Secure storage access using third party capability tokens
Abstract
A method for revocable token identifiers may be employed in a shared storage environment. An access server may generate access tokens and include revocable token identifiers previously obtained from storage devices. When clients present access tokens to storage devices during storage requests, storage devices may check the validity of access tokens by verifying that the revocable token identifiers were previously issued to the access server. An access server may request that the storage device revoke revocable token identifiers. Storage devices may deny any future storage requests including revoked token identifiers. Additionally, an access token may include instructions specifying operations for a storage device to perform in conjunction with a storage request. A trusted server may issue grantor tokens granting permissions for access servers to use when issuing access tokens. An access server may then include such a grantor token in access tokens that it generates and issues to clients.
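As an added illustration (not code from the patent or any implementation it describes), the Python below models the flow the abstract and the independent claims describe: the storage device negotiates a pool of revocable token identifiers with the access server, the access server issues a layered token (a volume token plus a block-range grant carrying one identifier), and the device grants or denies each storage request, including after revocation. Sharing the volume tokens during negotiation, the constant-time comparison and all secret values are assumptions of this example; the grantor-token layer issued by a trusted server is not modelled.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessToken:
    volume: str
    volume_token: str  # outer layer: permission for the whole volume
    token_id: str      # inner layer: revocable identifier negotiated with the device
    first_block: int
    last_block: int

class StorageDevice:
    def __init__(self, volumes):
        # Constructed sample secrets; how a real device derives them is an assumption.
        self.volume_tokens = {v: secrets.token_hex(8) for v in volumes}
        self.issued_ids = set()   # identifiers handed to the access server
        self.revoked_ids = set()

    def negotiate(self, count):
        # Assumed exchange: volume tokens plus a pool of revocable identifiers.
        ids = [secrets.token_hex(8) for _ in range(count)]
        self.issued_ids.update(ids)
        return dict(self.volume_tokens), ids

    def revoke(self, token_id):
        self.revoked_ids.add(token_id)  # every later request with this id is denied

    def check(self, tok, block):
        """Validate a presented token for one block; return the decision."""
        if not hmac.compare_digest(self.volume_tokens.get(tok.volume, ""), tok.volume_token):
            return "denied: bad volume token"
        if tok.token_id not in self.issued_ids:
            return "denied: unknown token identifier"
        if tok.token_id in self.revoked_ids:
            return "denied: revoked"
        if not tok.first_block <= block <= tok.last_block:
            return "denied: block outside granted range"
        return "granted"

class AccessServer:
    def __init__(self, device, pool_size=4):
        self.device = device
        self.volume_tokens, self.pool = device.negotiate(pool_size)

    def issue(self, volume, first_block, last_block):
        # One pool identifier is consumed per block-range grant.
        return AccessToken(volume, self.volume_tokens[volume], self.pool.pop(),
                           first_block, last_block)

    def revoke(self, tok):
        self.device.revoke(tok.token_id)
```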
24 Claims
1. A method, comprising:

a storage device negotiating a plurality of revocable token identifiers with an access server, wherein the access server, in response to receiving from a client an access request for one or more blocks in a specific storage volume, issues to the client an access token comprising:

one of the revocable token identifiers for the requested one or more blocks, and a token for the specific volume, such that the access token is a layered token granting access permission to the specific volume and to one or more specific blocks or one or more ranges of blocks of data within the specific volume; and

the storage device, in response to receiving from the client a storage request including the issued access token, granting the storage request if the access token includes the token for the specific volume and one of the revocable token identifiers.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.
16. A device, comprising:

a processor; and a memory comprising program instructions configured to:

negotiate a plurality of revocable token identifiers with a storage device;

in response to receiving from a client an access request for one or more blocks in a specific storage volume, issue to the client an access token comprising:

one of the revocable token identifiers for the requested one or more blocks, and a token for the specific volume, such that the access token is a layered token granting access permission at both the volume-level and the block-level to the one or more blocks of data within the specific volume; and

wherein the storage device is configured to, in response to receiving from the client a storage request including the issued access token, grant the storage request if the access token includes the token for the specific volume and one of the revocable token identifiers.

Dependent claims: 17, 18, 19, 20, 21, 22.
23. A non-transitory computer accessible medium, comprising program instructions configured to implement:

receiving from a storage device one or more revocable token identifiers;

in response to receiving from a client an access request for one or more blocks in a specific storage volume, issue to the client an access token comprising:

one of the revocable token identifiers for the requested one or more blocks, and a token for the specific volume, such that the access token is a layered token granting access permission to the specific blocks or one or more ranges of blocks of data within the specific volume; and

wherein the storage device is configured to, in response to receiving from the client a storage request including the issued access token, grant the storage request if the access token includes the token for the specific volume and one of the revocable token identifiers.
24. A system, comprising one or more devices configured to implement:

negotiating a plurality of revocable token identifiers with an access server;

receiving from the storage device one or more revocable token identifiers;

in response to receiving from a client an access request for one or more blocks in a specific storage volume, issuing to the client an access token comprising:

one of the revocable token identifiers for the requested one or more blocks, and a token for the specific volume, such that the access token is a layered token granting access permission to the specific volume and to one or more specific blocks or one or more ranges of blocks of data within the specific volume; and

in response to receiving from the client a storage request including the issued access token, granting the storage request if the access token includes the token for the specific volume and one of the revocable token identifiers.