Handling permissions for virtualized file servers

US 11,568,073 B2
Filed: 12/01/2017
Issued: 01/31/2023
Est. Priority Date: 12/02/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a cluster of host machines, including a particular host machine, the particular host machine including a memory having a cache;

a file server virtual machine hosted on the particular host machine;

a storage pool distributed across the cluster of host machines, the storage pool including local storage coupled to the particular host machine, the storage pool configured to store a plurality of storage items managed by the file server virtual machine, and the storage pool configured to store respective access control lists (ACLS) corresponding to permissions granted to users for the storage items;

wherein the system is configured to receive an access request associated with a user and directed to a particular storage item of the storage items,wherein the system is further configured to retrieve an access control list of the ACLs and corresponding permissions including one or more an access rights granted to the user for the particular storage item,wherein the system is further configured to extract a relevant permission pertaining to the user for the particular storage item and store a permission profile for the user in the cache of the memory, the permission profile including the relevant permission pertaining to the user for the particular storage item, andwherein the system is further configured to, based on receiving another access request directed to the particular storage item associated with the user, check the permission profile stored in the cache to determine whether the another access request is permissible.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples of systems described herein include a file server virtual machine of a virtualized file server configured to manage storage of a plurality of storage items. The file server virtual machine including a file system configured to receive an access request directed to a storage item of the plurality of storage items and associated with a user. The file system is further configured to retrieve an access control list having permissions information associated with the storage item, and to cache a permissions profile for the user including all permissions pertaining to the user for the storage item. The file system is further configured to determine whether the access request is permissible based on the cached permissions profile.

480 Citations

41 Claims

1. A system comprising:
- a cluster of host machines, including a particular host machine, the particular host machine including a memory having a cache;
  
  a file server virtual machine hosted on the particular host machine;
  
  a storage pool distributed across the cluster of host machines, the storage pool including local storage coupled to the particular host machine, the storage pool configured to store a plurality of storage items managed by the file server virtual machine, and the storage pool configured to store respective access control lists (ACLS) corresponding to permissions granted to users for the storage items;
  
  wherein the system is configured to receive an access request associated with a user and directed to a particular storage item of the storage items,wherein the system is further configured to retrieve an access control list of the ACLs and corresponding permissions including one or more an access rights granted to the user for the particular storage item,wherein the system is further configured to extract a relevant permission pertaining to the user for the particular storage item and store a permission profile for the user in the cache of the memory, the permission profile including the relevant permission pertaining to the user for the particular storage item, andwherein the system is further configured to, based on receiving another access request directed to the particular storage item associated with the user, check the permission profile stored in the cache to determine whether the another access request is permissible.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the permission profile comprises a bitmask.
  - 3. The system of claim 2, wherein the bitmask is a four kilobyte bitmask.
  - 4. The system of claim 1, wherein the access request is a different access type than the another access request.
  - 5. The system of claim 1, wherein the system is further configured to clear the permission profile stored in the cache after a set period of time.
  - 6. The system of claim 1, wherein the system is further configured to clear the permission profile stored in the cache in response to termination of a session associated with the user.
  - 7. The system of claim 1, wherein the system is further configured to retrieve the access control list from a metadata database configured to store metadata associated with the plurality of storage items.
  - 8. The system of claim 1, wherein the permission profile for the user comprises all permissions pertaining to the user for the storage item.
  - 9. The system of claim 1, wherein the system comprises a plurality of file server virtual machines (FSVMs), including the FSVM, the plurality of FSVMs configured to manage the plurality of storage items in the storage pool.
  - 10. The system of claim 1, wherein each host machine of the cluster of host machines is configured to host at least one FSVM.
  - 11. The system of claim 10, wherein the plurality of FSVMs across the cluster of host machines are configured to manage the storage items stored in the storage pool.
  - 12. The system of claim 1, wherein the corresponding permissions include one or more access rights allowed, denied, audited, or combinations thereof.

13. A method comprising:
- hosting a file server virtual machine (FSVM) on a host machine of a cluster of host machines, the host machine including a memory having a cache, the FSVM configured to manage storage items stored in a storage pool distributed across the cluster, the storage pool including local storage coupled to at least the host machine, wherein the storage pool is configured to store respective access control lists (ACLs) corresponding to permissions granted to users for the storage items;
  
  receiving an access request associated with a user and directed to a storage item stored in the storage pool;
  
  retrieving an access control list of the ACLs and corresponding permissions, including one or more access rights granted to the user for the storage item;
  
  extracting a relevant permission pertaining to the user for the storage item and storing a permission profile for the user in the cache of the memory, the permission profile including the relevant permission pertaining to the user for the storage item; and
  
  based on receiving another access request directed to the storage item associated with the user, checking the permission profile stored in the cache to determine whether the another access request is permissible.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13, further comprising forming a bitmask to store in the cache as the permission profile.
  - 15. The method of claim 13, further comprising, in response to receiving an access request from each of a plurality of users related to a particular access type for the storage item over a specific period of time, storing all permissions for the particular access type for the storage item.
  - 16. The method of claim 13, further comprising clearing the permission profile stored in the cache after a set period of time.
  - 17. The method of claim 13, further comprising clearing the permission profile stored in the cache in response to termination of a session associated with the user.
  - 18. The method of claim 13, wherein the permission profile for the user comprises all permissions pertaining to the user for the storage item.
  - 19. The method of claim 13, further comprising managing, by a plurality of FSVMs including the FSVM, the storage pool comprising the storage items.
  - 20. The method of claim 19, further comprising hosting, at least one of the plurality of FSVMs on each host machine of the cluster of host machines.
  - 21. The method of claim 13, wherein the corresponding permissions include one or more access rights allowed, denied, audited, or combinations thereof.

22. A method comprising:
- hosting a file server virtual machine (FSVM) on a host machine of a cluster of host machines, the host machine including a memory having a cache, the FSVM configured to manage storage items stored in a storage pool distributed across the cluster, the storage pool including local storage coupled to at least the host machine, wherein the storage pool is configured to store respective access control lists (ACLs) corresponding to permissions granted to users for the storage items;
  
  receiving a request to create another access control list entry in a metadata database for a new storage item in a directory managed by the file server virtual machine (FSVM), wherein the another access control list comprises permission information associated with the new storage item;
  
  retrieving a parent directory access control list associated with the directory;
  
  in response to a determination that the access control list matches the parent directory access control list, inserting a pointer to the parent directory access control list for the access control list entry for the new storage item;
  
  in response to receiving a request associated with a user for permission information for the directory including the new storage item, extracting a relevant permission pertaining to the user for the new storage item and storing the parent directory access control list in the cache, including the relevant permission pertaining to the user for the new storage item; and
  
  in response to receiving another request directed to the new storage item associated with the user, checking the parent directory access control list in the cache to determine whether the another request is permissible.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The method of claim 22, further comprising, in response to a determination that the access control list is different than the parent directory access control list, including the access control list in the access control list entry for the new storage item.
  - 24. The method of claim 22, further comprising comparing the access control list to the parent directory access control list.
  - 25. The method of claim 22, further comprising, in response to receiving the request for permissions information for the directory including the new storage item, following the pointer to the parent directory access control list to evaluate the permissions information associated with the new storage item.
  - 26. The method of claim 22, wherein the new storage item is a file or a folder.
  - 27. The method of claim 22, further comprising:
    - in response to caching the parent directory access control list, using the cached parent directly access control list to evaluate the permission information associated with the new storage item.
  - 28. The method of claim 22, further comprising managing, by a plurality of FSVMs including the FSVM, the storage pool comprising the storage items including the new storage item.
  - 29. The method of claim 22, further comprising hosting, at each of the host machines in the cluster of host machines, at least one FSVM to provide a plurality of FSVMs including the FSVM.
  - 30. The method of claim 29, wherein the plurality of FSVMs are configured to manage the storage items in the storage pool.
  - 31. The method of claim 22, wherein the corresponding permissions include one or more access rights allowed, denied, audited, or combinations thereof.

32. At least one non-transitory computer readable medium encoded with instructions which, when executed, cause a system to perform actions comprising:
- hosting a file server virtual machine (FSVM) on a host machine of a cluster of host machines, the host machine including a memory having a cache, the FSVM configured to manage storage items stored in a storage pool distributed across the cluster, the storage pool including local storage coupled to at least the host machine, wherein the storage pool is configured to store respective access control lists (ACLs) corresponding to permissions granted to users for the storage items;
  
  receiving, at the FSVM, an access request associated with a user and directed to a storage item stored in the storage pool;
  
  retrieving an access control list of the ACLs and corresponding permissions, including one or more access rights granted to the user for the storage item;
  
  extracting a relevant permission pertaining to the user for the storage item and storing a permission profile for the user in the cache of the memory, the permission profile including the relevant permission pertaining to the user for the storage item; and
  
  based on receiving another access request directed to the storage item associated with the user, checking the permission profile stored in the cache to determine whether the another access request is permissible.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 33. The non-transitory computer readable medium of claim 32, the actions further comprising:
    - forming a bitmask to store in the cache as the permission profile.
  - 34. The non-transitory computer readable medium of claim 32, the actions further comprising:
    - in response to receiving an access request from each of a plurality of users related to a particular access type for the storage item over a specific period of time, storing multiple permission profiles for the particular access type for the storage item in the cache.
  - 35. The non-transitory computer readable medium of claim 32, the actions further comprising:
    - clearing the permission profile stored in the cache after a set period of time.
  - 36. The non-transitory computer readable medium of claim 32, the actions further comprising:
    - clearing the permission profile stored in the cache in response to termination of a session associated with the user.
  - 37. The non-transitory computer readable medium of claim 32, wherein the permission profile for the user comprises all permissions pertaining to the user for the storage item.
  - 38. The non-transitory computer readable medium of claim 32, wherein the actions further comprise:
    - managing, by a plurality of FSVMs including the FSVM, the storage pool comprising the storage items.
  - 39. The non-transitory computer readable medium of claim 32, wherein the actions further comprise:
    - hosting at least one additional file server virtual machine on each other host machine in the cluster of host machines, in addition to the FSVM hosted on the host machine.
  - 40. The non-transitory computer readable medium of claim 39, wherein the actions further comprise:
    - managing the storage items of the storage pool using a plurality of FSVMs including the FSVM and the at least one additional file server virtual machine on each other host machine.
  - 41. The non-transitory computer readable medium of claim 32, wherein the corresponding permissions include one or more access rights allowed, denied, audited, or combinations thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nutanix Incorporated
Original Assignee
Nutanix Incorporated
Inventors
Nair, Saji Kumar Vijaya Kumari Rajendran, Thummala, Hemanth Kumar, Tammineedi, Veerraju, Rathi, Shyamsunder Prayagchand, Naik, Manoj, Gupta, Manish, Arikatla, Durga Mahesh, Kumar, Gaurav
Primary Examiner(s)
Pham, Michael

Application Number

US15/829,602
Publication Number

US 20180157860A1
Time in Patent Office

1,887 Days
Field of Search

707785
US Class Current
CPC Class Codes

G06F 16/172   Caching, prefetching or hoa...

G06F 16/192   Implementing virtual folder...

G06F 2009/45579   I/O management, e.g. provid...

G06F 2009/45595   Network integration; Enabli...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/45558   Hypervisor-specific managem...

Handling permissions for virtualized file servers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

480 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Handling permissions for virtualized file servers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

480 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links