
269 Citations
13 Claims
-
1. A method comprising:
-
operating a network server which communicates with a storage server through a network, wherein the network server includes a management application for controlling management tasks associated with the storage server; using the network server to proxy requests to access a plurality of APIs of the storage server, the requests being from a client application which is external to the storage server and the network server, wherein using the network server to proxy a request to access a given API of the plurality of APIs includes; in the network server, storing a set of access privileges for a plurality of users, including a user of the client application; receiving from the client application a first API call for accessing the given API of the storage server, the first API call having associated therewith a first set of security credentials not associated with the storage server; based on the first set of security credentials, determining whether the user of the client application is authorized to access the management application of the network server; if the user is an authorized user of the management application, then using the network server to look up a second set of security credentials associated with the storage server, and sending a second API call, for accessing the given API to the storage server with the second set of security credentials; receiving a result of executing the given API from the storage server; looking up a set of access privileges associated with the user of the client application; filtering the result of executing the given API based on the set of access privileges associated with the user of the client application; and providing the filtered result to the client application as a response to the first API call; and using the network server to provide access to a selected subset of the plurality of APIs of the storage server based on a role associated with the client application. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A processing system comprising:
-
a processor; a network interface through which to communicate with a plurality of storage servers over a network; and a storage facility storing; a storage management application, for execution by the processor, to enable remote management of the storage servers by a user, and an API proxy, for execution by the processor, to proxy requests to access a plurality of APIs of the storage servers on a per-API basis, the requests originating from a client application which is external to the processing system and the storage servers, including providing access control to a selected subset of the plurality of APIs of the storage server based on a role associated with the client application, wherein the API proxy further is to; in the API proxy, store a set of access privileges for a plurality of users, including a user of the client application; receive from the client application an API call for accessing an API of a given storage server of the plurality of storage servers, the API having associated therewith a first set of security credentials not associated with the given storage server; based on the first set of security credentials, determining whether the user of the client application is authorized to access the storage management application of the storage facility; if the user is an authorized user of the storage management application, then looking up a second set of security credentials associated with the given storage server, and sending a second API call, for accessing the API, to the given storage server with the second set of security credentials; receiving a result of executing the API from the storage server; looking up a set of access privileges associated with the user of the client application; filtering the result of executing the API based on the set of access privileges associated with the user of the client application; and providing the filtered result to the client application as a response to the first API call. - View Dependent Claims (9, 10, 11, 12, 13)
-
Specification