US2019036912A1PendingUtilityA1

Updating access control information within a dispersed storage unit

63
Assignee: IBMPriority: Jun 5, 2012Filed: Oct 5, 2018Published: Jan 31, 2019
Est. expiryJun 5, 2032(~5.9 yrs left)· nominal 20-yr term from priority
G06F 21/33H04L 63/101H04L 63/0823G06F 21/604G06F 17/3023G06F 21/57G06F 16/1873G06F 16/172
63
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method begins by a dispersed storage (DS) processing module of a storage unit receiving a write request for storing a data object that includes updated access control list (ACL) information. The method continues with the DS processing module determining whether the data object is a new data object or a revised version of an existing data object and determining write authority of the requesting entity based on information contained in a locally stored access control list. When the write request is regarding the revised version of the existing data object and the write authority includes authorization to issue the write request for the revised version of the existing data object and authorization to issue the updated ACL information, the method continues with the DS processing module storing the revised version of the existing data object and updating the access control list based on the updated ACL information.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method comprises:
 receiving, by a storage unit of a dispersed storage network (DSN) and from a requesting entity of the DSN, a write request for storing a data object, wherein the write request includes at least an encoded data slice of a set of encoded data slices of the data object and a name identifying the data object, wherein a data segment of the data object is dispersed error encoded;   determining, by the storage unit, whether the data object is a new data object or a revised version of an existing data object;   determining, by the storage unit, write authority of the requesting entity based on information contained in a locally stored access control list (ACL), wherein the write authority includes, at least one of, authorization to issue a write request for the new data object, authorization to issue a write request for the revised version of the existing data object, and authorization to issue updated ACL information regarding the new data object or the revised version of the existing data object;   when the write request is regarding the revised version of the existing data object and the write authority includes the authorization to issue the write request for the revised version of the existing data object and the authorization to issue the updated ACL information regarding the revised version of the existing data object, and the write authority further includes a range of permissible revisions for the revised version of the existing data object:
 determining, by the storage unit, whether a revision number of the revised version of the existing data object is within the range of permissible revisions; 
 when the revision number is within the range of permissible revisions:
 storing, by the storage unit, the at least the encoded data slice of the revised version of the existing data object; and 
 updating, by the storage unit, the locally stored access control list based on the updated ACL information; and 
 
 when the revision number is not within the range of permissible revisions, denying, by the storage unit, the write request; 
   when the write request is regarding the new data object:
 determining, by the storage unit, that the requesting entity is authorized to issue the write request for the new data object and to issue the updated ACL information regarding the new data object, wherein the determining that the requesting entity is authorized to issue the write request for the new data object and to issue the updated ACL information regarding the new data object comprises:
 extracting, by the storage unit, a signed certificate from the write request; and 
 verifying, by the storage unit, the signed certificate to establish authorization to issue the write request for the new data object and to issue the updated ACL information regarding the new data object; 
 
 storing, by the storage unit, the at least the encoded data slice of the new data object; and 
 updating, by the storage unit, the locally stored access control list based on the updated ACL information regarding the new data object. 
   
     
     
         2 . The method of  claim 1 , wherein the determining whether the data object is the new data object or the revised version of the existing data object comprises:
 interpreting, by the storage unit, a revision number field of the name.   
     
     
         3 . The method of  claim 1  further comprises:
 when the write request is regarding the revised version of the existing data object and the write authority includes the authorization to issue the write request for the revised version of the existing data object but not the authorization to issue the updated ACL information regarding the revised version of the existing data object:
 storing, by the storage unit, the at least the encoded data slice of the revised version of the existing data object; 
 accessing, by the storage unit, a trusted source. 
 
 
     
     
         4 . The method of  claim 3  wherein accessing, by the storage unit, the trusted source includes:
 authenticating the requesting entity's write authorization to issue the updated ACL information regarding the revised version of the existing data object. 
 
     
     
         5 . The method of  claim 3  wherein accessing, by the storage unit, the trusted source includes:
 obtaining the updated ACL information regarding the revised version of the existing data object. 
 
     
     
         6 . The method of  claim 1  further comprises:
 when the write request is regarding the revised version of the existing data object and the write authority does not include the authorization to issue the write request for the revised version of the existing data object, sending, by the storage unit, a write request rejection message to the requesting entity. 
 
     
     
         7 . The method of  claim 1 , wherein the data segment is encoded using a dispersed storage error encoding function to produce the set of encoded data slices. 
     
     
         8 . A dispersed storage (DS) module of a dispersed storage network (DSN), the DS module comprises:
 an interface;   memory; and   processing circuitry configured to perform operations that include:
 receiving, by a storage unit of a dispersed storage network (DSN) and from a requesting entity of the DSN, a write request for storing a data object, wherein the write request includes at least an encoded data slice of a set of encoded data slices of the data object and a name identifying the data object, wherein a data segment of the data object is dispersed error encoded; 
 determining, by the storage unit, whether the data object is a new data object or a revised version of an existing data object; 
 determining, by the storage unit, write authority of the requesting entity based on information contained in a locally stored access control list (ACL), wherein the write authority includes, at least one of, authorization to issue a write request for the new data object, authorization to issue a write request for the revised version of the existing data object, and authorization to issue updated ACL information regarding the new data object or the revised version of the existing data object; 
 when the write request is regarding the revised version of the existing data object and the write authority includes the authorization to issue the write request for the revised version of the existing data object and the authorization to issue the updated ACL information regarding the revised version of the existing data object, and the write authority further includes a range of permissible revisions for the revised version of the existing data object:
 determining, by the storage unit, whether a revision number of the revised version of the existing data object is within the range of permissible revisions; 
 when the revision number is within the range of permissible revisions:
 storing, by the storage unit, the at least the encoded data slice of the revised version of the existing data object; and 
 updating, by the storage unit, the locally stored access control list based on the updated ACL information; and 
 
 when the revision number is not within the range of permissible revisions, denying, by the storage unit, the write request; 
 
 when the write request is regarding the new data object:
 determining, by the storage unit, that the requesting entity is authorized to issue the write request for the new data object and to issue the updated ACL information regarding the new data object, wherein the determining that the requesting entity is authorized to issue the write request for the new data object and to issue the updated ACL information regarding the new data object comprises:
 extracting, by the storage unit, a signed certificate from the write request; and 
 verifying, by the storage unit, the signed certificate to establish authorization to issue the write request for the new data object and to issue the updated ACL information regarding the new data object; 
 
 storing, by the storage unit, the at least the encoded data slice of the new data object; and 
 updating, by the storage unit, the locally stored access control list based on the updated ACL information regarding the new data object. 
 
   
     
     
         9 . The DS module of  claim 8 , wherein the determining whether the data object is the new data object or the revised version of the existing data object comprises:
 interpreting, by the storage unit, a revision number field of the name.   
     
     
         10 . The DS module of  claim 8 , wherein the operations further include:
 when the write request is regarding the revised version of the existing data object and the write authority includes the authorization to issue the write request for the revised version of the existing data object but not the authorization to issue the updated ACL information regarding the revised version of the existing data object:   storing, by the storage unit, the at least the encoded data slice of the revised version of the existing data object;   accessing, by the storage unit, a trusted source.   
     
     
         11 . The DS module of  claim 10 , wherein accessing, by the storage unit, the trusted source includes:
 authenticating the requesting entity's write authorization to issue the updated ACL information regarding the revised version of the existing data object.   
     
     
         12 . The DS module of  claim 10 , wherein accessing, by the storage unit, the trusted source includes:
 obtaining the updated ACL information regarding the revised version of the existing data object.   
     
     
         13 . The DS module of  claim 8 , wherein the operations further include:
 when the write request is regarding the revised version of the existing data object and the write authority does not include the authorization to issue the write request for the revised version of the existing data object, sending, by the storage unit, a write request rejection message to the requesting entity.   
     
     
         14 . The DS module of  claim 8 , wherein the data segment is encoded using a dispersed storage error encoding function to produce the set of encoded data slices. 
     
     
         15 . A non-transitory computer readable storage medium includes instructions that configure processing circuitry to perform operations that include:
 receiving, by a storage unit of a dispersed storage network (DSN) and from a requesting entity of the DSN, a write request for storing a data object, wherein the write request includes at least an encoded data slice of a set of encoded data slices of the data object and a name identifying the data object, wherein a data segment of the data object is dispersed error encoded;   determining, by the storage unit, whether the data object is a new data object or a revised version of an existing data object;   determining, by the storage unit, write authority of the requesting entity based on information contained in a locally stored access control list (ACL), wherein the write authority includes, at least one of, authorization to issue a write request for the new data object, authorization to issue a write request for the revised version of the existing data object, and authorization to issue updated ACL information regarding the new data object or the revised version of the existing data object;   when the write request is regarding the revised version of the existing data object and the write authority includes the authorization to issue the write request for the revised version of the existing data object and the authorization to issue the updated ACL information regarding the revised version of the existing data object, and the write authority further includes a range of permissible revisions for the revised version of the existing data object:
 determining, by the storage unit, whether a revision number of the revised version of the existing data object is within the range of permissible revisions; 
 when the revision number is within the range of permissible revisions:
 storing, by the storage unit, the at least the encoded data slice of the revised version of the existing data object; and 
 updating, by the storage unit, the locally stored access control list based on the updated ACL information; and 
 
 when the revision number is not within the range of permissible revisions, denying, by the storage unit, the write request; 
   when the write request is regarding the new data object:
 determining, by the storage unit, that the requesting entity is authorized to issue the write request for the new data object and to issue the updated ACL information regarding the new data object, wherein the determining that the requesting entity is authorized to issue the write request for the new data object and to issue the updated ACL information regarding the new data object comprises:
 extracting, by the storage unit, a signed certificate from the write request; and 
 verifying, by the storage unit, the signed certificate to establish authorization to issue the write request for the new data object and to issue the updated ACL information regarding the new data object; 
 
 storing, by the storage unit, the at least the encoded data slice of the new data object; and 
 updating, by the storage unit, the locally stored access control list based on the updated ACL information regarding the new data object. 
   
     
     
         16 . The non-transitory computer readable storage medium of  claim 15 , wherein the determining whether the data object is the new data object or the revised version of the existing data object comprises:
 interpreting, by the storage unit, a revision number field of the name.   
     
     
         17 . The non-transitory computer readable storage medium of  claim 15 , wherein the operations further include:
 when the write request is regarding the revised version of the existing data object and the write authority includes the authorization to issue the write request for the revised version of the existing data object but not the authorization to issue the updated ACL information regarding the revised version of the existing data object:   storing, by the storage unit, the at least the encoded data slice of the revised version of the existing data object;   accessing, by the storage unit, a trusted source.   
     
     
         18 . The non-transitory computer readable storage medium of  claim 17 , wherein accessing, by the storage unit, the trusted source includes:
 authenticating the requesting entity's write authorization to issue the updated ACL information regarding the revised version of the existing data object.   
     
     
         19 . The non-transitory computer readable storage medium of  claim 17 , wherein accessing, by the storage unit, the trusted source includes:
 obtaining the updated ACL information regarding the revised version of the existing data object.   
     
     
         20 . The non-transitory computer readable storage medium of  claim 15 , wherein the operations further include:
 when the write request is regarding the revised version of the existing data object and the write authority does not include the authorization to issue the write request for the revised version of the existing data object, sending, by the storage unit, a write request rejection message to the requesting entity.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.