Delegate authorization in cloud-based storage system
First Claim
1. A method performed by one or more processors, the method comprising:
receiving, at a hosted storage service, a resource and a request to store the resource, the request including a location of an access control service, wherein the access control service is separate from the hosted storage service and controls access permissions for the resource;
storing, at the hosted storage service, the resource in association with metadata that indicates the location of the access control service;
receiving, at the hosted storage service and from a client system, a request to access the stored resource;
accessing, at the hosted storage service, the metadata stored in association with the resource;
determining, at the hosted storage service and based on the metadata, that access permissions for the resource are controlled by the access control service;
in response to determining that access permissions for the resource are controlled by the access control service, sending an access request from the hosted storage service to the access control service, the access request identifying the resource and a user of the client system;
receiving, at the hosted storage service and from the access control service, an access response that indicates the user is permitted to access the resource; and
in response to receiving the access response, sending the resource from the hosted storage service to the client system, wherein the resource is encrypted by a content provider with a first key before the resource is received at the hosted storage service;
receiving, at the hosted storage service, the first key encrypted with a client key; and
sending, by the hosted storage service and to the client system, the first key encrypted with the client key for decryption by the client using the client key, wherein the first key encrypted with a client key is received from an access keystore that is subject to a different administrative control than the hosted storage service and subject to a different administrative control than the access control service.
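The flow recited in claim 1, as an added Python sketch that is not part of the patent text. Assumptions: the class and function names are hypothetical, a dictionary stands in for the network and for the access keystore, the wrapped key is deposited in the keystore in advance, the cipher is a standard-library stand-in, and refusing access when the access control service cannot be reached is this example's own choice.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 counter keystream) so the example needs only the
    # standard library; a real system would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(b"enc" + key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return _xor_stream(key, nonce, ct)

class AccessControlService:
    """Separate policy service; the storage host only asks it yes/no."""
    def __init__(self, allowed):
        self.allowed = allowed                      # {(resource_id, user), ...}
    def check(self, resource_id, user):
        return (resource_id, user) in self.allowed

class HostedStorage:
    """Holds ciphertext plus metadata naming the ACS; never holds first_key."""
    def __init__(self, reachable_acs, keystore):
        self.reachable_acs = reachable_acs          # location -> service (stands in for the network)
        self.keystore = keystore                    # separately administered: (rid, user) -> wrapped key
        self.objects = {}
    def put(self, rid, ciphertext, acs_location):
        self.objects[rid] = (ciphertext, {"acs_location": acs_location})
    def get(self, rid, user):
        ciphertext, meta = self.objects[rid]
        acs = self.reachable_acs.get(meta["acs_location"])
        if acs is None or not acs.check(rid, user):  # fail closed: no ACS answer means no data
            raise PermissionError(f"{user} denied for {rid}")
        return ciphertext, self.keystore[(rid, user)]

def demo():
    first_key, alice_key = secrets.token_bytes(32), secrets.token_bytes(32)
    loc = "https://acs.example/check"               # constructed location
    keystore = {("doc1", "alice"): seal(alice_key, first_key)}
    storage = HostedStorage({loc: AccessControlService({("doc1", "alice")})}, keystore)
    storage.put("doc1", seal(first_key, b"quarterly report"), loc)
    ct, wrapped = storage.get("doc1", "alice")
    return storage, unseal(unseal(alice_key, wrapped), ct)
```

The storage object only ever handles the sealed resource and the sealed key, so reading its `objects` map yields no plaintext.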
2 Assignments
0 Petitions
Abstract
At a hosted storage service, a resource and a request to store the resource are received. The request includes a location of an access control service. The access control service is separate from the hosted storage service and controls access permissions for the resource. A request to access the stored resource is received. The hosted storage service accesses metadata stored in association with the resource and determines that access permissions for the resource are controlled by the access control service. An access request is sent from the hosted storage service to the access control service, the access request identifying the resource and a user of the client system.
335 Citations
22 Claims
1. A method performed by one or more processors (recited in full under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A computer system comprising:
a hosted storage service comprising at least one processor and computer memory and configured to:
  receive a resource and a request to store the resource, the request including a location of an access control service, wherein the access control service is separate from the hosted storage service and controls access permissions for the resource;
  store the resource in association with metadata that indicates the location of the access control service;
  receive a request to access the stored resource;
  access the metadata stored in association with the resource;
  determine, based on the metadata, that access permissions for the resource are controlled by the access control service;
  in response to determining that access permissions for the resource are controlled by the access control service, send an access request to the access control service, the access request identifying the resource and a user of a client system; and
  receive, from the access control service, an access response that indicates the user is permitted to access the resource; and
  in response to receiving the access response, send the resource from the hosted storage service to the client system;
the client system comprising at least one processor and computer memory and configured to:
  send, to the hosted storage service, the request to access the stored resource; and
  receive from the hosted storage service, the resource;
an access control service configured to:
  receive, from the hosted storage service, the access request; and
  send, in response to receiving the access request, the access response; and
a content provider comprising at least one processor and computer memory and configured to:
  encrypt the resource with a first key; and
  send, after encrypting the resource, the resource to the hosted storage service;
wherein:
the access control service further configured to:
  encrypt the first key with a client key; and
  send, to the hosted storage service, the first key encrypted with the client key;
the hosted storage service further configured to:
  receive the first key encrypted with the client key; and
  send, to the client system, the first key encrypted with the client key;
the client system further configured to receive the first key encrypted with the client key; and
an access keystore comprising at least one processor and computer memory and that is subject to a different administrative control than the hosted storage service and subject to a different administrative control than the access control service, the access keystore configured to:
  send, to the hosted storage service, the first key encrypted with a client key to the hosted storage system;
wherein:
the hosted storage service further configured to:
  receive the first key encrypted with a client key.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
Specification