Systems and methods for associating a user with a task executed in a computing system

US11201738B2 · US · B2

Patent metadata

Publication number: US-11201738-B2
Application number: US-201916401606-A
Country: US
Kind code: B2
Filing date: May 2, 2019
Priority date: May 2, 2019
Publication date: Dec 14, 2021
Grant date: Dec 14, 2021

Abstract

Official abstract text for this publication.

It is desired to try to increase the security of a computing system running computer applications that may access data in a data storage system. In some embodiments, a token associates a user with a task that is being executed by a computing node. It may therefore be possible to determine which user executed which tasks. In some embodiments, the validity of a token is tied to the lifespan of a task associated with the token, rather than to a fixed amount of time. Therefore, if the task associated with the token is complete, the token may become invalid, rather than remaining valid for a duration of time that possibly exceeds the lifespan of the associated task. In some embodiments, a token is used to enforce data access control, e.g. to deny certain users access to certain data in the data storage system.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method performed by a computing node in a computing system, the method comprising: receiving at the computing node: (i) information that identifies a user, and (ii) a task originating from the user that is scheduled for execution on the computing node; transmitting a request for a task token to a server, wherein the task token is a token specific to the task, and wherein the request for the task token includes: (i) the information that identifies the user, and (ii) a task identifier (ID) that identifies the task; receiving the task token from the server, wherein the task token incorporates the information that identifies the user and the task ID, and the task token is digitally signed; executing the task on the computing node, wherein executing the task includes: transmitting a request for a data access token to the server, wherein the data access token is a token required to access data stored in a data storage system, and wherein the request for the data access token includes the task token; in response to transmitting the request for the data access token, receiving the data access token from the server; and accessing the data from the data storage system using the data access token; wherein the method further comprises: using a private key to obtain a digital signature by digitally signing information that includes both the task ID and an identifier of the computing node, and then including the digital signature in the request for the task token and/or in the request for the data access token.

2. The method of claim 1, wherein the computing system is a distributed computing system, wherein the computing node is one of a plurality of computing nodes in the distributed computing system, and wherein the information that identifies the user and the task are both received from a resource manager responsible for scheduling tasks on the computing nodes.

3. The method of claim 2, further comprising: upon completion of executing the task, transmitting to the resource manager an indication that the task is complete.

4. The method of claim 3, wherein the indication that the task is complete comprises an indication that computing resources used to execute the task are now available for use to execute another task.

5. The method of claim 3, wherein before execution of the task or before execution of the task is complete, the method further comprises: the computing node transmitting the task ID to the resource manager to identify the task.

6. The method of claim 1, wherein the information that identifies the user of the computing system comprises a user credential, wherein the user credential originates from a user input at a user device.

7. The method of claim 1, wherein a digital signature of the task token incorporates both the information that identifies the user and the task ID.

8. The method of claim 1, wherein the data access token incorporates the task ID and/or the information identifying the user.

9. The method of claim 2, wherein the information that identifies the user and that is received from the resource manager is: (i) incorporated into a submission token that originates from the user, or (ii) incorporated into a token that originates from a workflow scheduler.

10. A computing node comprising: a processor; a memory; and at least one network interface; wherein the at least one network interface is to: receive both (i) information that identifies a user, and (ii) a task originating from the user that is scheduled for execution on the computing node; transmit a request for a task token to a server, wherein the task token is a token specific to the task, and wherein the request for the task token includes: (i) the information that identifies the user, and (ii) a task identifier (ID) that identifies the task; and receive the task token from the server, wherein the task token incorporates the information that identifies the user and the task ID, and the task token is digitally signed; wherein the processor is to execute the task on the computing node, and during the execution of the task the at least one network interface is to: transmit a request for a data access token to the server, wherein the data access token is a token required to access data stored in a data storage system, and wherein the request for the data access token includes the task token; in response to transmitting the request for the data access token, receive the data access token from the server; and transmit the data access token to the data storage system to access the data; wherein the processor is to: use a private key to obtain a digital signature by digitally signing information that includes both the task ID and an identifier of the computing node, and then include the digital signature in the request for the task token and/or in the request for the data access token.

11. The computing node of claim 10, wherein the computing node is one of a plurality of computing nodes in a distributed computing system, and wherein the information that identifies the user and the task are both to be received from a resource manager responsible for scheduling tasks on the computing nodes.

12. The computing node of claim 11, wherein upon completion of executing the task, the at least one network interface is to: transmit to the resource manager an indication that the task is complete.

13. The computing node of claim 12, wherein the indication that the task is complete comprises an indication that computing resources used to execute the task are now available for use to execute another task.

14. The computing node of claim 12, wherein before execution of the task or before execution of the task is complete, the at least one network interface is to: transmit the task ID to the resource manager to identify the task.

15. The computing node of claim 10, wherein the information that identifies the user of the computing system comprises a user credential, wherein the user credential originates from a user input at a user device.

16. The computing node of claim 10, wherein a digital signature of the task token incorporates both the information that identifies the user and the task ID.

17. The computing node of claim 10, wherein the data access token incorporates the task ID and/or the information identifying the user.

18. The computing node of claim 11, wherein the information that identifies the user and that is to be received from the resource manager is: (i) incorporated into a submission token that originates from the user, or (ii) incorporated into a token that originates from a workflow scheduler.
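
The token flow of claim 1 and the abstract, seen from the token server's side, as an added example (not code from the patent or its assignee). Ed25519, the Token fields, the "|" encoding, the node-key registry and the `active` map that models the task's lifespan are all assumptions made for illustration.

```go
package main

import "crypto/ed25519"
import "fmt"

// Token and Server are hypothetical; field names and the "|" encoding are assumptions.
type Token struct {
	Kind, User, TaskID string
	Sig                []byte
}
func (t Token) payload() []byte { return []byte(t.Kind + "|" + t.User + "|" + t.TaskID) }

type Server struct {
	priv   ed25519.PrivateKey
	nodes  map[string]ed25519.PublicKey // node ID -> registered node key
	active map[string]bool              // task ID -> still executing
}

func (s *Server) issue(t Token) Token {
	return Token{t.Kind, t.User, t.TaskID, ed25519.Sign(s.priv, t.payload())}
}

// TaskToken checks the node's signature over task ID + node ID, then binds user to task.
func (s *Server) TaskToken(user, task, node string, proof []byte) (Token, error) {
	if pk, ok := s.nodes[node]; !ok || !ed25519.Verify(pk, []byte(task+"|"+node), proof) {
		return Token{}, fmt.Errorf("node signature rejected")
	}
	s.active[task] = true
	return s.issue(Token{Kind: "task", User: user, TaskID: task}), nil
}

// DataAccessToken honours a task token only while its task is still running.
func (s *Server) DataAccessToken(tt Token) (Token, error) {
	pub := s.priv.Public().(ed25519.PublicKey)
	if tt.Kind != "task" || !ed25519.Verify(pub, tt.payload(), tt.Sig) || !s.active[tt.TaskID] {
		return Token{}, fmt.Errorf("task token invalid or task complete")
	}
	return s.issue(Token{Kind: "data", User: tt.User, TaskID: tt.TaskID}), nil
}

func main() { // constructed IDs; deleting from s.active models task completion
	_, sk, _ := ed25519.GenerateKey(nil)
	npub, nk, _ := ed25519.GenerateKey(nil)
	s := &Server{sk, map[string]ed25519.PublicKey{"node-7": npub}, map[string]bool{}}
	tt, _ := s.TaskToken("alice", "task-42", "node-7", ed25519.Sign(nk, []byte("task-42|node-7")))
	_, before := s.DataAccessToken(tt)
	delete(s.active, "task-42")
	_, after := s.DataAccessToken(tt)
	fmt.Println("running:", before, "| completed:", after)
}
```

The same task token that yields a data access token while the task runs is refused once the task is removed from `active`, with no expiry timer involved. A production encoding would length-prefix the signed fields rather than join them with "|".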

Classifications

  • involving digital signatures

  • for controlling access to devices or network resources

  • H04L63/062 (Primary): for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819)

  • by program, e.g. task dispatcher, supervisor, operating system

  • Access control lists [ACL]

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Shopify Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/062. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 14, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).