Access control in a dispersed storage network

US 9,092,148 B2
Filed: 03/24/2014
Issued: 07/28/2015
Est. Priority Date: 03/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprises:

dispersed storage error encoding data in accordance with dispersed storage error encoding parameters to produce a plurality of sets of encoded data slices;

determining access control information for the plurality of sets of encoded data slices;

determining whether one or more encoded data slices of the plurality of sets of encoded data slices has individual access control information;

when the one or more encoded data slices has individual access control information;

creating a plurality of sets of appended slices by;

appending corresponding individual access control information to each of the one or more encoded data slices;

appending a representation of the access control information to remaining encoded data slices of the plurality of sets of encoded data slices; and

outputting the plurality of sets of appended slices to storage units of a dispersed storage network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins dispersed storage error encoding data in accordance with dispersed storage error encoding parameters to produce a plurality of set of encoded data slices. The method continues by determining access control information for the plurality of sets of encoded data slices. The method continues by determining whether one or more encoded data slices of the plurality of sets of encoded data slices has individual access control information. The method continues when the one or more encoded data slices has individual access control information by creating a plurality of sets of appended slices, which is done by appending corresponding individual access control information to each of the one or more encoded data slices and appending a representation of the access control information to remaining encoded data slices of the plurality of sets of encoded data slices. The method continues by outputting the appended slices.

Citations

19 Claims

1. A method comprises:
- dispersed storage error encoding data in accordance with dispersed storage error encoding parameters to produce a plurality of sets of encoded data slices;
  
  determining access control information for the plurality of sets of encoded data slices;
  
  determining whether one or more encoded data slices of the plurality of sets of encoded data slices has individual access control information;
  
  when the one or more encoded data slices has individual access control information;
  
  creating a plurality of sets of appended slices by;
  
  appending corresponding individual access control information to each of the one or more encoded data slices;
  
  appending a representation of the access control information to remaining encoded data slices of the plurality of sets of encoded data slices; and
  
  outputting the plurality of sets of appended slices to storage units of a dispersed storage network.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the representation of the access control information comprises at least one of:
    - the access control information; and
      
      a set of access control data derived from the access control information.
  - 3. The method of claim 1, wherein the individual access control information comprises at least one of:
    - access control information regarding access to a unique encoded data slice of the plurality of sets of encoded data slices; and
      
      access control information regarding access to a subset of encoded data slices of the plurality of sets of encoded data slices.
  - 4. The method of claim 1 further comprises:
    - when the one or more encoded data slices does not have individual access control information;
      
      creating the plurality of sets of appended slices by appending the representation of the access control information to the plurality of sets of encoded data slices; and
      
      outputting the plurality of sets of appended slices to the storage units.
  - 5. The method of claim 1, wherein the access control information comprises at least one of:
    - a set of requester identifiers allowed to access the data,a set of requester identifiers disallowed to access the data,one or more requester identifiers allowed to access an encoded data slice of the set of encoded data slices associated with an allowed slice name,one or more requester identifiers disallowed to access the encoded data slice of the set of encoded data slices associated with a disallowed slice name,a read privilege indicator on a per requester identifier basis or on a set of requester identifiers basis;
      
      a write privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a replace privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a modify privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a delete privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a list privilege indicator on the per requester identifier basis or on the set of requester identifiers basis; and
      
      a rebuild privilege indicator on the per requester identifier basis or on the set of requester identifiers basis.
  - 6. The method of claim 1, wherein the determining the access control information comprises at least one of:
    - receiving the access control information as part of a data storage request regarding the data; and
      
      retrieving the access control information based on at least one of a data identifier, a requester identifier, a data type, an analysis of the data, a priority indicator, a security indicator, a performance indicator, a vault lookup, a list, a command, a message, and a predetermination.

7. A computing device comprises:
- an interface;
  
  memory; and
  
  a processing module operably coupled to the interface and the memory, wherein the processing module is operable to;
  
  dispersed storage error encode data in accordance with dispersed storage error encoding parameters to produce a plurality of sets of encoded data slices;
  
  determine access control information for the plurality of sets of encoded data slices;
  
  determine whether one or more encoded data slices of the plurality of sets of encoded data slices has individual access control information;
  
  when the one or more encoded data slices has individual access control information;
  
  create a plurality of sets of appended slices by;
  
  appending corresponding individual access control information to each of the one or more encoded data slices;
  
  appending a representation of the access control information to remaining encoded data slices of the plurality of sets of encoded data slices; and
  
  output, via the interface, the plurality of sets of appended slices to storage units of a dispersed storage network.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computing device of claim 7, wherein the representation of the access control information comprises at least one of:
    - the access control information; and
      
      a set of access control data derived from the access control information.
  - 9. The computing device of claim 7, wherein the individual access control information comprises at least one of:
    - access control information regarding access to a unique encoded data slice of the plurality of sets of encoded data slices; and
      
      access control information regarding access to a subset of encoded data slices of the plurality of sets of encoded data slices.
  - 10. The computing device of claim 7, wherein the processing module is further operable to:
    - when the one or more encoded data slices does not have individual access control information;
      
      creating the plurality of sets of appended slices by appending the representation of the access control information to the plurality of sets of encoded data slices; and
      
      outputting the plurality of sets of appended slices to the storage units.
  - 11. The computing device of claim 7, wherein the access control information comprises at least one of:
    - a set of requester identifiers allowed to access the data,a set of requester identifiers disallowed to access the data,one or more requester identifiers allowed to access an encoded data slice of the set of encoded data slices associated with an allowed slice name,one or more requester identifiers disallowed to access the encoded data slice of the set of encoded data slices associated with a disallowed slice name,a read privilege indicator on a per requester identifier basis or on a set of requester identifiers basis;
      
      a write privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a replace privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a modify privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a delete privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a list privilege indicator on the per requester identifier basis or on the set of requester identifiers basis; and
      
      a rebuild privilege indicator on the per requester identifier basis or on the set of requester identifiers basis.
  - 12. The computing device of claim 7, wherein the processing module is further operable to determine the access control information by at least one of:
    - receiving the access control information as part of a data storage request regarding the data; and
      
      retrieving the access control information based on at least one of a data identifier, a requester identifier, a data type, an analysis of the data, a priority indicator, a security indicator, a performance indicator, a vault lookup, a list, a command, a message, and a predetermination.

13. A computer readable memory device comprises:
- a first memory section that stores operational instructions that, when executed by a processing module of a first computing device, causes the processing module of the first computing device to;
  
  dispersed storage error encode data in accordance with dispersed storage error encoding parameters to produce a plurality of sets of encoded data slices;
  
  a second memory section that stores operational instructions that, when executed by the processing module of the first computing device, causes the processing module of the first computing device to;
  
  determine access control information for the plurality of sets of encoded data slices;
  
  determine whether one or more encoded data slices of the plurality of sets of encoded data slices has individual access control information;
  
  when the one or more encoded data slices has individual access control information;
  
  create a plurality of sets of appended slices by;
  
  appending corresponding individual access control information to each of the one or more encoded data slices;
  
  appending a representation of the access control information to remaining encoded data slices of the plurality of sets of encoded data slices; and
  
  output, via interface of the first computing device, the plurality of sets of appended slices to storage units of a dispersed storage network; and
  
  a third memory section that stores operational instructions that, when executed by a processing module of a second computing device, causes the processing module of the second computing device to;
  
  receive a slice access request message that includes a slice name, a type of access request, and a requester identifier (ID) regarding an encoded data slice of the plurality of sets of encoded data slices;
  
  obtain access control information for the encoded data slice based on at least one of the slice name and the requester ID;
  
  determine whether the slice access request message is allowable based on the access control information for the encoded data slice; and
  
  when the slice access request message is allowable, accessing the encoded data slice in accordance with the slice access request message.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The computer readable memory device of claim 13, wherein the third memory section further stores operational instructions that, when executed by the processing module of the second computing device, causes the processing module of the second computing device to:
    - output, via an interface of the second computing device, a slice access denial response message when the slice access request message compares is not allowable.
  - 15. The computer readable memory device of claim 13, wherein the representation of the access control information comprises at least one of:
    - the access control information; and
      
      a set of access control data derived from the access control information.
  - 16. The computer readable memory device of claim 13, wherein the individual access control information comprises at least one of:
    - access control information regarding access to a unique encoded data slice of the plurality of sets of encoded data slices; and
      
      access control information regarding access to a subset of encoded data slices of the plurality of sets of encoded data slices.
  - 17. The computer readable memory device of claim 13, wherein the second memory section further stores operational instructions that, when executed by the processing module of the first computing device, causes the processing module of the first computing device to:
    - when the one or more encoded data slices does not have individual access control information;
      
      creating the plurality of sets of appended slices by appending the representation of the access control information to the plurality of sets of encoded data slices; and
      
      outputting the plurality of sets of appended slices to the storage units.
  - 18. The computer readable memory device of claim 13, wherein the access control information comprises at least one of:
    - a set of requester identifiers allowed to access the data,a set of requester identifiers disallowed to access the data,one or more requester identifiers allowed to access an encoded data slice of the set of encoded data slices associated with an allowed slice name,one or more requester identifiers disallowed to access the encoded data slice of the set of encoded data slices associated with a disallowed slice name,a read privilege indicator on a per requester identifier basis or on a set of requester identifiers basis;
      
      a write privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a replace privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a modify privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a delete privilege indicator on the per requester identifier basis or on the set of requester identifiers basis;
      
      a list privilege indicator on the per requester identifier basis or on the set of requester identifiers basis; and
      
      a rebuild privilege indicator on the per requester identifier basis or on the set of requester identifiers basis.
  - 19. The computer readable memory device of claim 13, wherein the second memory section further stores operational instructions that, when executed by the processing module of the first computing device, causes the processing module of the first computing device to determine the access control information by at least one of:
    - receiving the access control information as part of a data storage request regarding the data; and
      
      retrieving the access control information based on at least one of a data identifier, a requester identifier, a data type, an analysis of the data, a priority indicator, a security indicator, a performance indicator, a vault lookup, a list, a command, a message, and a predetermination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Leggette, Wesley
Primary Examiner(s)
Verbrugge, Kevin

Application Number

US14/223,219
Publication Number

US 20140208396A1
Time in Patent Office

491 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 11/2094   Redundant storage or storag...

G06F 12/1425   the protection being physic...

G06F 3/0619   in relation to data integri...

G06F 3/0638   Organizing or formatting or...

G06F 3/0689   Disk arrays, e.g. RAID, JBOD

H04L 63/10   for controlling access to d...

Access control in a dispersed storage network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Access control in a dispersed storage network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links