Storage array access control from cloud-based user authorization and authentication

US 9,444,822 B1
Filed: 05/29/2015
Issued: 09/13/2016
Est. Priority Date: 05/29/2015
Status: Active Grant

First Claim

Patent Images

1. A method of providing authorization and authentication in a cloud for a user of a storage array, the method comprising:

receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user,wherein the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user,wherein access privileges are defined in the cloud-based security module for a plurality of users with an association of each user with one of a plurality of profiles, each profile specifying access privileges for users associated with the profile, andwherein the plurality of profiles comprise at least one storage-array specific profile specifying access privileges for a single storage array and multi-array profiles specifying access privileges for a plurality of storage arrays;

receiving, by the storage array access module from the user, a user access request to one or more storage array services; and

determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing authorization and authentication in a cloud for a user of a storage array includes: receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user, where the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user; receiving, by the storage array access module from the user, a user access request to one or more storage array services; and determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.

367 Citations

16 Claims

1. A method of providing authorization and authentication in a cloud for a user of a storage array, the method comprising:
- receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user,wherein the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user,wherein access privileges are defined in the cloud-based security module for a plurality of users with an association of each user with one of a plurality of profiles, each profile specifying access privileges for users associated with the profile, andwherein the plurality of profiles comprise at least one storage-array specific profile specifying access privileges for a single storage array and multi-array profiles specifying access privileges for a plurality of storage arrays;
  
  receiving, by the storage array access module from the user, a user access request to one or more storage array services; and
  
  determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the cloud-based security module comprises a cloud identity provider (‘
    - IDP’
      
      ).
  - 3. The method of claim 1, wherein the cloud-based security module comprises a component of a cloud-based storage array services provider.
  - 4. The method of claim 1, wherein the cloud-based security module comprises a lightweight directory access protocol directory service.
  - 5. The method of claim 1, wherein:
    - access privileges are further defined in the storage array access module for the plurality of users; and
      
      determining whether to grant the user access request in dependence upon the authorized access privileges represented by the token includes determining whether to grant the user access request in dependence upon the access privileges defined in the storage array access module as well as the token.
  - 6. The method of claim 1, wherein the plurality of profiles comprise:
    - a read-only profile specifying, for users associated with the read only profile, read-only access privileges;
      
      a modify profile specifying, for users associated with the modify profile, read and modify access privileges; and
      
      an administrator profile specifying, for users associated with the administrator profile, all available access privileges.
  - 7. The method of claim 1, wherein the token further comprises data representing the authorized access privileges and a digital signature and determining whether to grant the user access request further comprises:
    - decrypting the digital signature using the public key of the cloud-based security module;
      
      hashing the data representing the authorized access privileges; and
      
      determining whether the hashed data matches the decrypted digital signature.

8. An apparatus for providing authorization and authentication in a cloud for a user of a storage array, the apparatus comprising a computer processor, a computer memory operatively coupled to the computer processor, the computer memory having disposed within it computer program instructions that, when executed by the computer processor, cause the apparatus to carry out the steps of:
- receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user,wherein the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user,wherein access privileges are defined in the cloud-based security module for a plurality of users with an association of each user with one of a plurality of profiles, each profile specifying access privileges for users associated with the profile, andwherein the plurality of profiles comprise at least one storage-array specific profile specifying access privileges for a single storage array and multi-array profiles specifying access privileges for a plurality of storage arrays;
  
  receiving, by the storage array access module from the user, a user access request to one or more storage array services; and
  
  determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The apparatus of claim 8, wherein the cloud-based security module comprises a cloud identity provider (‘
    - IDP’
      
      ).
  - 10. The apparatus of claim 8, wherein the cloud-based security module comprises a component of a cloud-based storage array services provider.
  - 11. The apparatus of claim 8, wherein:
    - access privileges are further defined in the storage array access module for the plurality of users; and
      
      determining whether to grant the user access request in dependence upon the authorized access privileges represented by the token includes determining whether to grant the user access request in dependence upon the access privileges defined in the storage array access module as well as the token.
  - 12. The apparatus of claim 8, wherein access privileges are defined in the cloud-based security module for a plurality of users with an association of each user with one of a plurality of profiles, each profile specifying access privileges for users associated with the profile.

13. A computer program product for providing authorization and authentication in a cloud for a user of a storage array, the computer program product disposed upon a non-transitory computer readable medium, the computer program product comprising computer program instructions that, when executed, cause a computer to carry out the steps of:
- receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user,wherein the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user,wherein access privileges are defined in the cloud-based security module for a plurality of users with an association of each user with one of a plurality of profiles, each profile specifying access privileges for users associated with the profile, andwherein the plurality of profiles comprise at least one storage-array specific profile specifying access privileges for a single storage array and multi-array profiles specifying access privileges for a plurality of storage arrays;
  
  receiving, by the storage array access module from the user, a user access request to one or more storage array services; and
  
  determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.
- View Dependent Claims (14, 15, 16)
- - 14. The computer program product of claim 13, wherein the cloud-based security module comprises a cloud identity provider (‘
    - IDP’
      
      ).
  - 15. The computer program product of claim 13, wherein the cloud-based security module comprises a component of a cloud-based storage array services provider.
  - 16. The computer program product of claim 13, wherein:
    - access privileges are further defined in the storage array access module for the plurality of users; and
      
      determining whether to grant the user access request in dependence upon the authorized access privileges represented by the token includes determining whether to grant the user access request in dependence upon the access privileges defined in the storage array access module as well as the token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Pure Storage, Inc.
Inventors
Borowiec, Benjamin P., Hu, Jimmy T., Miller, Ethan L., Noonan, Terence W., Sapuntzakis, Constantine P., Vachharajani, Neil A., Zuo, Daquan
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US14/726,449
Time in Patent Office

473 Days
Field of Search

726/4, 726/8, 726/9, 726/11, 726/15, 713/150, 713/193, 707/705
US Class Current

1/1
CPC Class Codes

G06F 9/45533   Hypervisors; Virtual machin...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/72   Signcrypting, i.e. digital ...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 67/1097   for distributed storage of ...

H04L 67/306   User profiles

H04L 9/30   Public key, i.e. encryption...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Storage array access control from cloud-based user authorization and authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

367 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Storage array access control from cloud-based user authorization and authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

367 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links