Secure isolation of tenant resources in a multi-tenant storage system using a security gateway
Abstract
Machines, systems and methods for handling a client request in a hierarchical multi-tenant data storage system, the method comprising processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant; extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request; extracting authentication signatures or credentials that correspond to a level in the hierarchy; for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
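The per-level check the abstract describes, as an added example that is not taken from the patent. The HMAC-SHA256 credential scheme, the request fields (`path`, `sigs`, `body`), the `KEY_STORE` contents and all function and class names are assumptions; the authenticator class stands in for a separately spawned, lower-privileged process.

```python
import hashlib
import hmac

# Constructed sample secrets, one per position in the tenant hierarchy.
# Stand-in for per-subtenant secret storage that the gateway cannot read.
KEY_STORE = {
    ("acme",): b"k-acme",
    ("acme", "eu"): b"k-acme-eu",
    ("acme", "eu", "team7"): b"k-acme-eu-team7",
}

def _mac(key, prefix, body):
    # Each level signs its own hierarchy prefix plus the request body.
    msg = "/".join(prefix).encode() + b"\n" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class SubtenantAuthenticator:
    """Holds the credential of exactly one level, nothing above or below."""

    def __init__(self, prefix):
        self.prefix = tuple(prefix)
        self._key = KEY_STORE.get(self.prefix)  # None: unknown subtenant

    def confirm(self, body, signature):
        if self._key is None:
            return False
        expected = _mac(self._key, self.prefix, body)
        return hmac.compare_digest(expected.encode(), str(signature).encode())

def sign(prefix, body):
    """Client-side helper, used only to build constructed sample requests."""
    return _mac(KEY_STORE[tuple(prefix)], prefix, body)

def handle_request(request):
    """Gateway: one subtask per claimed level, rejecting on first failure."""
    path, sigs, body = request["path"], request["sigs"], request["body"]
    if not path or len(path) != len(sigs):
        return False  # every claimed level must carry its own credential
    for depth, sig in enumerate(sigs, start=1):
        authenticator = SubtenantAuthenticator(path[:depth])  # spawned per level
        if not authenticator.confirm(body, sig):
            return False
    return True

if __name__ == "__main__":
    path, body = ["acme", "eu", "team7"], b"GET /bucket/report.csv"  # constructed
    sigs = [sign(path[:d], body) for d in (1, 2, 3)]
    print(handle_request({"path": path, "sigs": sigs, "body": body}))
```

Because each authenticator is built with a single key, a compromise of one level's authenticator exposes only that subtenant's credential.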
6 Claims
1. A method of handling a client request in a hierarchical multi-tenant data storage system, the method comprising:
processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;
extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request;
extracting authentication signatures or credentials that correspond to a level in the hierarchy;
for a first level in the hierarchy, spawning a dedicated subtenant authenticator;
for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator, wherein the dedicated subtenant authenticator is privileged to validate credentials for a subtenant at only the first level; and
receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
3. A computer system comprising:
one or more processors;
one or more non-transitory computer readable storage media;
computer program instructions;
the computer program instructions being stored on the one or more non-transitory computer readable storage media;
the computer program instructions comprising instructions to:
process a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;
extract a claimed n-level hierarchy of a tenant and sub-tenant identities from the request;
extract authentication signatures or credentials that correspond to a level in the hierarchy;
for a first level in the hierarchy, spawn a dedicated subtenant authenticator;
for the first level in the hierarchy, send the request to dedicated subtenant authenticator, wherein the dedicated subtenant authenticator is privileged to validate credentials for a subtenant at only the first level; and
receive a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
5. A computer program product comprising logic code embedded in a non-transitory data storage medium for maintaining resource isolation in a multi-tenant computing system, wherein execution of the logic code on a computer causes the computer to:
process a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;
extract a claimed n-level hierarchy of a tenant and sub-tenant identities from the request;
extract authentication signatures or credentials that correspond to a level in the hierarchy;
for a first level in the hierarchy, spawn a dedicated subtenant authenticator;
for the first level in the hierarchy, send the request to dedicated subtenant authenticator, wherein the dedicated subtenant authenticator is privileged to validate credentials for a subtenant at only the first level; and
receive a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
Specification