System and method for secure multi-tenancy in an operating system of a storage system

US 9,471,803 B2
Filed: 08/07/2014
Issued: 10/18/2016
Est. Priority Date: 08/07/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing secure multi-tenancy in a storage system, the method comprising:

creating, by a secure multi-tenancy (SMT) engine executed by a processor, a set of tenant-units (TUs), wherein each of the TUs is associated with a tenant, each TU representing a user group, each user group having a plurality of users associated with the tenant;

associating by the SMT engine one or more file system management objects (FSMOs) with one or more TUs of the set of TUs, wherein each FSMO contains namespace information of a particular tenant;

associating by the SMT engine one or more users with one or more TUs of the set of TUs;

maintaining, by a protocol engine executed by the processor, a protocol config-metadata store based on the association of one or more FSMOs with one or more TUs, and further based on the association of one or more users with one or more TUs;

in response to a first request from a first user to access a first FSMO of a first TU;

determining by the protocol engine whether the first user is authorized to access the first FSMO based on information of the protocol config-metadata store, including identifying a set of one or more TUs that are associated with the first user, determining whether the first TU is included in the set of one or more TUs, determining whether the first FSMO is included in a set of one or more FSMOs that are associated with the first TU, in response to determining that the first TU is included in the set of TUs associated with the first user;

in response to the protocol config-metadata store indicating the first user is authorized to access the first FSMO, allowing the first user to access the first FSMO; and

in response to a second request from the first user to perform a first operation on a first object;

determining whether the first user is authorized to perform the first operation by obtaining a first set of one or more operation IDs associated with the first user from a security config-metadata store and determining an operation ID identifying the requested first operation matches at least one of the operation IDs in the first set of one or more operation IDs obtained from the security config-metadata store.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary methods for providing secure multi-tenancy in a Purpose Built Backup Appliance include creating a set of tenant-units (TUs), associating file system management objects (FSMOs) and users with the TUs. The methods further include maintaining a protocol config-metadata store based on the association of the FSMOs and users with the TUs. In one embodiment, in response to a first request from a first user to access a first FSMO of a first TU, the methods include determining whether the first user is authorized to access the first FSMO based on information of the protocol config-metadata store, and in response to the protocol config-metadata store indicating the first user is authorized to access the first FSMO, allowing the first user to access the first FSMO.

11 Citations

21 Claims

1. A computer-implemented method for providing secure multi-tenancy in a storage system, the method comprising:
- creating, by a secure multi-tenancy (SMT) engine executed by a processor, a set of tenant-units (TUs), wherein each of the TUs is associated with a tenant, each TU representing a user group, each user group having a plurality of users associated with the tenant;
  
  associating by the SMT engine one or more file system management objects (FSMOs) with one or more TUs of the set of TUs, wherein each FSMO contains namespace information of a particular tenant;
  
  associating by the SMT engine one or more users with one or more TUs of the set of TUs;
  
  maintaining, by a protocol engine executed by the processor, a protocol config-metadata store based on the association of one or more FSMOs with one or more TUs, and further based on the association of one or more users with one or more TUs;
  
  in response to a first request from a first user to access a first FSMO of a first TU;
  
  determining by the protocol engine whether the first user is authorized to access the first FSMO based on information of the protocol config-metadata store, including identifying a set of one or more TUs that are associated with the first user, determining whether the first TU is included in the set of one or more TUs, determining whether the first FSMO is included in a set of one or more FSMOs that are associated with the first TU, in response to determining that the first TU is included in the set of TUs associated with the first user;
  
  in response to the protocol config-metadata store indicating the first user is authorized to access the first FSMO, allowing the first user to access the first FSMO; and
  
  in response to a second request from the first user to perform a first operation on a first object;
  
  determining whether the first user is authorized to perform the first operation by obtaining a first set of one or more operation IDs associated with the first user from a security config-metadata store and determining an operation ID identifying the requested first operation matches at least one of the operation IDs in the first set of one or more operation IDs obtained from the security config-metadata store.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein determining whether the first user is authorized to access the first FSMO comprises:
    - obtaining a first TU ID associated with the first user from the protocol config-metadata store, wherein the first TU ID identifies the first TU;
      
      obtaining a first set of one or more FSMO IDs associated with the first TU ID from the protocol config-metadata store; and
      
      determining the first user is authorized to access the first FSMO in response to determining a first FSMO ID identifying the requested first FSMO matches at least one FSMO ID of the first set of one or more FSMO IDs obtained from the protocol config-metadata store.
  - 3. The method of claim 1, further comprising:
    - in response to IM second request from the first user to perform the first operation on the first object, determining whether the first user is a system administrator; and
      
      in response to determining the first user is not the system administrator, determining whether the first user is authorized to access the first object on which the first operation is to be performed.
  - 4. The method of claim 3, wherein determining whether the first user is authorized to access the first object on which the first operation is to be performed comprises:
    - obtaining a second TU ID associated with the first user from a security config-metadata store;
      
      obtaining a first set of one or more object IDs associated with the second TU ID from an object-to-TU config-metadata store;
      
      determining the first user is authorized to access the first object on which the first operation is to be performed in response to determining an object ID identifying the first object matches at least one of the object IDs in the first set of one or more object IDs obtained from the object-to-TU config-metadata store.
  - 5. The method of claim 1, wherein creating the set of tenant-units comprises creating a second TU by:
    - generating a third TU ID, wherein the third TU ID identifies the second TU; and
      
      storing a TU name of the second TU and the generated third TU ID in a TU config-metadata store.
  - 6. The method of claim 5, wherein associating one or more FSMOs with one or more TUs comprises associating a second FSMO with the second TU by:
    - obtaining the third TU ID from the TU config-metadata store;
      
      obtaining a second FSMO ID from a directory manager (DM) config-metadata store using a FSMO name of the second FSMO; and
      
      storing the third TU ID and the second FSMO ID in the protocol config-metadata store.
  - 7. The method of claim 5, wherein associating one or more users with one or more TUs comprises associating a second user with the second TU by:
    - obtaining the third TU ID from the TU config-metadata store;
      
      obtaining a second user ID from a security config-metadata store using a user name of the second user; and
      
      storing the third TU ID and the second user ID in the protocol config-metadata store.

8. A non-transitory computer-readable storage medium having computer code stored therein, which when executed by a processor, cause the processor to provide secure multi-tenancy by performing operations comprising:
- creating a set of tenant-units (TUs), wherein each of the TUs is associated with a tenant, each TU representing a user group, each user group having a plurality of users associated with the tenant;
  
  associating one or more file system management objects (FSMOs) with one or more TUs of the set of TUs, wherein each FSMO contains namespace information of a particular tenant;
  
  associating one or more users with one or more TUs of the set of TUs;
  
  maintaining a protocol config-metadata store based on the association of one or more FSMOs with one or more TUs, and further based on the association of one or more users with one or more TUs;
  
  in response to a first request from a first user to access a first FSMO of a first TU;
  
  determining whether the first user is authorized to access the first FSMO based on information of the protocol config-metadata store, including identifying a set of one or more TUs that are associated with the first user, determining whether the first TU is included in the set of one or more TUs, determining whether the first FSMO is included in a set of one or more FSMOs that are associated with the first TU, in response to determining that the first TU is included in the set of TUs associated with the first user;
  
  in response to the protocol config-metadata store indicating the first user is authorized to access the first FSMO, allowing the first user to access the first FSMO; and
  
  in response to a second request from the first user to perform a first operation on a first object;
  
  determining whether the first user is authorized to perform the first operation by obtaining a first set of one or more operation IDs associated with the first user from a security config-metadata store and determining an operation ID identifying the requested first operation matches at least one of the operation IDs in the first set of one or more operation IDs obtained from the security config-metadata store.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein determining whether the first user is authorized to access the first FSMO comprises:
    - obtaining a first TU ID associated with the first user from the protocol config-metadata store, wherein the first TU ID identifies the first TU;
      
      obtaining a first set of one or more FSMO IDs associated with the first TU ID from the protocol config-metadata store; and
      
      determining the first user is authorized to access the first FSMO in response to determining a first FSMO ID identifying the requested first FSMO matches at least one FSMO ID of the first set of one or more FSMO IDs obtained from the protocol config-metadata store.
  - 10. The non-transitory computer-readable storage medium of claim 8, further comprising:
    - in response to the second request from the first user to perform the first operation on the first object, determining whether the first user is a system administrator; and
      
      in response to determining the first user is not the system administrator, determining whether the first user is authorized to access the first object on which the first operation is to be performed.
  - 11. The non-transitory computer-readable storage medium of claim 10, wherein determining whether the first user is authorized to access the first object on which the first operation is to be performed comprises:
    - obtaining a second TU ID associated with the first user from a security config-metadata store;
      
      obtaining a first set of one or more object IDs associated with the second TU ID from an object-to-TU config-metadata store;
      
      determining the first user is authorized to access the first object on which the first operation is to be performed in response to determining an object ID identifying the first object matches at least one of the object IDs in the first set of one or more object IDs obtained from the object-to-TU config-metadata store.
  - 12. The non-transitory computer-readable storage medium of claim 8, wherein creating the set of tenant-units comprises creating a second TU by:
    - generating a third TU ID, wherein the third TU ID identifies the second TU; and
      
      storing a TU name of the second TU and the generated third TU ID in a TU config-metadata store.
  - 13. The non-transitory computer-readable storage medium of claim 12, wherein associating one or more FSMOs with one or more TUs comprises associating a second FSMO with the second TU by:
    - obtaining the third TU ID from the TU config-metadata store;
      
      obtaining a second FSMO ID from a directory manager (DM) config-metadata store using a FSMO name of the second FSMO; and
      
      storing the third TU ID and the second FSMO ID in the protocol config-metadata store.
  - 14. The non-transitory computer-readable storage medium of claim 12, wherein associating one or more users with one or more TUs comprises associating a second user with the second TU by:
    - obtaining the third TU ID from the TU config-metadata store;
      
      obtaining a second user ID from a security config-metadata store using a user name of the second user; and
      
      storing the third TU ID and the second user ID in the protocol config-metadata store.

15. A storage system, comprising:
- a set of one or more processors; and
  
  a non-transitory machine-readable storage medium containing code, which when executed by the set of one or more processors, cause the one or more processors to perform operations, the operations including creating a set of tenant-units (TUs), wherein each of the TUs is associated with a tenant, each TU representing a user group, each user group having a plurality of users associated with the tenant;
  
  associating one or more file system management objects (FSMOs) with one or more TUs of the set of TUs, wherein each FSMO contains namespace information of a particular tenant;
  
  associating one or more users with one or more TUs of the set of TUs;
  
  maintaining a protocol config-metadata store based on the association of one or more FSMOs with one or more TUs, and further based on the association of one or more users with one or more TUs;
  
  in response to a first request from a first user to access a first FSMO of a first TU;
  
  determining whether the first user is authorized to access the first FSMO based on information of the protocol config-metadata store, including identifying a set of one or more TUs that are associated with the first user, determining whether the first TU is included in the set of one or more TUs, determining whether the first FSMO is included in a set of one or more FSMOs that are associated with the first TU, in response to determining that the first TU is included in the set of TUs associated with the first user;
  
  in response to the protocol config-metadata store indicating the first user is authorized to access the first FSMO, allowing the first user to access the first FSMO; and
  
  in response to a second request from the first user to perform a first operation on a first object;
  
  determining whether the first user is authorized to perform the first operation by obtaining a first set of one or more operation IDs associated with the first user from a security config-metadata store and determining an operation ID identifying the requested first operation matches at least one of the operation IDs in the first set of one or more operation IDs obtained from the security config-metadata store.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The storage system of claim 15, wherein determining whether the first user is authorized to access the first FSMO comprises:
    - obtaining a first TU ID associated with the first user from the protocol config-metadata store, wherein the first TU ID identifies the first TU;
      
      obtaining a first set of one or more FSMO IDs associated with the first TU ID from the protocol config-metadata store; and
      
      determining the first user is authorized to access the first FSMO in response to determining a first FSMO ID identifying the requested first FSMO matches at least one FSMO ID of the first set of one or more FSMO IDs obtained from the protocol config-metadata store.
  - 17. The storage system of claim 15, further comprising:
    - in response to the second request from the first user to perform the first operation on the first object, determining whether the first user is a system administrator; and
      
      in response to determining the first user is not the system administrator, determining whether the first user is authorized to access the first object on which the first operation is to be performed.
  - 18. The storage system of claim 17, wherein determining whether the first user is authorized to access the first object on which the first operation is to be performed comprises:
    - obtaining a second TU ID associated with the first user from a security config-metadata store;
      
      obtaining a first set of one or more object IDs associated with the second TU ID from an object-to-TU config-metadata store;
      
      determining the first user is authorized to access the first object on which the first operation is to be performed in response to determining an object ID identifying the first object matches at least one of the object IDs in the first set of one or more object IDs obtained from the object-to-TU config-metadata store.
  - 19. The storage system of claim 15, wherein creating the set of tenant-units comprises creating a second TU by:
    - generating a third TU ID, wherein the third TU ID identifies the second TU; and
      
      storing a TU name of the second TU and the generated third TU ID in a TU config-metadata store.
  - 20. The storage system of claim 19, wherein associating one or more FSMOs with one or more TUs comprises associating a second FSMO with the second TU by:
    - obtaining the third TU ID from the TU config-metadata store;
      
      obtaining a second FSMO ID from a directory manager (DM) config-metadata store using a FSMO name of the second FSMO; and
      
      storing the third TU ID and the second FSMO ID in the protocol config-metadata store.
  - 21. The storage system of claim 19, wherein associating one or more users with one or more TUs comprises associating a second user with the second TU by:
    - obtaining the third TU ID from the TU config-metadata store;
      
      obtaining a second user ID from a security config-metadata store using a user name of the second user; and
      
      storing the third TU ID and the second user ID in the protocol config-metadata store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Chakraborty, Subhasish, Chitloor, Ravi V., Hahn, Terry G., Zhang, Hongyu
Primary Examiner(s)
SHAW, PETER C

Application Number

US14/454,086
Publication Number

US 20160042194A1
Time in Patent Office

803 Days
Field of Search

726/17
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 3/0605   by facilitating the interac...

G06F 3/0608   Saving storage space on sto...

G06F 3/0622   in relation to access

G06F 3/0637   Permissions

G06F 3/0641   De-duplication techniques

G06F 3/0665   at area level, e.g. provisi...

G06F 3/0671   In-line storage system

H04L 63/105   Multiple levels of security

System and method for secure multi-tenancy in an operating system of a storage system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure multi-tenancy in an operating system of a storage system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links