Method and apparatus for improving file system proxy performance and security by distributing information to clients via file handles

US 7,739,301 B2
Filed: 03/17/2004
Issued: 06/15/2010
Est. Priority Date: 03/17/2004
Status: Active Grant

First Claim

Patent Images

1. A method for establishing identity in a file system, comprising:

receiving, from a client, a first Network File System (NFS) operation concerning an indicated file, the first NFS operation received by a proxy;

forwarding the first NFS operation from the proxy to be received by a file server;

returning a NFS file handle associated with the first NFS operation from the file server to the proxy in response to the file server receiving the first NFS operation from the proxy;

inserting, by the proxy, metadata into the NFS file handle in response to receiving the NFS file handle from the file server, wherein the metadata is an encryption key;

sending, by the proxy in response to receiving the NFS file handle from the file server, the NFS file handle with the metadata inserted in the NFS file handle to the client as a reply to the first NFS operation;

using, by the client, the metadata and the NFS file handle in a second NFS operation to identify the client and the indicated file; and

receiving, from the client, the second NFS operation by the proxy, the second NFS operation comprising the metadata sent with the second NFS operation;

identifying, in response to the metadata, the client as having a permission to submit the second NFS operation;

sending the second NFS operation to the file server and not sending the metadata to the file server; and

receiving, by the proxy, a further NFS reply from the file server, and sending, by the proxy, the further NFS reply to the client.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The preferred embodiment of the invention distributes, and effectively caches, information by inserting it into file handles that the proxy sends to clients. This information can be used to improve performance by eliminating the need for the proxy to generate additional requests to the server to establish file identity. The distributed information can also be intended to improve security, for example, by allowing the proxy to encode into the file handle a session key that expires after some amount of time.

Citations

43 Claims

1. A method for establishing identity in a file system, comprising:
- receiving, from a client, a first Network File System (NFS) operation concerning an indicated file, the first NFS operation received by a proxy;
  
  forwarding the first NFS operation from the proxy to be received by a file server;
  
  returning a NFS file handle associated with the first NFS operation from the file server to the proxy in response to the file server receiving the first NFS operation from the proxy;
  
  inserting, by the proxy, metadata into the NFS file handle in response to receiving the NFS file handle from the file server, wherein the metadata is an encryption key;
  
  sending, by the proxy in response to receiving the NFS file handle from the file server, the NFS file handle with the metadata inserted in the NFS file handle to the client as a reply to the first NFS operation;
  
  using, by the client, the metadata and the NFS file handle in a second NFS operation to identify the client and the indicated file; and
  
  receiving, from the client, the second NFS operation by the proxy, the second NFS operation comprising the metadata sent with the second NFS operation;
  
  identifying, in response to the metadata, the client as having a permission to submit the second NFS operation;
  
  sending the second NFS operation to the file server and not sending the metadata to the file server; and
  
  receiving, by the proxy, a further NFS reply from the file server, and sending, by the proxy, the further NFS reply to the client.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, whereby using the metadata in the NFS file handle eliminates a need for the proxy to generate additional requests to the file server to establish file identity, and for completing client requests.
  - 3. The method of claim 1, further comprising:
    - encoding metadata in a form of a session key into the file handle, the session key expiring after a predetermined amount of time.
  - 4. The method of claim 1, further comprising:
    - using an NFS file system as the file system.
  - 5. The method of claim 1, further comprising:
    - using a stateless protocol by the file system.
  - 6. The method of claim 1, wherein the NFS file handle is of a variable size.

7. A method for establishing identity in a file system, comprising:
- receiving a first file request concerning an indicated file from a client, the first file request received by a proxy;
  
  forwarding the first file request from the proxy to a file server;
  
  returning a reply associated with the first file request from the file server to the proxy, wherein the reply includes a file handle associated with the indicated file;
  
  inserting, by the proxy, metadata into the file handle;
  
  sending, by the proxy, the file handle with the metadata inserted in the file handle to the client, the metadata to be used in further requests to identify the client as having a permission to access the indicated file;
  
  receiving, from the client, a second file request by the proxy, the second file request including the metadata in a second file handle sent with the second file request;
  
  identifying, in response to the metadata, that the client has the permission to submit the second file request;
  
  sending the second file request to the file server and not sending the metadata with the second file handle to the file server; and
  
  receiving by the proxy a second reply from the file server, and sending by the proxy the second reply to the client.

8. An apparatus to establish identity in a file system, comprising:
- a proxy configured to receive a first Network File System (NFS) operation concerning an indicated file sent by a client to the file system, the proxy further configured to forward the first NFS operation to be received by a file server;
  
  the file server configured to return a NFS file handle associated with the first NFS operation to the proxy in response to the file server receiving the first NFS operation from the proxy;
  
  the proxy further configured to insert metadata into the NFS file handle in response to receiving the NFS file handle from the file server, wherein the metadata is an encryption key;
  
  the proxy further configured to send the NFS file handle with the metadata inserted in the NFS file handle to the client as a reply to the first NFS operation, the metadata and the NFS file handle to be used in a second NFS operation to identify the client and the indicated file;
  
  the proxy further configured to receive, by the client, a second NFS operation, the second NFS operation comprising the metadata in the second NFS file handle sent with the second NFS operation;
  
  the proxy to identify, in response to the metadata, the client as having a permission to submit the second NFS operation;
  
  the proxy to send the second NFS operation to the file server and not to send the metadata with the second NFS file handle to the file server; and
  
  the proxy to receive a second NFS reply from the file server, and the proxy to send the second NFS reply to the client.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus of claim 8, whereby using the metadata in the NFS file handle eliminates a need for the proxy to generate additional requests to the file server to complete client requests.
  - 10. The apparatus of claim 8, further comprising:
    - the proxy to use the metadata in the NFS file handle received from the client to eliminate a need for additional communication with the file server to establish file identity.
  - 11. The apparatus of claim 8, further comprising:
    - the proxy to encode the metadata in a form of a session key into the NFS file handle, the session key expiring after a predetermined amount of time.
  - 12. The apparatus of claim 8, further comprising:
    - an NFS file system used as the file system.
  - 13. The apparatus of claim 8, further comprising:
    - a stateless protocol used by the file system.

14. A non-volatile memory executed on a computer, comprising:
- the non-volatile memory containing procedures for execution on the computer for a method of establishing identity in a file system, the method having the steps of,receiving, from a client, an operation concerning an indicated file, the operation received by a proxy;
  
  forwarding the operation from the proxy to be received by a file server;
  
  returning a file handle associated with the first operation from the file server to the proxy in response to the file server receiving the operation from the proxy;
  
  inserting, by the proxy, metadata into the file handle in response to receiving the file handle from the file server, wherein the metadata is an encryption key;
  
  sending, by the proxy in response to receiving the file handle from the file server, the file handle with the metadata inserted in the file handle to the client as a reply to the operation;
  
  receiving, from the client, a second file request by the proxy, the second file request comprising the metadata in a second file handle sent with the second file request;
  
  identifying, in response to the metadata, that the client has permission to submit the second file request;
  
  sending the second file request to the file server and not sending the metadata with the second file handle to the file server; and
  
  receiving, by the proxy, a second reply from the file server, and sending by the proxy the second reply to the client.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-volatile memory of claim 14, whereby using the metadata in the file handle eliminates a need for the proxy to generate additional requests to the file server to establish file identity.
  - 17. The non-volatile memory of claim 16, further comprising:
    - causing the session key to expire after a selected amount of time.
  - 18. The non-volatile memory of claim 16, further comprising:
    - causing the session key to expire after a selected amount of usage.
  - 19. The non-volatile memory of claim 14, further comprising:
    - using a NFS file server as the file server.
  - 20. The non-volatile memory of claim 14, further comprising:
    - using a two way communication exchange between the proxy and the file server.

15. A method for establishing identity in a file system, comprising:
- receiving a first file request concerning an indicated file from a client, the first file request received by a proxy;
  
  forwarding the first file request from the proxy to a file server;
  
  granting a permission for the request to be acted upon by the file system in response to a predetermined protocol;
  
  returning a reply associated with the first file request from the file server to the proxy, wherein the reply includes a file handle associated with the indicated file;
  
  inserting, by the proxy, a session key into the file handle;
  
  sending, by the proxy, the file handle with the session key inserted in the file handle to the client, the session key to be used in further requests to identify the client and the indicated file;
  
  receiving, from the client, a second file request by the proxy, the second file request comprising information from the session key in a second file handle sent with the second file request;
  
  identifying, in response to the session key, that the client has permission to submit the second file request;
  
  sending the second file request to the file server and not sending the session key with the second file handle to the file server; and
  
  receiving, by the proxy, a second reply from the file server, and sending by the proxy the second reply to the client.

21. An apparatus to establish identity in a file system, comprising:
- a proxy to receive a file request sent by a client to the file system, the proxy to forward the request to a file server;
  
  the file server to return a reply associated with the file request to the proxy, wherein the reply includes a file handle;
  
  the proxy to insert a session key into the file handle;
  
  the proxy to send the file handle with the session key inserted in the file handle to the client, the session key to be used in further requests to identify the client and the indicated file;
  
  the proxy to receive, by the client, a second file request, the second file request to include information of the session key in a further file handle sent with the second request;
  
  the proxy to identify, in response to the information of the session key, the client as having a permission to submit the another file request;
  
  the proxy to send the second request to the file server and not to send the session key with the second file handle to the file server; and
  
  the proxy to receive a further reply from the file server, and the proxy to send the further reply to the client.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The apparatus as in claim 21, whereby using the session key in the file handle eliminates a need for the proxy to generate additional requests to the file server to establish file identity.
  - 23. The apparatus of claim 21, whereinthe file handle is a Network File System (NFS) file handle.
  - 24. The apparatus of claim 21, further comprising:
    - the proxy to encode the metadata in a form of a session key into the file handle, the session key expiring after a predetermined amount of time.
  - 25. The apparatus of claim 21, further comprising:
    - an NFS file system used as the file system.
  - 26. The apparatus of claim 21, further comprising:
    - a stateless protocol used by the file system.

27. An apparatus to establish identity in a file system, comprising:
- a proxy configured to receive a first file request sent by a client to the file system, the proxy further configured to forward the first file request to a file server;
  
  the file server configured to return a reply associated with the first file request to the proxy;
  
  the proxy further configured to insert a session key into a file handle;
  
  the proxy further configured to send the file handle with the session key inserted in the file handle to the client, the session key configured to be used in a second file request to identify the client and the indicated file;
  
  the proxy further configured to receive, by the client, a second file request, the second file request configured to include the session key in a second file handle sent with the second file request;
  
  the proxy further configured to identify, in response to the session key, the client as having a permission to submit the second file request;
  
  the proxy further configured to send the second file request to the file server and not to send the session key with the second file handle to the file server; and
  
  the proxy further configured to receive a second reply from the file server, and the proxy further configured to send the second reply to the client.

28. A method for establishing identity in a file system, comprising:
- receiving a first file request concerning an indicated file from a client, the first file request received by a proxy;
  
  forwarding the first file request from the proxy to a file server;
  
  determining that the client has a permission to have the request acted upon by the file system in response to a predetermined protocol;
  
  returning a reply associated with the first file request from the file server to the proxy, wherein the reply includes a file handle associated with the indicated file;
  
  inserting, by the proxy, a cryptographic information into the file handlesending, by the proxy, the file handle with the cryptographic information inserted in the file handle to the client, the cryptographic information to be used in one or more requests to identify the client and the indicated file;
  
  receiving, by the client, a second file request by the proxy, the second file request including the cryptographic information in a second file handle sent with the second file request;
  
  identifying, in response to the cryptographic information, that the client has the permission to submit the second file request;
  
  sending the second file request to the file server and not sending the cryptographic information with the second file handle to the file server; and
  
  receiving, by the proxy, a second reply from the file server, and sending by the proxy the second reply to the client.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The method according to claim 28, whereby using the cryptographic information in the file handle eliminates a need for the proxy to generate additional requests to the file server to establish file identity.
  - 30. The method according to claim 28, further comprising:
    - causing the cryptographic information to expire after a selected amount of time.
  - 31. The method according to claim 28, further comprising:
    - causing the cryptographic information to expire after a selected amount of usage.
  - 32. The method according to claim 28, further comprising:
    - using a NFS protocol as the predetermined protocol.
  - 33. The method according to claim 28, further comprising:
    - using as the predetermined protocol a two way communication exchange between the proxy and the file server.

34. An apparatus to establish identity in a file system, comprising:
- a proxy configured to receive a file request for an indicated file sent by a client to the file system, the proxy further configured to forward the request to a file server;
  
  the file server configured to return a reply associated with the file request to the proxy, wherein the reply is configured to include a file handle;
  
  the proxy further configured to insert a cryptographic information into the file handle;
  
  the proxy further configured to send the file handle with the cryptographic information inserted in the file handle to the client, the cryptographic information configured to be used in further requests to identify the client and the indicated file;
  
  the proxy further configured to receive, by the client, a second request, the second file request to include the cryptographic information in a second file handle sent with the second request;
  
  the proxy further configured to identify, in response to the cryptographic information, the client as having a permission to submit the second file request;
  
  the proxy further configured to send the second request to the file server and not to send the cryptographic information with the second file handle to the file server; and
  
  the proxy further configured to receive a further reply from the file server, and the proxy to send the further reply to the client.
- View Dependent Claims (35, 36, 37, 38, 39)
- - 35. The apparatus as in claim 34, whereby using the cryptographic information in the file handle eliminates a need for the proxy to generate additional requests to the file server to establish file identity.
  - 36. The apparatus of claim 34, whereinthe file handle is a Network File System (NFS) file handle.
  - 37. The apparatus of claim 34, further comprising:
    - the proxy further configured to encode the metadata in a form of a cryptographic information into the file handle, the cryptographic information configured to expire after a predetermined amount of time.
  - 38. The apparatus of claim 34, further comprising:
    - an NFS file system used as the file system.
  - 39. The apparatus of claim 34, further comprising:
    - a stateless protocol used by the file system.

40. An apparatus to establish identity in a file system, comprising:
- a proxy configured to receive a first file request sent by a client to the file system, the proxy to forward the first file request to a file server;
  
  the file server configured to return a reply associated with the first file request to the proxy;
  
  the proxy further configured to insert a cryptographic information into a file handle;
  
  the proxy further configured to send the file handle with the cryptographic information inserted in the file handle to the client, the cryptographic information configured to be used in a second file request to identify the client and the indicated file;
  
  the proxy further configured to receive, by the client, a second file request, the second file request configured to include the cryptographic information in a second file handle sent with the second file request;
  
  the proxy further configured to identify, in response to the cryptographic information, the client as having a permission to submit the second file request;
  
  the proxy further configured to send the second file request to the file server and not to send the cryptographic information with the second file handle to the file server; and
  
  the proxy further configured to receive a second reply from the file server, and the proxy to send the second reply to the client.

41. A method for establishing identity in a file system, comprising:
- receiving a file request concerning an indicated file from a client, the request received by a proxy;
  
  forwarding the request from the proxy to a file server;
  
  returning a reply associated with the file request from the file server to the proxy, wherein the reply includes a file handle associated with the indicated file;
  
  inserting, by the proxy, metadata into the file handle;
  
  sending, by the proxy, the file handle with the metadata inserted in the file handle to the client, a size of the file handle set to a sum of a length of the server file handle and a length of the proxy metadata, the metadata to be used in further requests to identify the client and the indicated file; and
  
  receiving, from the client, a second file request by the proxy, the second file request comprising the metadata in a second file handle sent with the second file request;
  
  identifying, in response to the metadata, that the client has permission to submit the second file request;
  
  sending the second file request to the file server and not sending the metadata with the second file handle to the file server; and
  
  receiving by the proxy a second reply from the file server, and sending by the proxy the second reply to the client.

42. A method, comprising:
- receiving, by a proxy, a file request for a file sent from a client;
  
  forwarding the file request from the proxy to a file server;
  
  returning a reply associated with the file request from the file server to the proxy, wherein the reply includes a file handle;
  
  inserting, by the proxy, metadata into the file handle;
  
  sending, by the proxy, the file handle with the metadata inserted in the file handle to the client;
  
  receiving, from the client, a second file request by the proxy, the second file request comprising the metadata in a second file handle sent with the second file request;
  
  identifying, in response to the metadata, that the client has permission to submit the second file request;
  
  sending the second file request to the file server and not sending the metadata with the second file handle to the file server; and
  
  receiving by the proxy a second reply from the file server, and sending by the proxy the second reply to the client.

43. A computer apparatus, comprising:
- a proxy configured to receive a client file request for a file and forward the file request from the proxy to a file server;
  
  the server configured to return a reply associated with the file request, wherein the reply includes a file handle;
  
  the proxy further configured to intercept the file handle sent from the server and insert metadata into the file handle to create a modified file handle;
  
  the proxy further configured to send the modified file handle with the metadata inserted in the file handle to the client;
  
  the proxy further configured to receive the modified file handle from the client for a second file request for the file, wherein the proxy is further configured to use the modified file handle to eliminate a need for the proxy to generate one or more additional requests to the server that would be required to access the file if the modified file handle did not include the inserted metadata;
  
  the proxy further configured to receive, by the client, a second file request, the second file request configured to include the metadata in a second file handle sent with the second file request;
  
  the proxy further configured to identify, in response to the metadata, the client as having a permission to submit the second file request;
  
  the proxy further configured to send the second file request to the file server and not to send the metadata with the second file handle to the file server; and
  
  the proxy further configured to receive a second reply from the file server, and the proxy to send the second reply to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Ishii, Hiroshi, Bojinov, Hristo Iankov, Plotkin, Serge, Wood, Robert Paul
Primary Examiner(s)
Breene; John E
Assistant Examiner(s)
COLAN, GIOVANNA B

Application Number

US10/803,788
Publication Number

US 20050210072A1
Time in Patent Office

2,281 Days
Field of Search

707/8, 707/203, 707/10, 707/201, 707/1, 707/782, 707/827, 707/783, 709/229, 709/203, 709/249, 709/225, 709/213, 709/217, 709/237, 709/230, 713/201, 713/165, 713/153, 726/4
US Class Current

707/782
CPC Class Codes

G06F 16/10 File systems; File servers

G06F 21/64 Protecting data integrity, ...

Method and apparatus for improving file system proxy performance and security by distributing information to clients via file handles

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for improving file system proxy performance and security by distributing information to clients via file handles

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links