Multi-protocol access control lists
US-2018288057-A1 · Oct 4, 2018 · US
Access verification for distributed file systems
US10614241B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-10614241-B1 |
| Application number | US-201816234334-A |
| Country | US |
| Kind code | B1 |
| Filing date | Dec 27, 2018 |
| Priority date | Dec 27, 2018 |
| Publication date | Apr 7, 2020 |
| Grant date | Apr 7, 2020 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Managing data in a file system with a verification engine that may obtain a user identifier associated with a user, an object identifier, and a target object. The verification engine may determine target identities associated with two or more file system protocols based on the user identifier. The verification engine may determine permission entries associated with the two or more file system protocols associated and the target object. The verification engine may employ the target identities and the permission entries to directly verify access rights to the target object for the user. Accordingly, the verification engine may provide a report that includes the target identities, the permission entries, or the access rights.
First claim
Opening claim text (preview).
What is claimed as new and desired to be protected by Letters Patent of the United States is: 1. A method for managing data in a file system over a network using one or more processors that execute instructions to perform actions, comprising: instantiating a verification engine to perform actions including: obtaining a user identifier and an object identifier, wherein the user identifier is associated with one or more users and the object identifier is associated with one or more target objects; determining one or more target identities based on the user identifier, wherein the one or more target identities are associated with two or more file system protocols, and wherein one of the two or more file system protocols is native to the file system for utilizing a distributed underlying file distribution system for storing the one or more target objects; determining one or more permission entries associated with the one or more target objects, wherein the one or more permission entries are associated with the two or more file system protocols; when subsequent execution of one or more operations on the one or more target objects are identified to cause one or more of persistent side effects or changes to the file system, employing a file system engine to simulate the execution of the one or more identified operations, wherein non-identified operations are executed instead of simulated; employing the one or more target identities and the one or more permission entries to directly verify one or more access rights to the one or more target objects for the one or more users, wherein the access rights are based on the one or more target identities and the one or more permission entries, and wherein the direct verification reduces latency and improves accuracy in providing access rights to the one or more users for the one or more target objects; and providing a report that includes the one or more target identities, the one or more permission entries, captured information during simulation of the one or more identified operations, or the one or more access rights. 2. The method of claim 1 , wherein verifying the one or more access rights further comprises: determining a path in the file system to the one or more target objects; traversing the path in the file system, wherein the one or more permission entries of each file system object disposed between a root of the file system and the one or more target objects are evaluated; and determining the one or more access rights of each intervening file system object for the one or more users based on the one or more target identities and the one or more permission entries. 3. The method of claim 1 , wherein verifying the one or more access rights further comprises: providing a target network address that is associated with the one or more users; and modifying the one or more access rights based on the target network address. 4. The method of claim 1 , wherein determining the one or more target identities, further comprises: determining one or more target groups that include the one or more users as members; and providing one or more additional access rights based on the one or more determined target groups. 5. The method of claim 1 , wherein the verification engine performs further actions, including: determining pre-action access information that is associated with one or more access actions, wherein the pre-action access information includes context data or metadata that is associated with the one or more access actions; and further determining the one or more access rights for the one or more users based on one or more portions of the pre-action access information. 6. The method of claim 1 , further comprising, instantiating the file system engine to perform actions, including: comparing the one or more access rights with one or more access requests that are associated with the user identifier and the object identifier; and executing the one or more access requests based on an affirmative result of the comparison, wherein the one or more access requests are denied based on negative result of the comparison. 7. The method of claim 1 , wherein the verification engine performs further actions, including: determining one or more access actions that are associated with the user identifier and the object identifier, wherein an execution of the one or more access action produces one or more persistent side-effects to the file system; and simulating the execution of the one or more access actions. 8. A processor readable non-transitory storage media that includes instructions for managing data in a file system over a network, wherein execution of the instructions by one or more processors on one or more network computers performs actions, comprising: instantiating a verification engine to perform actions including: obtaining a user identifier and an object identifier, wherein the user identifier is associated with one or more users and the object identifier is associated with one or more target objects; determining one or more target identities based on the user identifier, wherein the one or more target identities are associated with two or more file system protocols, and wherein one of the two or more file system protocols is native to the file system for utilizing a distributed underlying file distribution system for storing the one or more target objects; determining one or more permission entries associated with the one or more target objects, wherein the one or more permission entries are associated with the two or more file system protocols; when subsequent execution of one or more operations on the one or more target objects are identified to cause one or more of persistent side effects or changes to the file system, employing a file system engine to simulate the execution of the one or more identified operations, wherein non-identified operations are executed instead of simulated; employing the one or more target identities and the one or more permission entries to directly verify one or more access rights to the one or more target objects for the one or more users, wherein the access rights are based on the one or more target identities and the one or more permission entries, and wherein the direct verification reduces latency and improves accuracy in providing access rights to the one or more users for the one or more target objects; and providing a report that includes the one or more target identities, the one or more permission entries, captured information during simulation of the one or more identified operations, or the one or more access rights. 9. The media of claim 8 , wherein verifying the one or more access rights further comprises: determining a path in the file system to the one or more target objects; traversing the path in the file system, wherein the one or more permission entries of each file system object disposed between a root of the file system and the one or more target objects are evaluated; and determining the one or more access rights of each intervening file system object for the one or more users based on the one or more target identities and the one or more permission entries. 10. The media of claim 8 , wherein verifying the one or more access rights further comprises: providing a target network address that is associated with the one or more users; and modifying the one or more access rights based on the target network address. 11. The media of claim 8 , wherein determining the one or more target identities, further comprises: determining one or more target groups that include the one or more users as members; and providing one or more additional access rights based on the one or mo
Assignees
Inventors
Classifications
- G06F21/629Primary
to features or functions of an application · CPC title
- G06F21/6227Primary
where protection concerns the structure of data, e.g. records, types, queries · CPC title
File access structures, e.g. distributed indices (arrangements of input from, or output to, record carriers G06F3/06) · CPC title
using management policies (point-in-time backing up or restoration of persistent data G06F11/1446; file migration policies for HSM systems G06F16/185) · CPC title
for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS] · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10614241B1 cover?
- Managing data in a file system with a verification engine that may obtain a user identifier associated with a user, an object identifier, and a target object. The verification engine may determine target identities associated with two or more file system protocols based on the user identifier. The verification engine may determine permission entries associated with the two or more file system p…
- Who is the assignee on this patent?
- Qumulo Inc
- What technology area does this patent fall under?
- Primary CPC classification G06F21/629. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Apr 07 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).