Cluster federation and trust
First Claim
1. A method of establishing trust and federation relationship between a first cluster and a second cluster, the method comprising:
- designating a first cluster as a trust root, the first cluster including a first set of containers, each container of the first set of containers including one or more objects and being based on one or more user accounts;
receiving contact from a remote cluster at the trust root over a communications medium, the remote cluster including a second set of containers, each container of the second set of containers including one or more objects and being based on one or more user accounts;
setting a synchronization attribute of a first container of the first set of containers to a URL of a second container of the second set of containers, wherein both the first container and second container are based on a common user account;
setting a secret key attribute of the first container to a key value;
setting a synchronization attribute of the second container to a URL of the first container;
setting a secret key attribute of the second container to the key value, wherein a target of the synchronization is identified via a synchronization attribute and the secret key is identified via the secret key attribute;
receiving a remote cryptographic token from the remote cluster, and sending a local cryptographic token to the remote cluster;
verifying the identity of the remote cluster using the local and remote cryptographic tokens;
creating an encrypted connection between the trust root and the remote cluster; and
registering a service provided by the remote cluster as being available to the trust root.
4 Assignments
0 Petitions
Accused Products
Abstract
An improved scalable object storage system allows multiple clusters to work together. In one embodiment, a trust and federation relationship is established between a first cluster and a second cluster. This is done by designating a first cluster as a trust root. The trust root receives contact from another cluster, and the two clusters exchange cryptographic credentials. The two clusters mutually authenticate each other based upon the credentials, and optionally relative to a third information service, and establish a service connection. Services from the remote cluster are registered as being available to the cluster designated as the trust root. Multi-cluster gateways can also be designated as the trust root, and joined clusters can be mutually untrusting. Two one-way trust and federation relationships can be set up to form a trusted bidirectional channel.
-
Citations
20 Claims
-
1. A method of establishing trust and federation relationship between a first cluster and a second cluster, the method comprising:
-
designating a first cluster as a trust root, the first cluster including a first set of containers, each container of the first set of containers including one or more objects and being based on one or more user accounts; receiving contact from a remote cluster at the trust root over a communications medium, the remote cluster including a second set of containers, each container of the second set of containers including one or more objects and being based on one or more user accounts; setting a synchronization attribute of a first container of the first set of containers to a URL of a second container of the second set of containers, wherein both the first container and second container are based on a common user account; setting a secret key attribute of the first container to a key value; setting a synchronization attribute of the second container to a URL of the first container;
setting a secret key attribute of the second container to the key value, wherein a target of the synchronization is identified via a synchronization attribute and the secret key is identified via the secret key attribute;receiving a remote cryptographic token from the remote cluster, and sending a local cryptographic token to the remote cluster; verifying the identity of the remote cluster using the local and remote cryptographic tokens; creating an encrypted connection between the trust root and the remote cluster; and registering a service provided by the remote cluster as being available to the trust root. - View Dependent Claims (4, 8, 10, 11)
-
-
2. A method of establishing trust and federation relationship between a multi-cluster gateway and a remote cluster, the method comprising:
-
designating a multi-cluster gateway as a trust root; receiving contact from a remote cluster at the trust root over a communications medium, the remote cluster including a first set of containers, each container of the first set of containers including one or more objects and being based on one or more user accounts; setting a synchronization attribute of a first container of the first set of containers to a URL of a second container of the second set of containers, wherein both the first container and second container are based on a common user account; setting a secret key attribute of the first container to a key value; setting a synchronization attribute of the second container to a URL of the first container; setting a secret key attribute of the second container to the key value, wherein a target of the synchronization is identified via a synchronization attribute and the secret key is identified via the secret key attribute; receiving a remote cryptographic token from the remote cluster, and sending a local cryptographic token to the remote cluster; verifying the identity of the remote cluster using the local and remote cryptographic tokens; creating an encrypted connection between the trust root and the remote cluster; and registering a service provided by the remote cluster as being available to the trust root. - View Dependent Claims (3, 5, 6, 7, 9, 12)
-
-
13. A trusted federation system for a plurality of clusters, the system comprising:
-
a first cluster including a plurality of information processing devices, the first cluster including a first set of containers, each container of the first set of containers including one or more objects and being based on one or more user accounts; a first cluster controller, the first cluster controller including an authenticator and an associated secret, the authenticator operable to cryptographically authenticate a request to interact with the system from a remote cluster using the associated secret, the remote cluster including a second set of containers, each container of the second set of containers including one or more objects and being based on one or more user accounts, wherein the first cluster controller sets a synchronization attribute of a first container of the first set of containers to a URL of a remote container of the remote cluster and sets a secret key attribute of the first container to a key value, wherein both the first container and remote container are based on a common user account; the first cluster controller further including a communications module operable to create an encrypted connection between the first cluster and the remote cluster, wherein a synchronization attribute of the remote container is set to a URL of the first container and a secret key attribute of the remote container is set to the key value, wherein the secret key is the associated secret; and the first cluster controller further including a service registry operable to register a service provided by the remote cluster as being available to the first cluster. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
-
Specification