Systems and methods for tying token validity to a task executed in a computing system

US11201739B2 · US · B2

Patent metadata

Field               Value
Publication number  US-11201739-B2
Application number  US-201916401608-A
Country             US
Kind code           B2
Filing date         May 2, 2019
Priority date       May 2, 2019
Publication date    Dec 14, 2021
Grant date          Dec 14, 2021

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

It is desired to try to increase the security of a computing system running computer applications that may access data in a data storage system. In some embodiments, a token associates a user with a task that is being executed by a computing node. It may therefore be possible to determine which user executed which tasks. In some embodiments, the validity of a token is tied to the lifespan of a task associated with the token, rather than to a fixed amount of time. Therefore, if the task associated with the token is complete, the token may become invalid, rather than remaining valid for a duration of time that possibly exceeds the lifespan of the associated task. In some embodiments, a token is used to enforce data access control, e.g. to deny certain users access to certain data in the data storage system.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method performed by a server in a computing system, the method comprising: receiving a request for a task token from a computing node, wherein the task token is a token specific to a task scheduled for execution on the computing node, and wherein the request for the task token includes a task identifier (ID) that identifies the task; digitally signing at least the task ID to obtain a digital signature, and incorporating the task ID and the digital signature into the task token; transmitting the task token to the computing node; subsequently receiving a request for a data access token from the computing node, wherein the data access token is a token required to access data stored in a data storage system, and wherein the request for the data access token includes the task token; verifying the digital signature of the task token received in the request for the data access token; extracting the task ID from the task token received in the request for the data access token; transmitting a message to a computing device, the message including the task ID and the message querying whether the task identified by the task ID is still being executed by the computing node; receiving a response from the computing device, the response indicating that the task identified by the task ID is still being executed by the computing node; subsequent to receiving the response, sending the data access token to the computing node for use by the computing node to access the data from the data storage system during execution of the task by the computing node.

2. The method of claim 1, wherein the task originates from a user, wherein the request for the task token also includes information that identifies the user, wherein the information that identifies the user is also digitally signed by the server to obtain the digital signature, and wherein the information that identifies the user is also incorporated into the task token.

3. The method of claim 2, wherein the computing system is a distributed computing system, wherein the computing node is one of a plurality of computing nodes in the distributed computing system, and wherein the computing device is a resource manager responsible for scheduling tasks on the computing nodes.

4. The method of claim 3, further comprising storing the task token in memory for retrieval during an audit.

5. The method of claim 2, further comprising: extracting the information identifying the user from the task token received in the request for the data access token; using the information identifying the user to determine a restriction on the user in relation to accessing the data in the data storage system; and indicating the restriction in the data access token and/or in information sent to the computing node along with the data access token.

6. The method of claim 5, wherein the restriction comprises at least one of the following: the user does not have permission to read the data in the data storage system; and/or the user does not have permission to write data to the data storage system; and/or the user has access to only certain data in the data storage system.

7. The method of claim 5, further comprising also using the task ID to determine the restriction, and wherein the restriction comprises the user only being able to access certain data in the data storage system for the task identified by the task ID.

8. The method of claim 2, wherein the digital signature is obtained by: the server using a private key to digitally sign a data block that includes at least the task ID and the information that identifies the user; and wherein the task token comprises the digital signature, the task ID, and the information that identifies the user.

9. The method of claim 2, wherein the digital signature is a first digital signature, wherein the task ID is bound to an identity of the computing node using a second digital signature, wherein the second digital signature is received from the computing node, and wherein the second digital signature is verified by the server prior to sending the data access token to the computing node.

10. The method of claim 2, wherein the server incorporates the task ID and/or the information identifying the user into the data access token.

11. A server comprising: a processor; a memory; and at least one network interface; wherein the at least one network interface is to receive a request for a task token from a computing node, wherein the task token is a token specific to a task scheduled for execution on the computing node, and wherein the request for the task token includes a task identifier (ID) that identifies the task; wherein the processor is to digitally sign at least the task ID to obtain a digital signature, and incorporate the task ID and the digital signature into the task token; wherein the at least one network interface is further to: transmit the task token to the computing node, and subsequently receive a request for a data access token from the computing node, wherein the data access token is a token required to access data stored in a data storage system, and wherein the request for the data access token includes the task token; wherein the processor is to: verify the digital signature of the task token received in the request for the data access token, and extract the task ID from the task token received in the request for the data access token; wherein the at least one network interface is further to: transmit a message to a computing device, the message including the task ID and the message querying whether the task identified by the task ID is still being executed by the computing node; receive a response from the computing device, the response indicating that the task identified by the task ID is still being executed by the computing node; subsequent to receiving the response, send the data access token to the computing node for use by the computing node to access the data from the data storage system during execution of the task by the computing node.

12. The server of claim 11, wherein the task originates from a user, wherein the request for the task token is to also include information that identifies the user, wherein the information that identifies the user is also to be digitally signed by the processor to obtain the digital signature, and wherein the information that identifies the user is to also be incorporated into the task token.

13. The server of claim 12, wherein the computing node is one of a plurality of computing nodes in a distributed computing system, and wherein the computing device is a resource manager responsible for scheduling tasks on the computing nodes.

14. The server of claim 13, wherein the memory is to store the task token for retrieval during an audit.

15. The server of claim 12, wherein the processor is to: extract the information identifying the user from the task token received in the request for the data access token; use the information identifying the user to determine a restriction on the user in relation to accessing the data in the data storage system; and indicate the restriction in the data access token and/or in information to be sent to the computing node along with the data access token.

16. The server of claim 15, wherein the restriction comprises at least one of the following: the user does not have permission to read the data in the data storage system; and/or the user does not have permission to write data to the data storage system; and/or the user has access to only certain data in the data storage system.

17. The server of c
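The token flow of claims 1 to 7, as an added Python example that is not code from the patent or its assignee. It assumes an HMAC-SHA256 over a constructed key in place of the server's private-key signature, a stub resource manager standing in for the scheduler the server queries, and a constructed access-control table for the per-user restriction:

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a constructed server key stands in for the
# server's private-key signature; a deployment would use an asymmetric key.
SERVER_KEY = b"constructed-demo-server-key"
AUDIT_LOG = []  # task tokens retained for later audit, as in claim 4


class ResourceManager:
    """Hypothetical scheduler stub: tracks which task runs on which node."""

    def __init__(self):
        self.running = {}  # task_id -> node_id

    def start(self, task_id, node_id):
        self.running[task_id] = node_id

    def finish(self, task_id):
        self.running.pop(task_id, None)

    def is_running(self, task_id, node_id):
        return self.running.get(task_id) == node_id


def sign(payload):
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_task_token(task_id, user):
    """Server binds the task ID and the user together under one signature."""
    payload = {"task_id": task_id, "user": user}
    token = {**payload, "sig": sign(payload)}
    AUDIT_LOG.append(token)
    return token


def issue_data_access_token(task_token, node_id, rm, acl):
    """Return a signed data access token, or None if the task token is rejected."""
    payload = {"task_id": task_token.get("task_id"), "user": task_token.get("user")}
    # 1. Verify the signature before trusting anything carried in the token.
    if not hmac.compare_digest(task_token.get("sig", ""), sign(payload)):
        return None
    # 2. Ask the resource manager whether the task still runs on this node;
    #    once the task has finished, the task token stops being usable.
    if not rm.is_running(payload["task_id"], node_id):
        return None
    # 3. Derive the user's restriction and carry it inside the access token.
    grant = {**payload, "node": node_id, "permission": acl.get(payload["user"], "none")}
    return {**grant, "sig": sign(grant)}
```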

Assignees

Shopify Inc

Inventors

Classifications

  • G06F9/5027 (Primary)

    the resource being a machine, e.g. CPUs, Servers, Terminals · CPC title

  • H04L9/3213 (Primary)

    using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title

  • Task life-cycle, e.g. stopping, restarting, resuming execution (G06F9/4881 takes precedence) · CPC title

  • Tools and structures for managing or administering access control systems · CPC title

  • using certificates · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11201739B2 cover?
It is desired to try to increase the security of a computing system running computer applications that may access data in a data storage system. In some embodiments, a token associates a user with a task that is being executed by a computing node. It may therefore be possible to determine which user executed which tasks. In some embodiments, the validity of a token is tied to the lifespan of a …
Who is the assignee on this patent?
Shopify Inc
What technology area does this patent fall under?
Primary CPC classification G06F9/5027. Mapped technology areas include Physics.
When was this patent published?
Publication date Dec 14, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).