Access control of data in a dispersed storage network

US 9,936,020 B2
Filed: 09/17/2013
Issued: 04/03/2018
Est. Priority Date: 10/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method for providing hierarchical data access control to memory of a dispersed storage network (DSN) by a computing device, the method comprises:

receiving, by a processing module of the computing device and from a user device associated with a user requesting access and via the DSN, a data access request to access a data object of a logical memory space of a plurality of logical memory spaces of the memory of the DSN, wherein the data access request includes a data access request type to identify a type of access requested, a data object identifier to identify a data object for the access, and a user identifier to identify the user requesting the access;

accessing, by the processing module of the computing device, hierarchical data access control information that is stored in the memory of the DSN based on the data access request, wherein the hierarchical data access control information including;

a plurality of logical memory access control files respectively corresponding to the plurality of logical memory spaces, wherein a logical memory access control file of the plurality of logical memory access control files respectively includes general access rights for users regarding data objects stored in a corresponding logical memory space of the memory of the DSN; and

pluralities of data object access control files, wherein a plurality of the data object access control files of the pluralities of data object access control files corresponds to one of the plurality of logical memory spaces of the memory of the DSN, wherein a data object access control file of the plurality of the data object access control files is for a specific data object and includes specific access rights for the user regarding the specific data object, wherein the data object access control file is generated based on decoding a decode threshold number of data access control slices in accordance with a dispersed storage error coding function, wherein the data access control slices are based on prior dispersed error encoding of a plurality of data access control segments generated by segmenting of the data object access control file in accordance with DS error encoding parameters of the dispersed storage error coding function that include at least one of a number of segments of the plurality of data access control segments, a pillar width, a decode threshold, a read threshold, or a write threshold, wherein the data access control slices are provided via the DSN to the computing device respectively from a plurality of dispersed storage (DS) execution units such that each DS execution unit of the plurality of DS execution units provides a respective one of the data access control slices via the DSN to the computing device in response to a set of data access control requests issued from the computing device to the plurality of DS execution units including a first DS execution unit provides a first data access control slice of the data access control slices and a second DS execution unit provides a second data access control slice of the data access control slices;

selecting, by the processing module of the computing device, one of the plurality of logical memory access control files from the hierarchical data access control information based on the logical memory space;

determining, from the selected logical memory access control file, whether the data access request type of the data access request is generally permitted for a user identified by the user identifier;

when the data access request type is permitted for the identified user, selecting one of the plurality of the data object access control files associated with the logical memory space based on the data object identifier;

determining, from the selected data object access control file, whether the data access request type for the data object is restricted for the user; and

when the data access request type is permitted by the selected logical memory access control file for the user and not restricted for the user by the corresponding data object access control file, executing, by the processing module of the computing device, the data access request.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module receiving, from a user device, a data access request and accessing hierarchical data access control information. The method continues with the DS processing module obtaining a logical memory access control file from the hierarchical data access control information and determining a data access request type of the request is within access rights of the user device. When the data access request type is within the access rights of the user device, the method continues with the DS processing module obtaining a data object access control file from the hierarchical data access control information. The method continues with the DS processing module determining, from the data object access control file, whether the data access request type is restricted. When the data access request type is not restricted, the method continues with the DS processing module processing the data access request.

114 Citations

View as Search Results

22 Claims

1. A method for providing hierarchical data access control to memory of a dispersed storage network (DSN) by a computing device, the method comprises:
- receiving, by a processing module of the computing device and from a user device associated with a user requesting access and via the DSN, a data access request to access a data object of a logical memory space of a plurality of logical memory spaces of the memory of the DSN, wherein the data access request includes a data access request type to identify a type of access requested, a data object identifier to identify a data object for the access, and a user identifier to identify the user requesting the access;
  
  accessing, by the processing module of the computing device, hierarchical data access control information that is stored in the memory of the DSN based on the data access request, wherein the hierarchical data access control information including;
  
  a plurality of logical memory access control files respectively corresponding to the plurality of logical memory spaces, wherein a logical memory access control file of the plurality of logical memory access control files respectively includes general access rights for users regarding data objects stored in a corresponding logical memory space of the memory of the DSN; and
  
  pluralities of data object access control files, wherein a plurality of the data object access control files of the pluralities of data object access control files corresponds to one of the plurality of logical memory spaces of the memory of the DSN, wherein a data object access control file of the plurality of the data object access control files is for a specific data object and includes specific access rights for the user regarding the specific data object, wherein the data object access control file is generated based on decoding a decode threshold number of data access control slices in accordance with a dispersed storage error coding function, wherein the data access control slices are based on prior dispersed error encoding of a plurality of data access control segments generated by segmenting of the data object access control file in accordance with DS error encoding parameters of the dispersed storage error coding function that include at least one of a number of segments of the plurality of data access control segments, a pillar width, a decode threshold, a read threshold, or a write threshold, wherein the data access control slices are provided via the DSN to the computing device respectively from a plurality of dispersed storage (DS) execution units such that each DS execution unit of the plurality of DS execution units provides a respective one of the data access control slices via the DSN to the computing device in response to a set of data access control requests issued from the computing device to the plurality of DS execution units including a first DS execution unit provides a first data access control slice of the data access control slices and a second DS execution unit provides a second data access control slice of the data access control slices;
  
  selecting, by the processing module of the computing device, one of the plurality of logical memory access control files from the hierarchical data access control information based on the logical memory space;
  
  determining, from the selected logical memory access control file, whether the data access request type of the data access request is generally permitted for a user identified by the user identifier;
  
  when the data access request type is permitted for the identified user, selecting one of the plurality of the data object access control files associated with the logical memory space based on the data object identifier;
  
  determining, from the selected data object access control file, whether the data access request type for the data object is restricted for the user; and
  
  when the data access request type is permitted by the selected logical memory access control file for the user and not restricted for the user by the corresponding data object access control file, executing, by the processing module of the computing device, the data access request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprises:
    - when the data access request type is not permitted, rejecting the data access request and ceasing further processing of the data access request.
  - 3. The method of claim 1 further comprises:
    - when the data access request type is restricted, rejecting the data access request.
  - 4. The method of claim 1, wherein the hierarchical data access control information further comprises:
    - a plurality of folder access control files, wherein respective sets of folder access control files are associated with corresponding logical memory access control files, wherein respective folder access control files include a list of users that have access to corresponding logical memory spaces and wherein for respective user entries in the list of users, user access restrictions to the corresponding logical memory spaces regarding data objects stored within a corresponding folder are permitted, in which a sub-set of data object access control files is associated with respective folder access control files.
  - 5. The method of claim 1, wherein the selecting the corresponding data object access control file comprises one of:
    - retrieving a first portion of a data object from the memory of the DSN, wherein the first portion includes the corresponding data object access control file; and
      
      retrieving the corresponding data object access control file from the memory of the DSN as a separate file.

6. A method for maintaining access control information for data storage in memory of a dispersed storage network (DSN) by a computing device, the method comprises:
- receiving, by a processing module of the computing device and from a user device associated with a user requesting access and via the DSN, a data access request to access a logical memory space of a plurality of logical memory spaces of the memory of the DSN, wherein the data access request is to determine whether a data object corresponding to a data object identifier of the data access request is stored in the memory of the DSN, wherein the data access request includes a data access request type to identify a type of access requested, the data object identifier to identify the data object, and a user identifier to identify the user requesting the access;
  
  when the data object corresponding to the data object identifier is not stored in the memory of the DSN, accessing by the processing module of the computing device, based on the user identifier, hierarchical data access control information that is stored in the memory of the DSN to retrieve a logical memory access control file of a plurality of logical memory access control files, wherein the plurality of logical memory access control files respectively correspond to the plurality of logical memory spaces, in which the plurality of logical memory access control files respectively include general access rights for a list of users that have access to data objects associated with corresponding logical memory spaces;
  
  determining, based on the retrieved logical memory access control file, whether the user has corresponding access rights to initially write the data object into a particular logical memory space corresponding to the retrieved logical memory access control file; and
  
  when the user has the corresponding access rights to initially write the data object into the particular logical memory space;
  
  creating a data object access control file for the data object, wherein the data object access control file includes a list of users that have access to the particular logical memory space and a list of data access restrictions for one or more users of a list of users pertaining to access of the data object, including creating the data object access control file for the data object based on decoding a decode threshold number of data access control slices in accordance with a dispersed storage error coding function, wherein the data access control slices are based on prior dispersed error encoding of a plurality of data access control segments generated by segmenting of the data object access control file in accordance with DS error encoding parameters of the dispersed storage error coding function that include at least one of a number of segments of the plurality of data access control segments, a pillar width, a decode threshold, a read threshold, or a write threshold, wherein the data access control slices are provided via the DSN to the computing device respectively from a plurality of dispersed storage (DS) execution units such that each DS execution unit of the plurality of DS execution units provides a respective one of the data access control slices via the DSN to the computing device in response to a set of data access control requests issued from the computing device to the plurality of DS execution units including a first DS execution unit provides a first data access control slice of the data access control slices and a second DS execution unit provides a second data access control slice of the data access control slices;
  
  linking the data object access control file to the logical memory access control file, in which for a particular user, a user access restriction to the data object overrides a corresponding user access right to the particular logical memory space; and
  
  processing the data access request to write the data object into the particular logical memory space.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6 further comprises:
    - updating the logical memory access control file by at least one of;
      
      adding a new user to the list of users and new corresponding access rights to a list of corresponding access rights;
      
      deleting an older user from the list of users and deleting the corresponding access rights from the list of corresponding access rights; and
      
      editing the corresponding access rights of the user in the list of corresponding access rights.
  - 8. The method of claim 6 further comprises:
    - updating the data object access control file by at least one of;
      
      adding new data access restrictions to the list of data access restrictions for another one or more of the users of the list of users of the logical memory access control file;
      
      adding the new data access restrictions to the list of data access restrictions for the one or more of the users of the list of users of the logical memory access control file; and
      
      deleting one or more data access restrictions from the list of data access restrictions for the one or more of the users of the list of users of the logical memory access control file.
  - 9. The method of claim 6 further comprises:
    - when the data object corresponding to the data object identifier is stored in the memory of the DSN and the data access request type is to delete the data object;
      
      determining, based on the logical memory access control file, whether the user has corresponding access rights to delete the data object;
      
      when the user has corresponding access rights to delete the data object, deleting the data object access control file and the data object;
      
      deleting the linking of the data object access control file to the logical memory access control file; and
      
      processing the data access request to delete the data object from the memory of the DSN.
  - 10. The method of claim 6 further comprises:
    - linking the data object access control file to a folder access control file of a set of folder access control files, wherein the set of folder access control files is associated with the logical memory access control file, wherein the folder access control file includes data access restrictions for one or more of the users of the list of users of the logical memory access control file regarding data objects stored within a corresponding folder of the particular logical memory space, in which a sub-set of data object access control files is associated with the folder access control file.
  - 11. The method of claim 6 further comprises one of:
    - storing the data object access control file with the data object in the memory of the DSN; and
      
      storing the data object access control file as a separate file in the memory of the DSN.

12. A dispersed storage (DS) module for providing hierarchical data access control to memory of a dispersed storage network (DSN), the DS module comprises:
- an interface configured to communicate with the memory of the DSN;
  
  a DS module memory that stores operational instructions; and
  
  a processing module operably coupled to the interface and to the DS module memory, wherein the processing module, when operable within the DS module based on the operational instructions, is configured to;
  
  receive, via the DSN and via the interface and from a user device associated with a user requesting access, a data access request to access a logical memory space of a plurality of logical memory spaces of the memory of the DSN, wherein the data access request includes a data access request type to identify a type of access requested, a data object identifier to identify a data object for the access, and a user identifier to identify the user requesting the access;
  
  access hierarchical data access control information that is stored in the memory of the DSN to process the data access request, the hierarchical data access control information including;
  
  a plurality of logical memory access control files respectively corresponding to the plurality of logical memory spaces, wherein a logical memory access control file of the plurality of logical memory access control files respectively includes general access rights for users regarding data objects stored in the a corresponding logical memory space of the memory of the DSN; and
  
  pluralities of data object access control files, wherein a plurality of the data object access control files of the pluralities of data object access control files corresponds to one of the plurality of logical memory spaces of the memory of the DSN, wherein a data object access control file of the plurality of the data object access control files is for a specific data object and includes specific access rights for the user regarding the specific data object, wherein the data object access control file is generated based on decoding a decode threshold number of data access control slices in accordance with a dispersed storage error coding function, wherein the data access control slices are based on prior dispersed error encoding of a plurality of data access control segments generated by segmenting of the data object access control file in accordance with DS error encoding parameters of the dispersed storage error coding function that include at least one of a number of segments of the plurality of data access control segments, a pillar width, a decode threshold, a read threshold, or a write threshold, wherein the data access control slices are provided via the DSN to the DS module respectively from a plurality of dispersed storage (DS) execution units such that each DS execution unit of the plurality of DS execution units provides a respective one of the data access control slices via the DSN to the DS module in response to a set of data access control requests issued from the DS module to the plurality of DS execution units including a first DS execution unit provides a first data access control slice of the data access control slices and a second DS execution unit provides a second data access control slice of the data access control slices;
  
  select one of the plurality of logical memory access control files from the hierarchical data access control information based on the logical memory space;
  
  determine, from the selected logical memory access control file, whether the data access request type of the data access request is generally permitted for a user identified by the user identifier;
  
  when the data access request type is permitted for the identified user, select one of the plurality of the data object access control files associated with the logical memory space based on the data object identifier;
  
  determine, from the selected data object access control file, whether the data access request type for the data object is restricted for the user; and
  
  when the data access request type is permitted by the selected logical memory access control file for the identified user and not restricted for the identified user by the corresponding data object access control file, execute the data access request.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The DS module of claim 12 further comprises:
    - when the data access request type is not permitted, the processing module further functions to reject the data access request and cease further processing of the data access request.
  - 14. The DS module of claim 12 further comprises:
    - when the data access request type is restricted, the processing module further functions to reject the data access request.
  - 15. The DS module of claim 12, wherein the hierarchical data access control information further comprises:
    - a plurality of folder access control files, wherein respective sets of folder access control files are associated with corresponding logical memory access control files, wherein respective folder access control files include a list of users that have access to corresponding logical memory spaces and wherein for respective user entries in the list of users, user access restrictions to the corresponding logical memory spaces regarding data objects stored within a corresponding folder are permitted, in which a sub-set of data object access control files is associated with respective folder access control files.
  - 16. The DS module of claim 12, wherein the processing module further functions selects the corresponding data object access control file by one of:
    - retrieving a first portion of a data object from the memory of the DSN, wherein the first portion includes the corresponding data object access control file; and
      
      retrieving the corresponding data object access control file from the memory of the DSN as a separate file.

17. A dispersed storage (DS) module for providing hierarchical data access control to memory of a dispersed storage network (DSN), the DS module comprises:
- an interface configured to communicate with the memory of the DSN; and
  
  a DS module memory that stores operational instructions; and
  
  a processing module operably coupled to the interface and to the DS module memory, wherein the processing module, when operable within the DS module based on the operational instructions, is configured to;
  
  receive, via the DSN and via the interface and from a user device associated with a user requesting access, a data access request to access a logical memory space of a plurality of logical memory spaces of the memory of the DSN, wherein the data access request is to determine whether a data object corresponding to a data object identifier of the data access request is stored in the memory of the DSN, wherein the data access request includes a data access request type to identify a type of access requested, the data object identifier to identify the data object, and the user identifier to identify a user requesting access;
  
  when the data object corresponding to the data object identifier is not stored in the memory of the DSN, access by the processing module, based on the user identifier, hierarchical data access control information that is stored in the memory of the DSN to retrieve a logical memory access control file of a plurality of logical memory access control files, wherein the plurality of logical memory access control files respectively correspond to the plurality of logical memory spaces, in which the plurality of logical memory access control files respectively include general access rights for a list of users that have access to data objects associated with corresponding logical memory spaces;
  
  determine, based on the retrieved logical memory access control file, whether the user has corresponding access rights to initially write the data object into a particular logical memory space corresponding to the retrieved logical memory access control file; and
  
  when the user has the corresponding access rights to initially write the data object into the particular logical memory space;
  
  create a data object access control file for the data object, wherein the data object access control file includes a list of users that have access to the particular logical memory space and a list of data access restrictions for one or more users of a list of users pertaining to access of the data object, including to create the data object access control file for the data object based on decoding a decode threshold number of data access control slices in accordance with a dispersed storage error coding function, wherein the data access control slices are based on prior dispersed error encoding of a plurality of data access control segments generated by segmenting of the data object access control file in accordance with DS error encoding parameters of the dispersed storage error coding function that include at least one of a number of segments of the plurality of data access control segments, a pillar width, a decode threshold, a read threshold, or a write threshold, wherein the data access control slices are provided via the DSN to the DS module respectively from a plurality of dispersed storage (DS) execution units such that each DS execution unit of the plurality of DS execution units provides a respective one of the data access control slices via the DSN to the DS module in response to a set of data access control requests issued from the DS module to the plurality of DS execution units including a first DS execution unit provides a first data access control slice of the data access control slices and a second DS execution unit provides a second data access control slice of the data access control slices;
  
  link the data object access control file to the logical memory access control file, in which for a particular user, a user access restriction to the data object overrides a corresponding user access right to the particular logical memory space; and
  
  process the data access request to write the data object into the particular logical memory space.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The DS module of claim 17 further comprises:
    - the processing module is further operable to update the logical memory access control file by at least one of;
      
      adding a new user to the list of users and new corresponding access rights to a list of corresponding access rights;
      
      deleting an older user from the list of users and deleting the corresponding access rights from the list of corresponding access rights; and
      
      editing the corresponding access rights of the user in the list of corresponding access rights.
  - 19. The DS module of claim 17 further comprises:
    - the processing module is further operable to update the data object access control file by at least one of;
      
      adding new data access restrictions to the list of data access restrictions for another one or more of the users of the list of users of the logical memory access control file;
      
      adding the new data access restrictions to the list of data access restrictions for the one or more of the users of the list of users of the logical memory access control file; and
      
      deleting one or more data access restrictions from the list of data access restrictions for the one or more of the users of the list of users of the logical memory access control file.
  - 20. The DS module of claim 17 further comprises:
    - when the data object corresponding to the data object identifier is stored in the memory of the DSN and the data access request type is to delete the data object, the processing module is further operable to;
      
      determine, based on the logical memory access control file, whether the user has corresponding access rights to delete the data object;
      
      when the user has corresponding access rights to delete the data object, delete the data object access control file and the data object;
      
      delete linking of the data object access control file to the logical memory access control file; and
      
      process the data access request to delete the data object from the memory of the DSN.
  - 21. The DS module of claim 17 further comprises:
    - the processing module is further operable to link the data object access control file to a folder access control file of a set of folder access control files, wherein the set of folder access control files is associated with the logical memory access control file, wherein the folder access control file includes data access restrictions for one or more of the users of the list of users of the logical memory access control file regarding data objects stored within a corresponding folder of the particular logical memory space, in which a sub-set of data object access control files is associated with the folder access control file.
  - 22. The DS module of claim 17 further comprises:
    - the processing module is further operable to;
      
      store the data object access control file with the data object in the memory of the DSN;
      
      orstore the data object access control file as a separate file in the memory of the DSN.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Leggette, Wesley, Young, Jesse Louis, Resch, Jason K.
Primary Examiner(s)
Abyaneh, Ali

Application Number

US14/029,006
Publication Number

US 20140123316A1
Time in Patent Office

1,659 Days
Field of Search

726 28
US Class Current
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 21/6218   to a system of files or obj...

H04L 67/1097   for distributed storage of ...

Access control of data in a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Access control of data in a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others