Title: Policy-based data-centric access control in a sorted, distributed key-value data store

Abstract:
A method, apparatus and computer program product for policy-based access control in association with a sorted, distributed key-value data store in which keys comprise a cell-level access control. In this approach, an information security policy is used to create a set of pluggable policies. A pluggable policy may be used during data ingest time, when data is being ingested into the data store, and a pluggable policy may be used during query time, when a query to the data store is received for processing against data stored therein. Generally, a pluggable policy associates one or more user-centric attributes (or some function thereof) to a particular set of data-centric attributes. By using pluggable policies, preferably at both ingest time and query time, the data store is enhanced to provide a seamless and secure policy-based access control mechanism in association with the cell-level access control enabled by the data store.

Publication number: US8914323(B1)
Publication date: 2014.12.16
Application number: US201414250177
Filing date: 2014.04.10
Applicant: Sqrrl Data, Inc.
Inventors: Allen Michael R.; Vines John W.; Fuchs Adam P.
Classification: G06F17/30; G06F21/62
Main classification: G06F17/30
Agency: (none listed)
Attorney/Agent: Judson David H.

Independent claim:
1. A method operative in association with a sorted, distributed key-value data store, comprising:
as data is ingested into the data store at an ingest time, tagging one or more key-value pairs in the data with a data-centric label as determined by an ingest-time policy to generate tagged data, the data-centric label representing a function adapted to be evaluated over a set of variables;
storing the tagged data in the data store;
at query time, the query time being distinct from the ingest time, and in response to receipt of a query from a querier, performing the following sub-steps:
processing the query according to a query-time policy to identify a set of one or more data-centric attributes the query is allowed to use, wherein the processing evaluates values of one or more user-centric attributes associated with the querier against at least one policy rule in the query-time policy to identify the set of one or more data-centric attributes;
modifying the query to include the set of one or more data-centric attributes so identified, the one or more data-centric attributes being distinct from the data-centric label;
forwarding to the data store the query that has been modified to include the set of one or more identified data-centric attributes;
receiving a response to the query that has been modified to include the set of one or more identified data-centric attributes, wherein the response is generated in the data store upon evaluating the set of one or more data-centric attributes in the query with at least one data-centric label in the data store, the data-centric label in the data store having been associated with the data during the tagging at ingest time; and
returning the response to the querier;
wherein at least one of the steps is carried out in software executing in a hardware processor.
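The ingest-time and query-time flow recited in the claim, as an added example that is not code from the patent or from Sqrrl: the in-memory sorted store, the label syntax ('&'-conjunctions joined by '|'), the policy rules, the column names and the records are all constructed for illustration.

```python
# Added example (not from the patent or Sqrrl): a toy sorted key-value store whose cells
# carry a data-centric label, an ingest-time policy that assigns the labels, and a
# query-time policy mapping a querier's user-centric attributes to the data-centric
# attributes the query may carry. Labels are '&'-conjunctions joined by '|' (no parens).
import re
from bisect import insort

LABEL_SYNTAX = re.compile(r"\w+(&\w+)*(\|\w+(&\w+)*)*")

# Ingest-time policy (constructed): column name -> label attached to every cell in it.
INGEST_POLICY = {"ssn": "pii&hr", "email": "pii|hr", "title": "employee"}

# Query-time policy (constructed): rule over user-centric attributes -> attributes granted.
QUERY_POLICY = [
    (lambda u: u.get("dept") == "HR", {"hr", "employee"}),
    (lambda u: u.get("clearance", 0) >= 2, {"pii", "employee"}),
    (lambda u: True, {"employee"}),
]

def ingest(store, row, record):
    """Ingest time: tag each key-value pair per INGEST_POLICY; the store stays sorted by key."""
    for col, value in record.items():
        label = INGEST_POLICY.get(col, "employee")
        if not LABEL_SYNTAX.fullmatch(label):
            raise ValueError(f"malformed label: {label!r}")
        insort(store, ((row, col), label, value))

def label_satisfied(label, attrs):
    """A label holds when every attribute of at least one '&'-conjunction was granted."""
    return any(all(a in attrs for a in conj.split("&")) for conj in label.split("|"))

def granted_attributes(user):
    """Query time: evaluate the querier's user-centric attributes against the policy rules."""
    return set().union(*(attrs for rule, attrs in QUERY_POLICY if rule(user)))

def scan(store, row_prefix, attrs):
    """Data-store side: return only cells whose label holds over the attributes in the query."""
    return [(key, value) for key, label, value in store
            if key[0].startswith(row_prefix) and label_satisfied(label, attrs)]

def query(store, user, row_prefix):
    """Policy -> modified query -> store -> response, as in the claim."""
    return scan(store, row_prefix, granted_attributes(user))

if __name__ == "__main__":
    store = []
    ingest(store, "emp:1001", {"title": "Analyst", "email": "a@example.com", "ssn": "000-00-0000"})
    print(query(store, {"dept": "Finance", "clearance": 1}, "emp:"))  # title only
    print(query(store, {"dept": "HR", "clearance": 1}, "emp:"))       # email and title
    print(query(store, {"dept": "HR", "clearance": 2}, "emp:"))       # all three cells
```

The querier never sees the labels themselves: only the attributes granted by the query-time policy travel with the query, and the store decides cell by cell.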
Address: Cambridge MA US