Search Patents
- Publication number: 20160203181
  Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to assign virtual identifiers to blocks of a file that contain identical information in different data sources. A distributed storage and distributed processing query statement is received. Real name attributes of the query statement are equated with selected virtual identifiers. Access control policies are applied to the selected virtual identifiers to obtain policy results. The policy results are applied to the real name attributes of the query statement to obtain query results.
  Type: Application. Filed: December 28, 2015. Publication date: July 14, 2016. Applicant: BlueTalon, Inc. Inventors: Pratik Verma, Rakesh Khanduja, Prerna Verma
- Publication number: 20160205101
  Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to receive a query statement. The query statement is one of many distributed storage and distributed processing query statements with unique data access methods. Token components are formed from the query statement. The token components are categorized as data components or logic components. Modified token components are formed from the token components in accordance with a policy. The query statement is reconstructed with the modified token components and original computational logic and control logic associated with the query statement.
  Type: Application. Filed: December 11, 2015. Publication date: July 14, 2016. Applicant: BlueTalon, Inc. Inventors: Pratik Verma, Rakesh Khanduja
- Publication number: 20180060365
  Abstract: Systems, computer program products and methods implementing access control for compound structures including subfields are described. A policy system receives a database schema and a data access policy. The database schema defines multiple subfields of a data column. The policy includes one or more rules limiting access to the subfields. A policy analyzer of the policy system creates an access control metadata that stores correspondence between the subfields and the rules. The policy analyzer represents the subfields in the access control metadata using relations between subfields and other components of the database. The policy analyzer provides the access control metadata to a policy enforcer for enforcing the policy on the subfields.
  Type: Application. Filed: August 26, 2016. Publication date: March 1, 2018. Applicant: BlueTalon, Inc. Inventors: Prasad Mujumdar, Rakesh Khanduja, Pratik Verma
- Patent number: 10129256
  Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to receive a query statement. The query statement is one of many distributed storage and distributed processing query statements with unique data access methods. Token components are formed from the query statement. The token components are categorized as data components or logic components. Modified token components are formed from the token components in accordance with a policy. The query statement is reconstructed with the modified token components and original computational logic and control logic associated with the query statement.
  Type: Grant. Filed: December 11, 2015. Date of Patent: November 13, 2018. Assignee: BlueTalon, Inc. Inventors: Pratik Verma, Rakesh Khanduja
- Patent number: 10185726
  Abstract: Systems, computer program products and methods implementing access control for compound structures including subfields are described. A policy system receives a database schema and a data access policy. The database schema defines multiple subfields of a data column. The policy includes one or more rules limiting access to the subfields. A policy analyzer of the policy system creates an access control metadata that stores correspondence between the subfields and the rules. The policy analyzer represents the subfields in the access control metadata using relations between subfields and other components of the database. The policy analyzer provides the access control metadata to a policy enforcer for enforcing the policy on the subfields.
  Type: Grant. Filed: August 26, 2016. Date of Patent: January 22, 2019. Assignee: BlueTalon, Inc. Inventors: Prasad Mujumdar, Rakesh Khanduja, Pratik Verma
- Patent number: 10659467
  Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to receive a query statement. The query statement is one of many distributed storage and distributed processing query statements with unique data access methods. Token components are formed from the query statement. The token components are categorized as data components or logic components. Modified token components are formed from the token components in accordance with a policy. The query statement is reconstructed with the modified token components and original computational logic and control logic associated with the query statement.
  Type: Grant. Filed: November 6, 2018. Date of Patent: May 19, 2020. Assignee: BlueTalon, Inc. Inventors: Pratik Verma, Rakesh Khanduja
- Publication number: 20180004970
  Abstract: A policy system enforces data security policies for requests, received from a client device, to access data stored on a distributed data storage system. The policy enforcement system can determine user credentials from the requests. The enforcement system then determines whether the user credentials allow the request to retrieve the data and, if so, whether the user credentials allow the request to retrieve the data without obligations. Upon determining that user credentials allow the request to retrieve the data without obligations, the policy enforcement system directs the client device to communicate directly with a name node of the data storage system, short-circuiting additional data retrieval and filtering of the policy system.
  Type: Application. Filed: July 1, 2016. Publication date: January 4, 2018. Applicant: BlueTalon, Inc. Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
- Patent number: 10491635
  Abstract: Systems, computer program products and methods implementing access control on a distributed file system are described. A policy engine enforces one or more policies to access a data item stored in the distributed file system by utilizing non-system extended attributes of the data item. The policy engine receives, from a client device, a request to access the data item. The policy engine determines a policy for accessing the data item. The policy specifies one or more conditions for accessing the data item in one or more extended attributes. The one or more extended attributes are associated with the data item in the distributed file system. The policy determines whether to grant the request to access the data item according to values of the one or more extended attributes.
  Type: Grant. Filed: June 30, 2017. Date of Patent: November 26, 2019. Assignee: BlueTalon, Inc. Inventor: Dilli Dorai Minnal Arumugam
- Patent number: 10033765
  Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to intercept a query statement at a master machine. The query statement is an instruction from a client machine that specifies how data managed by a distributed storage system should be processed and provided back to the client. In the communication between the client and the master machine, tokens associated with the statement are evaluated to selectively identify a pattern match of one of connection pattern tokens, login pattern tokens or query pattern tokens. For the query pattern tokens, altered tokens for the query statement are formed in response to the pattern match to establish a revised statement. The revised statement is produced in response to application of a policy rule. The revised statement maintains computation, logic and procedure of the statement, but alters parameters of the statement as specified by the policy rule.
  Type: Grant. Filed: December 11, 2015. Date of Patent: July 24, 2018. Assignee: BlueTalon, Inc. Inventors: Pratik Verma, Rakesh Khanduja
- Publication number: 20160205140
  Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to intercept a query statement at a master machine. The query statement is an instruction from a client machine that specifies how data managed by a distributed storage system should be processed and provided back to the client. In the communication between the client and the master machine, tokens associated with the statement are evaluated to selectively identify a pattern match of one of connection pattern tokens, login pattern tokens or query pattern tokens. For the query pattern tokens, altered tokens for the query statement are formed in response to the pattern match to establish a revised statement. The revised statement is produced in response to application of a policy rule. The revised statement maintains computation, logic and procedure of the statement, but alters parameters of the statement as specified by the policy rule.
  Type: Application. Filed: December 11, 2015. Publication date: July 14, 2016. Applicant: BlueTalon, Inc. Inventors: Pratik Verma, Rakesh Khanduja
- Patent number: 10277633
  Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; receiving, from a client device, a request for data from a file system, the request further comprising user credentials; forwarding the request for data to a second node that stores the data from the file system; receiving, from the node, the data from the file system; selecting from the plurality of policies, based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies; and sending the filtered data to the client device.
  Type: Grant. Filed: January 8, 2018. Date of Patent: April 30, 2019. Assignee: BlueTalon, Inc. Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
- Patent number: 10250723
  Abstract: Systems, computer program products and methods implementing protocol-level mapping are described. An identity mapping system intercepts a request from a client device to a distributed computing system. The identity mapping system determines a first protocol of the request. The identity mapping system determines user credentials associated with the request. The identity mapping system authenticates the request based on the user credentials. The identity mapping system determines a service provided by the distributed computing system that the request accesses. The identity mapping system determines service credentials of that service. The identity mapping system translates the first protocol into a second protocol associated with the distributed computing system, including associating the service credentials with the request. The identity mapping system then submits the request to the distributed computing system.
  Type: Grant. Filed: April 13, 2017. Date of Patent: April 2, 2019. Assignee: BlueTalon, Inc. Inventors: Rakesh Khanduja, Vineet Mittal
- Publication number: 20170257379
  Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing and enforcing policies on data security. A policy appliance includes a policy administration point, a policy decision point, a policy enforcement point and, optionally, an auditing module. The policy appliance can execute in a self-contained environment, e.g., a single virtual machine, a single physical machine, or a cluster of virtual machines or physical machines identically configured. The self-contained policy appliance can receive, manage, enforce and audit multiple policies that specify access privileges of multiple users on multiple databases. The databases can include heterogeneous databases that are configured separately and differently from one another. A single configuration of the policy appliance centralizes and unifies policy management of the heterogeneous databases in the self-contained environment.
  Type: Application. Filed: March 4, 2016. Publication date: September 7, 2017. Applicant: BlueTalon, Inc. Inventors: Benjamin L. Weintraub, Pratik Verma
- Patent number: 9871825
  Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for maintaining, by a policy enforcement system in a first compute node, a plurality of policies and data associating a plurality of user credentials with the plurality of policies. A request is received from a compute process for data from a file system in the first compute node. The request includes user credentials. The request for data is sent to the file system, and the data is received from the file system. Based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials are selected from the plurality of policies. The policy enforcement system filters the data from the file system based on the one or more policies, and sends the filtered data to the compute process.
  Type: Grant. Filed: December 10, 2015. Date of Patent: January 16, 2018. Assignee: BlueTalon, Inc. Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
- Patent number: 10367824
  Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing and enforcing policies on data security. A policy appliance includes a policy administration point, a policy decision point, a policy enforcement point and, optionally, an auditing module. The policy appliance can execute in a self-contained environment, e.g., a single virtual machine, a single physical machine, or a cluster of virtual machines or physical machines identically configured. The self-contained policy appliance can receive, manage, enforce and audit multiple policies that specify access privileges of multiple users on multiple databases. The databases can include heterogeneous databases that are configured separately and differently from one another. A single configuration of the policy appliance centralizes and unifies policy management of the heterogeneous databases in the self-contained environment.
  Type: Grant. Filed: September 28, 2018. Date of Patent: July 30, 2019. Assignee: BlueTalon, Inc. Inventors: Benjamin L. Weintraub, Pratik Verma
- Patent number: 10803190
  Abstract: Systems, computer program products and methods implementing access control on a distributed file system are described. A file system enforcement point protects an HDFS from unauthorized access by authenticating a declared identity of a task submitting a request from a client. Upon receiving the request, the file system enforcement point submits a challenge to the client, requesting the task to provide credentials of the declared identity. The task submits credentials. On the client, each task has access to credentials of a true identity of the task. Accordingly, in case a task submits a claimed identity that is different from the true identity of the task, the task cannot submit correct credentials in response to the challenge. The file system enforcement point authenticates the declared identity using the submitted credentials. The file system enforcement point allows the client to access the HDFS only upon successful authentication.
  Type: Grant. Filed: July 21, 2017. Date of Patent: October 13, 2020. Assignee: BlueTalon, Inc. Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar, Pratik Verma
- Patent number: 10594737
  Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to intercept a query statement at a master machine. The query statement is an instruction from a client machine that specifies how data managed by a distributed storage system should be processed and provided back to the client. In the communication between the client and the master machine, tokens associated with the statement are evaluated to selectively identify a pattern match of one of connection pattern tokens, login pattern tokens or query pattern tokens. For the query pattern tokens, altered tokens for the query statement are formed in response to the pattern match to establish a revised statement. The revised statement is produced in response to application of a policy rule. The revised statement maintains computation, logic and procedure of the statement, but alters parameters of the statement as specified by the policy rule.
  Type: Grant. Filed: July 17, 2018. Date of Patent: March 17, 2020. Assignee: BlueTalon, Inc. Inventors: Pratik Verma, Rakesh Khanduja
- Patent number: 10091212
  Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing and enforcing policies on data security. A policy appliance includes a policy administration point, a policy decision point, a policy enforcement point and, optionally, an auditing module. The policy appliance can execute in a self-contained environment, e.g., a single virtual machine, a single physical machine, or a cluster of virtual machines or physical machines identically configured. The self-contained policy appliance can receive, manage, enforce and audit multiple policies that specify access privileges of multiple users on multiple databases. The databases can include heterogeneous databases that are configured separately and differently from one another. A single configuration of the policy appliance centralizes and unifies policy management of the heterogeneous databases in the self-contained environment.
  Type: Grant. Filed: March 4, 2016. Date of Patent: October 2, 2018. Assignee: BlueTalon, Inc. Inventors: Benjamin L. Weintraub, Pratik Verma
- Patent number: 9866592
  Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; receiving, from a client device, a request for data from a file system, the request further comprising user credentials; forwarding the request for data to a second node that stores the data from the file system; receiving, from the node, the data from the file system; selecting from the plurality of policies, based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies; and sending the filtered data to the client device.
  Type: Grant. Filed: September 28, 2015. Date of Patent: January 9, 2018. Assignee: BlueTalon, Inc. Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
- Patent number: 10291602
  Abstract: Systems, computer program products and methods implementing YARN service protection are described. A reverse proxy in a cluster of computers in a distributed computing system can intercept a request to access a YARN service. The request can be associated with requester credentials. The reverse proxy determines that the request includes a REST API call. The reverse proxy determines, based on authentication configuration information, that the call needs to be authenticated. The reverse proxy authenticates the call based on the requester credentials using an authentication mechanism specified in the configuration information. Upon successful authentication of the call, the reverse proxy makes authorization checks based on specified configuration information. If the authorization checks pass, the reverse proxy forwards the request to a server that provides the YARN service in the cluster. If the authentication or authorization checks fail, the reverse proxy denies the request.
  Type: Grant. Filed: April 12, 2017. Date of Patent: May 14, 2019. Assignee: BlueTalon, Inc. Inventors: Sridhar Shanmugam Sailappan, Dilli Dorai Minnal Arumugam
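The query-rewriting family above (20160205101 / 10129256 / 10659467 and 20160205140 / 10033765 / 10594737) describes the same pipeline: tokenize the statement, categorize tokens as data or logic components, modify the data components according to a policy, and reconstruct the statement while preserving its computational and control logic. The following is an added illustration written for this page, not BlueTalon code and not an implementation of the claims. It assumes a simple policy shape (hypothetical `ColumnPolicy` with denied columns, masked columns and an optional row predicate), plain `SELECT col, col FROM ... WHERE ...` statements with unqualified or dotted column names and no aliases or expressions in the projection, and it deliberately refuses `SELECT *` because a wildcard hides the column list the policy has to act on.

```python
"""Policy-driven query rewriting: tokenize, classify, modify per policy, reconstruct."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Words treated as logic components; any other identifier-shaped token is a data component.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "AS", "NOT", "IN", "ON", "JOIN",
            "GROUP", "BY", "ORDER", "LIMIT", "HAVING", "DISTINCT"}
CLAUSES = {"GROUP", "ORDER", "LIMIT", "HAVING"}  # clause starters that end a WHERE predicate
# identifiers (optionally dotted), single-quoted literals, or one punctuation/operator character
TOKEN_RE = re.compile(r"\w+(?:\.\w+)*|'[^']*'|[^\s\w]")


@dataclass
class ColumnPolicy:
    """Hypothetical policy shape: columns to drop, columns to mask, optional row predicate."""
    deny: Set[str] = field(default_factory=set)
    mask: Set[str] = field(default_factory=set)
    row_filter: Optional[str] = None


def tokenize(sql: str) -> List[str]:
    return TOKEN_RE.findall(sql)


def classify(tok: str) -> str:
    """'logic' for keywords, operators, punctuation and literals; 'data' for identifiers."""
    if tok.upper() in KEYWORDS or tok.startswith("'") or not re.match(r"[A-Za-z_]", tok):
        return "logic"
    return "data"


def render(tokens: List[str]) -> str:
    return " ".join(tokens).replace(" ,", ",").replace("( ", "(").replace(" )", ")")


def rewrite(sql: str, policy: ColumnPolicy) -> str:
    """Drop denied columns, mask masked columns and AND the policy predicate into WHERE;
    every other token is kept in its original order."""
    toks = tokenize(sql)
    upper = [t.upper() for t in toks]
    if not toks or upper[0] != "SELECT" or "FROM" not in upper:
        raise ValueError("this example handles plain SELECT ... FROM statements only")
    i_from = upper.index("FROM")
    if "*" in toks[1:i_from]:
        # a wildcard hides the column list; expand it against the schema before evaluating policy
        raise ValueError("expand SELECT * against the schema before policy evaluation")

    prefix: List[str] = []            # e.g. DISTINCT, which precedes the column list
    kept: List[List[str]] = []
    for tok in toks[1:i_from]:
        if tok == ",":
            continue
        if tok.upper() == "DISTINCT":
            prefix.append(tok)
        elif classify(tok) == "logic":    # a literal in the projection: pass through
            kept.append([tok])
        elif tok in policy.deny:          # denied column: remove it from the projection
            continue
        elif tok in policy.mask:          # masked column: keep the name, replace the value
            kept.append(["'****'", "AS", tok])
        else:
            kept.append([tok])
    if not kept:
        raise PermissionError("policy denies every requested column")

    out: List[str] = ["SELECT"] + prefix
    for k, item in enumerate(kept):
        if k:
            out.append(",")
        out.extend(item)
    out.extend(toks[i_from:])             # FROM/WHERE/ORDER ...: computational logic preserved

    if policy.row_filter:
        up = [t.upper() for t in out]
        if "WHERE" in up:
            w = up.index("WHERE") + 1
            end = next((i for i, t in enumerate(up) if i > w and t in CLAUSES), len(out))
            # wrap the user's predicate so its OR/AND precedence cannot weaken the policy predicate
            out[w:end] = ["(", policy.row_filter, ")", "AND", "("] + out[w:end] + [")"]
        else:
            pos = next((i for i, t in enumerate(up) if t in CLAUSES), len(out))
            out[pos:pos] = ["WHERE", policy.row_filter]
    return render(out)
```

Calling `rewrite("SELECT name, ssn, salary FROM employees WHERE dept = 'eng' ORDER BY name", ColumnPolicy(deny={"salary"}, mask={"ssn"}, row_filter="region = 'EU'"))` yields `SELECT name, '****' AS ssn FROM employees WHERE (region = 'EU') AND (dept = 'eng') ORDER BY name`: the denied column is gone, the masked column keeps its name, the user's own predicate and ordering survive, and the policy predicate is parenthesised so a user-supplied `OR` cannot escape it.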
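The file-system enforcement family (9866592 / 10277633, 9871825) selects policies by the requester's credentials and filters the data returned by the storage node, and 20180004970 adds the short-circuit: when the selected policy grants access with no obligations, the client is pointed at the storage system directly instead of streaming through the filter. This added example, written for this page and not BlueTalon code, shows that decision flow over a constructed in-memory "data node" and a constructed credential-to-policy table; the `Policy` shape (a row predicate plus columns to redact) and the `Decision.route` values are assumptions of the example.

```python
"""Policy enforcement point: select policy by credential, short-circuit or filter the data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

Row = Dict[str, object]

# Constructed sample of what the storage node would return for one path.
DATA_NODE: Dict[str, List[Row]] = {
    "/data/customers": [
        {"id": 1, "name": "Ana", "region": "EU", "ssn": "111-11-1111"},
        {"id": 2, "name": "Bo", "region": "US", "ssn": "222-22-2222"},
        {"id": 3, "name": "Cleo", "region": "EU", "ssn": "333-33-3333"},
    ]
}


@dataclass
class Policy:
    """Hypothetical policy shape: a grant plus optional obligations (row filter, redactions)."""
    row_filter: Optional[Callable[[Row], bool]] = None
    redact: Set[str] = field(default_factory=set)

    def has_obligations(self) -> bool:
        return self.row_filter is not None or bool(self.redact)


# Constructed binding of credentials to policies; a deployment would resolve groups/roles here.
POLICIES: Dict[str, Policy] = {
    "token-admin": Policy(),                                                  # no obligations
    "token-analyst": Policy(row_filter=lambda r: r["region"] == "EU", redact={"ssn"}),
}


@dataclass
class Decision:
    route: str                       # "deny", "direct" (client reads from storage itself) or "filtered"
    rows: List[Row] = field(default_factory=list)


def fetch_from_node(path: str) -> List[Row]:
    """Stand-in for forwarding the request to the node that holds the data; copies rows."""
    return [dict(r) for r in DATA_NODE.get(path, [])]


def enforce(credential: str, path: str) -> Decision:
    policy = POLICIES.get(credential)
    if policy is None:
        return Decision("deny")                  # unknown credential: fail closed
    if not policy.has_obligations():
        # nothing to filter or redact: short-circuit, let the client talk to the storage system
        return Decision("direct")
    rows = fetch_from_node(path)
    if policy.row_filter is not None:
        rows = [r for r in rows if policy.row_filter(r)]
    for r in rows:
        for col in policy.redact:
            if col in r:
                r[col] = "****"
    return Decision("filtered", rows)
```

The short-circuit only fires when the grant carries no obligations; any row filter or redaction forces the data through the enforcement point, which is the property that keeps the optimisation from turning into a bypass.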
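Patent 10803190 authenticates the declared identity of a task with a challenge: the enforcement point asks the task to prove it holds the credentials of the identity it claims, and a task that claims someone else's identity cannot answer correctly because it only has its own. This added example, written for this page and not BlueTalon code, models that exchange as an HMAC-based challenge-response with a fresh nonce bound to the declared name, consumed on first use so a captured answer cannot be replayed. The per-identity keys are constructed for the example; how they are provisioned is outside its scope.

```python
"""Challenge-response check of a task's declared identity before granting file access."""
import hashlib
import hmac
import secrets
from typing import Dict


def _response(key: bytes, nonce: bytes, declared: str) -> bytes:
    """Proof of possession of `key`, bound to this nonce and to the identity being claimed."""
    return hmac.new(key, nonce + b"|" + declared.encode(), hashlib.sha256).digest()


class FileSystemEnforcementPoint:
    """Holds the verification key of every identity and issues one-time challenges."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self._keys = keys
        self._outstanding: Dict[bytes, str] = {}   # nonce -> declared identity it was issued for

    def challenge(self, declared: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding[nonce] = declared
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        declared = self._outstanding.pop(nonce, None)  # consumed on first use: replays fail
        key = self._keys.get(declared) if declared is not None else None
        if key is None:
            return False                                # unknown nonce or unknown identity
        return hmac.compare_digest(_response(key, nonce, declared), response)


class Task:
    """A client-side task: it holds only the key of its true identity."""

    def __init__(self, true_identity: str, key: bytes) -> None:
        self.true_identity = true_identity
        self._key = key

    def respond(self, nonce: bytes, declared: str) -> bytes:
        # The task may declare any name, but it can only sign with the key it actually has.
        return _response(self._key, nonce, declared)


def authenticate(fsep: FileSystemEnforcementPoint, task: Task, declared: str) -> bool:
    """Full exchange: challenge for the declared identity, answer, verify."""
    nonce = fsep.challenge(declared)
    return fsep.verify(nonce, task.respond(nonce, declared))


# Constructed keys for the example; a deployment would provision these out of band.
KEYS: Dict[str, bytes] = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
```

Binding the declared name into the MAC input matters: without it, a task that legitimately answered a challenge as `bob` could present the same answer while claiming `alice` if the verifier ever looked up the wrong key.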
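Patent 10291602 puts a reverse proxy in front of a YARN REST service: configuration decides whether a call must be authenticated, the proxy authenticates and then authorizes it, and only then forwards it; 10250723 describes the related identity-mapping step in which the requester's credentials are replaced by the service's own credentials before the request reaches the cluster. This added example, written for this page and not BlueTalon code, combines the two into one gate. The path prefixes, token table, role rules, service credential string and `X-Forwarded-User` header are all constructed or hypothetical; they stand in for whatever authentication mechanism and authorization rules the real configuration would specify.

```python
"""Reverse-proxy gate for a YARN-style REST service: authenticate, authorize, then forward
the request under the service's own credential."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed authentication configuration: path prefix -> does it require authentication?
AUTH_CONFIG: Dict[str, bool] = {
    "/ws/v1/cluster/info": False,   # cluster info left public in this example
    "/ws/v1/cluster/apps": True,    # application listing/submission must be authenticated
}
# Constructed token table standing in for the configured authentication mechanism.
TOKENS: Dict[str, Tuple[str, str]] = {        # bearer token -> (user, role)
    "tok-ops": ("ops-user", "operator"),
    "tok-ro": ("reader", "viewer"),
}
# Constructed authorization rules: role -> HTTP methods it may use on protected paths.
AUTHZ: Dict[str, Set[str]] = {"operator": {"GET", "POST", "PUT"}, "viewer": {"GET"}}
# Hypothetical credential the proxy itself holds for the backend service.
SERVICE_CREDENTIAL = "Bearer service-account:yarn-proxy"


def needs_auth(path: str) -> bool:
    for prefix, required in AUTH_CONFIG.items():
        if path == prefix or path.startswith(prefix + "/"):
            return required
    return True     # path absent from configuration: fail closed and demand authentication


def authenticate(req: Request) -> Optional[Tuple[str, str]]:
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def forward(req: Request, user: Optional[str]) -> Request:
    """Identity mapping: strip the requester's credential, attach the service credential."""
    headers = {k: v for k, v in req.headers.items() if k.lower() != "authorization"}
    headers["Authorization"] = SERVICE_CREDENTIAL
    if user is not None:
        headers["X-Forwarded-User"] = user   # hypothetical header carrying the mapped identity
    return Request(req.method, req.path, headers)


def proxy(req: Request) -> Tuple[int, Optional[Request]]:
    """Returns (status, forwarded request); 401 and 403 carry no forwarded request."""
    if not needs_auth(req.path):
        return 200, forward(req, None)
    ident = authenticate(req)
    if ident is None:
        return 401, None                      # authentication failed: deny
    user, role = ident
    if req.method not in AUTHZ.get(role, set()):
        return 403, None                      # authorization failed: deny
    return 200, forward(req, user)
```

Two details carry the security weight: paths missing from the configuration default to requiring authentication rather than passing through, and the forwarded request never carries the requester's token, so a backend that trusts the proxy sees only the service credential plus the mapped user name.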