Method and apparatus for improving file system proxy performance and security by distributing information to clients via file handles
Abstract
The preferred embodiment of the invention distributes, and effectively caches, information by inserting it into file handles that the proxy sends to clients. This information can be used to improve performance by eliminating the need for the proxy to generate additional requests to the server to establish file identity. The distributed information can also be intended to improve security, for example, by allowing the proxy to encode into the file handle a session key that expires after some amount of time.
43 Claims
1. A method for establishing identity in a file system, comprising:
receiving, from a client, a first Network File System (NFS) operation concerning an indicated file, the first NFS operation received by a proxy;
forwarding the first NFS operation from the proxy to be received by a file server;
returning a NFS file handle associated with the first NFS operation from the file server to the proxy in response to the file server receiving the first NFS operation from the proxy;
inserting, by the proxy, metadata into the NFS file handle in response to receiving the NFS file handle from the file server, wherein the metadata is an encryption key;
sending, by the proxy in response to receiving the NFS file handle from the file server, the NFS file handle with the metadata inserted in the NFS file handle to the client as a reply to the first NFS operation;
using, by the client, the metadata and the NFS file handle in a second NFS operation to identify the client and the indicated file; and
receiving, from the client, the second NFS operation by the proxy, the second NFS operation comprising the metadata sent with the second NFS operation;
identifying, in response to the metadata, the client as having a permission to submit the second NFS operation;
sending the second NFS operation to the file server and not sending the metadata to the file server; and
receiving, by the proxy, a further NFS reply from the file server, and sending, by the proxy, the further NFS reply to the client.
Dependent claims: 2, 3, 4, 5, 6.
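The abstract and claim 1 describe the proxy's two halves of the exchange: on the way out it appends metadata (a session key that expires) to the server's file handle, and on the way back it reads that metadata to identify the client, then strips it so the server only ever sees its own handle. Claim 41 adds the sizing rule, the client-visible handle is exactly the server handle plus the proxy metadata. The Python below is an added worked example and not code from the patent or any product implementing it. It assumes a metadata layout of the author's own choosing (client id, expiry, and a truncated HMAC under a proxy-held secret, so the client cannot alter the embedded fields), a constructed 32-byte server handle, and the NFSv3 maximum handle length of 64 bytes from RFC 1813; the patent itself does not specify any of these.

```python
import hashlib
import hmac
import struct

# Constructed values for the example (not from the patent).
NFS3_FHSIZE = 64                                   # RFC 1813 NFSv3 maximum file handle length
PROXY_KEY = b"constructed-proxy-secret-for-demo"   # known only to the proxy
MAC_LEN = 16                                       # truncated HMAC-SHA256 tag
TTL_SECONDS = 300                                  # session lifetime embedded in the handle

# Proxy metadata layout appended after the server handle (assumed layout):
#   client_id (4 bytes) | expiry (4 bytes) | mac (MAC_LEN bytes)
META_LEN = 4 + 4 + MAC_LEN


class HandleError(Exception):
    """Raised when a client-supplied handle fails the proxy's checks."""


def wrap_handle(server_fh: bytes, client_id: int, now: int,
                ttl: int = TTL_SECONDS, max_len: int = NFS3_FHSIZE) -> bytes:
    """Proxy, reply path: append identity metadata to the server's handle.

    The result is len(server_fh) + META_LEN bytes (the sizing rule of claim 41)
    and must still fit the protocol's maximum handle length.
    """
    expiry = now + ttl
    body = server_fh + struct.pack(">II", client_id, expiry)
    # MAC covers the server handle too, so metadata cannot be moved to another file's handle.
    mac = hmac.new(PROXY_KEY, body, hashlib.sha256).digest()[:MAC_LEN]
    client_fh = body + mac
    if len(client_fh) > max_len:
        raise HandleError("wrapped handle exceeds the protocol maximum")
    return client_fh


def unwrap_handle(client_fh: bytes, now: int) -> tuple[bytes, int]:
    """Proxy, request path: verify the metadata, then strip it.

    Returns (server_fh, client_id). Only server_fh is forwarded to the file server;
    the metadata never leaves the proxy, as the claims require.
    """
    if len(client_fh) < META_LEN:
        raise HandleError("handle too short to carry proxy metadata")
    body, mac = client_fh[:-MAC_LEN], client_fh[-MAC_LEN:]
    expected = hmac.new(PROXY_KEY, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        raise HandleError("metadata MAC mismatch")
    server_fh, meta = body[:-8], body[-8:]
    client_id, expiry = struct.unpack(">II", meta)
    if now >= expiry:
        raise HandleError("session expired")
    return server_fh, client_id


def demo() -> dict:
    """Walk the exchange of claim 1 with constructed values and report each check."""
    server_fh = bytes(range(32))        # constructed: what the file server returned
    now = 1000
    results = {}

    # First operation: server replies, proxy wraps, client stores the wrapped handle.
    wrapped = wrap_handle(server_fh, client_id=7, now=now)
    results["wrapped_len"] = len(wrapped)

    # Second operation: client sends the wrapped handle back, proxy checks and strips.
    forwarded, client_id = unwrap_handle(wrapped, now=now + 200)
    results["forwarded_equals_server_fh"] = forwarded == server_fh
    results["client_id"] = client_id

    # A client that edits its embedded identity is rejected by the MAC check.
    tampered = bytearray(wrapped)
    tampered[len(server_fh)] ^= 0x01
    try:
        unwrap_handle(bytes(tampered), now=now + 200)
        results["tamper_rejected"] = False
    except HandleError:
        results["tamper_rejected"] = True

    # After the embedded expiry the same handle is no longer accepted.
    try:
        unwrap_handle(wrapped, now=now + TTL_SECONDS)
        results["expired_rejected"] = False
    except HandleError:
        results["expired_rejected"] = True

    # A server handle so long that the metadata would overflow the protocol limit is refused.
    try:
        wrap_handle(bytes(48), client_id=7, now=now)
        results["oversize_rejected"] = False
    except HandleError:
        results["oversize_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check before deploying a handle-rewriting proxy of this kind. First, the size budget: the client-visible handle grows by the metadata length, so the proxy must reject any server handle that would push the total past the protocol's limit (64 bytes for NFSv3, 128 for NFSv4). Second, whatever is embedded travels with every request the client makes; if the transport is not protected (for example NFS without RPCSEC_GSS), the metadata is visible on the wire, which is why binding it to an expiry and to the specific file handle, as above, limits how far a captured handle can be reused.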
7. A method for establishing identity in a file system, comprising:
receiving a first file request concerning an indicated file from a client, the first file request received by a proxy;
forwarding the first file request from the proxy to a file server;
returning a reply associated with the first file request from the file server to the proxy, wherein the reply includes a file handle associated with the indicated file;
inserting, by the proxy, metadata into the file handle;
sending, by the proxy, the file handle with the metadata inserted in the file handle to the client, the metadata to be used in further requests to identify the client as having a permission to access the indicated file;
receiving, from the client, a second file request by the proxy, the second file request including the metadata in a second file handle sent with the second file request;
identifying, in response to the metadata, that the client has the permission to submit the second file request;
sending the second file request to the file server and not sending the metadata with the second file handle to the file server; and
receiving by the proxy a second reply from the file server, and sending by the proxy the second reply to the client.
8. An apparatus to establish identity in a file system, comprising:
a proxy configured to receive a first Network File System (NFS) operation concerning an indicated file sent by a client to the file system, the proxy further configured to forward the first NFS operation to be received by a file server;
the file server configured to return a NFS file handle associated with the first NFS operation to the proxy in response to the file server receiving the first NFS operation from the proxy;
the proxy further configured to insert metadata into the NFS file handle in response to receiving the NFS file handle from the file server, wherein the metadata is an encryption key;
the proxy further configured to send the NFS file handle with the metadata inserted in the NFS file handle to the client as a reply to the first NFS operation, the metadata and the NFS file handle to be used in a second NFS operation to identify the client and the indicated file;
the proxy further configured to receive, by the client, a second NFS operation, the second NFS operation comprising the metadata in the second NFS file handle sent with the second NFS operation;
the proxy to identify, in response to the metadata, the client as having a permission to submit the second NFS operation;
the proxy to send the second NFS operation to the file server and not to send the metadata with the second NFS file handle to the file server; and
the proxy to receive a second NFS reply from the file server, and the proxy to send the second NFS reply to the client.
Dependent claims: 9, 10, 11, 12, 13.
14. A non-volatile memory executed on a computer, comprising:
the non-volatile memory containing procedures for execution on the computer for a method of establishing identity in a file system, the method having the steps of,
receiving, from a client, an operation concerning an indicated file, the operation received by a proxy;
forwarding the operation from the proxy to be received by a file server;
returning a file handle associated with the first operation from the file server to the proxy in response to the file server receiving the operation from the proxy;
inserting, by the proxy, metadata into the file handle in response to receiving the file handle from the file server, wherein the metadata is an encryption key;
sending, by the proxy in response to receiving the file handle from the file server, the file handle with the metadata inserted in the file handle to the client as a reply to the operation;
receiving, from the client, a second file request by the proxy, the second file request comprising the metadata in a second file handle sent with the second file request;
identifying, in response to the metadata, that the client has permission to submit the second file request;
sending the second file request to the file server and not sending the metadata with the second file handle to the file server; and
receiving, by the proxy, a second reply from the file server, and sending by the proxy the second reply to the client.
Dependent claims: 16, 17, 18, 19, 20.
15. A method for establishing identity in a file system, comprising:
receiving a first file request concerning an indicated file from a client, the first file request received by a proxy;
forwarding the first file request from the proxy to a file server;
granting a permission for the request to be acted upon by the file system in response to a predetermined protocol;
returning a reply associated with the first file request from the file server to the proxy, wherein the reply includes a file handle associated with the indicated file;
inserting, by the proxy, a session key into the file handle;
sending, by the proxy, the file handle with the session key inserted in the file handle to the client, the session key to be used in further requests to identify the client and the indicated file;
receiving, from the client, a second file request by the proxy, the second file request comprising information from the session key in a second file handle sent with the second file request;
identifying, in response to the session key, that the client has permission to submit the second file request;
sending the second file request to the file server and not sending the session key with the second file handle to the file server; and
receiving, by the proxy, a second reply from the file server, and sending by the proxy the second reply to the client.
21. An apparatus to establish identity in a file system, comprising:
a proxy to receive a file request sent by a client to the file system, the proxy to forward the request to a file server;
the file server to return a reply associated with the file request to the proxy, wherein the reply includes a file handle;
the proxy to insert a session key into the file handle;
the proxy to send the file handle with the session key inserted in the file handle to the client, the session key to be used in further requests to identify the client and the indicated file;
the proxy to receive, by the client, a second file request, the second file request to include information of the session key in a further file handle sent with the second request;
the proxy to identify, in response to the information of the session key, the client as having a permission to submit the second file request;
the proxy to send the second request to the file server and not to send the session key with the second file handle to the file server; and
the proxy to receive a further reply from the file server, and the proxy to send the further reply to the client.
Dependent claims: 22, 23, 24, 25, 26.
27. An apparatus to establish identity in a file system, comprising:
a proxy configured to receive a first file request sent by a client to the file system, the proxy further configured to forward the first file request to a file server;
the file server configured to return a reply associated with the first file request to the proxy;
the proxy further configured to insert a session key into a file handle;
the proxy further configured to send the file handle with the session key inserted in the file handle to the client, the session key configured to be used in a second file request to identify the client and the indicated file;
the proxy further configured to receive, by the client, a second file request, the second file request configured to include the session key in a second file handle sent with the second file request;
the proxy further configured to identify, in response to the session key, the client as having a permission to submit the second file request;
the proxy further configured to send the second file request to the file server and not to send the session key with the second file handle to the file server; and
the proxy further configured to receive a second reply from the file server, and the proxy further configured to send the second reply to the client.
28. A method for establishing identity in a file system, comprising:
receiving a first file request concerning an indicated file from a client, the first file request received by a proxy;
forwarding the first file request from the proxy to a file server;
determining that the client has a permission to have the request acted upon by the file system in response to a predetermined protocol;
returning a reply associated with the first file request from the file server to the proxy, wherein the reply includes a file handle associated with the indicated file;
inserting, by the proxy, a cryptographic information into the file handle;
sending, by the proxy, the file handle with the cryptographic information inserted in the file handle to the client, the cryptographic information to be used in one or more requests to identify the client and the indicated file;
receiving, from the client, a second file request by the proxy, the second file request including the cryptographic information in a second file handle sent with the second file request;
identifying, in response to the cryptographic information, that the client has the permission to submit the second file request;
sending the second file request to the file server and not sending the cryptographic information with the second file handle to the file server; and
receiving, by the proxy, a second reply from the file server, and sending by the proxy the second reply to the client.
Dependent claims: 29, 30, 31, 32, 33.
34. An apparatus to establish identity in a file system, comprising:
a proxy configured to receive a file request for an indicated file sent by a client to the file system, the proxy further configured to forward the request to a file server;
the file server configured to return a reply associated with the file request to the proxy, wherein the reply is configured to include a file handle;
the proxy further configured to insert a cryptographic information into the file handle;
the proxy further configured to send the file handle with the cryptographic information inserted in the file handle to the client, the cryptographic information configured to be used in further requests to identify the client and the indicated file;
the proxy further configured to receive, by the client, a second request, the second file request to include the cryptographic information in a second file handle sent with the second request;
the proxy further configured to identify, in response to the cryptographic information, the client as having a permission to submit the second file request;
the proxy further configured to send the second request to the file server and not to send the cryptographic information with the second file handle to the file server; and
the proxy further configured to receive a further reply from the file server, and the proxy to send the further reply to the client.
Dependent claims: 35, 36, 37, 38, 39.
40. An apparatus to establish identity in a file system, comprising:
a proxy configured to receive a first file request sent by a client to the file system, the proxy to forward the first file request to a file server;
the file server configured to return a reply associated with the first file request to the proxy;
the proxy further configured to insert a cryptographic information into a file handle;
the proxy further configured to send the file handle with the cryptographic information inserted in the file handle to the client, the cryptographic information configured to be used in a second file request to identify the client and the indicated file;
the proxy further configured to receive, by the client, a second file request, the second file request configured to include the cryptographic information in a second file handle sent with the second file request;
the proxy further configured to identify, in response to the cryptographic information, the client as having a permission to submit the second file request;
the proxy further configured to send the second file request to the file server and not to send the cryptographic information with the second file handle to the file server; and
the proxy further configured to receive a second reply from the file server, and the proxy to send the second reply to the client.
41. A method for establishing identity in a file system, comprising:
receiving a file request concerning an indicated file from a client, the request received by a proxy;
forwarding the request from the proxy to a file server;
returning a reply associated with the file request from the file server to the proxy, wherein the reply includes a file handle associated with the indicated file;
inserting, by the proxy, metadata into the file handle;
sending, by the proxy, the file handle with the metadata inserted in the file handle to the client, a size of the file handle set to a sum of a length of the server file handle and a length of the proxy metadata, the metadata to be used in further requests to identify the client and the indicated file; and
receiving, from the client, a second file request by the proxy, the second file request comprising the metadata in a second file handle sent with the second file request;
identifying, in response to the metadata, that the client has permission to submit the second file request;
sending the second file request to the file server and not sending the metadata with the second file handle to the file server; and
receiving by the proxy a second reply from the file server, and sending by the proxy the second reply to the client.
42. A method, comprising:
receiving, by a proxy, a file request for a file sent from a client;
forwarding the file request from the proxy to a file server;
returning a reply associated with the file request from the file server to the proxy, wherein the reply includes a file handle;
inserting, by the proxy, metadata into the file handle;
sending, by the proxy, the file handle with the metadata inserted in the file handle to the client;
receiving, from the client, a second file request by the proxy, the second file request comprising the metadata in a second file handle sent with the second file request;
identifying, in response to the metadata, that the client has permission to submit the second file request;
sending the second file request to the file server and not sending the metadata with the second file handle to the file server; and
receiving by the proxy a second reply from the file server, and sending by the proxy the second reply to the client.
43. A computer apparatus, comprising:
a proxy configured to receive a client file request for a file and forward the file request from the proxy to a file server;
the server configured to return a reply associated with the file request, wherein the reply includes a file handle;
the proxy further configured to intercept the file handle sent from the server and insert metadata into the file handle to create a modified file handle;
the proxy further configured to send the modified file handle with the metadata inserted in the file handle to the client;
the proxy further configured to receive the modified file handle from the client for a second file request for the file, wherein the proxy is further configured to use the modified file handle to eliminate a need for the proxy to generate one or more additional requests to the server that would be required to access the file if the modified file handle did not include the inserted metadata;
the proxy further configured to receive, by the client, a second file request, the second file request configured to include the metadata in a second file handle sent with the second file request;
the proxy further configured to identify, in response to the metadata, the client as having a permission to submit the second file request;
the proxy further configured to send the second file request to the file server and not to send the metadata with the second file handle to the file server; and
the proxy further configured to receive a second reply from the file server, and the proxy to send the second reply to the client.