Processing a dispersed storage network access request utilizing certificate chain validation information

US 8,627,066 B2
Filed: 11/03/2011
Issued: 01/07/2014
Est. Priority Date: 11/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method for execution by one or more processing devices of one or more computers of a dispersed storage network, the method comprises:

receiving, by the one or more processing device of one or more computers, a dispersed storage network (DSN) access request that includes a requester identifier (ID), wherein the requester ID is associated with a certificate chain;

when the certificate chain is valid, accessing registry information for the DSN, wherein the registry information includes a plurality of access control lists, wherein an access control list of the plurality of access control lists includes a plurality of entries, andwherein an entry of the plurality of entries includes a realm ID, a subject name ID, and a set of permissions;

identifying one of the plurality of access control lists based on at least one of information associated with the requester ID and information associated with the certificate chain;

identifying one or more entries of the one of the plurality of access control lists based on the information associated with the certificate chain to produce one or more identified entries; and

generating, for the DSN access request, permissions from one or more sets of permissions associated with the one or more identified entries.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a processing module receiving a dispersed storage network (DSN) access request that includes a requester identifier (ID), wherein the requester ID is associated with a certificate chain. When the certificate chain is valid, the method continues with the processing module accessing registry information for the DSN. The method continues with the processing module identifying one of a plurality of access control lists based on at least one of information associated with the requester ID and information associated with the certificate chain, identifying one or more entries of the one of the plurality of access control lists based on the information associated with the certificate chain to produce one or more identified entries, and generating, for the DSN access request, permissions from one or more sets of permissions associated with the one or more identified entries.

79 Citations

18 Claims

1. A method for execution by one or more processing devices of one or more computers of a dispersed storage network, the method comprises:
- receiving, by the one or more processing device of one or more computers, a dispersed storage network (DSN) access request that includes a requester identifier (ID), wherein the requester ID is associated with a certificate chain;
  
  when the certificate chain is valid, accessing registry information for the DSN, wherein the registry information includes a plurality of access control lists, wherein an access control list of the plurality of access control lists includes a plurality of entries, andwherein an entry of the plurality of entries includes a realm ID, a subject name ID, and a set of permissions;
  
  identifying one of the plurality of access control lists based on at least one of information associated with the requester ID and information associated with the certificate chain;
  
  identifying one or more entries of the one of the plurality of access control lists based on the information associated with the certificate chain to produce one or more identified entries; and
  
  generating, for the DSN access request, permissions from one or more sets of permissions associated with the one or more identified entries.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprises:
    - obtaining certificate chain validation information associated with the DSN access request, wherein the certificate chain validation information includes a realm identifier (ID), identity of a plurality of trusted certificate authorities (CA), and an indication of validity of an associated certificate chain; and
      
      validating the certificate chain based on the certificate chain validation information.
  - 3. The method of claim 1, wherein the information associated with the requester ID comprises one or more of:
    - the requester ID;
      
      a vault ID;
      
      an access control list ID; and
      
      request type of the DSN access request.
  - 4. The method of claim 1, wherein the information associated with the certificate chain comprises one or more of:
    - realm ID; and
      
      a subject name of a trusted certificate authority (CA).
  - 5. The method of claim 1, wherein the registry information further comprises:
    - a plurality of network certificates, wherein a network certificate of the plurality of network certificates maintains information regarding association of a realm to a plurality of certificate authorities; and
      
      a plurality of vault records, wherein a vault record of the plurality of vault records includes the access control list and vault parameters.
  - 6. The method of claim 1, wherein the generating permissions for the DSN access request comprises:
    - aggregating a plurality of sets of permissions associated with a plurality of identified entries of the one or more identified entries;
      
      orselecting one of the one or more sets permissions.
  - 7. The method of claim 1 further comprises at least one of:
    - indicating that the DSN access request is not allowed when the permissions do not allow the DSN access request; and
      
      sending a rejection message to a requesting entity associated with the requester ID.
  - 8. The method of claim 1 further comprises:
    - executing the DSN access request in accordance with the permissions.
  - 9. The method of claim 1, wherein the permissions comprises one or more of:
    - allowed DSN access types;
      
      allowed requesting entities;
      
      time based access;
      
      security level access;
      
      wild card access; and
      
      realm access.

10. A computer comprises:
- an interface;
  
  a memory; and
  
  a processing module operable to;
  
  receive, via the interface, a dispersed storage network (DSN) access request that includes a requester identifier (ID), wherein the requester ID is associated with a certificate chain;
  
  when the certificate chain is valid, access registry information for the DSN, wherein the registry information includes a plurality of access control lists, wherein an access control list of the plurality of access control lists includes a plurality of entries, and wherein an entry of the plurality of entries includes a realm ID, a subject name ID, and a set of permissions;
  
  identify one of the plurality of access control lists based on at least one of information associated with the requester ID and information associated with the certificate chain;
  
  identify one or more entries of the one of the plurality of access control lists based on the information associated with the certificate chain to produce one or more identified entries; and
  
  generate, for the DSN access request, permissions from one or more sets of permissions associated with the one or more identified entries.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer of claim 10, wherein the processing module further functions to:
    - obtain certificate chain validation information associated with the DSN access request, wherein the certificate chain validation information includes a realm identifier (ID), identity of a plurality of trusted certificate authorities (CA), and an indication of validity of an associated certificate chain; and
      
      validate the certificate chain based on the certificate chain validation information.
  - 12. The computer of claim 10, wherein the information associated with the requester ID includes one or more of:
    - the requester ID;
      
      a vault ID;
      
      an access control list ID; and
      
      request type of the DSN access request.
  - 13. The computer of claim 10, wherein the information associated with the certificate chain includes one or more of:
    - realm ID; and
      
      a subject name of a trusted certificate authority (CA).
  - 14. The computer of claim 10, wherein the registry information further includes:
    - a plurality of network certificates, wherein a network certificate of the plurality of network certificates maintains information regarding association of a realm to a plurality of certificate authorities; and
      
      a plurality of vault records, wherein a vault record of the plurality of vault records includes the access control list and vault parameters.
  - 15. The computer of claim 10, wherein the processing module functions to generate permissions for the DSN access request by:
    - aggregating a plurality of sets of permissions associated with a plurality of identified entries of the one or more identified entries;
      
      orselecting one of the one or more sets permissions.
  - 16. The computer of claim 10, wherein the processing module further functions to:
    - indicate that the DSN access request is not allowed when the permissions do not allow the DSN access request; and
      
      send, via the interface, a rejection message to a requesting entity associated with the requester ID.
  - 17. The computer of claim 10, wherein the processing module further functions to:
    - execute the DSN access request in accordance with the permissions.
  - 18. The computer of claim 10, wherein the permissions comprises one or more of:
    - allowed DSN access types;
      
      allowed requesting entities;
      
      time based access;
      
      security level access;
      
      wild card access; and
      
      realm access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K., Leggette, Wesley, Cilfone, Bart
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
Wang, Harris

Application Number

US13/288,116
Publication Number

US 20130117560A1
Time in Patent Office

796 Days
Field of Search

713/157
US Class Current

713/157
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 9/3265 using certificate chains, t...

Processing a dispersed storage network access request utilizing certificate chain validation information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Processing a dispersed storage network access request utilizing certificate chain validation information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links