Multiprotocol access control list with guaranteed protocol compliance

US 9,336,406 B2
Filed: 11/14/2013
Issued: 05/10/2016
Est. Priority Date: 11/14/2013
Status: Active Grant

First Claim

Patent Images

1. A method of access rights validation for a multiprotocol supported file server, comprising:

receiving a request to store a file on a file server from an owner protocol, the request to store comprising the file and a security descriptor;

storing the file on the file server;

storing the security descriptor according to a specification of the owner protocol in an extended attribute associated with the file;

receiving a request to open the file from a requestor protocol having a user ID;

expanding the security descriptor to extract a set of ACEs (access control entries), wherein the set of ACEs comprises at least one of an NTFS, an NFS, and a POSIX access control entry;

transforming the user ID to a mapped ID according to the specification of the owner protocol; and

validating the mapped ID against the set of ACEs expanded from the security descriptor according to the specification of the owner protocol.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach to multiprotocol ACL implementation with guaranteed protocol compliance is described. In one approach, a method of access rights validation for a multiprotocol supported file server is detailed. The method involves receiving a request to store a file with a security descriptor and storing the security descriptor in an extended attribute associated with the file. Subsequently, the security descriptor is expanded to extract a set of ACEs. Access to the file can then be validated against the ACEs expanded from the security descriptor according to the specifications of the protocol that created the security descriptor.

4 Citations

20 Claims

1. A method of access rights validation for a multiprotocol supported file server, comprising:
- receiving a request to store a file on a file server from an owner protocol, the request to store comprising the file and a security descriptor;
  
  storing the file on the file server;
  
  storing the security descriptor according to a specification of the owner protocol in an extended attribute associated with the file;
  
  receiving a request to open the file from a requestor protocol having a user ID;
  
  expanding the security descriptor to extract a set of ACEs (access control entries), wherein the set of ACEs comprises at least one of an NTFS, an NFS, and a POSIX access control entry;
  
  transforming the user ID to a mapped ID according to the specification of the owner protocol; and
  
  validating the mapped ID against the set of ACEs expanded from the security descriptor according to the specification of the owner protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the request to open the file comprises an access mode.
  - 3. The method of claim 2, further comprising validating the access mode against an open state of the file.
  - 4. The method of claim 3, further comprising:
    - sending the request to open the file, the security descriptor, and an open state to a multiprotocol access handler;
      
      upon receiving the request to open the file, validating the access mode against the open state at the multiprotocol access handler and validating the user ID against the set of ACEs expanded from the security descriptor at the multiprotocol access handler.
  - 5. The method of claim 1, further comprising:
    - setting a mode bit associated with the file based on the security descriptor.
  - 6. The method of claim 1, wherein the user ID is transformed using a mapping table.
  - 7. The method of claim 1, wherein the user ID is transformed according to a specification of the owner protocol.
  - 8. The method of claim 1, wherein a user ID will be treated as a member of an unauthenticated user group if no mapped ID is available.
  - 9. The method of claim 1, wherein the extended attribute is contained in an inode associated with the file.
  - 10. The method of claim 9, wherein the file system is POSIX compliant.

11. An apparatus for performing access rights validation for a multiprotocol supported file server, comprising:
- a main memory;
  
  a data storage device; and
  
  a processor communicatively coupled to the main memory and the data storage device that receives a request to store a file on the data storage device from an owner protocol, the request to store comprising the file and a security descriptor, stores the file on the data storage device, stores the security descriptor according to a specification of the owner protocol in an extended attribute associated with the file, receives a request to open the file from a requestor protocol having a user ID, expands the security descriptor to extract a set of ACEs (access control entries) in the main memory, wherein the set of ACEs comprises at least one of an NTFS, an NFS, and a POSIX access control entry, transforms the user ID to a mapped ID according to the specification of the owner protocol, and validates the mapped ID against the set of ACEs expanded from the security descriptor according to the specification of the owner protocol.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11, wherein the request to open the file further comprises an access mode.
  - 13. The apparatus of claim 12, wherein the processor validates the access mode against an open state of the file.
  - 14. The apparatus of claim 13, further comprising:
    - sending the request to open the file, the security descriptor, and an open state to a multiprotocol access handler; and
      
      upon receiving the request to open the file, validating the access mode against the open state at the multiprotocol access handler and validating the user ID against the set of ACEs expanded from the security descriptor at the multiprotocol access handler.
  - 15. The apparatus of claim 11, further comprising:
    - setting a mode bit associated with the file based on the security descriptor.
  - 16. The apparatus of claim 11, wherein the user ID is transformed using a mapping table.

17. An apparatus for providing access rights validation for a multiprotocol supported file server, comprising:
- a multiprotocol access handler circuit configured to receive a request to store a file on a file system from an owner protocol, the request to store comprising the file and a security descriptor; and
  
  memory coupled to the multiprotocol access handler circuit configured to;
  
  store the file on the file server;
  
  store the security descriptor according to a specification of the owner protocol in an extended attribute associated with the file; and
  
  expand the security descriptor to extract a set of ACEs (access control entries) in response to receiving a request to open the file from a requestor protocol having a user ID,wherein the user ID is transformed to a mapped ID according to the specification of the owner protocol, and the mapped ID is validated against the set of ACEs expanded from the security descriptor by the multiprotocol access handler circuit according to the specification of the owner protocol, wherein the set of ACEs comprises at least one of an NTFS, an NFS, and a POSIX access control entry.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17, wherein the request to open further comprises an access mode and the access mode is validated by the multiprotocol access handler circuit against an open state of the file.
  - 19. The apparatus of claim 17, wherein a mode bit associated with the file is set based on the security descriptor.
  - 20. The apparatus of claim 17, further comprising a mapping table configured to map a user ID to a mapped ID according to a specification of the owner protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Inventors
Das, Kalyan
Primary Examiner(s)
POWERS, WILLIAM S

Application Number

US14/080,669
Publication Number

US 20150135331A1
Time in Patent Office

908 Days
Field of Search

726/27
US Class Current

1/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Multiprotocol access control list with guaranteed protocol compliance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

4 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multiprotocol access control list with guaranteed protocol compliance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links