The present invention relates generally to a technique for controlling access to file system resources using externally stored attributes. More specifically this invention describes a technique in which an externally stored attribute, such as an authorization security policy, uses a file system identifier to determine access to a file system resource associated to that file system identifier.
File systems, in operating system environments, such as UNIX, have evolved into complex implementations with many features. These file systems present a hierarchical tree view of a file name space and support large amounts of data and numbers of objects at very high performance levels. Yet, one characteristic that has changed little is the authorization security models of these file systems. The fundamental problem is that, on operating systems such as UNIX, LINIX and even to some degree WINDOWS, the degree to which the native file systems do not support robust security models. For example, with UNIX, the security of an individual file may be specified is fairly limited in coarse grain. A user and a group owns the file. In this model, file access is based on a set of xe2x80x9cmodexe2x80x9d bits that grant permissions based on the file object""s owning user and group. Some file systems support a more robust security model based on access control lists (ACLs) where more security is placed on a file to enable control of various users"" access to files. The problem with this approach is that these models are very different across different versions of operating systems. This inconsistency leads to another problem that each system requires individual and separate administration of each system and each system requires a separate set of administration methods. When viewing the Information Technology (xe2x80x9cITxe2x80x9d) infrastructures of large corporations and other entities, there is a growing need for stronger more granular security controls in file systems. This need is driven by large-scale commercial usage of these file systems, data sharing with Internet based applications, an increased focus on IT security, and the desire to control IT administration costs. From an IT cost perspective, there is a need to have enhanced security in an efficient way. This objective leads itself to being able to define the security rules and procedures centrally for all of an entity""s systems that could be accessed so that there would be a central point of administration, control and verification of rules. The IT structures of today need better security and a more efficient way to implement the security. An efficient way to do that is to provide a file system security model that can be applied uniformly across a large number of systems using a centrally managed set of policies that is administered identically regardless of the target file system implementation or hardware platform.
Ideally, it would be desirable to add extended attributes describing properties such as authorization policy to the file system object""s attributes. However, file systems, such as UNIX, are typically byte stream oriented and do not support mechanisms to add attributes beyond the classic UNIX attributes which are typically the object""s owner, size, modification and access times, and mode bits.
A set of techniques is needed which allows unique identification of an accessed resource regardless of way in which it was accessed. In addition, the techniques must allow the specification of attributes in terms of an object""s common path name in a manner that maps to the same unique file system resource regardless of the representation used at access time. These techniques should be efficient so they impose minimal impact the file system""s native performance characteristics. They must allow for quick recognition and processing of attached attributes at access time. They must also accommodate changes in defined attributes and object changes in the file systems to which they are applied.
It is an objective of the present invention to provide a method for controlling access to named objects in a file system.
It is a second objective of the present invention to provide a method for associating external attributes defining authorization policy to named objects in a file system.
It is a third objective of the present invention to recognize the existence of an associated external file system authorization policy and provide for the evaluation and enforcement of that policy at the time of access to a file system object.
It is a fourth objective of the present invention to provide for the association, recognition, and processing of external attributes utilizing file system object file identifiers.
It is a fifth objective of the present invention to provide a means for the generation of object file identifiers when the native operating system for a particular file system does not provide these identifiers.
It is sixth objective of the present invention to allow for the processing of the externally defined policy by a resource manager based on associations to the original file name without requiring the resource manager to have knowledge of the underlying association and recognition techniques that utilize file identifiers (FIDs).
This invention describes a method for file system security through techniques that control access to the file system resources using externally stored attributes. This invention accomplishes the described objectives in file system security by creating an external database containing auxiliary attributes for objects in the file system. This solution incorporates techniques and algorithms for attribute attachment, storage and organization of the associations to these attributes, and subsequent recognition of attached attributes. In this approach, the attributes would define authorization policy for controlling access to objects in the file system. Such a solution would require techniques for associating the defined policy with file system objects, detecting accesses to the objects, locating the appropriate attributes at access time, and then processing the attributes to produce an access decision for granting or denying access to the accessed resource.
Administratively, the most convenient technique for defining authorization rules for a file system object is to associate the attributes with the object""s fully qualified common name. This common name is also known as the path name to the file. UNIX file systems, for example, provide a hierarchical name space for constructing object names. For example, a file called mydata might have a fully qualified path of /home/john_doe/data_files/mydata. This path is the most recognizable representation of the object and the most convenient description for an administrator to use when defining new attributes for the object. Therefore the technique for associating (or attaching) attributes should support using the object""s fully qualified pathname.
Recognizing and locating externally defined attributes for a file system object at the time of object access poses significant technical challenges. Accesses occur through a set of available programming Application Programming Interfaces (xe2x80x9cAPIsxe2x80x9d) that provide several ways to identify the object being accessed. For many APIs, the name of the object is provided. However, this name is often not the full path name starting from the top or xe2x80x9crootxe2x80x9d of the file hierarchy. Instead, the name is relative to a xe2x80x9ccurrent directoryxe2x80x9d that is tracked for the calling application by the native operation system. UNIX file systems also commonly contain support for creating alternate names to an object using symbolic or hard links. This provides alias names to the same object. A symbolic link might allow /home/john_doe/data_files/mydata to be accessed as /u/jdoes_data/mydata. These variations make it difficult to locate the externally defined attributes using the provided name at the time of access. There are also APIs that do not take a pathname as input. Instead they take an integer number known as a file descriptor, which was obtained in an earlier name based function. It is desirable to intervene in and enforce policy on these APIs as well.
The present invention is described in the context of a resource manager embodying the techniques of the invention. The resource manager enforces authorization policy for file system resources. The policy resides external to the native operating system and is defined using full path names for the target file system resources to be protected. These names are referred to as protected object names or PONs. An example PON would be /home/john_doe/data_files/mydata. The policy can reside in a database on the system where the resources reside, or it could reside in a network of computers. The resource manager would be comprised of components for 1) retrieving the policy, 2) intervening in accesses to the objects to be protected, 3) collecting the access conditions such as the accessing user and the attempted action, and 4) producing an authorization decision based on the policy, the accessed object, and the access conditions. Those skilled in the art will recognize that systems with these characteristics can be constructed and that they could exist in many variations including a distributed application in a network of computing devices.
When the described resource manager starts, it first retrieves the authorization policy and then preprocesses the named protected files into their equivalent file identifier xe2x80x9cFIDxe2x80x9d mappings. A FID is a binary representation that uniquely defines a physical file system object that resides in a file system. The manager then creates a database of FID to name mappings and potentially other properties that may facilitate processing at access time. For example, those properties could include the policy itself in the form of access control lists (ACLs) or hints about how the resource is protected. Potentially the resource manager could store the processed FID mappings and reuse them on subsequent starts instead of re-processing the name based authorization policy. The database of FID mappings could be organized in a variety of ways. The FID""s numerical nature would allow for hashing techniques that would enable efficient searches using FID data as the search key.
When an object access is attempted through one of the access paths the resource manager will intervene. The resource manager uses available operating system services to process the API""s provided description of the target file resource into its underlying data structure representation. This description could be the fully qualified path name, a relative path name, an alternate name such as a hard or symbolic line, or a non-name based description such as an integer UNIX file descriptor. Additional provided services or techniques are then used to produce a corresponding FID. The FID is then used to search the FID mapping database looking for a match. If a match is found, then the PON and any other included properties are provided to the decision-processing component of the resource manager to produce an access decision. The resulting decision is then enforced by the intervention component, which either permits or denies the resource access.
With these described techniques, the resource manager is able to efficiently associate defined policy with physical protected file system objects. It can then quickly recognize the existence of relevant policy at the time of object access regardless of how the object was accessed. Once recognized, the retrieved FID to PON mapping can by used to consult the decision component of the resource manager for an access decision that can then be enforced.