Methods and apparatus for providing dynamic network file system client authentication

US 5,737,523 A
Filed: 03/04/1996
Issued: 04/07/1998
Est. Priority Date: 03/04/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method implemented on a server computer system for providing dynamic client authentication in a distributed file system computing environment, the method comprising the computer controlled steps of:

receiving an NFS request from an NFS client, the NFS request including a file handle representing a given file system available on the server computer system and a file operation to be performed upon the given file system, the given file system modifiable by clients of the server computer having a corresponding access status of read-write with respect to the given file system, readable by clients of the server computer having the corresponding access status of read only with respect to the given file system, and inaccessible to all other clients of the server computer;

dynamically determining whether the NFS client has an access status sufficient to perform the NFS request; and

performing the NFS request when the NFS client has sufficient access status.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A variety of methods and apparatus are taught for providing dynamic distributed file system client authentication. One method for providing dynamic distributed file system client authentication within a distributed file system computing environment includes the steps of receiving an NFS request from an NFS client, determining whether the NFS client has an access status sufficient to perform the NFS request, and performing the NFS request when the NFS client has sufficient access status. In some embodiments, the NFS request includes a file handle representing a given file system available on the server computer system and a file operation to be performed upon the given file system. A server computer in accordance with one embodiment of the present invention is operable to provide dynamic NFS client authentication. The server computer includes a CPU, a RAM accessible by the CPU, a ROM accessible by the CPU, a network I/O port coupled with the CPU, a mass storage device accessible by the CPU, and a kernel implemented on the server computer. In addition, the server computer implements a dynamic NFS client authentication service operable to receive an NFS request from an NFS client and to authenticate the NFS client in relation to the NFS request. The dynamic NFS client authentication service considers factors such as time, date, identity of the NFS client, a nature of the NFS request, and a current status of a resource upon which the NFS request operates.

163 Citations

30 Claims

1. A method implemented on a server computer system for providing dynamic client authentication in a distributed file system computing environment, the method comprising the computer controlled steps of:
- receiving an NFS request from an NFS client, the NFS request including a file handle representing a given file system available on the server computer system and a file operation to be performed upon the given file system, the given file system modifiable by clients of the server computer having a corresponding access status of read-write with respect to the given file system, readable by clients of the server computer having the corresponding access status of read only with respect to the given file system, and inaccessible to all other clients of the server computer;
  
  dynamically determining whether the NFS client has an access status sufficient to perform the NFS request; and
  
  performing the NFS request when the NFS client has sufficient access status.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as recited in claim 1 wherein the step of determining whether the NFS client has the access status sufficient to perform the NFS request includes the substeps of:
    - searching an export information table resident on the server computer system to determine whether the given file system has an entry therein; and
      
      returning an error indication to the NFS client when the file system is not found in the export information table.
  - 3. A method as recited in claim 2 wherein when the export information table has an entry for the given file system, the entry including a read only bit which when set indicates global read only access to the given file system and a read-write bit which when set indicates global read and write access to the given file system, the read only bit and the read-write bit being exclusive, the step of determining whether the NFS client has an access status sufficient to perform the NFS request further including the substeps of:
    - when the read only bit is set, setting the client'"'"'s access status to read only; and
      
      when the read-write bit is set, setting the client'"'"'s access status to read-write.
  - 4. A method as recited in claim 3 wherein when the client'"'"'s access status is one of read only and read-write and the file operation does not require a modification of the given file system, the client'"'"'s access status is sufficient to perform the NFS request.
  - 5. A method as recited in claim 3 wherein when the client'"'"'s access status is read only and the file operation requires a modification of the given file system, the client'"'"'s access status is not sufficient to perform the NFS request.
  - 6. A method as recited in claim 3 wherein when the client'"'"'s access status is read-write, the client'"'"'s access status is sufficient to perform the NFS request.
  - 7. A method as recited in claim 3 wherein when neither the read only bit nor the read-write bit is set, the method further includes the steps of:
    - searching a cache memory resident on the server computer system to find a specific export authentication cache entry for the NFS client which corresponds to the given file system, the specific export authentication cache entry, when it exists, indicating the client'"'"'s access status to the given file system; and
      
      when the specific export authentication cache entry does not exist, creating the specific export authentication.
  - 8. A method as recited in claim 7 further including the steps of:
    - setting the client'"'"'s access status to that indicated by the specific export authentication cache;
      
      when the client'"'"'s access status is one of read only and read-write and the file operation does not require a modification of the given file system, determining that the client'"'"'s access status is sufficient to perform the NFS request;
      
      when the client'"'"'s access status is read only and the file operation requires a modification of the given file system, determining that the client'"'"'s access status is not sufficient to perform the NFS request; and
      
      when the client'"'"'s access status is read-write, determining that the client'"'"'s access status is sufficient to perform the NFS request.
  - 9. A method as recited in claim 7 wherein the step of creating the specific export authentication includes the substeps of:
    - searching a share table file resident on the server computer system to find a share entry for the given file system;
      
      setting the client'"'"'s access status to no access when the share entry for the given file system is not found in the share table file;
      
      determining the client'"'"'s access status from the share entry for the given file system when the share entry is found in the share table file; and
      
      setting the client'"'"'s access status according to the share entry for the given file system when the share entry is found in the share table file.
  - 10. A method as recited in claim 9 wherein access status information is stored in the share table file according to client network names and the substep of determining the client'"'"'s access status from the share entry for the given file system includes calling a network name service available within the NFS computing environment in order to ascertain a network name for the NFS client.
  - 11. A method as recited in claim 9 wherein the client'"'"'s access status can be dynamically modified, without necessitating the NFS client to dismount, by modifying both the share table file and the export information table to indicate the client'"'"'s modified access status.
  - 12. A method as recited in claim 1 wherein the given file system is a resource available on the server computer, the resource being selected from the group including a file and a file system hierarchical structure.
  - 13. A method as recited in claim 1 wherein the step of determining whether the NFS client has the access status sufficient to perform the NFS request includes consideration of at least one of time, date, identity of the NFS client, a nature of the NFS request, and a current status of a resource which the NFS request operates upon.

14. A computer readable medium containing a computer program for providing dynamic client authentication to a server computer operating in a distributed file system computing environment, the computer program comprising computer executable instructions for:
- receiving an NFS request from an NFS client, the NFS request including a file handle representing a given file system available on the server computer system and a file operation to be performed upon the given file system, the given file system modifiable by clients of the server computer having a corresponding access status of read-write with respect to the given file system, readable by clients of the server computer having the corresponding access status of read only with respect to the given file system, and inaccessible to all other clients of the server computer;
  
  dynamically determining whether the NFS client has an access status sufficient to perform the NFS request; and
  
  performing the NFS request when the NFS client has sufficient access status.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. A computer readable medium as recited in claim 14 wherein the computer executable instruction of determining whether the NFS client has the access status sufficient to perform the NFS request includes subinstructions for:
    - searching an export information table resident on the server computer system to determine whether the given file system has an entry therein; and
      
      returning an error message to the NFS client when the file system is not found in the export information table.
  - 16. A computer readable medium as recited in claim 15 wherein the export information table has an entry for the given file system, the entry including a read only bit which when set indicates global read only access to the given file system and a read-write bit which when set indicates global read and write access to the given file system, the read only bit and the read-write bit being exclusive, and the computer program instruction for determining whether the NFS client has an access status sufficient to perform the NFS request further includes the computer executable subinstructions of:
    - setting the client'"'"'s access status to read only when the read only bit is set; and
      
      setting the client'"'"'s access status to read-write when the read-write bit is set.
  - 17. A computer readable medium as recited in claim 16 further including computer executable instructions such that when the client'"'"'s access status is one of read only and read-write and the file operation does not require a modification of the given file system, the client'"'"'s access status is sufficient to perform the NFS request.
  - 18. A computer readable medium as recited in claim 16 further including computer executable instructions such that when the client'"'"'s access status is read only and the file operation requires a modification of the given file system, the client'"'"'s access status is not sufficient to perform the NFS request.
  - 19. A computer readable medium as recited in claim 16 further including computer executable instructions such that when the client'"'"'s access status is read-write, the client'"'"'s access status is sufficient to perform the NFS request.
  - 20. A computer readable medium as recited in claim 16 further including computer executable instructions such that when neither the read only bit nor the read-write bit is set, the computer program further executes the computer instructions for:
    - searching a cache memory resident on the server computer system to find a specific export authentication cache entry for the NFS client which corresponds to the given file system, the specific export authentication cache entry, when it exists, indicating the client'"'"'s access status to the given file system; and
      
      when the specific export authentication cache entry does not exist, creating the specific export authentication.
  - 21. A computer readable medium as recited in claim 20 further including computer program instructions for:
    - setting the client'"'"'s access status to that indicated by the specific export authentication cache;
      
      when the client'"'"'s access status is one of read only and read-write and the file operation does not require a modification of the given file system, determining that the client'"'"'s access status is sufficient to perform the NFS request;
      
      when the client'"'"'s access status is read only and the file operation requires a modification of the given file system, determining that the client'"'"'s access status is not sufficient to perform the NFS request; and
      
      when the client'"'"'s access status is read-write, determining that the client'"'"'s access status is sufficient to perform the NFS request.
  - 22. A computer readable medium as recited in claim 20 wherein the computer program instruction for creating the specific export authentication includes the computer executable subinstructions for:
    - searching a share table file resident on the server computer system to find a share entry for the given file system;
      
      setting the client'"'"'s access status to no access when the share entry for the given file system is not found in the share table file;
      
      determining the client'"'"'s access status from the share entry for the given file system when the share entry is found in the share table file; and
      
      setting the client'"'"'s access status according to the share entry for the given file system when the share entry is found in the share table file.
  - 23. A computer readable medium as recited in claim 14 wherein the given file system is a resource available on the server computer, the resource being selected from the group including a file and a file system hierarchical structure.
  - 24. A computer readable medium as recited in claim 14 wherein the computer program instruction for determining whether the NFS client has the access status sufficient to perform the NFS request considers at least one of time, date, identity of the NFS client, a nature of the NFS request, and a current status of a resource which the NFS request operates upon.

25. A server computer for use in a distributed file system computing environment, the server computer operable to provide dynamic NFS client authentication, the server computer comprising:
- a central processing unit (CPU);
  
  a random access memory accessible by the CPU;
  
  a read only memory accessible by the CPU;
  
  a network input/output port coupled with the CPU;
  
  a mass storage device accessible by the CPU, the mass storage device capable of storing a given file system modifiable by clients of the server computer having an access status of read-write with respect to the given file system, readable by clients of the server computer having the access status of read only with respect to the given file system, and inaccessible to all other clients of the server computer;
  
  a kernel implemented on the server computer, the kernel implementing primitive functions of an operating system for the server computer; and
  
  a dynamic NFS client authentication service operable to receive an NFS request from an NFS client and to dynamically authenticate the NFS client in relation to the NFS request, the dynamic NFS client authentication service considering at least one of time, date, identity of the NFS client, a nature of the NFS request, and a current status of a resource which the NFS request operates upon.
- View Dependent Claims (26, 27, 28, 29)
- - 26. A server computer as recited in claim 25 wherein the dynamic NFS client authentication service includes:
    - an NFS service implemented within the kernel, the NFS service operable to receive the NFS request from the NFS client, the NFS request including a file handle identifying the given file system and a file operation to be performed on the given file system, the client'"'"'s access status for the given file system being one of no access, read only access, and read-write access, the NFS service also operable to (a) authenticate the NFS client when the client'"'"'s access status for the given file system has been determined in a previous NFS request, (b) authenticate the NFS client when the server computer provides read only access to all NFS clients for the given file system and the file operation does not require modifying the given file system, (c) authenticate the NFS client when the server computer provides read-write access to all NFS clients for the given file system, and (d) make a dynamic authentication request to a resource external to the kernel when none of the necessary conditions in (a)-(c) are met; and
      
      an NFS authentication service implemented on the server computer system and external to the kernel, the NFS authentication service being operable to receive, perform, and reply to dynamic NFS client authentication requests sent from the NFS service.
  - 27. A server computer as recited in claim 26 wherein the kernel includes:
    - an export information table resident in the kernel, the export information table having entries for a plurality of file systems available on the server computer, each entry being identical in format, an entry for a specific file system including a read only bit which when set indicates global read only access to the specific file system and a read-write bit which when set indicates global read and write access to the specific file system, the read only bit and the read-write bit being exclusive; and
      
      a cache memory for storing a plurality of export authentication cache entries, a particular export authentication cache entry including identifiers for a file system and an NFS client, and an access status of the NFS client with respect to a file system identified by the file system identifier.
  - 28. A server computer as recited in claim 25 further including a share table file including a list of file systems available for sharing on the server computer and a corresponding plurality of client'"'"'s access status.
  - 29. A computer network including a plurality of computer systems, wherein a one of the plurality of computer systems is a server computer as recited in claim 25.

30. A method implemented on a server computer system for providing dynamic client authentication in a distributed file system computing environment, the method comprising the computer controlled steps of:
- receiving an NFS request from an NFS client, the NFS request including a file handle representing a given file system available on the server computer system and a file operation to be performed upon the given file system, the given file system modifiable by clients of the server computer having a corresponding access status of read-write with respect to the given file system, readable by clients of the server computer having the corresponding access status of read only with respect to the given file system, and inaccessible to all other clients of the server computer;
  
  searching an export information table resident on the server computer system to determine whether the given file system has an entry therein, the export information table having an entry for the given file system, the entry including a read only bit which when set indicates global read only access to the given file system and a read-write bit which when set indicates global read and write access to the given file system, the read only bit and the read-write bit being exclusive;
  
  when the read only bit is set, setting the client'"'"'s access status to read only;
  
  when the read-write bit is set, setting the client'"'"'s access status to read-write;
  
  when neither the read only bit nor the read-write bit is set, performing the following substeps of;
  
  (a) searching a cache memory resident on the server computer system to find a specific export authentication cache entry for the NFS client which corresponds to the given file system, the specific export authentication cache entry, when it exists, indicating the client'"'"'s access status to the given file system to which the client'"'"'s access status is then set; and
  
  (b) when the specific export authentication cache entry does not exist, creating the specific export authentication cache entry and then setting the client'"'"'s access status to that indicated by the newly created specific export authentication cache entry, the specific export authentication cache entry creation including;
  
  (i) searching a share table file resident on the server computer system to find a share entry for the given file system;
  
  (ii) setting the client'"'"'s access status to no access when the share entry for the given file system is not found in the share table file;
  
  (iii) determining the client'"'"'s access status from the share entry for the given file system when the share entry is found in the share table file; and
  
  (iv) setting the client'"'"'s access status according to the share entry for the given file system when the share entry is found in the share table file; and
  
  performing the NFS request when either (i) the client'"'"'s access status is read only and the file operation does not require a modification of the given file system or (ii) the client'"'"'s access status is read-write.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Eisler, Michael R., Callaghan, Brent P.
Primary Examiner(s)
Kulik, Paul V.

Application Number

US08/610,704
Time in Patent Office

764 Days
Field of Search

395/187.01, 395/200.06, 395/200.09, 395/186, 395/610, 395/616, 395/617, 395/200.59, 395/200.55, 395/200.33
US Class Current

726/21
CPC Class Codes

G06F 21/6236 between heterogeneous systems

Methods and apparatus for providing dynamic network file system client authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

163 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for providing dynamic network file system client authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

163 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links