Updating dispersed storage network access control information

US 8,782,086 B2
Filed: 04/14/2010
Issued: 07/15/2014
Est. Priority Date: 08/27/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprises:

receiving, by each dispersed storage (DS) of a set of DS units of a distributed computing system, a corresponding one of a set of access requests regarding a set of error coded data slices, wherein a data segment is encoded using an error coding algorithm to produce the set of error coded data slices, wherein each DS unit of the set of DS units stores a corresponding error coded data slice of the set of error coded data slices, wherein the corresponding one of the set of access requests is regarding the corresponding error coded data slice of the set of error coded data slices;

determining, via a computing core of each DS unit of the set of DS units, whether a local access control list is fresh with respect to the corresponding encoded data slices of the set of encoded data slices, wherein the local access control list includes access permissions;

when, for one of the set of DS units, the local access control list is not fresh with respect to a corresponding one or more of the encoded data slices;

requesting, by the one of the set of DS units, a fresh access control list from a DS managing unit, wherein the DS managing unit maintains an access control list for the distributed computing system;

storing, by the one of the set of DS units, the fresh access control list as the local access control list;

verifying, by each of the DS units in the set of DS units, the corresponding one of the set of access requests in accordance with the access permissions of corresponding local access control lists; and

executing, by the computing core of each of the DS units in the set of DS units, the corresponding one of the set of access requests regarding the corresponding error coded data slice when the corresponding one of the set of access requests are verified.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a dispersed storage network where slices of secure user data are stored on geographically separated storage units, a managing unit connected to the network may seek to broadcast and update secure access control list information across the network. Upon a target device receiving the broadcast the target device creates and sends an access control list change notification message to all other system devices that should have received the same broadcast if the broadcast is a valid request to update access control list information. The target device waits for responses from the other system devices to validate that the broadcast has been properly sent to a threshold number of other system devices before taking action to operationally change local data in accordance with the broadcast.

106 Citations

View as Search Results

13 Claims

1. A method comprises:
- receiving, by each dispersed storage (DS) of a set of DS units of a distributed computing system, a corresponding one of a set of access requests regarding a set of error coded data slices, wherein a data segment is encoded using an error coding algorithm to produce the set of error coded data slices, wherein each DS unit of the set of DS units stores a corresponding error coded data slice of the set of error coded data slices, wherein the corresponding one of the set of access requests is regarding the corresponding error coded data slice of the set of error coded data slices;
  
  determining, via a computing core of each DS unit of the set of DS units, whether a local access control list is fresh with respect to the corresponding encoded data slices of the set of encoded data slices, wherein the local access control list includes access permissions;
  
  when, for one of the set of DS units, the local access control list is not fresh with respect to a corresponding one or more of the encoded data slices;
  
  requesting, by the one of the set of DS units, a fresh access control list from a DS managing unit, wherein the DS managing unit maintains an access control list for the distributed computing system;
  
  storing, by the one of the set of DS units, the fresh access control list as the local access control list;
  
  verifying, by each of the DS units in the set of DS units, the corresponding one of the set of access requests in accordance with the access permissions of corresponding local access control lists; and
  
  executing, by the computing core of each of the DS units in the set of DS units, the corresponding one of the set of access requests regarding the corresponding error coded data slice when the corresponding one of the set of access requests are verified.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein an access request of the set of access requests comprises one of:
    - a dispersed data write operation that instructs the DS unit to store the error coded data slice; and
      
      a dispersed data read operation that instructs the DS unit to read and output the error coded data slice.
  - 3. The method of claim 1 wherein the verifying the corresponding one of the set of access requests comprises:
    - sending, by the one of the set of DS units, an update notification to other DS units of the set of DS units regarding the fresh access control list;
      
      utilizing, by the one of the set of DS units, responses from at least some of the other DS units of the set of units to verify the fresh access control list; and
      
      utilizing, by one or more of the other DS units, the update notification regarding the fresh access control list to verify that a local DS unit access control list is correspondingly fresh.
  - 4. The method of claim 1, wherein the determining whether the local access control list is fresh comprises at least one of:
    - when a passage of time exceeds a threshold time since a last storage of the local access control list;
      
      verifying a checksum corresponding to the local access control list;
      
      verifying signatures; and
      
      detecting setting of one or more dirty bits of the local access control list.
  - 5. The method of claim 1 wherein the access permissions comprises:
    - a plurality of permissions in a permission list that indicates which valid users can perform which valid operations within a dispersed storage network.
  - 6. The method of claim 1 wherein the requesting the fresh access control list comprises:
    - sending a permissions list request based on at least one of a signed certificate from a certificate authority and private key of the one of the set of DS units.
  - 7. The method of claim 1 wherein the set of DS units comprises:
    - at least a read threshold number of DS units.

8. A dispersed storage (DS) unit of a set of DS units in a distributed computing system, the DS unit comprises:
- a network interface;
  
  memory; and
  
  a processing module operable to;
  
  receive, via the network interface, a corresponding one of a set of access requests regarding a corresponding one of a set of error coded data slices, wherein a data segment is encoded using an error coding algorithm to produce the set of error coded data slices, wherein each DS unit of the set of DS units stores a corresponding error coded data slice of the set of error coded data slices, wherein the corresponding one of the set of access requests is regarding the corresponding error coded data slice of the set of error coded data slices;
  
  determine whether a local access control list is fresh with respect to the corresponding one of the set of error coded data slices, wherein the local access control list includes access permissions;
  
  when, the local access control list is not fresh with respect to a corresponding one or more of the encoded data slices;
  
  request a fresh access control list from a DS managing unit, wherein the DS managing unit maintains an access control list for the distributed computing system;
  
  store the fresh access control list as the local access control list;
  
  verify the corresponding one of the set of access requests in accordance with the access permissions of the local access control lists; and
  
  execute the corresponding one of the set of access requests regarding the corresponding error coded data slice when the corresponding one of the set of access requests is verified.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The DS unit of claim 8, wherein the corresponding one of the set of access requests comprises one of:
    - a dispersed data write operation that instructs the DS unit to store the corresponding one of the set of error coded data slices.
  - 10. The DS unit of claim 8, wherein the processing module is further operable to verify the corresponding one of the set of access requests by:
    - sending, via the network interface, an update notification to other DS units of the set of DS units regarding the fresh access control list; and
      
      utilizing responses from at least some of the other DS units of the set of units to verify the fresh access control list.
  - 11. The DS unit of claim 8, wherein the processing module is further operable to determining whether the local access control list is fresh comprises at least one of:
    - when a passage of time exceeds a threshold time since a last storage of the local access control list;
      
      verifying a checksum corresponding to the local access control list;
      
      verifying signatures; and
      
      detecting setting of one or more dirty bits of the local access control list.
  - 12. The DS unit of claim 8, wherein the access permissions comprises:
    - a plurality of permissions in a permission list that indicates which valid users can perform which valid operations within a dispersed storage network.
  - 13. The DS unit of claim 8, wherein the processing module is further operable to request the fresh access control list by:
    - sending a permissions list request based on at least one of a signed certificate from a certificate authority and private key of the DS unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K.
Primary Examiner(s)
CHANNAVAJJALA, SRIRAMA T

Application Number

US12/759,703
Publication Number

US 20110055277A1
Time in Patent Office

1,553 Days
Field of Search

707802-805, 707/813, 707821-829, 707783-787, 714 1- 3, 714 41- 421, 714/6.22, 714/6.24, 714/819, 711/114, 711/154, 711162-163, 709203-206, 709220-224
US Class Current

707/785
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 11/1024   Identification of the type ...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 12/1483   using an access-table, e.g....

G06F 13/00   Interconnection of, or tran...

G06F 15/16   Combinations of two or more...

G06F 16/00   Information retrieval; Data...

G06F 21/44   Program or device authentic...

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

H04L 9/32   including means for verifyi...

H04L 9/3297   involving time stamps, e.g....

Updating dispersed storage network access control information

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Updating dispersed storage network access control information

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links