US Pat. No. 10,129,256

DISTRIBUTED STORAGE AND DISTRIBUTED PROCESSING QUERY STATEMENT RECONSTRUCTION IN ACCORDANCE WITH A POLICY

BlueTalon, Inc., Redwood...

1. A server, comprising:a processor; and
a memory connected to the processor, the memory storing instructions executed by the processor to:
receive a query statement, wherein the query statement is one of a plurality of distributed storage and distributed processing query statements with unique data access methods, wherein the query statement is received over a network from a client machine;
form token components from the query statement;
categorize each token component of the token components as one of a data component, a computational logic component or a control logic component;
form modified token components from the token components in accordance with a policy;
reconstruct the query statement with the modified token components and original computational logic and control logic associated with the query statement to form a policy compliant query statement; and
coordinate execution of the policy compliant query statement on worker machines connected to the network.

US Pat. No. 9,866,592

POLICY ENFORCEMENT SYSTEM

BlueTalon, Inc., Redwood...

1. A method, comprising:
storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with
the plurality of policies;

receiving, from a client device by the policy enforcement system, a request for data from a file system, the request further
comprising user credentials;

forwarding, by the policy enforcement system, the request to a first node;
receiving, from the first node, a redirect request comprising data specifying a second node that stores the data from the
file system;

appending, by the policy enforcement system, the user credentials to the redirect request to generate a custom redirect request;
responding to the client device, including sending the custom redirect request to the client device;
receiving, from the client device, a request for data from the second node, the request for data from the second node having
the user credentials;

forwarding, by the policy enforcement system, the request for data from the second node to the second node that stores the
data from the file system;

receiving the data from the file system from the second node;
selecting from the plurality of policies, based on the received user credentials and the data associating the plurality of
user credentials with the plurality of policies, one or more policies that correspond to the received user credentials;

filtering, by the policy enforcement system, the data from the file system based on the one or more policies; and
sending the filtered data to the client device.

US Pat. No. 10,033,765

DISTRIBUTED STORAGE PROCESSING STATEMENT INTERCEPTION AND MODIFICATION

BlueTalon, Inc., Redwood...

1. A non-transitory computer readable storage medium with instructions executed by a processor to:intercept a query statement at a master machine or a machine delegated to receive query statements sent to the master machine, wherein the query statement is a distributed storage and distributed processing query statement from a client machine that is processed by a distributed storage and distributed processing system;
evaluate tokens associated with the query statement to selectively identify a pattern match, wherein the tokens are evaluated to selectively identify a pattern match of connection pattern tokens, login pattern tokens and query pattern tokens; and
form altered tokens for the query statement in response to the pattern match to form a revised query statement, wherein the revised query statement is produced in response to application of a policy rule, wherein the revised query statement maintains computation, logic and procedure of the query statement, but alters parameters of the query statement as specified by the policy rule.

US Pat. No. 10,091,212

POLICY MANAGEMENT, ENFORCEMENT, AND AUDIT FOR DATA SECURITY

BlueTalon, Inc., Redwood...

1. A method, comprising:receiving, by a policy administration point of a policy appliance, a policy that defines an access privilege of a user on data stored in a first database having a first format and a second database having a second format that is different from the first format;
submitting the policy by the policy administration point to a policy decision point of the policy appliance that is configured to decide whether the user is permitted to access at least a portion of the data according to the policy;
receiving, by a policy enforcement point of the policy appliance, a data request from an application, the request including a user specification specifying the user and a data specification specifying a data item of the data to access;
submitting the user specification and the data specification to the policy decision point by the policy enforcement point;
receiving, by the policy enforcement point and from the policy decision point, a data access decision that is made by the policy decision point according to the policy, the data access decision specifying that the user is permitted to access a portion of the data item;
customizing the data request for each database based on the data access decision, including changing the data request into a first query according to the policy and the first format and changing the data request into a second query according to the policy and the second format, the first query preventing at least a first portion of the data item from being retrieved from the first database and the second query preventing at least a second portion of the data item from being retrieved from the second database;
redacting the data item, including masking the first portion and the second portion of the data item with one or more masking strings; and
providing, by the policy enforcement point to the application, the redacted data item as a response to the request according to the data access decision,
wherein the policy appliance, including each of the policy administration point, the policy decision point, and the policy enforcement point, executes in a container on a system that includes one or more computer processors.

US Pat. No. 9,871,825

POLICY ENFORCEMENT FOR COMPUTE NODES

BlueTalon, Inc., Redwood...

1. A method, comprising:
maintaining, by a policy enforcement system in a first compute node, a plurality of policies and data associating a plurality
of user credentials with the plurality of policies;

intercepting, by the policy enforcement system, a request for data, the request being sent from a compute process to a file
system in the first compute node, the request further comprising user credentials, wherein a first task is assigned to the
first compute node by a resource manager managing a plurality of tasks comprising the first task and a plurality of compute
nodes comprising the first compute node, and wherein the policy enforcement system is logically placed between the compute
process and the file system;

sending the request for data from the policy enforcement system to the file system;
receiving the data by the policy enforcement system from the file system;
selecting, by the policy enforcement system from the plurality of policies, based on the received user credentials and the
data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to
the received user credentials;

filtering, by the policy enforcement system, the data from the file system based on the one or more policies, the filtering
causing at least a portion of the data from the file system, when presented, to display as one or more masking characters
instead of as originally provided by the file system; and

sending the filtered data by the policy enforcement system to the compute process, the sending allowing a client device to
access the filtered data through the compute process.

US Pat. No. 10,291,602

YARN REST API PROTECTION

BlueTalon, Inc., Redwood...

1. A method, comprising:intercepting, by a reverse proxy in a cluster of computers in a distributed computing system, a request to access a resource manager service of the distributed computing system;
determining, by the reverse proxy, that the request includes a call that conforms to a REST (Representational State Transfer) API (application programming interface);
determining, by the reverse proxy, that the call has a particular method type that indicates requesting an action to be performed;
determining, by the reverse proxy based on authentication configuration information, whether the call needs to be authenticated, wherein the authentication configuration information includes a list of methods that need to be authenticated and determining whether the call needs to be authenticated comprises determining whether the particular method of the call is included in the list of methods of the authentication configuration information; and
in response to determining that the call needs to be authenticated:
authenticating the call using an authentication mechanism specified in the authentication configuration information,
upon successful authentication of the call, performing authorization checks based on the configuration information, and
upon successful authorization of the call, forwarding the request from the reverse proxy to a server that provides the resource manager service in the cluster,
wherein the reverse proxy includes one or more computer processors.
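The reverse-proxy gate described in the claim above, written out as an added example in Python; this is not BlueTalon's code and the patent specifies no language. The authentication configuration (`AUTH_CONFIG`, its keys, the demo credential store and the upstream address) is a constructed, hypothetical format: it lists the REST methods that must be authenticated, the mechanism to use, and who is authorized for each method. Read-only calls are forwarded untouched; a state-changing call such as the YARN `PUT .../apps/{appid}/state` request (the application id in the usage is a placeholder) is authenticated, authorized and only then forwarded.

```python
from __future__ import annotations
import base64
import hmac
from dataclasses import dataclass
from typing import Optional

UPSTREAM = "http://rm.example.internal:8088"   # resource manager server behind the proxy (constructed)
REST_PREFIX = "/ws/v1/cluster/"                # YARN resource manager REST API path prefix

# Constructed authentication configuration (hypothetical format). Every method that can change
# cluster state must be listed: a method missing from "authenticated_methods" is forwarded
# without authentication, so this list is the security boundary.
AUTH_CONFIG = {
    "authenticated_methods": {"PUT", "POST", "DELETE", "PATCH"},
    "mechanism": "basic",
    "users": {"admin": "s3cret-demo-password", "viewer": "viewer-demo-password"},  # demo store only
    "authorization": {"PUT": {"admin"}, "POST": {"admin"}, "DELETE": {"admin"}, "PATCH": {"admin"}},
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict


@dataclass
class Outcome:
    status: int
    forwarded_to: Optional[str] = None
    user: Optional[str] = None


def authenticate_basic(authorization: Optional[str], users: dict) -> Optional[str]:
    """Return the user name for a valid HTTP Basic header, otherwise None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(authorization[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    expected = users.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def reverse_proxy(req: Request, config: dict = AUTH_CONFIG) -> Outcome:
    """Decide whether a request reaches the resource manager service."""
    if not req.path.startswith(REST_PREFIX):
        return Outcome(404)  # not a resource manager REST call
    method = req.method.upper()
    if method not in config["authenticated_methods"]:
        return Outcome(200, forwarded_to=UPSTREAM + req.path)  # read-only call, forwarded as-is
    if config["mechanism"] != "basic":
        return Outcome(501)  # only Basic is implemented in this example
    user = authenticate_basic(req.headers.get("Authorization"), config["users"])
    if user is None:
        return Outcome(401)
    if user not in config["authorization"].get(method, set()):
        return Outcome(403, user=user)  # authenticated, but not allowed to perform the action
    return Outcome(200, forwarded_to=UPSTREAM + req.path, user=user)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a client would send (used for the demo calls)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    kill = "/ws/v1/cluster/apps/application_1700000000000_0001/state"  # placeholder application id
    print(reverse_proxy(Request("GET", "/ws/v1/cluster/apps", {})))
    print(reverse_proxy(Request("PUT", kill, {})))
    print(reverse_proxy(Request("PUT", kill, {"Authorization": basic_header("admin", "s3cret-demo-password")})))
```

The method check is done on the upper-cased verb so a lower-case `put` cannot slip past the list, and an unknown user or wrong password yields 401 before any authorization lookup; a known user without the right for that method gets 403 and is never forwarded.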

US Pat. No. 10,185,726

ACCESS CONTROL FOR NESTED DATA FIELDS

BlueTalon, Inc., Redwood...

1. A method, comprising:receiving, by a policy system, a database schema including a definition of a data type for a data column in a table of the database, the data type defining a plurality of subfields of the data column;
receiving, by the policy system, a data access policy including a plurality of rules, each rule specifying a respective access limitation on a subfield of the subfields;
generating, by the policy system, a respective access path for each of the subfields, each access path representing hierarchical relations between the database, the schema, the table, the data column, and a respective subfield;
storing each access path in association with a corresponding rule as access control metadata; and
providing, by the policy system, the access control metadata to a policy enforcer for enforcing the data access policy on the subfields of the data column.
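The access-path generation in the claim above, as an added example in Python (not BlueTalon's code; the patent names no language or schema syntax). The column type is written in the Hive-style `struct<name:type,...>` notation, the rule format (`subfield`/`action`), the `sales.public.events.actor` naming and the sample record are all constructed. The policy system parses the type, emits one dotted access path per subfield (intermediate struct nodes included, so a rule can deny a whole sub-structure), attaches a rule to each path, and the enforcer walks a nested record against that metadata.

```python
from __future__ import annotations
import re

PRIMITIVE_RE = re.compile(r"[a-z]+(?:\(\d+(?:,\d+)?\))?")  # int, string, decimal(5,2), ...


def parse_type(type_str: str, pos: int = 0):
    """Parse a Hive-style type string; structs become dicts, primitives stay strings."""
    if type_str.startswith("struct<", pos):
        pos += len("struct<")
        fields = {}
        while True:
            colon = type_str.index(":", pos)
            name = type_str[pos:colon]
            fields[name], pos = parse_type(type_str, colon + 1)
            if type_str[pos] == ",":
                pos += 1
                continue
            if type_str[pos] == ">":
                return fields, pos + 1
            raise ValueError(f"unexpected {type_str[pos]!r} at offset {pos}")
    m = PRIMITIVE_RE.match(type_str, pos)
    if m is None:
        raise ValueError(f"bad type at offset {pos}: {type_str[pos:]!r}")
    return m.group(0), m.end()


def access_paths(prefix: list, fields: dict) -> dict:
    """Flatten a struct into 'db.schema.table.column.sub[.sub]' paths with their types."""
    out = {}
    for name, t in fields.items():
        path = prefix + [name]
        if isinstance(t, dict):
            out[".".join(path)] = "struct"        # the nested node itself is addressable too
            out.update(access_paths(path, t))
        else:
            out[".".join(path)] = t
    return out


def build_access_control_metadata(db, schema, table, column, type_str, rules) -> dict:
    """Policy system side: schema + rules -> access control metadata for the enforcer."""
    type_str = "".join(type_str.split())          # Hive type strings carry no meaningful whitespace
    fields, end = parse_type(type_str)
    if end != len(type_str) or not isinstance(fields, dict):
        raise ValueError("column type must be a single struct<...> definition")
    prefix = [db, schema, table, column]
    metadata = {p: {"type": t, "action": "allow"} for p, t in access_paths(prefix, fields).items()}
    for rule in rules:                             # subfields are named relative to the column
        path = ".".join(prefix + [rule["subfield"]])
        if path not in metadata:                   # a rule on a non-existent subfield would never fire
            raise KeyError(f"rule targets unknown subfield {rule['subfield']!r}")
        metadata[path]["action"] = rule["action"]
    return metadata


def enforce(value, metadata: dict, path: str):
    """Enforcer side: apply the metadata to one nested column value (a dict mirroring the struct)."""
    if not isinstance(value, dict):
        return value
    out = {}
    for key, sub_value in value.items():
        sub_path = f"{path}.{key}"
        action = metadata.get(sub_path, {}).get("action", "deny")   # unknown subfield: fail closed
        if action == "deny":
            continue
        out[key] = "***" if action == "mask" else enforce(sub_value, metadata, sub_path)
    return out


# Constructed schema fragment, rules and record for the demo.
SCHEMA_TYPE = "struct<id:int,contact:struct<email:string,phone:string>,score:decimal(5,2)>"
RULES = [{"subfield": "contact.email", "action": "mask"}, {"subfield": "contact.phone", "action": "deny"}]


def demo():
    md = build_access_control_metadata("sales", "public", "events", "actor", SCHEMA_TYPE, RULES)
    record = {"id": 7, "contact": {"email": "ana@example.com", "phone": "555-0100"}, "score": "9.50"}
    return md, enforce(record, md, "sales.public.events.actor")


if __name__ == "__main__":
    metadata, filtered = demo()
    print(metadata)
    print(filtered)
```

The check that every rule resolves to a generated path is the part worth keeping: a typo in a rule's subfield name would otherwise be a silently inert rule. The enforcer also treats a subfield with no metadata as denied rather than allowed, so a schema change that adds a field does not expose it until the policy system has been re-run.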

US Pat. No. 10,491,635

ACCESS POLICIES BASED ON HDFS EXTENDED ATTRIBUTES

BlueTalon, Inc., Redwood...

1. A method, comprising:receiving, by a policy engine from a client device, a request to access a data item stored on a distributed file system, the request being associated with a requester;
determining a policy for accessing the data item, the policy being associated with the requester and defining one or more access limitations;
determining, based on the policy, that whether to grant the access to the data item to the requester is specified in an extended attribute associated with the data item, the extended attribute being an administrator-defined attribute of the data item that is different from a system attribute and being stored in the distributed file system;
determining a name of the extended attribute based on the policy;
retrieving, by the policy engine from the distributed file system, the extended attribute using the name of the extended attribute; and
determining whether to grant the request to access the data item based on a value of the retrieved extended attribute,
wherein the policy engine includes one or more computer processors.
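The decision flow of the claim above, as an added Python example (not BlueTalon's code). The distributed file system is simulated by the `DFS` dictionary, with system attributes kept apart from the administrator-defined extended attributes in the HDFS `user.` namespace; the `POLICIES` table, its `source`/`xattr_name`/`grant_values` keys and the requester names are constructed assumptions. The point the claim turns on is visible in `decide`: the attribute name comes from the policy, never from the request, and the engine reads the attribute value only after the policy says the decision lives there.

```python
from __future__ import annotations
from typing import Optional

# Constructed distributed file system: system attributes (owner) are separate from the
# administrator-defined extended attributes, which live in HDFS's "user." namespace.
DFS = {
    "/warehouse/finance/q3.parquet": {"owner": "etl", "xattrs": {"user.classification": "restricted",
                                                                 "user.retention": "7y"}},
    "/warehouse/public/weather.parquet": {"owner": "etl", "xattrs": {"user.classification": "public"}},
    "/warehouse/legacy/old.parquet": {"owner": "etl", "xattrs": {}},   # never classified
}

# Constructed policies keyed by requester (hypothetical format). A policy may delegate the
# decision to a named extended attribute; the name is fixed by the policy, not by the client.
POLICIES = {
    "analyst": {"source": "xattr", "xattr_name": "user.classification",
                "grant_values": {"public", "internal"}},
    "auditor": {"source": "xattr", "xattr_name": "user.classification",
                "grant_values": {"public", "internal", "restricted"}},
    "guest": {"source": "static", "grant": False},
}


def get_xattr(path: str, name: str) -> Optional[str]:
    """Retrieve one extended attribute from the (simulated) file system."""
    entry = DFS.get(path)
    if entry is None:
        raise FileNotFoundError(path)
    if not name.startswith("user."):
        raise ValueError("only administrator-defined attributes (user.*) may carry access decisions")
    return entry["xattrs"].get(name)


def decide(requester: str, path: str) -> bool:
    """Policy engine: grant or deny the requester's access to the data item at path."""
    policy = POLICIES.get(requester)
    if policy is None:
        return False                                   # no policy for this requester: deny
    if policy["source"] == "static":
        return bool(policy["grant"])
    value = get_xattr(path, policy["xattr_name"])       # name determined by the policy
    if value is None:
        return False                                   # attribute absent: fail closed, not "unclassified = open"
    return value in policy["grant_values"]


if __name__ == "__main__":
    for who, where in [("analyst", "/warehouse/public/weather.parquet"),
                       ("analyst", "/warehouse/finance/q3.parquet"),
                       ("auditor", "/warehouse/finance/q3.parquet"),
                       ("analyst", "/warehouse/legacy/old.parquet")]:
        print(who, where, decide(who, where))
```

On a real cluster the attribute consulted here would be set and read with `hdfs dfs -setfattr -n user.classification -v restricted <path>` and `hdfs dfs -getfattr -n user.classification <path>`; whoever can write that attribute effectively writes the access decision, so its write permission deserves the same scrutiny as the policy store itself.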

US Pat. No. 10,659,467

DISTRIBUTED STORAGE AND DISTRIBUTED PROCESSING QUERY STATEMENT RECONSTRUCTION IN ACCORDANCE WITH A POLICY

BlueTalon, Inc., Redwood...

1. A server, comprising:a network interface circuit connected to a network;
a processor connected to the network interface circuit; and
a memory connected to the processor, the memory storing instructions executed by the processor to:
receive a query statement from a client machine;
form token components from the query statement;
categorize each token component of the token components as one of a data component, a computational logic component or a control logic component;
form modified token components from the token components in accordance with a policy;
reconstruct the query statement with the modified token components and computational logic and control logic associated with the query statement to form a policy compliant query statement; and
coordinate execution of the policy compliant query statement on worker machines connected to the network.
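The query reconstruction claimed in US 10,129,256 (above, first entry on this page) and US 10,659,467 (immediately above), as one added Python example that is not BlueTalon's code; the patents name no language or policy syntax. A SQL statement is split into tokens, each token is categorized as a data component (identifier or literal), computational logic (operator or function) or control logic (keyword or punctuation), data components are replaced under a constructed policy, and the statement is reassembled around the untouched computational and control logic. The `POLICY` dictionary (a per-column masking expression and a per-table row filter), the `employees` table and the keyword and function lists are assumptions; the grammar handled is deliberately a small subset of SQL.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Token categories as in the claim: data components (identifiers, literals), computational
# logic (operators, functions) and control logic (keywords, punctuation).
CONTROL_KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "IN", "AS",
                    "GROUP", "ORDER", "BY", "LIMIT", "ASC", "DESC"}
FUNCTIONS = {"COUNT", "SUM", "AVG", "MIN", "MAX", "UPPER", "LOWER"}
OPERATOR_RE = re.compile(r"<>|<=|>=|!=|[-+*/%<>=]")
TOKEN_RE = re.compile(r"\d+(?:\.\d+)?|'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|<>|<=|>=|!=|[-+*/%<>=(),;]")

# Constructed policy (hypothetical format): columns to mask, and a row-level filter per table.
POLICY = {
    "mask": {"employees.ssn": "'***-**-****'"},
    "row_filter": {"employees": "dept = 'eng'"},
}


@dataclass
class Token:
    text: str
    kind: str  # "data" | "comp" | "ctrl"


def classify(text: str) -> str:
    up = text.upper()
    if up in CONTROL_KEYWORDS or text in "(),;":
        return "ctrl"
    if up in FUNCTIONS or OPERATOR_RE.fullmatch(text):
        return "comp"
    return "data"


def tokenize(sql: str) -> list[Token]:
    tokens, pos = [], 0
    while pos < len(sql):
        if sql[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"unexpected character {sql[pos]!r} at offset {pos}")
        tokens.append(Token(m.group(0), classify(m.group(0))))
        pos = m.end()
    return tokens


def apply_policy(tokens: list[Token], policy: dict):
    """Replace restricted data components; computational and control logic is left as-is."""
    table = next((tokens[i + 1].text for i, t in enumerate(tokens[:-1]) if t.text.upper() == "FROM"), None)
    if table is None:
        raise ValueError("query has no FROM clause to resolve columns against")
    out, in_projection = [], False
    for t in tokens:
        if t.text.upper() == "SELECT":
            in_projection = True
        elif t.text.upper() == "FROM":
            in_projection = False
        replacement = policy["mask"].get(f"{table}.{t.text}") if t.kind == "data" else None
        if replacement is None:
            out.append(t)
        else:  # keep the alias in the projection so the client still sees the column it asked for
            out.append(Token(f"{replacement} AS {t.text}" if in_projection else replacement, "data"))
    return out, table


def add_row_filter(tokens: list[Token], table: str, policy: dict) -> list[Token]:
    predicate = policy["row_filter"].get(table)
    if predicate is None:
        return tokens
    tokens = list(tokens)

    def first(kw):
        return next((i for i, t in enumerate(tokens) if t.text.upper() == kw), None)

    end = min([i for i in (first("GROUP"), first("ORDER"), first("LIMIT"), first(";")) if i is not None],
              default=len(tokens))
    where, filter_tokens = first("WHERE"), tokenize(predicate)
    if where is None:
        tokens[end:end] = [Token("WHERE", "ctrl")] + filter_tokens
    else:  # parenthesise the user's predicate so an OR in it cannot escape the policy filter
        tokens[where + 1:end] = ([Token("(", "ctrl")] + tokens[where + 1:end]
                                 + [Token(")", "ctrl"), Token("AND", "ctrl")] + filter_tokens)
    return tokens


def render(tokens: list[Token]) -> str:
    out, prev = "", ""
    for t in tokens:
        glue = (not out or t.text in ",);" or prev == "(" or (t.text == "(" and prev.upper() in FUNCTIONS))
        out += ("" if glue else " ") + t.text
        prev = t.text
    return out


def rewrite(sql: str, policy: dict = POLICY) -> str:
    """Tokenize, categorize, modify data components, reconstruct: the policy compliant statement."""
    modified, table = apply_policy(tokenize(sql), policy)
    return render(add_row_filter(modified, table, policy))


if __name__ == "__main__":
    print(rewrite("SELECT name, ssn FROM employees WHERE hired > 2015 OR role = 'exec' LIMIT 10"))
```

Two details matter for correctness of the reconstructed statement: the masked column keeps its alias so the client's result shape is unchanged, and the user's own WHERE predicate is wrapped in parentheses before the policy filter is ANDed on, otherwise `... OR role = 'exec'` would make the row filter optional.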

US Pat. No. 10,367,824

POLICY MANAGEMENT, ENFORCEMENT, AND AUDIT FOR DATA SECURITY

BlueTalon, Inc., Redwood...

1. A method, comprising:receiving, by a policy enforcement point of a policy appliance, a data request from an application, the request including a user specification specifying the user and a data specification specifying a data item to be accessed, the policy enforcement point being connected to a first database having a first database format and a second database having a second database format;
submitting, by the policy enforcement point, the user specification and the data specification to a policy decision point of the policy appliance, the policy decision point being configured to decide whether the user is permitted to access at least a portion of the data item according to a policy that defines an access privilege of the user on data;
receiving, by the policy enforcement point and from the policy decision point, a data access decision that is made by the policy decision point according to the policy, the data access decision specifying that the user is permitted to access a portion of the data item;
customizing, by the policy enforcement point, the data request for each of the databases based on the data access decision and a respective database format, including changing the data request into a first customized query according to the first database format and changing the data request into a second customized query according to the second database format, the customized query preventing at least a first portion of the data item from being retrieved from the databases;
retrieving, by the policy enforcement point, a second portion of the data item from the databases as a response to the customized query, the second portion being different from the first portion; and
providing, by the policy enforcement point to the application, the second portion of the data item,
wherein the policy appliance, including the policy decision point, and the policy enforcement point, executes in a container on a system that includes one or more computer processors.
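The policy appliance of US 10,091,212 (above) and US 10,367,824 (immediately above), as one added Python example that is not BlueTalon's code. A policy administration point submits policies to a policy decision point; the policy enforcement point takes an application's data request, obtains a decision, and customizes the request into two queries of different formats: a parameterised SQL statement that is actually run against an in-memory SQLite table, and a document-store style query with a projection applied to a constructed document list. Columns the decision does not permit are never retrieved, and columns marked for masking are redacted with a masking string before the response. The `Policy`/`Decision` shapes, the `customers` table, the `####` mask and the request format are all assumptions.

```python
from __future__ import annotations
import re
import sqlite3
from dataclasses import dataclass

MASK = "####"  # masking string used for redaction
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass(frozen=True)
class Policy:              # registered through the PAP (hypothetical format)
    user: str
    table: str
    visible: frozenset     # columns returned as stored
    masked: frozenset      # columns retrieved, then redacted by the PEP


@dataclass(frozen=True)
class Decision:
    retrieve: tuple        # columns the customized queries may fetch
    masked: tuple          # subset of those to redact before answering


class PolicyDecisionPoint:
    def __init__(self):
        self.policies: list[Policy] = []

    def decide(self, user: str, table: str, columns: list) -> Decision:
        matching = [p for p in self.policies if p.user == user and p.table == table]
        if not matching:
            return Decision((), ())                     # no applicable policy: default deny
        visible = set().union(*(p.visible for p in matching))
        masked = set().union(*(p.masked for p in matching))
        retrieve = tuple(c for c in columns if c in visible or c in masked)
        return Decision(retrieve, tuple(c for c in retrieve if c in masked and c not in visible))


class PolicyAdministrationPoint:
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def submit(self, policy: Policy) -> None:
        self.pdp.policies.append(policy)


class PolicyEnforcementPoint:
    def __init__(self, pdp: PolicyDecisionPoint, sql_db: sqlite3.Connection, doc_db: dict):
        self.pdp, self.sql_db, self.doc_db = pdp, sql_db, doc_db

    def handle(self, request: dict) -> dict:
        decision = self.pdp.decide(request["user"], request["table"], request["columns"])
        if not decision.retrieve:
            raise PermissionError(f"{request['user']} may not read {request['table']}")
        table, filt = request["table"], request.get("filter", {})
        if any(not IDENT_RE.match(k) for k in filt):
            raise ValueError("filter column names must be plain identifiers")
        # First format: SQL. Identifiers come from the decision (policy-vetted), filter values are
        # bound as parameters, so the application cannot inject SQL through this request.
        sql = f"SELECT {', '.join(decision.retrieve)} FROM {table}"
        if filt:
            sql += " WHERE " + " AND ".join(f"{k} = ?" for k in filt)
        sql_rows = [dict(zip(decision.retrieve, r)) for r in self.sql_db.execute(sql, tuple(filt.values()))]
        # Second format: document-store query with a projection limited to the permitted columns.
        doc_query = {"find": table, "filter": filt, "projection": {c: 1 for c in decision.retrieve}}
        doc_rows = [{c: d[c] for c in decision.retrieve} for d in self.doc_db.get(table, [])
                    if all(d.get(k) == v for k, v in filt.items())]
        # Redaction happens in the appliance, after retrieval, for the masked subset only.
        redacted = [{k: (MASK if k in decision.masked else v) for k, v in row.items()}
                    for row in sql_rows + doc_rows]
        return {"sql_query": sql, "document_query": doc_query, "rows": redacted}


def build_demo() -> PolicyEnforcementPoint:
    """Constructed databases and one policy: alice sees id and name, gets email masked, never ssn."""
    sql_db = sqlite3.connect(":memory:")
    sql_db.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, ssn TEXT, country TEXT)")
    sql_db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", [
        (1, "Ana", "ana@example.com", "123-45-6789", "DE"),
        (2, "Raj", "raj@example.com", "987-65-4321", "IN"),
    ])
    doc_db = {"customers": [{"id": 3, "name": "Mei", "email": "mei@example.com",
                             "ssn": "555-44-3333", "country": "DE"}]}
    pdp = PolicyDecisionPoint()
    PolicyAdministrationPoint(pdp).submit(Policy("alice", "customers", frozenset({"id", "name"}), frozenset({"email"})))
    return PolicyEnforcementPoint(pdp, sql_db, doc_db)


if __name__ == "__main__":
    pep = build_demo()
    print(pep.handle({"user": "alice", "table": "customers",
                      "columns": ["id", "name", "email", "ssn"], "filter": {"country": "DE"}}))
```

Whether an application may filter on a column it is not allowed to see (here `country`) is a policy question the claims do not settle; this example only ensures the filter key is a plain identifier and the value is bound as a parameter.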

US Pat. No. 10,277,633

POLICY ENFORCEMENT SYSTEM

BlueTalon, Inc., Redwood...

1. A method, comprising:storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies;
intercepting, by the policy enforcement system, a request for data submitted from a client device to a file system that stores the data, the request including a first user credentials;
forwarding, by the policy enforcement system, the request for data to a first node of the file system, the first node mapping the requested data to a second node that stores the data in the file system;
receiving, by the policy enforcement system and from the first node, a redirect request comprising information specifying the second node;
encrypting, by the policy enforcement system, the first user credentials to provide encrypted user credentials;
appending, by the policy enforcement system, the encrypted user credentials to the redirect request to provide a custom redirect request;
sending, by the policy enforcement system, the custom redirect request to the second node;
intercepting, by the policy enforcement system, a response to the custom redirect request sent from the second node to the client device;
selecting, by the policy enforcement system and from the plurality of policies, based on the first user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the first user credentials;
filtering, by the policy enforcement system, the data from the file system based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data; and
sending the filtered data to the client device.
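The redirect-and-filter flow claimed in US 9,866,592 (above) and in US 10,277,633 (immediately above), with the same credential-based policy selection and masking-character filtering as US 9,871,825 (above), as one added Python example that is not BlueTalon's code. A name node answers an open request with a redirect to the data node that holds the data; the policy enforcement system appends the caller's credentials to that redirect, the client follows it back through the system, and the system selects the policies associated with the credentials and masks fields before the data reaches the client. The file system (`NAME_NODE`, `DATA_NODES`), the WebHDFS-style URL layout, the policy format and the credential names are constructed. US 10,277,633 encrypts the appended credentials; the standard library has no authenticated-encryption primitive, so this example seals them with an HMAC tag instead (integrity only, a deliberate stand-in, not the patented method).

```python
from __future__ import annotations
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

PREFIX = "/webhdfs/v1"
MASK_CHAR = "*"

# Constructed in-memory file system: the name node only maps a path to the data node holding it.
NAME_NODE = {"/data/customers.csv": "dn1.example.internal"}
DATA_NODES = {"dn1.example.internal": {"/data/customers.csv": [
    {"id": "1", "name": "Ana", "email": "ana@example.com", "phone": "555-0100"},
    {"id": "2", "name": "Raj", "email": "raj@example.com", "phone": "555-0101"},
]}}
# Constructed policies (hypothetical format) and the credential-to-policy association.
POLICIES = {"mask-contact": {"mask_fields": {"email", "phone"}}, "unrestricted": {"mask_fields": set()}}
CREDENTIAL_POLICIES = {"alice": ["mask-contact"], "ops": ["unrestricted"]}


class PolicyEnforcementSystem:
    def __init__(self, key: bytes):
        self.key = key  # secret shared by nothing but this system; clients only carry the sealed token

    def seal(self, credentials: str) -> str:
        """Stand-in for encryption: credentials plus an HMAC tag, base64 for the URL."""
        tag = hmac.new(self.key, credentials.encode(), hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(f"{credentials}|{tag}".encode()).decode()

    def unseal(self, token: str) -> str:
        credentials, tag = base64.urlsafe_b64decode(token.encode()).decode().rsplit("|", 1)
        expected = hmac.new(self.key, credentials.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("credential token failed verification")
        return credentials

    def open_file(self, path: str, credentials: str) -> str:
        """Hop 1: client -> system -> name node; the name node's redirect gets the credentials appended."""
        node = NAME_NODE.get(path)
        if node is None:
            raise FileNotFoundError(path)
        return f"http://{node}{PREFIX}{path}?op=OPEN&creds={self.seal(credentials)}"

    def follow_redirect(self, url: str) -> list[dict]:
        """Hop 2: the client follows the custom redirect through the system, which filters the data."""
        u = urlparse(url)
        credentials = self.unseal(parse_qs(u.query)["creds"][0])
        if credentials not in CREDENTIAL_POLICIES:
            raise PermissionError(f"no policy for {credentials!r}")   # unknown identity: deny
        rows = DATA_NODES[u.hostname][u.path[len(PREFIX):]]            # forwarded to the second node
        masked = set().union(*(POLICIES[p]["mask_fields"] for p in CREDENTIAL_POLICIES[credentials]))
        # Masked entries keep their length but display as masking characters.
        return [{k: (MASK_CHAR * len(v) if k in masked else v) for k, v in row.items()} for row in rows]


if __name__ == "__main__":
    pes = PolicyEnforcementSystem(b"demo-key")
    redirect = pes.open_file("/data/customers.csv", "alice")
    print(redirect)
    print(pes.follow_redirect(redirect))
```

The verification step is what stops a client from editing the credentials on the redirect it was handed: a token sealed under a different key (or with a different user name spliced in) fails `unseal` before any policy is consulted.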

US Pat. No. 10,594,737

DISTRIBUTED STORAGE PROCESSING STATEMENT INTERCEPTION AND MODIFICATION

BlueTalon, Inc., Redwood...

1. A non-transitory computer readable storage medium with instructions executed by a processor to:intercept a query statement at a master machine or a machine delegated to receive query statements sent to the master machine, wherein the query statement is a distributed storage and distributed processing statement from a client machine;
evaluate tokens associated with the query statement to selectively identify a pattern match, wherein the tokens are evaluated to selectively identify a pattern match of connection pattern tokens, login pattern tokens and query pattern tokens; and
form altered tokens for the query statement in response to the pattern match to form a revised query statement, wherein the revised query statement is produced in response to application of a policy rule, wherein the revised query statement maintains computation, logic and procedure of the query statement, but alters parameters of the query statement as specified by the policy rule.
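The interception described in US 10,033,765 (above) and US 10,594,737 (immediately above), as one added Python example that is not BlueTalon's code. A stateful interceptor sits in front of the master and matches each incoming message against connection, login and query pattern tokens; once a query arrives it applies policy rules keyed on the connected database and the logged-in user's group, altering only parameters (a table name is substituted, a LIMIT is clamped) while the statement's computation and structure are kept. The wire format (`CONNECT ...`, `LOGIN ...`, `QUERY ...`), the user directory and the rule format are constructed; the real protocols these products front are binary, and the point here is the pattern-then-substitute step, not the framing.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Pattern tokens for the three message kinds seen on the way to the master (constructed format).
PATTERNS = {
    "connection": re.compile(r"^CONNECT host=(?P<host>\S+) db=(?P<db>\w+)$"),
    "login": re.compile(r"^LOGIN user=(?P<user>\w+)$"),
    "query": re.compile(r"^QUERY (?P<sql>.+)$"),
}
# Constructed directory and policy rules (hypothetical format). A rule alters parameters only.
USER_GROUPS = {"alice": "analyst", "bob": "admin"}
POLICY_RULES = [
    {"db": "prod", "group": "analyst", "table_map": {"raw_events": "events_masked"}, "max_limit": 100},
]


@dataclass
class Session:
    host: Optional[str] = None
    db: Optional[str] = None
    user: Optional[str] = None


def alter_parameters(sql: str, rule: dict) -> str:
    """Substitute table names and clamp LIMIT; no other token of the statement changes."""
    for src, dst in rule.get("table_map", {}).items():
        sql = re.sub(rf"\b{re.escape(src)}\b", dst, sql)   # also hits a column of the same name
    cap = rule.get("max_limit")
    if cap is not None:
        sql = re.sub(r"\bLIMIT\s+(\d+)\b", lambda m: f"LIMIT {min(int(m.group(1)), cap)}", sql,
                     flags=re.IGNORECASE)
    return sql


class Interceptor:
    def __init__(self):
        self.session = Session()

    def handle(self, message: str) -> str:
        """Return the message to forward to the master (possibly revised)."""
        for kind, pattern in PATTERNS.items():
            m = pattern.match(message)
            if m is not None:
                return getattr(self, f"on_{kind}")(m, message)
        raise ValueError(f"no pattern matched {message!r}")   # unknown traffic is not forwarded

    def on_connection(self, m, message):
        self.session.host, self.session.db = m["host"], m["db"]
        return message

    def on_login(self, m, message):
        self.session.user = m["user"]
        return message

    def on_query(self, m, message):
        s = self.session
        if s.user is None:
            raise PermissionError("QUERY received before LOGIN")   # no identity, no policy: refuse
        sql = m["sql"]
        for rule in POLICY_RULES:
            if rule["db"] == s.db and rule["group"] == USER_GROUPS.get(s.user):
                sql = alter_parameters(sql, rule)
        return f"QUERY {sql}"


if __name__ == "__main__":
    ic = Interceptor()
    for msg in ["CONNECT host=master.example.internal db=prod", "LOGIN user=alice",
                "QUERY SELECT user_id, COUNT(*) FROM raw_events GROUP BY user_id LIMIT 5000"]:
        print(ic.handle(msg))
```

The order dependency is the part a practitioner should notice: a query that arrives before the login pattern has matched carries no identity to select a rule by, and the safe behaviour is to refuse it rather than forward it unaltered.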

US Pat. No. 10,250,723

PROTOCOL-LEVEL IDENTITY MAPPING

BlueTalon, Inc., Redwood...

1. A method, comprising:intercepting, by an identity mapping system, a user request submitted from a client device through an application program to a distributed computing system that provides a plurality of services, the user request being associated with user credentials, wherein the identity mapping system intercepts the user request at a protocol level that is outside of the application program;
determining, by the identity mapping system, a user protocol in which the client device submitted the user request;
authenticating the user request based on the user credentials;
upon successfully authenticating the user request, determining, by the identity mapping system, a service of the services that the user request is authorized to access;
determining service credentials associated with the service;
generating a service request by the identity mapping system, including translating the user protocol of the user request to a service protocol associated with the service at least in part by associating the service credentials with the service request; and
submitting the service request by the identity mapping system to the distributed computing system, wherein the identity mapping system includes one or more computer processors.
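The protocol-level identity mapping of the claim above, as an added Python example that is not BlueTalon's code. A user request arrives in the user's protocol (HTTP, carrying a session token as the user credentials); the mapping system authenticates it, works out which of the cluster's services the request is authorized to reach, looks up that service's own credentials, and emits a service request in the service's protocol with those credentials attached and the end-user identity preserved for auditing. The session table, the route table, the service credentials and the two service protocol names are constructed; the user's credentials never leave the mapping system, and the service credentials never reach the client.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed directory: session token -> user, and the services each user may reach.
SESSIONS = {"sess-7f3a": "alice", "sess-19c0": "bob"}
USER_SERVICES = {"alice": {"hive"}, "bob": {"hdfs"}}
# Constructed service credentials, held by the mapping system only.
SERVICE_CREDENTIALS = {
    "hive": {"principal": "hive-gateway@EXAMPLE.INTERNAL", "token": "svc-hive-demo"},
    "hdfs": {"principal": "hdfs-gateway@EXAMPLE.INTERNAL", "token": "svc-hdfs-demo"},
}
# Which service each user-protocol path maps to, and the protocol that service speaks.
ROUTES = {"/api/sql": "hive", "/api/files": "hdfs"}
SERVICE_PROTOCOLS = {"hive": "thrift-hiveserver2", "hdfs": "webhdfs"}


@dataclass
class UserRequest:
    protocol: str      # what the client spoke, e.g. "HTTP/1.1"
    path: str
    headers: dict
    body: str


@dataclass
class ServiceRequest:
    protocol: str
    service: str
    principal: str
    token: str
    proxy_user: str    # end-user identity carried along for audit and per-user authorization downstream
    payload: dict


def identity_map(req: UserRequest) -> ServiceRequest:
    """Intercept a user request outside the application and translate it to a service request."""
    if not req.protocol.lower().startswith("http/"):
        raise ValueError(f"unsupported user protocol {req.protocol!r}")
    # Authenticate the user request from its own credentials (a session token in this example).
    user = SESSIONS.get(req.headers.get("X-Session-Token", ""))
    if user is None:
        raise PermissionError("unauthenticated request")
    # Determine the service the request is authorized to access.
    service = ROUTES.get(req.path)
    if service is None or service not in USER_SERVICES.get(user, set()):
        raise PermissionError(f"{user} is not authorised for {req.path}")
    creds = SERVICE_CREDENTIALS[service]
    # Translate the user protocol into the service protocol; the session token is not forwarded.
    payload = {"statement": req.body} if service == "hive" else {"op": "OPEN", "path": req.body}
    return ServiceRequest(SERVICE_PROTOCOLS[service], service, creds["principal"], creds["token"], user, payload)


if __name__ == "__main__":
    print(identity_map(UserRequest("HTTP/1.1", "/api/sql", {"X-Session-Token": "sess-7f3a"}, "SELECT 1")))
```

Carrying the original user in `proxy_user` is what keeps the translated request attributable: without it every downstream log line would show the gateway principal, and per-user policy at the service would be impossible.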