Cluster federation and trust in a cloud environment

US 9,684,453 B2
Filed: 11/26/2014
Issued: 06/20/2017
Est. Priority Date: 03/08/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

designating a first cluster as a trust root, the first cluster including a first set of containers, each container of the first set of containers being based on one or more user accounts;

setting a first user account in the first set of clusters to synchronize with a second user account in a second cluster, the first user account being specified by an authentication response uniform resource locator (URL);

after a period of time has elapsed, synchronizing the second user account with the first user account; and

switching, based on the synchronizing, the authentication response URL from the first cluster to the second cluster, wherein after the switching, the second user account is specified by the authentication response URL.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved scalable object storage system allows multiple clusters to work together. In one embodiment, a trust and federation relationship is established between a first cluster and a second cluster. This is done by designating a first cluster as a trust root. The trust root receives contact from another cluster, and the two clusters exchange cryptographic credentials. The two clusters mutually authenticate each other based upon the credentials, and optionally relative to a third information service, and establish a service connection. Services from the remote cluster are registered as being available to the cluster designated as the trust root. Multi-cluster gateways can also be designated as the trust root, and joined clusters can be mutually untrusting. Two one-way trust and federation relationships can be set up to form a trusted bidirectional channel.

135 Citations

View as Search Results

20 Claims

1. A method, comprising:
- designating a first cluster as a trust root, the first cluster including a first set of containers, each container of the first set of containers being based on one or more user accounts;
  
  setting a first user account in the first set of clusters to synchronize with a second user account in a second cluster, the first user account being specified by an authentication response uniform resource locator (URL);
  
  after a period of time has elapsed, synchronizing the second user account with the first user account; and
  
  switching, based on the synchronizing, the authentication response URL from the first cluster to the second cluster, wherein after the switching, the second user account is specified by the authentication response URL.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the first cluster is controlled by a first cloud service provider.
  - 3. The method of claim 2, wherein the second cluster is controlled by the first cloud service provider.
  - 4. The method of claim 2, wherein the second cluster is controlled by a second cloud service provider different from the first cloud service provider.
  - 5. The method of claim 1, further including:
    - receiving contact from the second cluster at the trust root over a communications medium, wherein the second cluster includes a second set of containers, and each container of the second set of containers is based on one or more user accounts.
  - 6. The method of claim 1, further including:
    - providing account tokens to the first cluster.
  - 7. The method of claim 6, further including:
    - revoking, based on the switching, the account tokens.
  - 8. The method of claim 1, further including:
    - setting, based on the switching, the first user account into a read-only mode.
  - 9. The method of claim 8, further including:
    - turning off the synchronizing from the first user account to the second user account.
  - 10. The method of claim 1, further including:
    - after a second period of time has elapsed, purging the first account.

11. A system, comprising:
- a first cluster including a plurality of information processing devices, wherein the first cluster includes a first set of containers, and each container of the first set of containers is based on one or more user accounts; and
  
  a first cluster controller that, by one or more hardware processors, sets a first user account in the first set of clusters to synchronize with a second user account in a second cluster, wherein after a period of time has elapsed, the first cluster controller synchronizes the second user account with the first user account,wherein the first user account is specified by an authentication response uniform resource locator (URL), and the first cluster controller switches, based on the synchronizing, the authentication response URL from the first cluster to the second cluster, wherein after the first cluster controller switches the authentication response URL from the first cluster to the second cluster, the second user account is specified by the authentication response URL.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, wherein the first cluster is controlled by a first cloud service provider.
  - 13. The system of claim 12, wherein the second cluster is controlled by the first cloud service provider.
  - 14. The system of claim 12, wherein the second cluster is controlled by a second cloud service provider different from the first cloud service provider.
  - 15. The system of claim 11, wherein the first cluster controller receives contact from the second cluster at the trust root over a communications medium, and wherein the second cluster includes a second set of containers, and each container of the second set of containers is based on one or more user accounts.
  - 16. The system of claim 11, wherein the first cluster controller sets, based on the switching, the first user account into a read-only mode.
  - 17. The system of claim 16, wherein the first cluster controller turns off the synchronizing from the first user account to the second user account.
  - 18. The system of claim 17, wherein after a second period of time has elapsed, the first cluster controller purges the first account.

19. A non-transitory machine-readable medium comprising a plurality of machine-readable instructions that when executed by one or more processors is adapted to cause the one or more processors to perform a method comprising:
- designating a first cluster as a trust root, the first cluster including a first set of containers, each container of the first set of containers being based on one or more user accounts;
  
  setting a first user account in the first set of clusters to synchronize with a second user account in a second cluster, the first user account being specified by an authentication response uniform resource locator (URL);
  
  after a period of time has elapsed, synchronizing the second user account with the first user account; and
  
  switching, based on the synchronizing, the authentication response URL from the first cluster to the second cluster, wherein after the switching, the second user account is specified by the authentication response URL.
- View Dependent Claims (20)
- - 20. The machine-readable medium of claim 19, the method further including:
    - receiving contact from the second cluster at the trust root over a communications medium, wherein the second cluster includes a second set of containers, and each container of the second set of containers is based on one or more user accounts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rackspace US Incorporated (Apollo Global Management, Inc.)
Original Assignee
Rackspace US Incorporated (Apollo Global Management, Inc.)
Inventors
Goetz, David Patrick, Gerrard, Clay, Holt, Gregory Lee, Barton, Michael
Primary Examiner(s)
Lagor, Alexander

Application Number

US14/555,289
Publication Number

US 20150156136A1
Time in Patent Office

937 Days
Field of Search

713186
US Class Current
CPC Class Codes

G06F 16/1824   implemented using Network-a...

G06F 16/27   Replication, distribution o...

G06F 3/0608   Saving storage space on sto...

G06F 3/0619   in relation to data integri...

G06F 3/0631   by allocating resources to ...

G06F 3/0641   De-duplication techniques

G06F 3/0644   Management of space entitie...

G06F 3/067   Distributed or networked st...

G06F 9/5083   Techniques for rebalancing ...

H04L 47/80   Actions related to the user...

H04L 67/10   in which an application is ...

H04L 67/1006   with static server selectio...

H04L 67/1023   based on a hash applied to ...

H04L 67/1095   Replication or mirroring of...

H04L 67/1097   for distributed storage of ...

Y10S 707/9994   Distributed or remote access

Y10S 707/99953   Recoverability

Cluster federation and trust in a cloud environment

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

135 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cluster federation and trust in a cloud environment

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links