Secure isolation of tenant resources in a multi-tenant storage system using a security gateway

US 9,411,973 B2
Filed: 05/02/2013
Issued: 08/09/2016
Est. Priority Date: 05/02/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A method of handling a client request in a hierarchical multi-tenant data storage system, the method comprising:

processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;

extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request;

extracting authentication signatures or credentials that correspond to a level in the hierarchy;

for a first level in the hierarchy, spawning a dedicated subtenant authenticator;

for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator, wherein the dedicated subtenant authenticator is privileged to validate credentials for a subtenant at only the first level; and

receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Machines, systems and methods for handling a client request in a hierarchical multi-tenant data storage system, the method comprising processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant; extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request; extracting authentication signatures or credentials that correspond to a level in the hierarchy; for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.

Citations

6 Claims

1. A method of handling a client request in a hierarchical multi-tenant data storage system, the method comprising:
- processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;
  
  extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request;
  
  extracting authentication signatures or credentials that correspond to a level in the hierarchy;
  
  for a first level in the hierarchy, spawning a dedicated subtenant authenticator;
  
  for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator, wherein the dedicated subtenant authenticator is privileged to validate credentials for a subtenant at only the first level; and
  
  receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
- View Dependent Claims (2)
- - 2. The method of claim 1, wherein in response to receiving a confirmation that the request is authentic, the request is forwarded to one or more entities having a dedicated subtenant privilege for accessing a subset of the subtenant resources.

3. A computer system comprising:
- one or more processors;
  
  one or more non-transitory computer readable storage media;
  
  computer program instructions;
  
  the computer program instructions being stored on the one or more non-transitory computer readable storage media;
  
  the computer program instructions comprising instructions to;
  
  process a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;
  
  extract a claimed n-level hierarchy of a tenant and sub-tenant identities from the requestextract authentication signatures or credentials that correspond to a level in the hierarchy;
  
  for a first level in the hierarchy, spawn a dedicated subtenant authenticator;
  
  for the first level in the hierarchy, send the request to dedicated subtenant authenticator, wherein the dedicated subtenant authenticator is privileged to validate credentials for a subtenant at only the first level; and
  
  receive a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
- View Dependent Claims (4)
- - 4. The system of claim 3, wherein in response to receiving a confirmation that the request is authentic, the request is forwarded to one or more entities having a dedicated subtenant privilege for accessing a subset of the subtenant resources.

5. A computer program product comprising logic code embedded in a non-transitory data storage medium for maintaining resource isolation in a multi-tenant computing system, wherein execution of the logic code on a computer causes the computer to:
- process a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant;
  
  extract a claimed n-level hierarchy of a tenant and sub-tenant identities from the request;
  
  extract authentication signatures or credentials that correspond to a level in the hierarchy;
  
  for a first level in the hierarchy, spawn a dedicated subtenant authenticator;
  
  for the first level in the hierarchy, send the request to dedicated subtenant authenticator, wherein the dedicated subtenant authenticator is privileged to validate credentials for a subtenant at only the first level; and
  
  receive a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
- View Dependent Claims (6)
- - 6. The computer program product of claim 5, wherein in response to receiving a confirmation that the request is authentic, the request is forwarded to one or more entities having a dedicated subtenant privilege for accessing a subset of the subtenant resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Factor, Michael E., Hadas, David, Kolodner, Elliot K., Kurmus, Anil, Shulman-Peleg, Alexandra, Sorniotti, Alessandro
Primary Examiner(s)
MORRISON, JAY A

Application Number

US13/875,301
Publication Number

US 20140330869A1
Time in Patent Office

1,195 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 16/182   Distributed file systems

G06F 21/6218   to a system of files or obj...

G06F 21/6281   at program execution time, ...

G06F 2221/2145   Inheriting rights or proper...

G06F 9/00   Arrangements for program co...

G06F 9/46   Multiprogramming arrangements

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

Secure isolation of tenant resources in a multi-tenant storage system using a security gateway

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

6 Claims

Specification

Solutions

Use Cases

Quick Links

Secure isolation of tenant resources in a multi-tenant storage system using a security gateway

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

6 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links