
WO2016118177A1 - Controlling access to a portion of a file system object - Google Patents


Info

Publication number: WO2016118177A1
Authority: WO (WIPO, PCT)
Prior art keywords: file system, system object, access, request, ACL
Legal status: Ceased (status as assumed by Google Patents; not a legal conclusion)
Application number: PCT/US2015/022071
Other languages: English (en)
Inventors: Anand Satish PHATAK, Sandya Srivilliputtur Mannarswamy
Current assignee: Hewlett Packard Enterprise Development LP (as listed by Google Patents, without legal analysis)
Original assignee: Hewlett Packard Enterprise Development LP
Priority date: 2015-01-19 (as assumed by Google Patents; not a legal conclusion)
Filing date: 2015-03-23
Publication date: 2016-07-28
Events: application filed by Hewlett Packard Enterprise Development LP; publication of WO2016118177A1; anticipated expiration; current legal status Ceased


Classifications

    • G (Physics) > G06 (Computing or calculating; counting) > G06F (Electric digital data processing) > G06F21/00 (Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity) > G06F21/60 (Protecting data) > G06F21/62 (Protecting access to data via a platform, e.g. using keys or access control rules) > G06F21/6218 (to a system of files or objects, e.g. local or distributed file system or database)
    • G06F21/6218 > G06F21/6227 (where protection concerns the structure of data, e.g. records, types, queries)
    • G (Physics) > G06 > G06F > G06F2221/00 (Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity) > G06F2221/21 (Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements) > G06F2221/2141 (Access rights, e.g. capability lists, access control lists, access tables, access matrices)

Definitions

  • File systems typically include mechanisms to assign permissions or access rights to a specific user or group of users. These mechanisms control the users' ability to perform actions on the contents of the file system; in other words, they tell the operating system what may be done with a file and by whom. Examples of such actions include read, write, execute, delete, and directory access operations.
  • FIG. 1 is a block diagram of an example computing device for controlling access to a portion of a file system object.
  • FIG. 2 is a flowchart of an example method of controlling access to a portion of a file system object.
  • FIG. 3 is a block diagram of an example computer system for controlling access to a portion of a file system object.
  • File system permissions range from a simple arrangement with one or two basic permissions (such as read and write) to a more detailed classification of the access rights to a file system object. There are scenarios where access to an entire file system object is not required; permission to access or modify only a portion of the object may be more desirable.
  • For example, a cloud-based content service provider may prefer to grant access only to those portions or segments of a file's content (for example, a video or sound recording) that a subscriber (for example, a media house) has paid for, rather than to the entire file. Likewise, a subscriber may be reluctant to pay for an entire file's contents.
  • However, existing file system permission mechanisms may not be able to authorize a request to access only a portion (or portions) of a file system object.
  • To address this, in an example, a request may be received to access a portion of a file system object.
  • A determination may then be made, from an Access Control List (ACL) associated with the file system object, whether the request is authorized to access that portion. If it is, the request may be allowed to access the portion of the file system object.
  • FIG. 1 is a block diagram of an example computing device 100 for controlling access to a portion of a file system object.
  • Computing device 100 may include a file system 102, a receipt module 104, a determination module 106, and an authorization module 108.
  • The term "module" may refer to a software component (machine-readable instructions), a hardware component, or a combination thereof.
  • A module may include, by way of example, components such as software components, processes, tasks, coroutines, functions, attributes, procedures, drivers, firmware, data, databases, data structures, Application Specific Integrated Circuits (ASICs), and other computing devices.
  • A module may reside on a volatile or non-volatile storage medium and be configured to interact with a processor of computing device 100.
  • Computing device 100 generally represents any type of computing system capable of reading machine-executable instructions. Examples of computing device 100 include, without limitation, a server, a desktop computer, a notebook computer, a tablet computer, a thin client, a mobile device, a personal digital assistant (PDA), a phablet, and the like.
  • File system 102 may include one or more file system objects. Non-limiting examples of a file system object include a file, a directory, a sub-directory, and the like. In an example, file system 102 may be a local file system. In another example, it may be a scale-out file system such as a shared file system or a network file system. Examples of a shared file system include a Network Attached Storage (NAS) file system or a cluster file system. Examples of a network file system include a distributed file system or a distributed parallel file system.
  • An access control list (ACL) may be associated with a file system object of file system 102, wherein the ACL specifies an access right (or permission) related to accessing a portion of the file system object.
  • The ACL may be used to manage file system permissions for various portions of the file system object. For instance, the ACL may define a list of permissions attached to a portion of a file system object.
  • The ACL may include a set of data (for example, a table) that informs the computer's operating system which permissions, or access rights, each user or group has to a specific portion of a file system object.
  • The permissions determine specific access rights, such as whether a user can read from, or write to, a portion of a file system object.
  • Such an ACL may be termed a "custom ACL", which may be in addition to, or an alternative to, a default ACL associated with the file system object.
  • In an example, the custom ACL may be stored as part of the extended file attributes of the associated file system object.
  • The ACL may specify whether a request is authorized to access a portion of the associated file system object, and may also define what operations a request is allowed to perform on that portion.
  • The ACL may specify which computer application or computer process is allowed to access a segment of the associated file system object. This may help, for instance, to distinguish between a trusted application and one that may be suspicious: a request from the trusted application may be allowed to access the requested part of the file system object, while a request from the suspicious application may be disallowed. In addition, the ACL may also define whether the user making such a request via that application or process is allowed to access the requested segment.
  • The ACL may specify a computing device (or devices) allowed to access a portion of the associated file system object, so that a request is allowed only if it is received from a specified computing device. This may help to distinguish between a trusted computing device, which the ACL allows to access the requested part, and an untrustworthy device, which the ACL denies.
  • The ACL may specify a computer network (or networks) allowed to access a portion of the associated file system object, so that a request is allowed only if it is received from a specified computer network. This may help to distinguish between a trusted network, from which the ACL allows access to the requested part, and an untrustworthy network, from which the ACL does not grant access.
  • The ACL may specify a geographical location (or locations) allowed to access a portion of the associated file system object, so that a request is allowed only if it is received from a specified location. This may help to distinguish between a permitted location, from which the ACL allows access to the requested part, and a barred location, from which the ACL denies access.
  • The ACL may specify a time period during which an access right remains valid for a portion of a file system object; in other words, how long a request may be allowed to access that portion. The time period may likewise be tied to requests from a particular computer application or process, from a particular computing device or computer network, or from a particular location.
  • Receipt module 104 may receive a request to access a portion (or specific part) of a file system object of a file system (for example, 102).
  • The request may be received from a user, from a computer application or computer process, or from another computing device communicatively coupled to computing device 100, for example via a computer network.
  • A computer network may be wireless or wired. It may include, for example, a Local Area Network (LAN), a Wireless Local Area Network (WLAN), a Metropolitan Area Network (MAN), a Storage Area Network (SAN), a Campus Area Network (CAN), or the like, and may be a public network (for example, the Internet) or a private network (for example, an intranet).
  • The "portion" of a file system object for which a request is received by receipt module 104 may be defined using file offsets: a request may define the portion it requires access to by specifying a "start offset" value and an "end offset" value. The "portion" is then the segment of the file system object lying between these two offsets, inclusive of both the start offset and the end offset.
  • A request to access a portion of a file system object may include a request to perform an operation on that portion. Non-limiting examples of such operations include read, write, and execute operations.
  • Determination module 106 may determine, from the Access Control List (ACL) associated with a file system object, whether a request to access a portion of that object is authorized; that is, it consults the ACL to decide whether the request may be allowed to access the requested portion. The determination may include checking, against the ACL, whether the request is received from a computer application or process, from a computing device, from a computer network, or from a geographical location that is permitted to access the requested portion.
  • Authorization module 108 may authorize the request if determination module 106 determines that it is authorized; in other words, the authorization module allows the request to manipulate the portion of the file system object. Such manipulation may include, by way of non-limiting example, a read, a write, or a delete operation on the requested portion. In examples, the authorization module authorizes the request when it is determined that the request comes from a computing device, a computer network, or a geographical location that the ACL permits to access the requested portion.
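The check that the determination and authorization modules perform, written out as an added, self-contained Python example (this is not the patent's code; the page discloses no implementation). Each custom-ACL entry grants operations on an inclusive [start offset, end offset] range and may be conditioned on the requesting user, application, source network and a validity deadline, mirroring the conditions the description lists; the evaluator grants a request only when every byte of the requested range is covered by an entry whose conditions the request satisfies. The field names, the JSON encoding, the sample ACL and the sample requests are all assumptions constructed for this example; the page says only that the custom ACL may be kept in the file's extended attributes.

```python
"""Added example (not the patent's code): a byte-range custom ACL and its evaluator.
All field names, the JSON encoding and the sample data below are assumptions."""
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    start: int                         # first byte covered (inclusive)
    end: int                           # last byte covered (inclusive)
    ops: frozenset[str]                # permitted operations, e.g. read/write
    user: Optional[str] = None         # None means any user
    app: Optional[str] = None          # trusted application/process name, or any
    network: Optional[str] = None      # CIDR the request must come from, or any
    valid_until: Optional[int] = None  # Unix time after which the right lapses


@dataclass(frozen=True)
class Request:
    start: int        # requested range, inclusive offsets
    end: int
    op: str           # operation requested on the range
    user: str         # principal the receipt layer attributed the request to
    app: str          # application or process that issued it
    source_ip: str    # address the request arrived from
    now: int          # time of the check (Unix time)


def entry_applies(e: AclEntry, r: Request) -> bool:
    """Check every non-range condition of the entry against the request."""
    if r.op not in e.ops:
        return False
    if e.user is not None and e.user != r.user:
        return False
    if e.app is not None and e.app != r.app:
        return False
    if e.network is not None and ip_address(r.source_ip) not in ip_network(e.network):
        return False
    return e.valid_until is None or r.now <= e.valid_until


def is_authorized(acl: list[AclEntry], r: Request) -> bool:
    """Grant only if [r.start, r.end] is fully covered by applicable entries.
    A request that spills past its grants is denied as a whole rather than
    silently clipped, and a malformed range is never granted."""
    if r.start < 0 or r.end < r.start:
        return False
    # Clip every applicable, overlapping entry to the requested range.
    spans = sorted(
        (max(e.start, r.start), min(e.end, r.end))
        for e in acl
        if entry_applies(e, r) and e.start <= r.end and e.end >= r.start
    )
    cursor = r.start  # first byte not yet shown to be covered
    for lo, hi in spans:
        if lo > cursor:
            return False  # gap before this span; later spans start even later
        cursor = max(cursor, hi + 1)
    return cursor > r.end


def acl_to_json(acl: list[AclEntry]) -> str:
    """Encode the custom ACL as the blob that would sit in the file's extended attributes."""
    return json.dumps([{**vars(e), "ops": sorted(e.ops)} for e in acl])


def acl_from_json(blob: str) -> list[AclEntry]:
    """Decode the blob; an unknown key makes the dataclass constructor raise."""
    return [AclEntry(**{**d, "ops": frozenset(d["ops"])}) for d in json.loads(blob)]


# Constructed sample ACL for a 4 KiB media file (illustrative values only).
SAMPLE_ACL = [
    # subscriber-a may read the first 1 KiB, only from 10/8 and only until the deadline
    AclEntry(0, 1023, frozenset({"read"}), user="subscriber-a",
             network="10.0.0.0/8", valid_until=1_700_000_000),
    # anyone may read bytes 512..2047
    AclEntry(512, 2047, frozenset({"read"})),
    # only the trusted player process may read or write bytes 1024..4095
    AclEntry(1024, 4095, frozenset({"read", "write"}), app="trusted-player"),
]


def decide(start: int, end: int, op: str = "read", **ctx) -> bool:
    """Evaluate SAMPLE_ACL for a constructed request; ctx overrides the defaults."""
    base = dict(user="subscriber-a", app="viewer", source_ip="10.1.2.3", now=1_600_000_000)
    return is_authorized(SAMPLE_ACL, Request(start, end, op, **{**base, **ctx}))


if __name__ == "__main__":
    print("0..1023 from 10/8:", decide(0, 1023))                                  # True
    print("0..2047 spanning two entries:", decide(0, 2047))                       # True
    print("0..1023 from 192.168/16:", decide(0, 1023, source_ip="192.168.1.5"))   # False
    print("0..4095 from untrusted app:", decide(0, 4095))                         # False
    print("4000..5000 past the grant:", decide(4000, 5000, app="trusted-player")) # False
```

Two points a practitioner should take from it. First, coverage has to be checked over the whole requested range, not just the start offset: a request for 0..4095 from an untrusted application is refused even though its first 2 KiB are grantable, because otherwise a caller could read past its grant by widening the end offset. Second, the user, application, source address and time in the request are whatever the receipt layer attributes to it; a condition on network, device or location is only as strong as that attribution (an address behind a proxy says nothing about the original client). On Linux the encoded blob could be stored with os.setxattr under a user.* attribute name, which is not something the page specifies.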
  • FIG. 2 is a flowchart of an example method 200 of controlling access to a portion of a file system object. Method 200 may be executed at least partially on computing device 100 of FIG. 1; however, other computing devices may be used as well.
  • A request may be received (for example, by receipt module 104) to access a portion of a file system object of a file system (for example, 102).
  • A determination may be made (for example, by determination module 106), from the Access Control List (ACL) associated with the file system object, whether the request is permitted to access the portion. The ACL may specify all access rights related to that portion of the file system object.
  • If so, the request may be permitted to access the portion of the file system object, in an example only for a time period specified in the ACL. The permission may include permission to perform an operation on the portion; non-limiting examples of such operations include read, write, and execute operations.
  • FIG. 3 is a block diagram of an example computer system 300 for controlling access to a portion of a file system object. System 300 includes a processor 302 and a machine-readable storage medium 304 communicatively coupled through a system bus. In an example, system 300 may be analogous to computing device 100 of FIG. 1.
  • Processor 302 may be any type of Central Processing Unit (CPU), microprocessor, or processing logic that interprets and executes machine-readable instructions stored in machine-readable storage medium 304.
  • Machine-readable storage medium 304 may be a random access memory (RAM) or another type of dynamic storage device that stores information and machine-readable instructions executable by processor 302. For example, it may be Synchronous DRAM (SDRAM), Double Data Rate (DDR) memory, Rambus DRAM (RDRAM), Rambus RAM, etc., or storage media such as a floppy disk, a hard disk, a CD-ROM, a DVD, a pen drive, and the like. In an example, machine-readable storage medium 304 may be a non-transitory machine-readable medium.
  • Machine-readable storage medium 304 may store instructions 306, 308, and 310. Instructions 306 may be executed by processor 302 to receive a request to access a portion of a file system object of a file system (for example, 102). Instructions 308 may be executed by processor 302 to determine, from an Access Control List (ACL) associated with the file system object, whether the request is authorized to access the portion. Instructions 310 may be executed by processor 302 to authorize the request to access the portion if it is so authorized.
  • Although FIG. 2 is shown as executing serially, it is to be understood and appreciated that the present and other examples are not limited to the illustrated order.
  • Embodiments within the scope of the present solution may also include program products comprising non-transitory computer-readable media for carrying or having computer-executable instructions or data structures stored thereon. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer, and may comprise RAM, ROM, EPROM, EEPROM, CD-ROM, magnetic disk storage or other storage devices, or any other medium that can be used to carry or store desired program code in the form of computer-executable instructions. The computer-readable instructions can also be accessed from memory and executed by a processor.
  • It should be noted that the above-described examples of the present solution are for the purpose of illustration only. Although the solution has been described in conjunction with a specific embodiment thereof, numerous modifications may be possible without materially departing from the teachings and advantages of the subject matter described herein. Other substitutions, modifications and changes may be made without departing from the spirit of the present solution. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

Some examples relate to controlling access to a portion of a file system object. In an example, a request may be received to access a portion of a file system object. A determination may be made, from an access control list (ACL) associated with the file system object, whether the request is granted access to the portion of the file system object, the ACL specifying an access right related to that portion. If the request is granted access to the portion of the file system object, it may be authorized to access that portion.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN287CH2015 2015-01-19
IN287/CHE/2015 2015-01-19

Publications (1)

Publication Number Publication Date
WO2016118177A1 (fr) 2016-07-28

Family

ID: 56417546

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/022071 Ceased WO2016118177A1 (fr) 2015-01-19 2015-03-23 Controlling access to a portion of a file system object

Country Status (1)

Country Link
WO (1) WO2016118177A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170278206A1 (en) * 2016-03-24 2017-09-28 Adobe Systems Incorporated Digital Rights Management and Updates
US20200250333A1 (en) * 2019-02-04 2020-08-06 Hitachi, Ltd. Data management system and data management method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070233957A1 (en) * 2006-03-28 2007-10-04 Etai Lev-Ran Method and apparatus for local access authorization of cached resources
US20080066185A1 (en) * 2006-09-12 2008-03-13 Adobe Systems Incorporated Selective access to portions of digital content
US20090055921A1 (en) * 2007-08-23 2009-02-26 Microsoft Corporation File access in multi-protocol environment
US8601283B2 (en) * 2004-12-21 2013-12-03 Sandisk Technologies Inc. Method for versatile content control with partitioning
US20140149461A1 (en) * 2011-11-29 2014-05-29 Ravi Wijayaratne Flexible permission management framework for cloud attached file systems

Similar Documents

Publication Publication Date Title
EP2659422B1 (fr) Rule-based access for virtualized applications
US10165007B2 Securing data usage in computing devices
EP2783321B1 (fr) File system access for one or more sandboxed applications
US9256722B2 Systems and methods of using a temporary private key between two devices
EP2947905B1 (fr) Intra-application permissions on an electronic device
US9332019B2 Establishment of a trust index to enable connections from unknown devices
US20100257578A1 Data access programming model for occasionally connected applications
US10831915B2 Method and system for isolating application data access
US9830432B2 Software revalidation and invalidation
EP2924947B1 (fr) Method and apparatus for access control
US11886605B2 Differentiated file permissions for container users
EP4064086A1 (fr) Secure applications in computing storage devices
US9065863B1 Determining eligibility of a device to auto-enroll in a domain
EP3249540B1 (fr) Method for writing multiple copies in a storage device, and storage device
WO2016118177A1 (fr) Controlling access to a portion of a file system object
CN115244535A System and method for protecting folders from unauthorized file modification
US9286476B2 Method and system for configuring constraints for a resource in an electronic device
US9330016B2 Systems and methods for managing read-only memory
US20140380417A1 Methods And Devices For Controlling Access To Distributed Resources
WO2016197850A1 (fr) Method and apparatus for accessing private data in the physical memory of an electronic device
US9754121B2 System and methods for live masking file system access control entries
US9736201B2 Encrypted streams to receivers
CN114117396A Mobile device access control method and apparatus inside a Docker container
US10038694B1 System and method for security mode-based authorization for data management operations in a multi-tenant protection storage system
US9742752B1 Data backup and self-service data restoration

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (ref document number 15879201; country of ref document EP; kind code A1)
NENP Non-entry into the national phase (ref country code DE)
122 Ep: PCT application non-entry in European phase (ref document number 15879201; country of ref document EP; kind code A1)