Delegate authorization in cloud-based storage system

US 9,209,973 B2
Filed: 11/20/2012
Issued: 12/08/2015
Est. Priority Date: 11/20/2012
Status: Active Grant

First Claim

Patent Images

1. A method performed by one or more processors, the method comprising:

receiving, at a hosted storage service, a resource and a request to store the resource, the request including a location of an access control service, wherein the access control service is separate from the hosted storage service and controls access permissions for the resource;

storing, at the hosted storage service, the resource in association with metadata that indicates the location of the access control service;

receiving, at the hosted storage service and from a client system, a request to access the stored resource;

accessing, at the hosted storage service, the metadata stored in association with the resource;

determining, at the hosted storage service and based on the metadata, that access permissions for the resource are controlled by the access control service;

in response to determining that access permissions for the resource are controlled by the access control service, sending an access request from the hosted storage service to the access control service, the access request identifying the resource and a user of the client system;

receiving, at the hosted storage service and from the access control service, an access response that indicates the user is permitted to access the resource; and

in response to receiving the access response, sending the resource from the hosted storage service to the client system, wherein the resource is encrypted by a content provider with a first key before the resource is received at the hosted storage service;

receiving, at the hosted storage service, the first key encrypted with a client key; and

sending, by the hosted storage service and to the client system, the first key encrypted with the client key for decryption by the client using the client key, wherein the first key encrypted with a client key is received from an access keystore that is subject to a different administrative control than the hosted storage service and subject to a different administrative control than the access control service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

At a hosted storage service, a resource and a request to store the resource are received. The request includes a location of an access control service. The access control service is separate from the hosted storage service and controls access permissions for the resource. A request to access the stored resource is received. The hosted storage service accesses metadata stored in association with the resource and determines that access permissions for the resource are controlled by the access control service. An access request is from the hosted storage service to the access control service, the access request identifying the resource and a user of the client system.

335 Citations

22 Claims

1. A method performed by one or more processors, the method comprising:
- receiving, at a hosted storage service, a resource and a request to store the resource, the request including a location of an access control service, wherein the access control service is separate from the hosted storage service and controls access permissions for the resource;
  
  storing, at the hosted storage service, the resource in association with metadata that indicates the location of the access control service;
  
  receiving, at the hosted storage service and from a client system, a request to access the stored resource;
  
  accessing, at the hosted storage service, the metadata stored in association with the resource;
  
  determining, at the hosted storage service and based on the metadata, that access permissions for the resource are controlled by the access control service;
  
  in response to determining that access permissions for the resource are controlled by the access control service, sending an access request from the hosted storage service to the access control service, the access request identifying the resource and a user of the client system;
  
  receiving, at the hosted storage service and from the access control service, an access response that indicates the user is permitted to access the resource; and
  
  in response to receiving the access response, sending the resource from the hosted storage service to the client system, wherein the resource is encrypted by a content provider with a first key before the resource is received at the hosted storage service;
  
  receiving, at the hosted storage service, the first key encrypted with a client key; and
  
  sending, by the hosted storage service and to the client system, the first key encrypted with the client key for decryption by the client using the client key, wherein the first key encrypted with a client key is received from an access keystore that is subject to a different administrative control than the hosted storage service and subject to a different administrative control than the access control service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the access control service maintains an access control list that defines who is authorized to perform actions on resources, and the nature of the permitted actions.
  - 3. The method of claim 1, wherein the access control service is subject to a different administrative control than the hosted storage service.
  - 4. The method of claim 1, wherein the first key is provided to the client system from the content provider.
  - 5. The method of claim 1, wherein the first key is encrypted with a provider key and wherein the method further comprises:
    - receiving, at the hosted storage service, the encrypted first key; and
      
      storing, at the hosted storage service and in association with the resource, the encrypted first key.
  - 6. The method of claim 5, the method further comprising;
    - in response to receiving the access response, sending the encrypted first key from the hosted storage service to the client system.
  - 7. The method of claim 1, wherein the metadata stored in association with the resource comprises an access control list.
  - 8. The method of claim 7, wherein the access control list identifies a user and access permission for the associated resource for the user.
  - 9. The method of claim 7, wherein the hosted storage service stores a second resource in association with a second access control list which identifies a second user and a second access permission for the associated second resource for the second user.
  - 10. The method of claim 1, the method further comprising:
    - receiving, at the hosted storage service, a validation of the access control service indicating that the access control service is able to be used for authorizing access to the resource.
  - 11. The method of claim 1, wherein receiving a request to access the stored resource includes receiving authentication information agreed upon by client system and the access control service;
    - andwherein sending an access request to the access control service include sending the authentication information.

12. A computer system comprising:
- a hosted storage service comprising at least one processor and computer memory and configured to;
  
  receive a resource and a request to store the resource, the request including a location of an access control service, wherein the access control service is separate from the hosted storage service and controls access permissions for the resource;
  
  store the resource in association with metadata that indicates the location of the access control service;
  
  receive a request to access the stored resource;
  
  access the metadata stored in association with the resource;
  
  determine, based on the metadata, that access permissions for the resource are controlled by the access control service;
  
  in response to determining that access permissions for the resource are controlled by the access control service, send an access request to the access control service, the access request identifying the resource and a user of a client system; and
  
  receive, from the access control service, an access response that indicates the user is permitted to access the resource; and
  
  in response to receiving the access response, send the resource from the hosted storage service to the client system;
  
  the client system comprising at least one processor and computer memory and configured to;
  
  send, to the hosted storage service, the request to access the stored resource; and
  
  receive from the hosted storage service, the resource;
  
  an access control service configured to;
  
  receive, from the hosted storage service, the access request; and
  
  send, in response to receiving the access request, the access response; and
  
  a content provider comprising at least one processor and computer memory and configured to;
  
  encrypt the resource with a first key; and
  
  send, after encrypting the resource, the resource to the hosted storage service;
  
  wherein;
  
  the access control service further configured to;
  
  encrypt the first key with a client key; and
  
  send, to the hosted storage service, the first key encrypted with the client key;
  
  the hosted storage service further configured to;
  
  receive the first key encrypted with the client key; and
  
  send, to the client system, the first key encrypted with the client key;
  
  the client system further configured to receive the first key encrypted with the client key; and
  
  an access keystore comprising at least one processor and computer memory and that is subject to a different administrative control than the hosted storage service and subject to a different administrative control than the access control service, the access keystore configured to;
  
  send, to the hosted storage service, the first key encrypted with a client key to the hosted storage system;
  
  wherein;
  
  the hosted storage service further configured to;
  
  receive the first key encrypted with a client key.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the access control service maintains an access control list that defines who is authorized to perform actions on resources, and the nature of the permitted actions.
  - 14. The system of claim 12, wherein the access control service is subject to a different administrative control than the hosted storage service.
  - 15. The system of claim 12, wherein:
    - the content provider is further configured to send, to the client system, the first key; and
      
      the client system is further configured to receive the first key.
  - 16. The system of claim 12, wherein the first key is encrypted with a provider key and wherein the hosted storage service is further configured to:
    - receive the encrypted first key; and
      
      store the encrypted first key in association with the resource.
  - 17. The system of claim 16, wherein the hosted storage service is further configured to send the encrypted first key to the client system in response to receiving the access response.
  - 18. The system of claim 12, wherein the metadata stored in association with the resource comprises an access control list.
  - 19. The system of claim 18, wherein the access control list identifies a user and access permission for the associated resource for the user.
  - 20. The system of claim 18, wherein:
    - the hosted storage service is further configured to store a second resource in association with a second access control list which identifies a second user and a second access permission for the associated second resource for the second user.
  - 21. The system of claim 12, wherein the hosted storage service is further configured to receive a validation of the access control service indicating that the access control service is able to be used for authorizing access to the resource.
  - 22. The system of claim 12, wherein, to receive a request to access the stored resource, the hosted storage service is further configured to receive authentication information agreed upon by client system and the access control service;
    - andwherein to send an access request to the access control service, the hosted storage service is configured to send the authentication information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Aikas, Erkki Ville, Erb, David
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US13/681,516
Publication Number

US 20140143543A1
Time in Patent Office

1,113 Days
Field of Search

726/1, 726/26, 726/27, 726/28, 726/29, 726/30, 713/166, 713/167, 713/168
US Class Current

1/1
CPC Class Codes

G06F 16/252   between a Database Manageme...

G06F 21/6209   to a single file or object,...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/101   Access control lists [ACL]

H04L 67/1097   for distributed storage of ...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

Delegate authorization in cloud-based storage system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

335 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Delegate authorization in cloud-based storage system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

335 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links