Method and apparatus to keep consistency of ACLs among a meta data server and data servers

US 9,064,106 B2
Filed: 04/25/2012
Issued: 06/23/2015
Est. Priority Date: 04/25/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A meta data server coupled to a plurality of client computers and a plurality of data servers, comprising:

a memory configured to store an indication of a relationship among first identification information indicating a data server, second identification information identifying a location of a file, and third identification information associated with a client computer; and

a controller operable to;

manage first access control information in the meta data server based on a layout information for a file subject to an access request from the client computer; and

control access from the client computer identified by the third identification information to the data server identified by the first identification information, by creating or updating second access control information in the data server based on the first access control information of the meta data server, and executing access control by the data server according to the second access control information for a chunk data identified by the layout information,wherein the second access control information in the data server identifies another relationship between each file and related chunk data stored in a storage system identified by the layout information, and is configured to be used for the access control for the chunk data by the data server;

wherein the second identification information further comprises file path information and file name information of the file;

wherein the third identification information comprises at least one Internet Protocol (IP) address segment; and

wherein the controller controls the access from the client computer based on the relationship in the memory and an address segment of the client computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary embodiments may involve a meta-data server that manages data-server access control list (DS ACL) information. Each entry of this DS ACL information may include an address of a data server, an identification or a range address of chunk data on the data server, a file path of the chunk data in the file tree provided by the meta-data server, and addresses of the permitted clients. The meta-data server may determine the addresses of the permitted clients for the chunk data by retrieving the original file path of chunk data from layout information of the meta-data server, and by retrieving the entry containing the directory path that partially matches with the original file path from an access control list of the meta-data server.

Citations

17 Claims

1. A meta data server coupled to a plurality of client computers and a plurality of data servers, comprising:
- a memory configured to store an indication of a relationship among first identification information indicating a data server, second identification information identifying a location of a file, and third identification information associated with a client computer; and
  
  a controller operable to;
  
  manage first access control information in the meta data server based on a layout information for a file subject to an access request from the client computer; and
  
  control access from the client computer identified by the third identification information to the data server identified by the first identification information, by creating or updating second access control information in the data server based on the first access control information of the meta data server, and executing access control by the data server according to the second access control information for a chunk data identified by the layout information,wherein the second access control information in the data server identifies another relationship between each file and related chunk data stored in a storage system identified by the layout information, and is configured to be used for the access control for the chunk data by the data server;
  
  wherein the second identification information further comprises file path information and file name information of the file;
  
  wherein the third identification information comprises at least one Internet Protocol (IP) address segment; and
  
  wherein the controller controls the access from the client computer based on the relationship in the memory and an address segment of the client computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The meta data server of claim 1, wherein the second identification information comprises block information of the file;
    - wherein the third identification information comprises at least one internet small computer system interface qualified name (IQN); and
      
      wherein the controller controls the access from the client computer based on the relationship in the memory and the IQN of the client computer.
  - 3. The meta data server of claim 1, wherein the second identification information comprises block information of the file;
    - wherein the third identification information comprises at least one Fibre Channel (FC) World Wide Name (WWN); and
      
      wherein the controller controls the access from the client computer based on the relationship in the memory and the FC-WWN of the client computer.
  - 4. The meta data server of claim 1, wherein the memory further stores an open processing program operable to configure the plurality of data servers to control access from the plurality of client computers based on the third identification information when executed in a first mode, and further operable to generate a response comprising a file handle.
  - 5. The meta data server of claim 4, wherein the memory further stores a layout processing program operable to configure the plurality of data servers to control access from the plurality of client computers based on the third identification information when executed in a second mode, and further operable to generate a response comprising the layout information.
  - 6. The meta data server of claim 5, wherein the controller is further configured to change a mode of the meta data server from the second mode to the first mode, or from the first mode to the second mode.
  - 7. The meta data server of claim 1, wherein the controller in response to a request to create another file, is configured to update the second identification information based on the another file and update the third identification information based on the request.
  - 8. The meta data server of claim 1, wherein the meta data server is integrated into a parallel Network File System (pNFS).

9. A system, comprising:
- a plurality of client computers;
  
  a plurality of data servers; and
  
  a meta data server coupled to the plurality of client computers and the plurality of data servers, comprising;
  
  a memory configured to store an indication of a relationship among first identification information indicating a data server, second identification information identifying a location of a file, and third identification information associated with a client computer;
  
  anda controller operable to;
  
  manage first access control information in the meta data server based on a layout information for a file subject to an access request from the client computer; and
  
  to control access from the client computer identified by the third identification information to the data server identified by the first identification information, by creating or updating second access control information in the data server based on the first access control information of the meta data server,wherein the data server is configured to execute access control according to the second access control information for a chunk data identified by the layout information,wherein the second access control information in the data server identifies another relationship between each file and related chunk data stored in a storage system identified by the layout information, and is configured to be used for the access control for the chunk data by the data server;
  
  wherein the second information further comprises file path information and file name information of the file;
  
  wherein the third identification information comprises at least one Internet Protocol (IP) address segment; and
  
  wherein the controller controls the access from the client computer based on the relationship in the memory and the IP address segment of the client computer.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the second information comprises block information of the file;
    - wherein the third identification information comprises at least one internet small computer system interface qualified name (IQN); and
      
      wherein the controller controls the access from the client computer based on the relationship and the IQN of the client computer.
  - 11. The system of claim 9, wherein the second information comprises block information of the file;
    - wherein the third identification information comprises at least one Fibre Channel (FC) World Wide Name (WWN); and
      
      wherein the controller controls the access from the client computer based on the relationship and the FC-WWN of the client computer.
  - 12. The system of claim 9, wherein the memory further stores an open processing program operable to configure the plurality of data servers to control access from the plurality of client computers based on the third identification information when executed in a first mode, and further operable to generate a response comprising a file handle.
  - 13. The system of claim 12, wherein the memory further stores a layout processing program operable to configure the plurality of data servers to control access from the plurality of client computers based on the third identification information when executed in a second mode, and further operable to generate a response comprising the layout information.
  - 14. The system of claim 13, wherein the controller is further configured to change a mode of the meta data server from the second mode to the first mode, or from the first mode to the second mode.
  - 15. The system of claim 9, wherein the controller in response to a request from one of the plurality of clients to create another file, is configured to update the second identification information based on the another file and update the third identification information based on the request.
  - 16. The system of claim 9, wherein the system is a parallel Network File System (pNFS).

17. A non-transitory computer readable medium storing instructions for operating a meta data server, the instructions comprising:
- managing an indication of a relationship among first identification information indicating a data server, second identification information identifying a location of a file, and third identification information associated with a client computer;
  
  managing first access control information in the meta data server based on layout information for the file subject to an access request by the client computer, andcontrolling access from the client computer identified by the third identification information to the data server identified by the first identification information, by creating or updating second access control information in the data server based on the first access control information of the meta data server, wherein the data server is configured to execute access control according to the second access control information for a chunk data identified by the layout information, wherein the second access control information in the data server identifies another relationship between each file and related chunk data stored in a storage system identified by the layout information, and is configured to be used for the access control for the chunk data by the data server;
  
  wherein the second information further comprises file path information and file name information of the file;
  
  wherein the third identification information comprises at least one Internet Protocol (IP) address segment; and
  
  wherein the controlling the access from the client computer is based on the relationship in the memory and an address segment of the client computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Okita, Hideki, Nakano, Takahiro
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US13/456,091
Publication Number

US 20130291066A1
Time in Patent Office

1,154 Days
Field of Search

726/4
US Class Current

1/1
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/53   by executing in a restricte...

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04W 12/06   Authentication

Method and apparatus to keep consistency of ACLs among a meta data server and data servers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to keep consistency of ACLs among a meta data server and data servers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links