Centralizing access request authorizations for storage systems

US 7,926,087 B1
Filed: 11/30/2007
Issued: 04/12/2011
Est. Priority Date: 11/30/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A system for authorizing access requests for accessing a storage system, the system comprising:

an authorization module configured for determining authorization of access requests for a first storage system;

a first server system comprising a first application configured for;

sending an initiation request to the authorization module;

receiving an access request for accessing the first storage system;

sending an authorization request to the authorization module for authorizing the access request; and

only upon receiving an authorization of the access request from the authorization module, sending the access request to the first storage system;

the first storage system comprising a set of one or more storage devices, the first storage system configured for performing the access request received from the first application without determining authorization of the received access request; and

a network connecting the authorization module, first server system, and first storage system, wherein the authorization module resides and executes externally from the first server system and the first storage system, wherein the authorization module is further configured for generating a unique identifier and a password for the first application to connect with the first storage system and sending the unique identifier and password to the first application and the first storage system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein is a centralized access request authorization system comprising an authorization module, one or more server systems, and a collection of one or more storage systems connected through a network. An application executing on a server system receives an access request for accessing the storage system collection and sends an authorization request to the authorization module for authorizing the access request. The application may be configured to only send the access request to the storage system collection if it first receives an authorization of the access request from the authorization module. Since the application is configured to do such, the storage system performs the access request without performing any authorization verification on the access request. The authorization module may receive authorization requests from a plurality of applications (executing on a plurality of server systems) and determine received authorization requests using a single repository of access permission information.

42 Citations

View as Search Results

18 Claims

1. A system for authorizing access requests for accessing a storage system, the system comprising:
- an authorization module configured for determining authorization of access requests for a first storage system;
  
  a first server system comprising a first application configured for;
  
  sending an initiation request to the authorization module;
  
  receiving an access request for accessing the first storage system;
  
  sending an authorization request to the authorization module for authorizing the access request; and
  
  only upon receiving an authorization of the access request from the authorization module, sending the access request to the first storage system;
  
  the first storage system comprising a set of one or more storage devices, the first storage system configured for performing the access request received from the first application without determining authorization of the received access request; and
  
  a network connecting the authorization module, first server system, and first storage system, wherein the authorization module resides and executes externally from the first server system and the first storage system, wherein the authorization module is further configured for generating a unique identifier and a password for the first application to connect with the first storage system and sending the unique identifier and password to the first application and the first storage system.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein:
    - the access request is received from a user, the access request specifying an operation on a storage object stored on the first storage system; and
      
      the authorization module is further configured for only upon determining that the user is permitted to perform the specified operation on the specified storage object, sending an authorization of the access request to the first application.
  - 3. The system of claim 1, wherein the first server system further comprises a second application configured for:
    - supporting a set of one or more operations on the first storage system;
      
      receiving the access request from a user, the access request specifying an operation in the set of operations; and
      
      sending the access request to the first application.
  - 4. The system of claim 1, wherein:
    - the initiation request comprises credential information describing the first application; and
      
      the authorization module is further configured for generating and sending the unique identifier and password only upon determining that the credential information indicates that the first application is configured to only send the access request to the first storage system after receiving an authorization of the access request from the authorization module.
  - 5. The system of claim 1, wherein:
    - the first application is further configured for connecting with the first storage system using the unique identifier and password; and
      
      the first storage system is further configured for, after the connection is established with the first application, thereafter performing all access requests received from the first application without determining authorization of the received access requests.

6. A system for authorizing access requests for accessing a storage system, the system comprising:
- an authorization module configured for determining authorization of access requests for a first storage system;
  
  a first server system comprising;
  
  a first application configured for;
  
  receiving an access request for accessing the first storage system;
  
  sending an authorization request to the authorization module for authorizing the access request; and
  
  only upon receiving an authorization of the access request from the authorization module, sending the access request to the first storage system; and
  
  a second application configured for;
  
  supporting a set of one or more operations on the first storage system;
  
  receiving the access request from a user, the access request specifying an operation in the set of operations; and
  
  sending the access request to the first application;
  
  the first storage system comprising a set of one or more storage devices, the first storage system configured for performing the access request received from the first application without determining authorization of the received access request; and
  
  a network connecting the authorization module, first server system, and first storage system, wherein the authorization module resides and executes externally from the first server system and the first storage system,wherein;
  
  the first storage system comprises a first file system for organizing one or more storage objects stored on the first storage system;
  
  the first server system comprises a second file system for organizing the one or more storage objects; and
  
  the first application is further configured for;
  
  receiving, from the second application, the access request comprising a server address path to a storage object, the server address path being specified by the second file system; and
  
  mapping the server address path to a storage address path to the storage object, the storage address path being specified by the first file system.

7. A system for authorizing access requests for accessing a storage system, the system comprising:
- an authorization module configured for determining authorization of access requests for a first storage system;
  
  a first server system comprising a first application configured for;
  
  receiving an access request for accessing the first storage system;
  
  sending an authorization request to the authorization module for authorizing the access request; and
  
  only upon receiving an authorization of the access request from the authorization module, sending the access request to the first storage system;
  
  the first storage system comprising a set of one or more storage devices, the first storage system configured for performing the access request received from the first application without determining authorization of the received access request;
  
  a network connecting the authorization module, first server system, and first storage system, wherein the authorization module resides and executes externally from the first server system and the first storage system; and
  
  a second server system comprising a second application configured for;
  
  receiving an access request for accessing the first storage system;
  
  sending an authorization request to the authorization module for authorizing the access request; and
  
  only upon receiving an authorization of the access request from the authorization module, sending the access request to the first storage system, wherein;
  
  the first storage system is configured for performing the access request received from the second application without determining authorization of the received access request; and
  
  the network connects the authorization module, first and second server systems, and first storage system.

8. A system for authorizing access requests for accessing a storage system, the system comprising:
- an authorization module configured for determining authorization of access requests for a first storage system;
  
  a first server system comprising a first application configured for;
  
  receiving an access request for accessing the first storage system;
  
  sending an authorization request to the authorization module for authorizing the access request; and
  
  only upon receiving an authorization of the access request from the authorization module, sending the access request to the first storage system;
  
  the first storage system comprising a set of one or more storage devices, the first storage system configured for performing the access request received from the first application without determining authorization of the received access request;
  
  a network connecting the authorization module, first server system, and first storage system, wherein the authorization module resides and executes externally from the first server system and the first storage system; and
  
  a second storage system comprising a set of one or more storage devices, wherein;
  
  the authorization module is further configured for determining authorization of access requests for a second storage system;
  
  the first application is further configured for receiving an access request for accessing the second storage system, sending an authorization request to the authorization module for authorizing the access request, and only upon receiving an authorization of the access request from the authorization module, sending the access request to the second storage system;
  
  the second storage system is configured for performing the access request received from the first application without determining authorization of the received access request; and
  
  the network connects the authorization module, first server system, and first and second storage systems.

9. A method for authorizing access requests for accessing a storage system, the method comprising:
- providing an authorization module configured for determining authorization of access requests for a first storage system;
  
  providing a first server system comprising a first application configured for;
  
  sending an initiation request to the authorization module;
  
  receiving an access request for accessing the first storage system;
  
  sending an authorization request to the authorization module for authorizing the access request; and
  
  only upon receiving an authorization of the access request from the authorization module, sending the access request to the first storage system;
  
  providing the first storage system comprising a set of one or more storage devices, the first storage system configured for performing the access request received from the first application without determining authorization of the received access request; and
  
  providing a network connecting the authorization module, first server system, and first storage system, wherein the authorization module resides and executes externally from the first server system and the first storage system, wherein the authorization module is further configured for generating a unique identifier and a password for the first application to connect with the first storage system and sending the unique identifier and password to the first application and the first storage system.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein:
    - the access request is received from a user, the access request specifying an operation on a storage object stored on the first storage system; and
      
      the authorization module is further configured for;
      
      only upon determining that the user is permitted to perform the specified operation on the specified storage object, sending an authorization of the access request to the first application.
  - 11. The method of claim 9, whereinthe initiation request comprises credential information describing the first application;
    - andthe authorization module is further configured for;
      
      generating and sending the unique identifier and password only upon determining that the credential information indicates that the first application is configured to only send the access request to the first storage system after receiving an authorization of the access request from the authorization module.
  - 12. The method of claim 9, whereinthe first application is further configured for:
    - connecting with the first storage system using the unique identifier and password; and
      
      the first storage system is further configured for;
      
      after the connection is established with the first application, thereafter performing all access requests received from the first application without determining authorization of the received access requests.

13. A system for registering an application for using an authorization module for authorizing access requests for accessing a storage system, the system comprising:
- a server system comprising an application configured for sending an initiation request to the authorization module, the initiation request comprising credential information describing the application;
  
  the authorization module configured for;
  
  generating a unique identifier and a password for the application to connect with the storage system; and
  
  sending the unique identifier and password to the application and the storage system, wherein the authorization module generates and sends the unique identifier and password only upon determining that the credential information indicates that the application is configured to only send an access request to the storage system after receiving an authorization of the access request from the authorization module;
  
  the storage system comprising a set of one or more storage devices, the storage system configured for receiving and storing the unique identifier and password for the application; and
  
  a network connecting the authorization module, server system, and storage system, wherein the authorization module resides and executes externally from the server system and the storage system.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13, wherein:
    - the application is further configured for connecting with the storage system using the unique identifier and password; and
      
      the storage system is further configured for, after the connection is established with the application, thereafter performing all access requests received from the application without determining authorization of the received access requests.
  - 15. The system of claim 13, wherein the application is configured for sending the initiation request to the authorization module automatically, without human initiation or intervention.

16. A method for registering an application for using an authorization module for authorizing access requests for accessing a storage system, the method comprising:
- providing a server system comprising an application configured for sending an initiation request to the authorization module, the initiation request comprising credential information describing the application;
  
  providing the authorization module configured for;
  
  generating a unique identifier and a password for the application to connect with the storage system; and
  
  sending the unique identifier and password to the application and the storage system, wherein the authorization module generates and sends the unique identifier and password only upon determining that the credential information indicates that the application is configured to only send an access request to the storage system after receiving an authorization of the access request from the authorization module;
  
  providing the storage system comprising a set of one or more storage devices, the storage system configured for receiving and storing the unique identifier and password for the application; and
  
  providing a network connecting the authorization module, server system, and storage system, wherein the authorization module resides and executes externally from the server system and the storage system.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, wherein:
    - the application is further configured for connecting with the storage system using the unique identifier and password; and
      
      the storage system is further configured for, after the connection is established with the application, thereafter performing all access requests received from the application without determining authorization of the received access requests.
  - 18. The method of claim 16, wherein the application is configured for sending the initiation request to the authorization module automatically, without human initiation or intervention.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Voll, James J, Surana, Anshu, Holl, James Hartwell II, Roussos, Konstantinos
Primary Examiner(s)
Song; Hosuk

Application Number

US11/948,270
Time in Patent Office

1,229 Days
Field of Search

713/150, 713165-168, 713/189, 713193-194, 726 2- 7, 709/225, 709/229, 380/44
US Class Current

726/2
CPC Class Codes

G06F 12/1458   by checking the subject acc...

G06F 21/6218   to a system of files or obj...

G06F 2221/2115   Third party

G06F 3/0622   in relation to access

G06F 3/0659   Command handling arrangemen...

G06F 3/067   Distributed or networked st...

H04L 63/0853   using an additional device,...

H04L 67/1097   for distributed storage of ...

Centralizing access request authorizations for storage systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Centralizing access request authorizations for storage systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links