Access control of data in a dispersed storage network
First Claim
1. A method for providing hierarchical data access control to memory of a dispersed storage network (DSN) by a computing device, the method comprises:
- receiving, by a processing module of the computing device and from a user device associated with a user requesting access and via the DSN, a data access request to access a data object of a logical memory space of a plurality of logical memory spaces of the memory of the DSN, wherein the data access request includes a data access request type to identify a type of access requested, a data object identifier to identify a data object for the access, and a user identifier to identify the user requesting the access;
- accessing, by the processing module of the computing device, hierarchical data access control information that is stored in the memory of the DSN based on the data access request, wherein the hierarchical data access control information including:
  - a plurality of logical memory access control files respectively corresponding to the plurality of logical memory spaces, wherein a logical memory access control file of the plurality of logical memory access control files respectively includes general access rights for users regarding data objects stored in a corresponding logical memory space of the memory of the DSN; and
  - pluralities of data object access control files, wherein a plurality of the data object access control files of the pluralities of data object access control files corresponds to one of the plurality of logical memory spaces of the memory of the DSN, wherein a data object access control file of the plurality of the data object access control files is for a specific data object and includes specific access rights for the user regarding the specific data object, wherein the data object access control file is generated based on decoding a decode threshold number of data access control slices in accordance with a dispersed storage error coding function, wherein the data access control slices are based on prior dispersed error encoding of a plurality of data access control segments generated by segmenting of the data object access control file in accordance with DS error encoding parameters of the dispersed storage error coding function that include at least one of a number of segments of the plurality of data access control segments, a pillar width, a decode threshold, a read threshold, or a write threshold, wherein the data access control slices are provided via the DSN to the computing device respectively from a plurality of dispersed storage (DS) execution units such that each DS execution unit of the plurality of DS execution units provides a respective one of the data access control slices via the DSN to the computing device in response to a set of data access control requests issued from the computing device to the plurality of DS execution units including a first DS execution unit provides a first data access control slice of the data access control slices and a second DS execution unit provides a second data access control slice of the data access control slices;
- selecting, by the processing module of the computing device, one of the plurality of logical memory access control files from the hierarchical data access control information based on the logical memory space;
- determining, from the selected logical memory access control file, whether the data access request type of the data access request is generally permitted for a user identified by the user identifier;
- when the data access request type is permitted for the identified user, selecting one of the plurality of the data object access control files associated with the logical memory space based on the data object identifier;
- determining, from the selected data object access control file, whether the data access request type for the data object is restricted for the user; and
- when the data access request type is permitted by the selected logical memory access control file for the user and not restricted for the user by the corresponding data object access control file, executing, by the processing module of the computing device, the data access request.
Abstract
A method begins by a dispersed storage (DS) processing module receiving, from a user device, a data access request and accessing hierarchical data access control information. The method continues with the DS processing module obtaining a logical memory access control file from the hierarchical data access control information and determining a data access request type of the request is within access rights of the user device. When the data access request type is within the access rights of the user device, the method continues with the DS processing module obtaining a data object access control file from the hierarchical data access control information. The method continues with the DS processing module determining, from the data object access control file, whether the data access request type is restricted. When the data access request type is not restricted, the method continues with the DS processing module processing the data access request.
22 Claims
1. Independent claim; its full text is given under First Claim above. Dependent claims: 2, 3, 4, 5.
6. A method for maintaining access control information for data storage in memory of a dispersed storage network (DSN) by a computing device, the method comprises:
- receiving, by a processing module of the computing device and from a user device associated with a user requesting access and via the DSN, a data access request to access a logical memory space of a plurality of logical memory spaces of the memory of the DSN, wherein the data access request is to determine whether a data object corresponding to a data object identifier of the data access request is stored in the memory of the DSN, wherein the data access request includes a data access request type to identify a type of access requested, the data object identifier to identify the data object, and a user identifier to identify the user requesting the access;
- when the data object corresponding to the data object identifier is not stored in the memory of the DSN, accessing by the processing module of the computing device, based on the user identifier, hierarchical data access control information that is stored in the memory of the DSN to retrieve a logical memory access control file of a plurality of logical memory access control files, wherein the plurality of logical memory access control files respectively correspond to the plurality of logical memory spaces, in which the plurality of logical memory access control files respectively include general access rights for a list of users that have access to data objects associated with corresponding logical memory spaces;
- determining, based on the retrieved logical memory access control file, whether the user has corresponding access rights to initially write the data object into a particular logical memory space corresponding to the retrieved logical memory access control file; and
- when the user has the corresponding access rights to initially write the data object into the particular logical memory space, creating a data object access control file for the data object, wherein the data object access control file includes a list of users that have access to the particular logical memory space and a list of data access restrictions for one or more users of a list of users pertaining to access of the data object, including creating the data object access control file for the data object based on decoding a decode threshold number of data access control slices in accordance with a dispersed storage error coding function, wherein the data access control slices are based on prior dispersed error encoding of a plurality of data access control segments generated by segmenting of the data object access control file in accordance with DS error encoding parameters of the dispersed storage error coding function that include at least one of a number of segments of the plurality of data access control segments, a pillar width, a decode threshold, a read threshold, or a write threshold, wherein the data access control slices are provided via the DSN to the computing device respectively from a plurality of dispersed storage (DS) execution units such that each DS execution unit of the plurality of DS execution units provides a respective one of the data access control slices via the DSN to the computing device in response to a set of data access control requests issued from the computing device to the plurality of DS execution units including a first DS execution unit provides a first data access control slice of the data access control slices and a second DS execution unit provides a second data access control slice of the data access control slices;
- linking the data object access control file to the logical memory access control file, in which for a particular user, a user access restriction to the data object overrides a corresponding user access right to the particular logical memory space; and
- processing the data access request to write the data object into the particular logical memory space.

Dependent claims: 7, 8, 9, 10, 11.
12. A dispersed storage (DS) module for providing hierarchical data access control to memory of a dispersed storage network (DSN), the DS module comprises:
- an interface configured to communicate with the memory of the DSN;
- a DS module memory that stores operational instructions; and
- a processing module operably coupled to the interface and to the DS module memory, wherein the processing module, when operable within the DS module based on the operational instructions, is configured to:
  - receive, via the DSN and via the interface and from a user device associated with a user requesting access, a data access request to access a logical memory space of a plurality of logical memory spaces of the memory of the DSN, wherein the data access request includes a data access request type to identify a type of access requested, a data object identifier to identify a data object for the access, and a user identifier to identify the user requesting the access;
  - access hierarchical data access control information that is stored in the memory of the DSN to process the data access request, the hierarchical data access control information including:
    - a plurality of logical memory access control files respectively corresponding to the plurality of logical memory spaces, wherein a logical memory access control file of the plurality of logical memory access control files respectively includes general access rights for users regarding data objects stored in a corresponding logical memory space of the memory of the DSN; and
    - pluralities of data object access control files, wherein a plurality of the data object access control files of the pluralities of data object access control files corresponds to one of the plurality of logical memory spaces of the memory of the DSN, wherein a data object access control file of the plurality of the data object access control files is for a specific data object and includes specific access rights for the user regarding the specific data object, wherein the data object access control file is generated based on decoding a decode threshold number of data access control slices in accordance with a dispersed storage error coding function, wherein the data access control slices are based on prior dispersed error encoding of a plurality of data access control segments generated by segmenting of the data object access control file in accordance with DS error encoding parameters of the dispersed storage error coding function that include at least one of a number of segments of the plurality of data access control segments, a pillar width, a decode threshold, a read threshold, or a write threshold, wherein the data access control slices are provided via the DSN to the DS module respectively from a plurality of dispersed storage (DS) execution units such that each DS execution unit of the plurality of DS execution units provides a respective one of the data access control slices via the DSN to the DS module in response to a set of data access control requests issued from the DS module to the plurality of DS execution units including a first DS execution unit provides a first data access control slice of the data access control slices and a second DS execution unit provides a second data access control slice of the data access control slices;
  - select one of the plurality of logical memory access control files from the hierarchical data access control information based on the logical memory space;
  - determine, from the selected logical memory access control file, whether the data access request type of the data access request is generally permitted for a user identified by the user identifier;
  - when the data access request type is permitted for the identified user, select one of the plurality of the data object access control files associated with the logical memory space based on the data object identifier;
  - determine, from the selected data object access control file, whether the data access request type for the data object is restricted for the user; and
  - when the data access request type is permitted by the selected logical memory access control file for the identified user and not restricted for the identified user by the corresponding data object access control file, execute the data access request.

Dependent claims: 13, 14, 15, 16.
17. A dispersed storage (DS) module for providing hierarchical data access control to memory of a dispersed storage network (DSN), the DS module comprises:
- an interface configured to communicate with the memory of the DSN;
- a DS module memory that stores operational instructions; and
- a processing module operably coupled to the interface and to the DS module memory, wherein the processing module, when operable within the DS module based on the operational instructions, is configured to:
  - receive, via the DSN and via the interface and from a user device associated with a user requesting access, a data access request to access a logical memory space of a plurality of logical memory spaces of the memory of the DSN, wherein the data access request is to determine whether a data object corresponding to a data object identifier of the data access request is stored in the memory of the DSN, wherein the data access request includes a data access request type to identify a type of access requested, the data object identifier to identify the data object, and the user identifier to identify a user requesting access;
  - when the data object corresponding to the data object identifier is not stored in the memory of the DSN, access by the processing module, based on the user identifier, hierarchical data access control information that is stored in the memory of the DSN to retrieve a logical memory access control file of a plurality of logical memory access control files, wherein the plurality of logical memory access control files respectively correspond to the plurality of logical memory spaces, in which the plurality of logical memory access control files respectively include general access rights for a list of users that have access to data objects associated with corresponding logical memory spaces;
  - determine, based on the retrieved logical memory access control file, whether the user has corresponding access rights to initially write the data object into a particular logical memory space corresponding to the retrieved logical memory access control file; and
  - when the user has the corresponding access rights to initially write the data object into the particular logical memory space, create a data object access control file for the data object, wherein the data object access control file includes a list of users that have access to the particular logical memory space and a list of data access restrictions for one or more users of a list of users pertaining to access of the data object, including to create the data object access control file for the data object based on decoding a decode threshold number of data access control slices in accordance with a dispersed storage error coding function, wherein the data access control slices are based on prior dispersed error encoding of a plurality of data access control segments generated by segmenting of the data object access control file in accordance with DS error encoding parameters of the dispersed storage error coding function that include at least one of a number of segments of the plurality of data access control segments, a pillar width, a decode threshold, a read threshold, or a write threshold, wherein the data access control slices are provided via the DSN to the DS module respectively from a plurality of dispersed storage (DS) execution units such that each DS execution unit of the plurality of DS execution units provides a respective one of the data access control slices via the DSN to the DS module in response to a set of data access control requests issued from the DS module to the plurality of DS execution units including a first DS execution unit provides a first data access control slice of the data access control slices and a second DS execution unit provides a second data access control slice of the data access control slices;
  - link the data object access control file to the logical memory access control file, in which for a particular user, a user access restriction to the data object overrides a corresponding user access right to the particular logical memory space; and
  - process the data access request to write the data object into the particular logical memory space.

Dependent claims: 18, 19, 20, 21, 22.
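The two-level decision the claims describe (general rights from the logical memory access control file, then a per-object restriction that overrides them), including rebuilding the data object access control file from a decode-threshold number of slices, as an added Python example covering both the claim 1 read path and the claim 6 first-write path. This is not the patent's or any product's code: the (k, n) Reed-Solomon-style code over GF(257), the name "vault" for a logical memory space, the JSON layout of the access control files, and the users and outcomes in `demo()` are all constructed here.

```python
import json
P = 257  # prime field: every data byte is an element; parity values may be 256

def interp(points, x):
    """Lagrange-evaluate the polynomial through `points` at x (mod P)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (x - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def encode_slices(data, k, n):
    """Segment into k-byte rows; pillar x (1..n) holds value x of each row (systematic)."""
    data += b"\x00" * (-len(data) % k)
    pillars = {x: [] for x in range(1, n + 1)}
    for s in range(0, len(data), k):
        pts = list(enumerate(data[s:s + k], 1))  # x = 1..k carry the raw bytes
        for x in pillars:
            pillars[x].append(interp(pts, x))
    return pillars

def decode_slices(slices, k):
    """Rebuild the file from any decode-threshold (k) number of pillar slices."""
    if len(slices) < k:
        raise ValueError("below decode threshold: %d < %d" % (len(slices), k))
    chosen, out = list(slices.items())[:k], bytearray()
    for s in range(len(chosen[0][1])):
        out += bytes(interp([(px, v[s]) for px, v in chosen], x) for x in range(1, k + 1))
    return bytes(out).rstrip(b"\x00")

class DSN:
    """Vault-level ACL files held in the clear; per-object ACL files held only as slices."""
    def __init__(self, k=3, n=5):
        self.k, self.n, self.vault_acl, self.acl_slices, self.objects = k, n, {}, {}, {}
    def store_object_acl(self, vault, obj, acl):
        self.acl_slices[(vault, obj)] = encode_slices(json.dumps(acl).encode(), self.k, self.n)
    def request(self, user, rtype, vault, obj, data=None, units_up=None):
        """Claim-1 read path and claim-6 first-write path as one decision routine."""
        if rtype not in self.vault_acl.get(vault, {}).get(user, ()):  # vault-level rights
            return "denied: not generally permitted in this logical memory space"
        if (vault, obj) in self.objects:  # rebuild the object ACL from the DS units that answered
            up = range(1, self.n + 1) if units_up is None else units_up
            got = {x: v for x, v in self.acl_slices[(vault, obj)].items() if x in up}
            acl = json.loads(decode_slices(got, self.k))
        elif rtype == "write":  # object absent: create and link its ACL, then write
            acl = {"users": sorted(self.vault_acl[vault]), "restricted": {}}
            self.store_object_acl(vault, obj, acl)
        else:
            return "denied: object not stored"
        if rtype in acl["restricted"].get(user, []):  # restriction overrides vault right
            return "denied: restricted for this user on this object"
        if rtype == "write":
            self.objects[(vault, obj)] = data
        return "ok"

def demo():  # constructed scenario: alice read/write, bob read only, carol nothing
    dsn = DSN()
    dsn.vault_acl["vault1"] = {"alice": {"read", "write"}, "bob": {"read"}}
    first = dsn.request("alice", "write", "vault1", "report", data=b"q3 numbers")
    dsn.store_object_acl("vault1", "report", {"users": ["alice", "bob"], "restricted": {"bob": ["read"]}})
    return [first, dsn.request("alice", "read", "vault1", "report", units_up={2, 4, 5}),
            dsn.request("bob", "read", "vault1", "report"), dsn.request("carol", "read", "vault1", "report")]
```

The alice read in `demo()` succeeds with only DS units 2, 4 and 5 answering (exactly the decode threshold), while bob's read is denied even though his vault-level rights allow it, because the object file's restriction wins.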
Specification