Data store access permission system with interleaved application of deferred access control filters
First Claim
1. A nontransitory computer readable medium having stored thereon software instructions that, when executed by one or more processors, cause the one or more processors to perform operations including:
- receiving a user request submitted from a computing device for data from a first table object;
- requesting, from an access control list source stored in a computer medium, access control groups for a user;
- requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
- determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
- for each determined filter generator, executing the determined filter generator to create a generated filter for the first table object;
- combining each of the generated filters for the first table object into an access control filter;
- creating a second table object in memory that references the first table object;
- associating the access control filter with the second table object;
- making the second table object available for user operations;
- receiving a second user request from a computing device to perform a filtering operation on the second table object;
- accessing metadata of the second table object;
- retrieving a tree-based table storage structure from the metadata;
- traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
- when the second user request requests data from one or more partition columns of the tree-based table storage structure, applying one or more partition column filters based on a partition column structure of the tree;
- when the second user request contains a filtering operation for one or more grouping columns of the tree-based table storage structure, in a first pass, executing user-specified filters on the one or more partition columns that execute only system-specified code, and on a second pass, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
- retrieving the access control filter from the metadata;
- extracting filters from the access control filter that apply to the access control groups for the user;
- choosing a filter from the extracted filters;
- applying the chosen filter to the second user request;
- applying one or more second grouping column filters based on a first filter request contained in the second user request;
- applying one or more normal filters contained in the second user request to identify a filtered data source result; and
- return a final set of data.
Abstract
Described are methods, systems and computer readable media for a permissions system including relationships of partitioning, grouping, and the application of access control deferred filters.
2 Claims
2. A nontransitory computer readable medium having stored thereon software instructions that, when executed by one or more processors, cause the one or more processors to perform operations including:
- receiving a user request submitted from a computing device for data from a first table object;
- requesting, from an access control list source stored in a computer medium, access control groups for a user;
- requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;
- determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;
- for each determined filter generator, executing the determined filter generator to create a generated filter for the first table object;
- combining each of the generated filters for the first table object into an access control filter;
- creating a second table object in memory that references the first table object;
- associating the access control filter with the second table object;
- making the second table object available for user operations;
- receiving a second user request from a computing device to perform a data access operation on the second table object;
- accessing metadata of the second table object;
- retrieving a tree-based table storage structure from the metadata;
- traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;
- when the second user request requests data from one or more columns of the tree-based table storage structure, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;
- retrieving the access control filter from the metadata;
- extracting filters from the access control filter that apply to the access control groups for the user;
- choosing a filter from the extracted filters;
- applying the chosen filter to the second user request;
- applying the data access operation; and
- returning a final set of data.
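The following is an added illustrative model of the mechanism claimed above (both the two-pass filtering of claim 1 and the simpler data access of claim 2); it is example code written for this page, not the patentee's implementation. The table tree, groups, generator functions and the choice to combine a group's generated filters conjunctively and to deny when no filter applies are all assumptions made for the example; the point it demonstrates is that user-specified predicates run only after the internal access-control filters, so they never observe unauthorized rows.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample data: a "trades" table stored as a tree, keyed first by the
# partition column "region", then by the grouping column "desk" (hypothetical).
TABLE_TREE = {
    "EU": {"rates": [{"region": "EU", "desk": "rates", "level": 1, "pnl": 10}],
           "fx":    [{"region": "EU", "desk": "fx",    "level": 3, "pnl": -4}]},
    "US": {"rates": [{"region": "US", "desk": "rates", "level": 2, "pnl": 7}],
           "fx":    [{"region": "US", "desk": "fx",    "level": 1, "pnl": 2}]},
}
TABLE_META = {"source": "trades"}                           # first table metadata
ACL_GROUPS = {"alice": ["analyst", "eu_only"], "bob": ["admin"], "mallory": []}  # ACL source

# Access control filter source: per group, generators that take the table metadata and
# return a row filter for that source, or None when the generator does not apply to it.
FILTER_GENERATORS = {
    "analyst": [lambda m: (lambda r: r["level"] <= 2) if m["source"] == "trades" else None],
    "eu_only": [lambda m: (lambda r: r["region"] == "EU") if m["source"] == "trades" else None],
    "admin":   [lambda m: (lambda r: True)],
}

def build_view(user: str) -> dict:
    """First request: create the second table object (a view referencing the source tree)
    and attach the access control filter, kept per group so it can be extracted later."""
    acf: Dict[str, Callable] = {}
    for group in ACL_GROUPS.get(user, []):
        generated = [f for gen in FILTER_GENERATORS.get(group, []) if (f := gen(TABLE_META))]
        if generated:   # assumption: a group's generated filters are combined conjunctively
            acf[group] = lambda r, fs=tuple(generated): all(f(r) for f in fs)
    return {"source": TABLE_TREE, "meta": TABLE_META, "access_control_filter": acf}

def filter_view(view: dict, user: str, partition: Optional[str] = None,
                grouping: Optional[str] = None, user_filters=()) -> List[dict]:
    """Second request: interleave the passes so user predicates never see unauthorized rows."""
    tree = view["source"]                                   # traverse from the table root
    acf = view["access_control_filter"]
    chosen = [acf[g] for g in ACL_GROUPS.get(user, []) if g in acf]
    if not chosen:
        return []                                           # no applicable filter: deny by default
    partitions = list(tree) if partition is None else [p for p in tree if p == partition]
    out: List[dict] = []
    for p in partitions:                                    # pass 1: partition pruning, system code only
        for desk, rows in tree[p].items():
            for row in rows:
                if not all(f(row) for f in chosen):         # pass 2: internal access-control filters
                    continue
                if grouping is not None and desk != grouping:   # grouping-column filter from request
                    continue
                if all(uf(row) for uf in user_filters):     # normal (user-specified) filters run last
                    out.append(row)
    return out
```

A user-supplied predicate that records every row it is called on is a convenient way to check the ordering property: with the data above it should only ever be handed rows the caller is already authorized to see.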