The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
A content cache is a computer-readable medium that stores copies of objects or other resources. The original objects or resources are typically maintained by a remote server or servers, which are communicatively connected to the server maintaining the cache. Examples of such content caches include, but are not limited to, file caches and web caches. A cache improves network performance by storing copies of the objects or resources closer to the users or clients that need to access them. For example, a file cache managed by a local cache server may store copies of files and directories, the originals of which are maintained by a remote file server. When a user or a client sends a request to access a file, the local cache server checks to determine whether a copy of the requested file is stored in the cache. If a copy of the file is stored in the cache, then the local cache server may service the received request without the client communicating with the remote file server over a possibly slow communication link.
In some operational contexts, a local cache server may need to verify that a user or a client has access rights to a cached object before the local cache server allows the user or the client to access the object in the cache. Verifying the access rights of a user or a client to a cached object, however, has some serious disadvantages that may impede network performance and/or increase the latency in accessing the object in the cache.
For example, objects stored in a cache may have Access Control Lists (ACLs) associated with them. An ACL is a set of data that indicates the permissions, privileges, and/or access rights that various entities have to an associated object. An ACL associated with an object may include one or more entries, where each entry may identify a user or a group of users, the permissions associated with the user or the group, and the access rights to the object for the user or the group. When a user requests access to an object that is found in the cache, a local cache server uses one of two approaches to validate the user's rights to the cached object based on an ACL associated with the object.
In one approach, a local cache server retrieves the ACL associated with a requested cached object from a remote server that manages the original of the object. The local server then processes the ACL locally and determines whether the user or client requesting access to the cached object should be allowed to do so. Thus, this approach basically amounts to retrieving the ACL from the remote authoritative server and mimicking the authorization operations performed by the remote server.
One disadvantage of this approach is that it requires knowledge of the structure of the ACL and the authorization evaluation mechanism used by the remote server to processes the ACL in order to determine whether to grant or deny access. For example, a user may be granted access to an object because the user is part of a specific group, because the user is assigned a specific role, or because the user herself is specifically allowed to access the resource. Thus, in this approach, the local cache server needs to know how the ACL is structured in order to determine how to parse the ACL. In addition, the local cache server may need to identify a user or a client's principal identity, the user or client's group membership and roles, and then match those with the corresponding information stored in the ACL. In this approach, the local server also needs to know the authorization mechanism because it needs to apply the mechanism to the retrieved ACL in exactly the same way, and reach exactly the same decision, as if the mechanism were applied by the remote authoritative server.
In the other approach for validating access rights to cached objects, a local cache server delegates the authorization to the remote authoritative server. This means that whenever a local cache server receives a request from a user to perform an operation on a particular cached object, the request is sent to the remote server managing the original object to determine whether the user has access right to perform the operation. If the remote server grants access, then the local cache server performs the operation on the cached object on behalf of the user.
One disadvantage of this approach is that it requires at least one roundtrip communication to the remote server for each operation that a user attempts to perform on a cached object. The delay in performing an operation on a cached object caused by such roundtrip communication, however, is very significant when the remote server is connected to the local cache server over a slow communication link and/or when multiple cached objects are accessed and require authorization in response to a single logical client operation. For example, a single client logical operation (e.g. double click a directory) may be translated by the underlying protocol to multiple disjoint operations (e.g. directory listing retrieval, followed by retrieval of attributes per entry, followed by reading of some metadata, such as graphical icons or picture thumbnails, from a subset of the entries). In another example, the remote server may be connected to the local cache server over a Wide Area Network (WAN), in which the communication links are of low bandwidth and high latency. In another typical example, the remote server may be connected to the local cache server over a dial-up or other similar high latency point-to-point communication link.
Based on the foregoing, there is a clear need for a technique for local access authorization of cached resources that overcomes the disadvantages of the approaches described above.