DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 6/11/2021.

Examiner’s Amendment
An Examiner’s Amendment to the record appears below.  Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative, Mr. Syed S. Ahmed (Reg. No. 64,587) on June 29, 2021.  During the telephone conference, Mr. Ahmed has agreed and authorized the Examiner to amend Claims 1, 8, 9, and 17, to add new claims 22 and 23, and to cancel claim 7, 15, and 18.  Authorization for payment of an extra independent claim fee in excess of three independent claims was filed on 7/2/2021.

Claims
Replacing Claims 1, 8, 9, 17, canceling claims 7, 15, and 18, and adding claims 22 and 23 as following:
Claim 1:	  (Currently Amended) A method, comprising:
receiving, from a client device by a policy system, a request to access data stored on a distributed file system comprising a name node and one or more data nodes, the request comprising user credentials, the name node being separate from the policy system;
determining, by a policy decision point of the policy system and according to (i) one or more data access policies and (ii) the user credentials, whether the request is to be denied, to be allowed with obligations that define conditions for access to a limited portion of the data requested by the client device, or to be allowed without obligations; and
in response to results of the determining, perform, by the policy system, actions including: 
based at least on a determination that the request is to be denied, notifying the client device of request denial by the policy system;
based at least on a determination that the request is to be allowed with obligations, requesting data from the distributed file system by the policy system; and
based at least on a determination that the request is to be allowed without obligations:
redirecting, by the policy system, the request to a short circuit handler executing on the name node of the distributed file system, the short circuit handler configured to determine whether to perform security check actions on the request based on a 
in response to receiving a verification request from the short circuit handler, providing, by the policy decision point, a verification to the short circuit handler, the verification verifying that the redirected request requires no obligations and authorizing the name node on the distribution file system to allow the client device to access requested data specified in the redirected request without obligation.
Claim 7:	 (Cancelled)

Claim 8:	 (Currently Amended) The method of claim [[7]] 1, wherein the verification request initiated by the short circuit handler is to inquire whether the request is to be denied, to be allowed with obligations, or to be allowed without obligations.

Claim 9:	 (Currently Amended) A system comprising: 
	one or more processors; and
a non-transitory computer-readable medium storing instructions that, upon execution by the one or more processors, cause the one or more processors to perform operations comprising:
receiving, from a client device by a policy system, a request to access data stored on a distributed file system comprising a name node and one or more data nodes, the request comprising user credentials, the name node being separate from the policy system;

in response to results of the determining, perform, by the policy system, actions including:
based at least on a determination that the request is to be denied, notifying the client device of request denial by the policy system;
based at least on a determination that the request is to be allowed with obligations, requesting data from the distributed file system by the policy system; and
based at least on a determination that the request is to be allowed without obligations:
redirecting, by the policy system, the request to a short circuit handler executing on the name node of the distributed file system, the short circuit handler configured to determine whether to perform security check actions on the request based on a sender of the request, wherein redirecting the request comprises (i) either instructing the client device to re-submit the request to the short circuit handler executing on the name node rather than to the policy system or (ii) forwarding the request on behalf of the client device to the short circuit handler, and
in response to receiving a verification request from the short circuit handler, providing, by the policy decision point, a verification to the short-circuit handler, the verification verifying that the redirected request requires no obligations and authorizing the name node on the distribution file system to allow the client device to access requested data specified in the redirected request without obligation.

Claim 15:	 (Cancelled) 

Claim 17:	 (Currently Amended) A non-transitory computer-readable medium storing instructions that, upon execution by one or more processors, cause the one or more processors to perform operations comprising:
receiving a request to access data by a short circuit handler executing on a name node of a Hadoop Distributed File System (HDFS) 
determining, by the short circuit handler, whether the request received by the short circuit handler is received from a client device or from a policy system;
in response to determining that the request is from a client device, performing, by the short circuit handler, actions including:
communicating with a policy decision point of the policy system for verification of the user credentials,
receiving a decision from the policy decision point on whether the request is to be denied, to be allowed with obligations that define conditions for access to a limited portion of the data requested by the client device, or to be allowed without obligations, and
in response to the decision, performing actions including:
based at least on a determination that the request is to be denied or to be allowed with obligations, notifying the client device of a request denial, and
based at least on a determination that the request is to be allowed without obligations, allowing the client device to access the requested data;
in response to determining that the request is from a policy system, determining whether the request includes a flag indicating that the request is to be allowed without obligation; and


Claim 18:	(Cancelled)

Claim 22:	(New) A non-transitory computer-readable medium storing instructions that, upon execution by one or more processors, cause the one or more processors to perform operations comprising:
		receiving a request to access data by a short circuit handler executing on a name node of a distributed file system, the request being associated with user credentials;
determining, by the short circuit handler, whether the request received by the short circuit handler is received from a client device or from a policy system;
in response to determining that the request is from a client device, performing, by the short circuit handler, actions including:
communicating with a policy decision point of the policy system for verification of the user credentials,
receiving a decision from the policy decision point on whether the request is to be denied, to be allowed with obligations that define conditions for access to a limited portion of the data requested by the client device, or to be allowed without 
based at least on a determination that the request is to be denied or to be allowed with obligations, notifying the client device of a request denial, and
based at least on a determination that the request is to be allowed without obligations, allowing the client device to access the requested data;
in response to determining that the request is from a policy system, determining whether the request includes a flag indicating that the request is to be allowed without obligation; and
in response to determining that the request includes the flag, allowing a client computing device to access the requested data, the client computing device being identified based on the user credentials associated with the request.

Claim 23:	(New) The non-transitory computer-readable medium of claim 22, wherein the distributed file system is a Hadoop Distributed File System (HDFS).	




Examiner's Statement of reason for Allowance
Claims 1-6, 8-14, 16, 17, and 19-23 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is directed to a method, a system, and a non-transitory computer-readable medium for enforcing data security policies for requests from accessing data stored on a distributed data storage system received from a client device. The policy enforcement system can determine user credentials from the requests. The enforcement system then determines whether the user credentials allow the request to retrieve the data and if yes, whether the user credentials allow the request to retrieve the data without obligations.  Upon determining that user credentials allow the request to retrieve the data without obligations, the policy enforcement system directs the client device to communicate directly with a name node of the data storage system, short-circuiting additional data retrieval and filtering of the policy system.
The closest prior art, as previously recited, Chakra (US20100313239), Chua (US9038151), and Drumm (US6643683), are also generally directed to various aspects of accessing data stored on a distributed file system.  However, none of Chakra, Chua, and Drumm teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims, claims 1, 9, 17, and 22.  For example, none of the cited prior art teaches or suggest the steps of (for claims 1 and 9, receiving, from a client device by a policy system, a request to access data stored on a distributed file system comprising a name node and one or more data nodes, the request comprising user credentials, the name node being separate from the policy system; determining, by a policy decision point of the policy system and according to (i) one or more data access policies and (ii) the user credentials, whether the request is to be denied, to be allowed with obligations that define conditions for access to a limited portion of the data requested by the client device, or to be allowed without obligations; and based at least on a determination that the request is to be denied, notifying the client device of request denial by the policy system; and based at least on a determination that the request is to be allowed without obligations: redirecting, by the policy system, the request to a short circuit handler executing on the name node of the distributed file system, the short circuit handler configured to determine whether to perform security check actions on the request based on a sender of the request, wherein redirecting the request comprises either (i) instructing the client device to re-submit the request to the short circuit handler executing on the name node rather than to the policy system or (ii) forwarding the request on behalf of the client device to the short circuit handler, and in response to receiving a verification request from the short circuit handler, providing, by the policy decision point, a verification to the short circuit handler, the verification verifying that the redirected request requires no obligations and authorizing the name node on the distribution file system to allow the client device to access requested data specified in the redirected request without obligation; OR,
(for claim 17) receiving a request to access data by a short circuit handler executing on a name node of a Hadoop Distributed File System (HDFS) a client device or from a policy system; communicating with a policy decision point of the policy system for verification of the user credentials, based at least on a determination that the request is to be denied or to be allowed with obligations, notifying the client device of a request denial, and based at least on a determination that the request is to be allowed without obligations, allowing the client device to access the requested data; in response to determining that the request is from a policy system, determining whether the request includes a flag indicating that the request is to be allowed without obligation; and 	in response to determining that the request includes the flag, allowing a client computing device to access the requested data, the client computing device being identified based on the user credentials associated with the request; OR
(for claim 22) receiving a request to access data by a short circuit handler executing on a name node of a distributed file system, the request being associated with user credentials; determining, by the short circuit handler, whether the request received by the short circuit handler is received from a client device or from a policy system; communicating with a policy decision point of the policy system for verification of the user credentials, receiving a decision from the policy decision point on whether the request is to be denied, to be allowed with obligations that define conditions for access to a limited portion of the data requested by the client device, or to be allowed without obligations, the obligations being defined by a setting in one or more data access policies, the setting specifying that at least a portion of the data to be accessed is to be redacted, and in response to the decision, performing actions including: based at least on a determination that the request is to be denied or to be allowed with obligations, notifying the client device of a request denial, and in response to determining that the request is from a policy system, determining whether the request includes a flag indicating that the request is to be allowed without obligation; and in response to determining that the request includes the flag, allowing a client computing device to access the requested data, the client computing device being identified based on the user credentials associated with the request.
Therefore the claims are allowable over the cited prior art.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368.  The examiner can normally be reached on 8-6:30 MTWH.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 5712705002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.









/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439