Controlling access in a dispersed storage network

US 9,390,283 B2
Filed: 01/30/2015
Issued: 07/12/2016
Est. Priority Date: 04/02/2014
Status: Expired due to Fees

First Claim

Patent Images

1. A method for execution by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), the method comprises:

receiving, by a set of storage units, a plurality of sets of access requests from a plurality of requesting devices, wherein a requesting device of the plurality of requesting device generates a set of access requests of the plurality of sets of access requests regarding a particular type of data access;

for a first storage unit of the set of storage units;

receiving a first access request from each set of access requests of the plurality of access requests to produce a group of first access requests;

extracting a unique identifier from each first access request of the group of first access requests to produce a first group of unique identifiers;

for a unique identifier of the first group of unique identifiers, performing a deterministic function on the unique identifier to produce a first obfuscated identifier;

seeking a first obfuscated access permissions list based on the first obfuscated identifier;

when the first obfuscated access permissions list is found based on the first obfuscated identifier, recovering first access permissions from the first obfuscated access permissions list based on the first obfuscated identifier for a first requesting device of the plurality of requesting devices associated with the unique identifier of the first group of unique identifiers; and

processing the first access request for the first requesting device based on the recovered first access permissions; and

receiving, by the plurality of requesting devices, a set of access responses from the set of storage units for each set of access requests of the plurality of access requests for which a corresponding requesting device had favorable access permissions with at least a threshold number of storage units of the set of storage units.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a set of storage units of a dispersed storage network (DSN) receiving a set of access requests from a requesting device. The method continues with a first storage unit extracting a unique identifier from a first access request, performing a deterministic function on the unique identifier to produce a first obfuscated identifier, seeking a first obfuscated access permissions list, recovering first access permissions from the first obfuscated access permissions list, and processing the first access request based on the recovered first access permissions. The method continues with the requesting device receiving a set of access responses from the set of storage units for the set of access requests for which the requesting device had favorable access permissions with at least a threshold number of storage units.

Citations

18 Claims

1. A method for execution by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), the method comprises:
- receiving, by a set of storage units, a plurality of sets of access requests from a plurality of requesting devices, wherein a requesting device of the plurality of requesting device generates a set of access requests of the plurality of sets of access requests regarding a particular type of data access;
  
  for a first storage unit of the set of storage units;
  
  receiving a first access request from each set of access requests of the plurality of access requests to produce a group of first access requests;
  
  extracting a unique identifier from each first access request of the group of first access requests to produce a first group of unique identifiers;
  
  for a unique identifier of the first group of unique identifiers, performing a deterministic function on the unique identifier to produce a first obfuscated identifier;
  
  seeking a first obfuscated access permissions list based on the first obfuscated identifier;
  
  when the first obfuscated access permissions list is found based on the first obfuscated identifier, recovering first access permissions from the first obfuscated access permissions list based on the first obfuscated identifier for a first requesting device of the plurality of requesting devices associated with the unique identifier of the first group of unique identifiers; and
  
  processing the first access request for the first requesting device based on the recovered first access permissions; and
  
  receiving, by the plurality of requesting devices, a set of access responses from the set of storage units for each set of access requests of the plurality of access requests for which a corresponding requesting device had favorable access permissions with at least a threshold number of storage units of the set of storage units.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprises:
    - for a second storage unit of the set of storage units;
      
      receiving a second access request from each set of access requests of the plurality of access requests to produce a group of second access requests;
      
      extracting a unique identifier from each second access request of the group of second access requests to produce a second group of unique identifiers;
      
      for a unique identifier of the second group of unique identifiers, performing the deterministic function on the unique identifier of the second group of unique identifiers to produce a second obfuscated identifier;
      
      seeking a second obfuscated access permissions list based on the second obfuscated identifier;
      
      when the second obfuscated access permissions list is found based on the second obfuscated identifier, recovering second access permissions from the second obfuscated access permissions list based on the second obfuscated identifier for a second requesting device of the plurality of requesting devices associated with the unique identifier of the second group of unique identifiers; and
      
      processing the second access request for the second requesting device based on the recovered second access permissions.
  - 3. The method of claim 1, wherein the performing the deterministic function comprises one or more of:
    - performing a hash function on the unique identifier;
      
      performing a hash based message authentication code function on the unique identifier;
      
      performing a mask generating function on the unique identifier;
      
      performing a sponge function on the unique identifier; and
      
      performing a cyclic redundancy check function on the unique identifier.
  - 4. The method of claim 1 further comprises:
    - the first access request including a read request; and
      
      the threshold number corresponding to a read threshold number.
  - 5. The method of claim 1 further comprises:
    - the first access request including a write request; and
      
      the threshold number corresponding to a write threshold number.
  - 6. The method of claim 1 further comprises:
    - when the first obfuscated access permissions list is not found, sending a rejection response or ignoring the first access request.
  - 7. The method of claim 1 further comprises:
    - when the first obfuscated access permissions list is found, determining whether the first requesting device has permission for the first access request based on the recovered first access permissions.
  - 8. The method of claim 1 further comprises:
    - for the first storage unit of the set of storage units;
      
      for a second unique identifier of the first group of unique identifiers, performing the deterministic function on the second unique identifier to produce a second obfuscated identifier;
      
      seeking a second obfuscated access permissions list based on the second obfuscated identifier;
      
      when the second obfuscated access permissions list is found based on the second obfuscated identifier, recovering second access permissions from the second obfuscated access permissions list based on the second obfuscated identifier for a second requesting device of the plurality of requesting devices associated with the second unique identifier of the first group of unique identifiers; and
      
      processing a second access request for the second requesting device based on the recovered second access permissions.
  - 9. The method of claim 8, wherein the seeking the second obfuscated access permissions list comprises:
    - determining whether the second obfuscated identifier references the first obfuscated access permissions list; and
      
      when the second obfuscated identifier does reference the first obfuscated access permissions list, recovering the second access permissions from the first obfuscated access permissions list based on the second obfuscated identifier.

10. A computer readable storage medium comprises:
- at least one memory section that stores operational instructions that, when executed by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), causes the one or more computing devices to;
  
  receive, by a set of storage units, a plurality of sets of access requests from a plurality of requesting devices, wherein a requesting device of the plurality of requesting device generates a set of access requests of the plurality of sets of access requests regarding a particular type of data access;
  
  for a first storage unit of the set of storage units;
  
  receive a first access request from each set of access requests of the plurality of access requests to produce a group of first access requests;
  
  extract a unique identifier from each first access request of the group of first access requests to produce a first group of unique identifiers;
  
  for a unique identifier of the first group of unique identifiers, perform a deterministic function on the unique identifier to produce a first obfuscated identifier;
  
  seek a first obfuscated access permissions list based on the first obfuscated identifier;
  
  when the first obfuscated access permissions list is found based on the first obfuscated identifier, recover first access permissions from the first obfuscated access permissions list based on the first obfuscated identifier for a first requesting device of the plurality of requesting devices associated with the unique identifier of the first group of unique identifiers; and
  
  process the first access request for the first requesting device based on the recovered first access permissions; and
  
  receive, by the plurality of requesting devices, a set of access responses from the set of storage units for each set of access requests of the plurality of access requests for which a corresponding requesting device had favorable access permissions with at least a threshold number of storage units of the set of storage units.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer readable storage medium of claim 10 further comprises:
    - the at least one memory section stores further operational instructions that, when executed by the one or more processing modules, causes the one or more computing devices of the DSN to;
      
      for a second storage unit of the set of storage units;
      
      receive a second access request from each set of access requests of the plurality of access requests to produce a group of second access requests;
      
      extract a unique identifier from each second access request of the group of second access requests to produce a second group of unique identifiers;
      
      for a unique identifier of the second group of unique identifiers, perform the deterministic function on the unique identifier of the second group of unique identifiers to produce a second obfuscated identifier;
      
      seek a second obfuscated access permissions list based on the second obfuscated identifier;
      
      when the second obfuscated access permissions list is found based on the second obfuscated identifier, recover second access permissions from the second obfuscated access permissions list based on the second obfuscated identifier for a second requesting device of the plurality of requesting devices associated with the unique identifier of the second group of unique identifiers; and
      
      process the second access request for the second requesting device based on the recovered second access permissions.
  - 12. The computer readable storage medium of claim 10, wherein the one or more processing modules functions to execute the operational instructions stored by the at least one memory section to cause the one or more computing devices of the DSN to perform the deterministic function by one or more of:
    - performing a hash function on the unique identifier;
      
      performing a hash based message authentication code function on the unique identifier;
      
      performing a mask generating function on the unique identifier;
      
      performing a sponge function on the unique identifier; and
      
      performing a cyclic redundancy check function on the unique identifier.
  - 13. The computer readable storage medium of claim 10 further comprises:
    - the first access request including a read request; and
      
      the threshold number corresponding to a read threshold number.
  - 14. The computer readable storage medium of claim 10 further comprises:
    - the first access request including a write request; and
      
      the threshold number corresponding to a write threshold number.
  - 15. The computer readable storage medium of claim 10 further comprises:
    - the at least one memory section stores further operational instructions that, when executed by the one or more processing modules, causes the one or more computing devices of the DSN to;
      
      when the first obfuscated access permissions list is not found, send a rejection response or ignore the first access request.
  - 16. The computer readable storage medium of claim 10 further comprises:
    - the at least one memory section stores further operational instructions that, when executed by the one or more processing modules, causes the one or more computing devices of the DSN to;
      
      when the first obfuscated access permissions list is found, determine whether the first requesting device has permission for the first access request based on the recovered first access permissions.
  - 17. The computer readable storage medium of claim 10 further comprises:
    - the at least one memory section stores further operational instructions that, when executed by the one or more processing modules, causes the one or more computing devices of the DSN to;
      
      for the first storage unit of the set of storage units;
      
      for a second unique identifier of the first group of unique identifiers, perform the deterministic function on the second unique identifier to produce a second obfuscated identifier;
      
      seek a second obfuscated access permissions list based on the second obfuscated identifier;
      
      when the second obfuscated access permissions list is found based on the second obfuscated identifier, recover second access permissions from the second obfuscated access permissions list based on the second obfuscated identifier for a second requesting device of the plurality of requesting devices associated with the second unique identifier of the first group of unique identifiers; and
      
      process a second access request for the second requesting device based on the recovered second access permissions.
  - 18. The computer readable storage medium of claim 17, wherein the one or more processing modules functions to execute the operational instructions stored by the at least one memory section to cause the one or more computing devices of the DSN to seek the second obfuscated access permissions list by:
    - determining whether the second obfuscated identifier references the first obfuscated access permissions list; and
      
      when the second obfuscated identifier does reference the first obfuscated access permissions list, recovering the second access permissions from the first obfuscated access permissions list based on the second obfuscated identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K., Leggette, Wesley
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US14/610,331
Publication Number

US 20150286833A1
Time in Patent Office

529 Days
Field of Search

726/29
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6254   by anonymising data, e.g. d...

G06F 21/6272   by registering files or doc...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

Controlling access in a dispersed storage network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access in a dispersed storage network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links