Clustered filesystem for mix of trusted and untrusted nodes

US 20040250113A1
Filed: 04/16/2003
Published: 12/09/2004
Est. Priority Date: 04/16/2003
Status: Active Grant

First Claim

Patent Images

1. A method of operating a cluster of computer system nodes sharing direct read/write access to filesystems administered by at least one trusted metadata server node on storage devices connected to the computer system nodes via a storage area network, comprising:

assigning a mandatory access control label as an extended attribute of each filesystem object administered by the at least one trusted metadata server node regardless of whether required by a client node creating the filesystem object.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cluster of computer system nodes share direct read/write access to storage devices via a storage area network using a cluster filesystem. At least one trusted metadata server assigns a mandatory access control label as an extended attribute of each filesystem object regardless of whether required by a client node accessing the filesystem object. The mandatory access control label indicates the sensitivity and integrity of the filesystem object and is used by the trusted metadata server(s) to control access to the filesystem object by all client nodes.

109 Citations

18 Claims

1. A method of operating a cluster of computer system nodes sharing direct read/write access to filesystems administered by at least one trusted metadata server node on storage devices connected to the computer system nodes via a storage area network, comprising:
- assigning a mandatory access control label as an extended attribute of each filesystem object administered by the at least one trusted metadata server node regardless of whether required by a client node creating the filesystem object.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method as recited in claim 1, wherein the file system object is obtained from a filesystem, and wherein said assigning uses a fiilesystem mandatory access control label if previously assigned to the filesystem when the client node requesting access to the filesystem has no mandatory access control label for accessing the filesystem.
  - 3. A method as recited in claim 2, wherein said assigning uses a networking mandatory access control label if previously assigned to the client node and no fiilesystem mandatory access control label is assigned to the filesystem.
  - 4. A method as recited in claim 3, wherein said assigning uses a default mandatory access control label if no fiilesystem mandatory access control label is assigned to the filesystem and no networking mandatory access control label is assigned to the client node.
  - 5. A method as recited in claim 4, wherein said assigning includes a first indication of sensitivity and integrity in the mandatory access control label of the filesystem object.
  - 6. A method as recited in claim 5, further comprising:
    - assigning a second indication of sensitivity and integrity to each node having access to the filesystem; and
      
      permitting access to the filesystem object by any client node only if the second indication of sensitivity and integrity assigned thereto meets criteria defined by the first indication of sensitivity and integrity in the mandatory access control label of the filesystem object.

7. At least one computer readable medium storing at least one program embodying a method of operating a cluster of computer system nodes sharing direct read/write access to filesystems administered by at least one trusted metadata server node on storage devices connected to the computer system nodes via a storage area network, said method comprising:
- assigning a mandatory access control label as an extended attribute of each filesystem object administered by the at least one trusted metadata server node regardless of whether required by a client node creating the filesystem object.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. At least one computer readable medium as recited in claim 7, wherein the file system object is obtained from a filesystem, and wherein said assigning uses a fiilesystem mandatory access control label if previously assigned to the filesystem when the client node requesting access to the filesystem has no mandatory access control label for accessing the filesystem.
  - 9. At least one computer readable medium as recited in claim 8, wherein said assigning uses a networking mandatory access control label if previously assigned to the client node and no fiilesystem mandatory access control label is assigned to the filesystem.
  - 10. At least one computer readable medium as recited in claim 9, wherein said assigning uses a default mandatory access control label if no fiilesystem mandatory access control label is assigned to the filesystem and no networking mandatory access control label is assigned to the client node.
  - 11. At least one computer readable medium as recited in claim 10, wherein said assigning includes a first indication of sensitivity and integrity in the mandatory access control label of the filesystem object.
  - 12. At least one computer readable medium as recited in claim 11, further comprising:
    - assigning a second indication of sensitivity and integrity to each node having access to the filesystem; and
      
      permitting access to the filesystem object by any client node only if the second indication of sensitivity and integrity assigned thereto meets criteria defined by the first indication of sensitivity and integrity in the mandatory access control label of the filesystem object.

13. A cluster of computer systems, comprising:
- storage devices storing at least one filesystem;
  
  a storage area network coupled to said storage devices;
  
  metadata client nodes coupled to said storage area network; and
  
  at least one trusted metadata server node, coupled to said storage area network, to assign a mandatory access control label as an extended attribute of each filesystem object regardless of whether required by a client node accessing the filesystem object.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. A cluster of computer systems as recited in claim 13, wherein the file system object is obtained from a filesystem, and wherein said at least one trusted metadata server node uses a fiilesystem mandatory access control label if previously assigned to the filesystem when the client node requesting access to the filesystem does has no mandatory access control label for accessing the filesystem.
  - 15. A cluster of computer systems as recited in claim 14, wherein said at least one trusted metadata server node uses a networking mandatory access control label if previously assigned to the client node and no fiilesystem mandatory access control label is assigned to the filesystem.
  - 16. A cluster of computer systems as recited in claim 15, wherein said at least one trusted metadata server node uses a default mandatory access control label if no fiilesystem mandatory access control label is assigned to the filesystem and no networking mandatory access control label is assigned to the client node.
  - 17. A cluster of computer systems as recited in claim 16, wherein said at least one trusted metadata server node includes a first indication of sensitivity and integrity in the mandatory access control label of the filesystem object.
  - 18. A cluster of computer systems as recited in claim 17, wherein said at least one trusted metadata server node further assigns a second indication of sensitivity and integrity to each node having access to the filesystem, and permits access to the filesystem object by any client node only if the second indication of sensitivity and integrity assigned thereto meets criteria defined by the first indication of sensitivity and integrity in the mandatory access control label of the filesystem object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Silicon Graphics Incorporated (Graphics Properties Holdings, Inc.)
Inventors
Beck, Kenneth S.

Granted Patent

US 7,640,582 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/0745   in an input/output transact...

G06F 11/0772   Means for error signaling, ...

G06F 11/3006   where the computing system ...

G06F 21/6218   to a system of files or obj...

G06F 9/4843   by program, e.g. task dispa...

G06F 9/485   Task life-cycle, e.g. stopp...

H04L 63/101   Access control lists [ACL]

H04L 63/12   Applying verification of th...

Y10S 707/99931   Database or file accessing

Clustered filesystem for mix of trusted and untrusted nodes

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Clustered filesystem for mix of trusted and untrusted nodes

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links