Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
DETAILED ACTION
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/04/2024 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-14 of U.S. Patent No. 12088576B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application while broader are fully anticipated by the claims of the US Patent as they each are directed towards a node in cluster joining at least two domains, merging keys from each domain and permitting access based on the merged set of keys as indicated in the chart below.
Instant Application 18791498
U.S. Patent No. 12088576B2
(Claim 1) - A system comprising:
at least one processor configured to:
join at least one node of a computational cluster to a primary domain, wherein joining the at least one node to the primary domain generates a primary key table, the primary key table associated with a first set of permissions for remotely accessing a computer resource of the primary domain;
join the at least one node of the computational cluster to a secondary domain, wherein joining the at least one node to the secondary domain generates a secondary key table, the secondary key table associated with a second set of permissions for remotely accessing a computer resource of the secondary domain;
merge the primary key table with the secondary key table to form a merged key table, wherein each key of the merged key table comprises an identifier of a domain account associated with an encryption key necessary to encrypt or decrypt a ticket of a ticket-based computer network authentication protocol;
connect a remote computing device of the primary domain and a remote computing device of the secondary domain to the computational cluster;
authenticate a first cluster access request and a second cluster access request via the ticket-based computer network authentication protocol;
permit access by the computational cluster to perform a first action based on the first cluster access request, the first action requiring access to a first domain account associated with the remote computing device of the primary domain and being permissible based the merged key table; and
permit access by the computational cluster to perform a second action based on the second cluster access request, the second action requiring access to a second domain account associated with the remote computing device of the secondary domain and being permissible based the merged key table.
A system comprising:
a server comprising at least one hardware processor and at least one physical storage device comprising non-transitory memory, wherein the server is programmed and/or configured to:
generate, using a ticket-based computer network authentication protocol, a primary key table based on remote system access credentials for a primary domain and at least one secondary key table based on remote system access credentials for at least one secondary domain, wherein the primary key table is associated with a first set of permissions for remotely accessing a computer resource of the primary domain, wherein the at least one secondary key table is associated with at least one second set of permissions for remotely accessing a computer resource of the at least one secondary domain, and wherein the first set of permissions and the at least one second set of permissions are different sets of permissions associated with different permitted actions for remotely accessing computer resources;
merge the primary key table with the at least one secondary key table to form a merged key table, wherein each key of the merged key table comprises an identifier of a domain account associated with an encryption key necessary to encrypt or decrypt a ticket of the ticket-based computer network authentication protocol;
activate a system daemon;
connect, using the ticket-based computer network authentication protocol via the system daemon, a remote computing device of the primary domain and a remote computing device of the at least one secondary domain to a computational cluster;
receive a first cluster access request to access a first domain account associated with the remote computing device of the primary domain, wherein the first cluster access request comprises a request to perform a first action that is permissible based on the first set of permissions and is not permissible based on the at least one second set of permissions;
authenticate the first cluster access request via the ticket-based computer network authentication protocol;
receive a second cluster access request to access a second domain account associated with the remote computing device of the at least one secondary domain, wherein the second cluster access request comprises a request to perform a second action that is permissible based on the at least one second set of permissions and is not permissible based on the first set of permissions;
authenticate the second cluster access request via the ticket-based computer network authentication protocol; and
manage access by the computational cluster to the first domain account and the second domain account based on the merged key table, wherein, while managing access by the computational cluster, the server is programmed and/or configured to:
permit, using the system daemon, access by the computational cluster to the first domain account to perform the first action, based on the first set of permissions of the primary key table in the merged key table; and
permit, using the system daemon, access by the computational cluster to the second domain account to perform the second action, based on the at least one second set of permissions of the at least one secondary key table in the merged key table.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20170048223 to Padmanaban (hereinafter “Padmanaban”) retrieved from IDS dated 09/04/2024 in view of NPL Network Security Enhancement in Hadoop Clusters to Gaikwad et al. (hereinafter “Gaikwad”) and further in view of NPL The MIT Kerberos Administrator’s How-to Guide Protocol, Installation and Single Sign On to Migeon
Claim 1
Padmanaban teaches a system [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses a system.] comprising:
at least one processor [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses a processor.] configured to:
join at least one node of a computational cluster to a primary domain, wherein joining the at least one node to the primary domain generates a primary key table, the primary key table associated with a first set of permissions for remotely accessing a computer resource of the primary domain; [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses a node in a cluster may join a security domain such as Active Directory in a conventional fashion using Kerberos.]
join the at least one node of the computational cluster to a secondary domain, wherein joining the at least one node to the secondary domain generates a secondary key table, the secondary key table associated with a second set of permissions for remotely accessing a computer resource of the secondary domain; [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses the same node in the same cluster may join a different security domain such as Active Directory in a conventional fashion using Kerberos.]
connect a remote computing device of the primary domain and a remote computing device of the secondary domain to the computational cluster; [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses clients in different domains may connect to the node.]
authenticate a first cluster access request and a second cluster access request via the ticket-based computer network authentication protocol; [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses Kerberos.]
permit access by the computational cluster to perform a first action based on the first cluster access request, the first action requiring access to a first domain account associated with the remote computing device of the primary domain and being permissible based the merged key table; [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses a client accessing the node in a first domain.] and
permit access by the computational cluster to perform a second action based on the second cluster access request, the second action requiring access to a second domain account associated with the remote computing device of the secondary domain and being permissible based the merged key table. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses a different client accessing the node in a second domain.]
While Padmanaban teaches the system of claim 1 and teaches conventional use of Kerberos for clusters Padmanaban fails to explicitly teach how the conventional use is implemented. However, Gaikwad discloses that the conventional use requires a Key Distribution Centers is formed from an Authentication Server and Ticket Granting Server and further discloses that a keytab (e.g. key table) file is provided storing passwords from clients for the domain (e.g. BOB.COM) it serves. See Abstract, Page 153-155 of Gaikwad.
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include, the features above in the invention as disclosed by Padmanaban in order to provide the conventional standard regarding security for cluster based server that would be known by one of ordinary skill in the art.
The combination teaches the system of claim 1 and establishes the security required to implement clusters and access of a single node onto multiple domains and association of keytab files per domain on the principal that is using the file, however the combination and in particular Padmanaban states for those file servers to be integrated in a conventional AD context the machines composing the cluster have to be domain joined. This creates an administrative complexity for the deployment, and can expose the cluster to group policy management, with the overhead and complexity that involves. It also creates difficulties in locking down the machines from console access through domain credentials, see paragraph 0064 of Padmanaban.
However, Migeon teaches that multiple keytab files can be merged into a single file that the principal can access. More specifically, Migeon teaches:
merge the primary key table with the secondary key table to form a merged key table, wherein each key of the merged key table comprises an identifier of a domain account associated with an encryption key necessary to encrypt or decrypt a ticket of a ticket-based computer network authentication protocol; [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.]
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include, the features above in the invention as disclosed by Padmanaban and Gaikwad in order to simplify the administrative complexity by combining prior art elements (e.g. Migeon) according to known methods (e.g. Key Table Mergers) to yield predictable results (e.g. provide access to keys in a single file).
Claim 2:
Padmanaban teaches the system of claim 1, wherein the at least one processor is further configured to activate a system daemon operated on a node of the computational cluster. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses conventional use of Kerberos.]
Claim 3:
Padmanaban and Migeon teaches the system of claim 2, wherein, when connecting the remote computing device of the primary domain and the remote computing device of the secondary domain to the computational cluster, the at least one processor is configured to: connect the remote computing device of the primary domain and the remote computing device of the secondary domain to the computational cluster using the ticket-based computer network authentication protocol via the system daemon. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses clients in different domains may connect to the node using the conventionally using Kerberos.] [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.]
Claim 4:
Padmanaban and Migeon teaches the system of claim 3, wherein, when permitting access by the computational cluster to perform the first action, the at least one processor is configured to: permit, using the system daemon, access by the computational cluster to perform the first action; and wherein, when permitting access by the computational cluster to perform the second action, the at least one processor is configured to: permit, using the system daemon, access by the computational cluster to perform the second action. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses conventional use of Kerberos.] [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.]
Claim 5:
Padmanaban and Migeon teaches the system of claim 1, wherein the at least one processor is further configured to configure the ticket-based computer network authentication protocol to communicate with the primary domain and the secondary domain. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses conventional use of Kerberos.] [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.]
Claim 6:
Padmanaban and Migeon teaches the system of claim 5, wherein, when configuring the ticket-based computer network authentication protocol, the at least one processor is further configured to activate an authentication service and a ticket-granting service on a domain controller for each of the primary domain and the secondary domain. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses conventional use of Kerberos.] [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.]
Claim 7:
Padmanaban and Migeon teaches the system of claim 1, wherein the at least one processor is further configured to: initiate a discovery scan for each domain associated with the primary key table and the secondary key table; install data packages required to join the computational cluster to each domain associated with the primary key table and the secondary key table; and create an account entry for the computational cluster for each domain associated with the primary key table and the secondary key table. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses conventional use of Kerberos.] [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.]
Regarding claims 8-20 they are method and manufacture claims essentially corresponding to the above recitations, and they are rejected, at least, for the same reasons.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER C HARRIS whose telephone number is (571)270-7841. The examiner can normally be reached Monday through Friday between 8:00 AM to 4:00 PM CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER C HARRIS/Primary Examiner, Art Unit 2432