Entity authentication for pre-authenticated links
US-2024396898-A1 · Nov 28, 2024 · US
Secure isolation of tenant resources in a multi-tenant storage system using a security gateway
US9646019B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9646019-B2 |
| Application number | US-201615156821-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 17, 2016 |
| Priority date | May 2, 2013 |
| Publication date | May 9, 2017 |
| Grant date | May 9, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Machines, systems and methods for handling a client request in a hierarchical multi-tenant data storage system, the method comprising processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant; extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request; extracting authentication signatures or credentials that correspond to a level in the hierarchy; for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
First claim
Opening claim text (preview).
What is claimed is: 1. A method of maintaining resource isolation in a multi-tenant computing system, the method comprising: receiving a first request submitted by a first user in a multi-tenant computing system; extracting from the first request a first tenant ID associated with a tenant from among a plurality of tenants in the multi-tenant computing system; spawning a first request processor, wherein the first tenant ID is utilized by the first request processor to determine resource access privileges associated with the first tenant ID; spawning a subtenant authenticator; examining, by the subtenant authenticator, user credential data associated with the first request to determine whether the first user is authorized to access the one or more target resources; and servicing the first request by providing access to one or more target resources identified in the first request, in response to determining that the first tenant ID is associated with a first tenant with privileges to access the one or more target resources. 2. The method of claim 1 , wherein the security gateway determines that the first tenant ID is associated with a first tenant. 3. The method of claim 1 , wherein the subtenant authenticator determines that the first user is authorized to access the one or more target resources, in response to determining that the user credential data associated with the first request matches user credential data associated with the first tenant. 4. The method of claim 3 , wherein a plurality of subtenant authenticators are utilized to authenticate a plurality of requests, wherein the requests are respectively associated with a plurality of tenant IDs. 5. The method of claim 3 , wherein a secure communication channel is established between the first request processor and the subtenant authenticator, wherein the user credential data is transferred over the secured communication channel to the subtenant authenticator. 6. The method of claim 1 , wherein the security gateway utilizes one or more processes to service the first request by providing access to the one or more resources according to the first tenant privileges. 7. The method of claim 6 , wherein a first process is utilized to provide access to a first resource and a second process is utilized to provide access to a second resource. 8. The method of claim 7 , wherein the first process and the second process privileges are set so that the first process is exclusively dedicated to providing access to the first resource and the second process is exclusively dedicated to providing access to the second resource. 9. The method of claim 1 , wherein the first tenant ID is embedded in a header portion of a data communication packet that includes the first request. 10. A computer system comprising: one or more processors; one or more non-transitory computer readable storage media; computer program instructions; the computer program instructions being stored on the one or more non-transitory computer readable storage media; the computer program instructions comprising instructions to: receive a first request submitted by a first user in a multi-tenant computing system; extract from the first request a first tenant ID associated with a tenant from among a plurality of tenants in the multi-tenant computing system; spawn a first request processor, wherein the first tenant ID is utilized by the first request processor to determine resource access privileges associated with the first tenant ID; spawn a subtenant authenticator; examine, by the subtenant authenticator, user credential data associated with the first request to determine whether the first user is authorized to access the one or more target resources; and service the first request by providing access to one or more target resources identified in the first request, in response to determining that the first tenant ID is associated with a first tenant with privileges to access the one or more target resources. 11. The computer system of claim 10 , wherein the security gateway determines that the first tenant ID is associated with a first tenant. 12. The computer system of claim 10 , wherein the subtenant authenticator determines that the first user is authorized to access the one or more target resources, in response to determining that the user credential data associated with the first request matches user credential data associated with the first tenant. 13. The computer system of claim 12 , wherein a plurality of subtenant authenticators are utilized to authenticate a plurality of requests, wherein the requests are respectively associated with a plurality of tenant IDs. 14. The computer system of claim 12 , wherein a secure communication channel is established between the first request processor and the subtenant authenticator, wherein the user credential data is transferred over the secured communication channel to the subtenant authenticator. 15. The computer system of claim 10 , wherein the security gateway utilizes one or more processes to service the first request by providing access to the one or more resources according to the first tenant privileges. 16. The computer system of claim 15 , wherein the first tenant ID is embedded in a header portion of a data communication packet that includes the first request. 17. A computer program product comprising logic code embedded in a non-transitory data storage medium for maintaining resource isolation in a multi-tenant computing system, wherein execution of the logic code on a computer causes the computer to: receive a first request submitted by a first user in a multi-tenant computing system; extract from the first request a first tenant ID associated with a tenant from among a plurality of tenants in the multi-tenant computing system; spawn a first request processor, wherein the first tenant ID is utilized by the first request processor to determine resource access privileges associated with the first tenant ID; spawn a subtenant authenticator; examine, by the subtenant authenticator, user credential data associated with the first request to determine whether the first user is authorized to access the one or more target resources; and service the first request by providing access to one or more target resources identified in the first request, in response to determining that the first tenant ID is associated with a first tenant with privileges to access the one or more target resources. 18. The computer program product of claim 17 , wherein the subtenant authenticator determines that the first user is authorized to access the one or more target resources, in response to determining that the user credential data associated with the first request matches user credential data associated with the first tenant. 19. The computer program product of claim 18 , wherein a plurality of subtenant authenticators are utilized to authenticate a plurality of requests, wherein the requests are respectively associated with a plurality of tenant IDs. 20. The computer program product of claim 19 , wherein a secure communication channel is established between the first request processor and the subtenant authenticator, wherein the user credential data is transferred over the secured communication channel to the subtenant authenticator.
Assignees
Inventors
Classifications
Multiprogramming arrangements · CPC title
- G06F21/6218Primary
to a system of files or objects, e.g. local or distributed file system or database · CPC title
Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy · CPC title
for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title
Distributed file systems · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9646019B2 cover?
- Machines, systems and methods for handling a client request in a hierarchical multi-tenant data storage system, the method comprising processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant; extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request; extracting authentication signatu…
- Who is the assignee on this patent?
- IBM
- What technology area does this patent fall under?
- Primary CPC classification G06F21/6218. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue May 09 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).