公开(公告)号：US20140325640A1

公开(公告)日：2014-10-30

申请号：US13873819

申请日：2013-04-30

Applicant: NETAPP, INC.

Inventor： Amit Aggarwal ,  Shekhar Amlekar

IPC: G06F21/31

CPC classification number: G06F21/31 ,  G06F2221/2107 ,  G06F2221/2111 ,  G06F2221/2141

Abstract: Embodiments described herein provide a technique for securely responding to an enumeration request of a data container stored at a location referenced by a junction or mount point within a share served by a storage system. To that end, the technique applies access permissions of the data container at the referenced location instead of permissions that may reside at the junction or mount point. Upon determining that the permissions are insufficient to allow access to the data container, the technique ensures that a descriptor of the junction or mount point is not included in a response to the enumeration request.

Abstract translation: 本文描述的实施例提供了一种用于安全地响应存储在由存储系统服务的共享内的连接点或安装点引用的位置处的数据容器的枚举请求的技术。 为此，该技术在引用的位置应用数据容器的访问权限，而不是可能驻留在连接点或装载点的权限。 在确定权限不足以允许访问数据容器时，该技术确保结点或装入点的描述符不包括在对枚举请求的响应中。

公开(公告)号：US20140317371A1

公开(公告)日：2014-10-23

申请号：US13866281

申请日：2013-04-19

Applicant: NETAPP, INC.

Inventor： Mark Muhlestein ,  Shekhar Amlekar

IPC: G06F12/14

CPC classification number: G06F12/1458 ,  G06F16/13 ,  G06F21/6218 ,  G06F21/6227

Abstract: Method and system for access based directory enumeration is provided. When a directory is enumerated for a first time, user credentials are verified against an access control list (ACL) entry that is referenced by an ACL inode (referred to as Xnode). The Xnode number is obtained from a file handle for a directory entry. The verification is recorded in a data structure that stores the Xnode identifier and user identifier. When the directory is enumerated again, the data structure is used to verify that the user has been validated before, instead of loading and checking against an ACL entry.

Abstract translation: 提供了基于访问的目录枚举的方法和系统。 首次枚举目录时，将根据ACL inode（称为Xnode）引用的访问控制列表（ACL）条目验证用户凭据。 Xnode号是从目录条目的文件句柄中获得的。 验证记录在存储Xnode标识符和用户标识符的数据结构中。 当再次枚举目录时，数据结构用于验证用户是否已经被验证过，而不是对ACL条目进行加载和检查。

公开(公告)号：US09152776B2

公开(公告)日：2015-10-06

申请号：US13873819

申请日：2013-04-30

Applicant: NetApp, Inc.

Inventor： Amit Aggarwal ,  Shekhar Amlekar

IPC: G06F12/00 ,  G06F21/31

CPC classification number: G06F21/31 ,  G06F2221/2107 ,  G06F2221/2111 ,  G06F2221/2141

Abstract: Embodiments described herein provide a technique for securely responding to an enumeration request of a data container stored at a location referenced by a junction or mount point within a share served by a storage system. To that end, the technique applies access permissions of the data container at the referenced location instead of permissions that may reside at the junction or mount point. Upon determining that the permissions are insufficient to allow access to the data container, the technique ensures that a descriptor of the junction or mount point is not included in a response to the enumeration request.

Abstract translation: 本文描述的实施例提供了一种用于安全地响应存储在由存储系统服务的共享内的连接点或安装点引用的位置处的数据容器的枚举请求的技术。 为此，该技术在引用的位置应用数据容器的访问权限，而不是可能驻留在连接点或装载点的权限。 在确定权限不足以允许访问数据容器时，该技术确保结点或装入点的描述符不包括在对枚举请求的响应中。