Fine-grained structured data store access using federated identity management

US 9,569,634 B1
Filed: 12/16/2013
Issued: 02/14/2017
Est. Priority Date: 12/16/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a plurality of compute nodes implementing a database service maintaining data for an application provider, wherein the database service implements a fine-grained access management module to authorize fine-grained access requests from one or more application clients of the application provider directed toward portions of the data;

the fine-grained access management module, configured to;

receive a fine-grained access request for a specified portion of the data maintained at the database service and a delegated access credential for the fine-grained access request from one of the one or more application clients;

request, from a delegation service, verification of the delegated access credential;

receive the verification of the delegated access credential;

receive, from the delegation service, a delegation policy corresponding to the delegated access credential;

evaluate the fine-grained access request according to the delegation policy in order to determine request authorization for the fine-grained access request from the one application client; and

in response to determining that the fine-grained access request is authorized, provide access to the specified portion of the data in order to service the fine-grained access request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A structured data store service, such as a database service, may implement fine-grained access to data maintained at the database service using federated identity. Fine grained access requests may be received at a database service for specified data maintained for an application provider from a client of the application provider. An access credential may be also be received. Verification of the access credential may be obtained, and the database service may evaluate the fine-grained access request according to a delegation policy corresponding to the access credential to determine whether the fine-grained request is authorized. If authorized, the fine-grained access request may be service. If not authorized, the fine-grained access request may be denied. In some embodiments, multiple application clients may have the same authorization for data, such as read authorization, while another one or more application clients may have different authorization for the data, such as write authorization.

27 Citations

View as Search Results

21 Claims

1. A system, comprising:
- a plurality of compute nodes implementing a database service maintaining data for an application provider, wherein the database service implements a fine-grained access management module to authorize fine-grained access requests from one or more application clients of the application provider directed toward portions of the data;
  
  the fine-grained access management module, configured to;
  
  receive a fine-grained access request for a specified portion of the data maintained at the database service and a delegated access credential for the fine-grained access request from one of the one or more application clients;
  
  request, from a delegation service, verification of the delegated access credential;
  
  receive the verification of the delegated access credential;
  
  receive, from the delegation service, a delegation policy corresponding to the delegated access credential;
  
  evaluate the fine-grained access request according to the delegation policy in order to determine request authorization for the fine-grained access request from the one application client; and
  
  in response to determining that the fine-grained access request is authorized, provide access to the specified portion of the data in order to service the fine-grained access request.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the fine-grained access management module is further configured to in response to determining that the fine-grained access request is not authorized, deny access to the specified portion of the data.
  - 3. The system of claim 1, further comprising:
    - another plurality of compute nodes implementing the delegation service, the delegation service configured to;
      
      receive a request for the delegated access credential from the one application client, wherein the request includes an identity credential, wherein the identity credential is issued by an identity provider in response to authenticating the one application client; and
      
      in response to validating the identity credential, sending the delegated access credential to the one application client.
  - 4. The system of claim 1, wherein the one or more application clients send one or more requests to the application provider in order to perform application operations, and wherein the fine-grained access request is received at the fine-grained access module directly from the one application client.

5. A method, comprising:
- performing, by a plurality of computing devices;
  
  receiving, at a database service, a fine-grained access request for a specified portion of data maintained at the database service for an application provider and a delegated access credential for the fine-grained access request from an application client, wherein the application client is one of one or more application clients of the application provider with different delegated authority from the application provider to access one or more portions of the data;
  
  obtaining verification of the delegated access credential from a delegation service;
  
  evaluating the fine-grained access request according to a delegation policy received from the delegation service corresponding to the delegated access credential in order to determine client authorization for the fine-grained access request; and
  
  in response to determining that the fine-grained access request is authorized, providing access to the specified portion of the data in order to service the fine-grained access request.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The method of claim 5, further comprising:
    - wherein said receiving the fine-grained access request, said obtaining the verification of the delegated access credential, and said evaluating the fine-grained access request are performed with respect to another fine-grained access request;
      
      in response to determining that the other fine-grained access request is not authorized, sending an access request denial to the application client.
  - 7. The method of claim 5, wherein said evaluating the fine-grained access request according to the delegation policy is performed without accessing user permission data maintained at the database service.
  - 8. The method of claim 5, wherein the specified portion of data is maintained as part of a database table for the application provider, wherein the delegation policy is one of a plurality of delegation policies that indicate the delegated authority from the application provider for the one or more application clients to access the one or more portions of the data, and wherein at least some of the plurality of delegation policies restrict access of the one or more application clients to different specified rows in the database table or different specified columns in the database table.
  - 9. The method of claim 5, wherein the delegation policy is one of a plurality of delegation policies that indicate the delegated authority from the application provider for the one or more application clients to access the one or more portions of the data, wherein at least some of the plurality of delegation policies authorize different ones of:
    - read operations;
      
      orwrite operations.
  - 10. The method of claim 5, wherein the delegation policy used for evaluating the fine-grained access request authorizes the application client to perform read operations and write operations with respect to the specified portion of the data, wherein another delegation policy used for evaluating one or more other fine-grained access requests directed toward the specified portion of the data received at the database service from one or more other application clients of the one or more application clients authorizes the one or more other application clients to perform read operations.
  - 11. The method of claim 5, wherein the delegation policy used for evaluating the fine-grained access request authorizes the application client to perform read operations with respect to the specified portion of the data, wherein another delegation policy used for evaluating one or more other fine-grained access requests directed toward the specified portion of the data received at the database service from one or more other application clients of the one or more application clients authorizes the one or more other application clients to perform read operations and write operations.
  - 12. The method of claim 5,wherein said evaluating the fine-grained access request according to a delegation policy corresponding to the delegated access credential, comprises:
    - obtaining the specified portion of the data maintained at the database service;
      
      applying the delegation policy corresponding to remove select data from the specified portion of data for which the delegation policy prohibits access;
      
      wherein said providing access to the specified portion of the data in order to service the fine-grained access request comprises sending remaining data from the specified portion of the data to the client.
  - 13. The method of claim 5, wherein the database service and the delegation service are implemented as part of the same network-based services platform, wherein the database service is a multi-tenant, key value data store.

14. A non-transitory, computer-readable storage medium storing program instructions that when executed by one or more computing devices cause the one or more computing devices to implement:
- receiving, at a structured data store service, a fine-grained access request for a specified portion of data maintained at the structured data store service for an application provider and a delegated access credential for the fine-grained access request from an application client, wherein the application client is one of one or more application clients of the application provider with different delegated authority from the application provider to access one or more portions of the data;
  
  requesting verification of the delegated access credential from a delegation service;
  
  receiving verification of the delegated access credential from the delegation service;
  
  evaluating the fine-grained access request according to a delegation policy received from the delegation service corresponding to the delegated access credential in order to determine client authorization for the fine-grained access request; and
  
  in response to determining that the fine-grained access request is authorized, providing access to the specified portion of the data in order to service the fine-grained access request.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The non-transitory, computer-readable storage medium of claim 14, wherein the program instructions further cause the one or more computing devices to implement:
    - wherein said receiving the fine-grained access request, said obtaining the verification of the delegated access credential, and said evaluating the fine-grained access request are performed with respect to another fine-grained access request from the application client;
      
      in response to determining that the other fine-grained access request is not authorized, sending an access request denial to the application client.
  - 16. The non-transitory, computer-readable storage medium of claim 14, wherein the structured data store service is a database service, wherein the specified portion of data is maintained as part of a database table for the application provider, wherein the delegation policy is one of a plurality of delegation policies that indicate the delegated authority from the application provider for the one or more application clients to access the one or more portions of the data in the database table, and wherein at least some of the plurality of delegation policies:
    - authorize the one or more application clients to perform read operations or write operations with respect to different specified rows in the database table or different specified columns in the database table.
  - 17. The non-transitory, computer-readable storage medium of claim 14, wherein another fine-grained access request is received at the structured data store service from a different one of the one or more application clients with a different delegated access credential, and wherein the same delegation policy is used to evaluate the other fine-grained access request.
  - 18. The non-transitory, computer-readable storage medium of claim 14, wherein another one or more fine-grained access requests are received at the structured data store service from a different one or more of the one or more application clients with different respective delegated access credentials, and wherein a different delegation policy is used to evaluate the other one or more fine-grained access requests.
  - 19. The non-transitory, computer-readable storage medium of claim 14, wherein the delegation service implements federated identity management, and wherein the delegated access credential was provided to the application client for providing an identification credential from a third-party identity provider.
  - 20. The non-transitory, computer-readable storage medium of claim 14, wherein the structured data store service and the delegation service are implemented as part of the same network-based services platform, wherein the structured data store service is a multi-tenant, key value data store.
  - 21. The non-transitory, computer-readable storage medium of claim 14,wherein, in said evaluating the fine-grained access request according to a delegation policy corresponding to the delegated access credential, the program instructions cause the one or more computing devices to implement:
    - obtaining the specified portion of the data maintained at the database service;
      
      applying the delegation policy corresponding to remove select data from the specified portion of data for which the delegation policy prohibits access;
      
      wherein, in said providing access to the specified portion of the data in order to service the fine-grained access request, the program instructions cause the one or more computing devices to implement sending remaining data from the specified portion of the data to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Yanacek, David Craig, Pandey, Prashant
Primary Examiner(s)
Burke, Jeffrey A

Application Number

US14/108,247
Time in Patent Office

1,156 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/1767   Concurrency control, e.g. o...

G06F 16/1774   Locking methods, e.g. locki...

G06F 21/335   for accessing specific reso...

G06F 21/6218   to a system of files or obj...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/205   involving negotiation or de...

Fine-grained structured data store access using federated identity management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Fine-grained structured data store access using federated identity management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links