Resource fencing for vLAN multi-tenant systems

US 9,954,947 B2
Filed: 02/27/2013
Issued: 04/24/2018
Est. Priority Date: 02/27/2013
Status: Active Grant

First Claim

Patent Images

1. In a storage system having a plurality of nodes, the nodes being grouped into a plurality of cluster systems each having multiple nodes, each cluster system being logically partitioned into a plurality of namespaces, each namespace including a collection of data objects, each cluster system having multiple tenants, each tenant being a grouping of namespaces, each cluster system having a plurality of capabilities, at least some of the capabilities being bound to the tenants, a node in the cluster system comprising:

a memory, anda controller operable to bind each capability to one of a plurality of IP networks so that each capability is bound to only one of the IP networks and has a destination IP address of the IP network to which the capability is bound;

wherein it is permissible for one or more capabilities to be bound to the same IP network;

wherein each IP network has one corresponding network interface;

wherein each capability is a resource that is bound to one of (i) the cluster system or (ii) a replication interface of the cluster system or (iii) one of the tenants of the cluster system; and

wherein the controller is operable, in response to a request for a capability received via the corresponding network interface of one of the IP networks, to;

find an IP network which is bound to the capability being requested by the request and determine whether an IP address of the IP network at which the request is received is in an address range allocated to the found IP network;

if the IP address of the IP network at which the request is received is in an address range allocated to the found IP network, grant access by the request to the requested capability; and

if the IP address of the IP network at which the request is received is not in an address range allocated to the found IP network, deny access by the request to the requested capability.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A storage system has a plurality of nodes which are grouped into a plurality of cluster systems each having multiple nodes, each cluster system being logically partitioned into a plurality of namespaces, each namespace including a collection of data objects, each cluster system having multiple tenants, each tenant being a grouping of namespaces, each cluster system having a plurality of capabilities, at least some of the capabilities being bound to the tenants. A node in the cluster system comprises: a memory, and a controller operable to bind each capability to one of a plurality of IP networks so that each capability is bound to only one of the IP networks and has a destination IP address of the IP network to which the capability is bound. It is permissible for one or more capabilities to be bound to the same IP network. Each IP network has one corresponding network interface.

Citations

9 Claims

1. In a storage system having a plurality of nodes, the nodes being grouped into a plurality of cluster systems each having multiple nodes, each cluster system being logically partitioned into a plurality of namespaces, each namespace including a collection of data objects, each cluster system having multiple tenants, each tenant being a grouping of namespaces, each cluster system having a plurality of capabilities, at least some of the capabilities being bound to the tenants, a node in the cluster system comprising:
- a memory, anda controller operable to bind each capability to one of a plurality of IP networks so that each capability is bound to only one of the IP networks and has a destination IP address of the IP network to which the capability is bound;
  
  wherein it is permissible for one or more capabilities to be bound to the same IP network;
  
  wherein each IP network has one corresponding network interface;
  
  wherein each capability is a resource that is bound to one of (i) the cluster system or (ii) a replication interface of the cluster system or (iii) one of the tenants of the cluster system; and
  
  wherein the controller is operable, in response to a request for a capability received via the corresponding network interface of one of the IP networks, to;
  
  find an IP network which is bound to the capability being requested by the request and determine whether an IP address of the IP network at which the request is received is in an address range allocated to the found IP network;
  
  if the IP address of the IP network at which the request is received is in an address range allocated to the found IP network, grant access by the request to the requested capability; and
  
  if the IP address of the IP network at which the request is received is not in an address range allocated to the found IP network, deny access by the request to the requested capability.
- View Dependent Claims (2, 3, 4)
- - 2. The node according to claim 1,wherein the IP networks include a plurality of physical and virtual LAN segments.
  - 3. The node according to claim 1, wherein the capabilities comprise one or more of:
    - management resource of the cluster system;
      
      data resource of the cluster system;
      
      replication resource;
      
      management resources of the tenants;
      
      ordata resources of the tenants.
  - 4. The node according to claim 1, wherein the controller is operable, in response to a request for a capability received via the corresponding network interface of one of the IP networks, to:
    - determine whether the capability being requested by the request is bound to a tenant and, if yes, find an IP network which is bound to the capability being requested by the request and determine whether the found IP network has an IP network alias entry;
      
      if it is determined that the found IP network does not have an IP network alias entry, determine whether an IP address of the IP network at which the request is received is in an address range allocated to the found IP network and, if yes, grant access by the request to the requested capability and, if no, deny access by the request to the requested capability; and
      
      if it is determined that the found IP network has an alias entry, look up an alias IP network based on the IP network alias entry, and determine whether an IP address of the IP network at which the request is received is in an address range allocated to the alias IP network and, if yes, grant access by the request to the requested capability and, if no, deny access by the request to the requested capability.

5. A method for managing access to capabilities, in a storage system having a plurality of independent nodes, the nodes being grouped into a plurality of cluster systems each having multiple nodes, each cluster system being logically partitioned into a plurality of namespaces, each namespace including a collection of data objects, each cluster system having multiple tenants, each tenant being a grouping of namespaces, each cluster system having a plurality of capabilities, at least some of the capabilities being bound to the tenants, a node in the cluster system including a memory and a controller, the method comprising:
- binding each capability to one of a plurality of IP networks so that each capability is bound to only one of the IP networks and have a destination IP address of the IP network to which the capability is bound; and
  
  in response to a request for a capability received via the corresponding network interface of one of the IP networks;
  
  finding an IP network which is bound to the capability being requested by the request and determining whether an IP address of the IP network at which the request is received is in an address range allocated to the found IP network;
  
  if the IP address of the IP network at which the request is received is in an address range allocated to the found IP network, granting access by the request to the requested capability; and
  
  if the IP address of the IP network at which the request is received is not in an address range allocated to the found IP network, denying access by the request to the requested capability;
  
  wherein it is permissible for one or more capabilities to be bound to the same IP network;
  
  wherein each IP network has one corresponding network interface; and
  
  wherein each capability is a resource that is bound to one of (i) the cluster system or (ii) a replication interface of the cluster system or (iii) one of the tenants of the cluster system.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The method according to claim 5,wherein the IP networks include a plurality of physical and virtual LAN segments.
  - 7. The method according to claim 5, wherein the capabilities comprise one or more of:
    - management resource of the cluster system;
      
      data resource of the cluster system;
      
      replication resource;
      
      management resources of the tenants;
      
      ordata resources of the tenants.
  - 8. The method according to claim 5, further comprising, in response to a request for a capability received via the corresponding network interface of one of the IP networks:
    - determining whether the capability being requested by the request is bound to a tenant and, if yes, finding an IP network which is bound to the capability being requested by the request and determining whether the found IP network has an IP network alias entry;
      
      if it is determined that the found IP network does not have an IP network alias entry, determining whether an IP address of the IP network at which the request is received is in an address range allocated to the found IP network and, if yes, granting access by the request to the requested capability and, if no, denying access by the request to the requested capability; and
      
      if it is determined that the found IP network has an alias entry, looking up an alias IP network based on the IP network alias entry, and determining whether an IP address of the IP network at which the request is received is in an address range allocated to the alias IP network and, if yes, granting access by the request to the requested capability and, if no, denying access by the request to the requested capability.
  - 9. The method according to claim 5, further comprising:
    - for a capability which is bound to a tenant which has no dedicated network resources and is inaccessible, finding an IP network which is bound to the capability and assigning an IP network alias entry of an alias IP network to the found IP network so as to map the capability via the IP network alias entry to the alias IP network;
      
      wherein the alias IP network provides network access to the capability which is bound to the tenant.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi Vantara, LLC (Hitachi, Ltd.)
Original Assignee
Hitachi Vantara Corporation (Hitachi, Ltd.)
Inventors
Bennett, Jr., Charles C., Curry, Clayton Alan, Manjanatha, Sowmya
Primary Examiner(s)
Yohannes, Tesfay

Application Number

US14/438,912
Publication Number

US 20150296016A1
Time in Patent Office

1,882 Days
Field of Search

709213, 709245, 370328, 370409
US Class Current
CPC Class Codes

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/104   Grouping of entities

H04L 67/1095   Replication or mirroring of...

H04L 67/1097   for distributed storage of ...

Resource fencing for vLAN multi-tenant systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Resource fencing for vLAN multi-tenant systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links