System and method for administering security in a logical namespace of a storage system environment

US 8,151,360 B1
Filed: 03/20/2006
Issued: 04/03/2012
Est. Priority Date: 03/20/2006
Status: Active Grant

First Claim

Patent Images

1. A system configured to administer security in a logical namespace of a storage system environment, the system comprising:

a remote agent of an integrated management framework, the remote agent installed on a host machine of a first domain in the storage system environment; and

a namespace and storage management (NSM) server, comprising a processor and a memory, residing in a second domain and cooperating with the remote agent to dynamically establish a trust relationship with the host machine of the first domain by transferring at least one application program interface (API) message from the NSM server to the remote agent to delegate responsibility of issuing system calls associated with namespace and storage management to the remote agent, thereby enabling remote agent-based namespace and storage management, through the NSM server, across multiple domains of the storage system environment, wherein rights are assigned to a user of the host machine interacting with the NSM server in accordance with a security administration feature of the integrated management framework and wherein an authentication procedure is provided, utilizing a database of the NSM server, that indicates the rights assigned to the user to ensure that the user has appropriate rights to perform operations on the NSM server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method administers security in a logical namespace of a storage system environment. A remote agent performs an integral security-related role within a management framework that is directed to off-loading administration of privileges from a namespace and storage management (NSM) server for namespace and storage management. NSM server rights are defined and assigned to a user of the NSM server in accordance with a security administration feature of the management framework. In addition, a multi-stage authentication procedure is provided to ensure that a user has the appropriate rights to perform operations on the NSM server.

64 Citations

View as Search Results

16 Claims

1. A system configured to administer security in a logical namespace of a storage system environment, the system comprising:
- a remote agent of an integrated management framework, the remote agent installed on a host machine of a first domain in the storage system environment; and
  
  a namespace and storage management (NSM) server, comprising a processor and a memory, residing in a second domain and cooperating with the remote agent to dynamically establish a trust relationship with the host machine of the first domain by transferring at least one application program interface (API) message from the NSM server to the remote agent to delegate responsibility of issuing system calls associated with namespace and storage management to the remote agent, thereby enabling remote agent-based namespace and storage management, through the NSM server, across multiple domains of the storage system environment, wherein rights are assigned to a user of the host machine interacting with the NSM server in accordance with a security administration feature of the integrated management framework and wherein an authentication procedure is provided, utilizing a database of the NSM server, that indicates the rights assigned to the user to ensure that the user has appropriate rights to perform operations on the NSM server.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1 wherein the remote agent is configured to operate with at least a subset of privileges assigned to one of an administrator of the host machine and that of the first domain.
  - 3. The system of claim 2 wherein the remote agent offloads administration of the privileges from the NSM server to remotely establish the trust relationship between the NSM server and the host machine, thereby obviating a need for a pre-configured trust relationship across the domains.

4. A method for administering security in a logical namespace of a storage system environment, the method comprising:
- installing a remote agent of an integrated management framework on a host machine of a first domain in the storage system environment;
  
  deploying a namespace and storage management (NSM) server, comprising a processor and a memory, in a second domain of the environment;
  
  dynamically establishing a trust relationship between the host machine of the first domain and the NSM server in the second domain by transferring at least one application program interface (API) message from the NSM server to the remote agent to delegate responsibility of issuing system calls associated with namespace and storage management to the remote agent, to thereby enable remote agent-based namespace and storage management, through the NSM server, across multiple domains of the storage system environment;
  
  assigning rights to a user of the NSM server in accordance with a security administration feature of the integrated management framework; and
  
  providing an authentication procedure, utilizing a database of the NSM server, that indicates the rights assigned to the user to ensure that the user has appropriate rights to perform operations on the NSM server.
- View Dependent Claims (5, 6, 7, 8, 9, 10)
- - 5. The method of claim 4 further comprising:
    - configuring the remote agent to operate with at least a subset of privileges assigned to one of an administrator of the host machine and that of the first domain.
  - 6. The method of claim 5 further comprising:
    - offloading administration of the privileges from the NSM server to the remote agent to remotely establish the trust relationship between the NSM server and the host machine and thereby obviate a need for a pre-configured trust relationship across the domains.
  - 7. The method of claim 4 wherein the rights include one or more of a namespace management right that enables the user to perform namespace management operations, a data migration right that enables the user to perform data migration from one share to another share, and a data protection right that enables the user to configure a data protection failover policy.
  - 8. The method of claim 4 wherein the authentication prodecure isa multi-stage authentication procedure to ensure that the user has the appropriate rights to perform the operations on the NSM server.
  - 9. The method of claim 8 wherein providing further comprises:
    - performing a first look-up operation into the database of the NSM server by a command line interface process of the NSM server in accordance with a first stage of authentication, the database configured to store an indication of the rights assigned to the user.
  - 10. The method of claim 9 wherein providing further comprises:
    - performing a second look-up operation into the database by an API server of the NSM server in accordance with a second stage of authentication.

11. A non-transitory computer readable medium containing executable program instructions executed by a processor, comprising:
- program instructions that install a remote agent of an integrated management framework on a host machine of a first domain in the storage system environment;
  
  program instructions that deploy a namespace and storage management (NSM) server, comprising a processor and a memory, in a second domain of the environment;
  
  program instructions that dynamically establish a trust relationship between the host machine of the first domain and the NMS server in the second domain by transferring at least one application program interface (API) message from the NSM server to the remote agent to delegate responsibility of issuing system calls associated with namespace and storage management to the remote agent, to thereby enable remote agent-based namespace and storage management, through the NSM server, across multiple domains of the storage system environment;
  
  program instructions that assign rights to a user of the NSM server in accordance with a security administration feature of the integrated management framework; and
  
  program instructions that provide an authentication procedure, utilizing a database of the NSM server configured to store an indication of the rights assigned to the user, to ensure that the user has the rights to perform operations on the NSM server.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer readable medium of claim 11 further comprising:
    - program instructions that configure the remote agent to operate with at least a subset of privileges assigned to one of an administrator of the host machine and that of the first domain.
  - 13. The non-transitory computer readable medium of claim 12 further comprising:
    - program instructions that offload administration of the privileges from the NSM server to the remote agent to remotely establish the trust relationship between the NSM server and the host machine and thereby obviate a need for a pre-configured trust relationship across the domains.
  - 14. The non-transitory computer readable medium of claim 11 wherein program instructions that assign further comprise:
    - program instructions that assign rights to the user of the NSM server in accordance with a security administration feature of the integrated management framework.
  - 15. The non-transitory computer readable medium of claim 14 further comprising:
    - program instructions that provide a multi-stage authentication procedure to ensure that the user has appropriate rights to perform operations on the NSM server.

16. A method for administering security in a logical namespace of a storage system environment, the method comprising:
- installing a remote agent of an integrated management framework on a host machine of a first domain in the storage system environment;
  
  deploying a namespace and storage management (NSM) server, comprising a processor and a memory, in a second domain of the environment;
  
  dynamically establishing a trust relationship between the host machine of the first domain and the NSM server in the second domain by transferring at least one application program interface (API) message from the NSM server to the remote agent to delegate responsibility of issuing system calls associated with namespace and storage management to the remote agent, to thereby enable remote agent-based namespace and storage management, through the NSM server, across multiple domains of the storage system environment;
  
  assigning rights to a user of the NSM server in accordance with a security is administration feature of the integrated management framework;
  
  providing a multi-stage authentication procedure to ensure that the user has appropriate rights to perform operations on the NSM server; and
  
  performing a first look-up operation into a database of the NSM server by a command line interface process of the NSM server in accordance with a first stage of authentication, the database configured to store an indication of the rights assigned to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Kishore, K. Uday, Balasubramanian, Shankar
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
PLECHA, THADDEUS J

Application Number

US11/384,795
Time in Patent Office

2,206 Days
Field of Search

726 1- 21, 726 26- 33, 713182-186, 709217-219, 709227-229, 709/202, 707 1- 10
US Class Current

726/28
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

System and method for administering security in a logical namespace of a storage system environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for administering security in a logical namespace of a storage system environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links