Cluster federation and trust

US 8,930,693 B2
Filed: 10/21/2011
Issued: 01/06/2015
Est. Priority Date: 03/08/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method of establishing trust and federation relationship between a first cluster and a second cluster, the method comprising:

designating a first cluster as a trust root, the first cluster including a first set of containers, each container of the first set of containers including one or more objects and being based on one or more user accounts;

receiving contact from a remote cluster at the trust root over a communications medium, the remote cluster including a second set of containers, each container of the second set of containers including one or more objects and being based on one or more user accounts;

setting a synchronization attribute of a first container of the first set of containers to a URL of a second container of the second set of containers, wherein both the first container and second container are based on a common user account;

setting a secret key attribute of the first container to a key value;

setting a synchronization attribute of the second container to a URL of the first container;

setting a secret key attribute of the second container to the key value, wherein a target of the synchronization is identified via a synchronization attribute and the secret key is identified via the secret key attribute;

receiving a remote cryptographic token from the remote cluster, and sending a local cryptographic token to the remote cluster;

verifying the identity of the remote cluster using the local and remote cryptographic tokens;

creating an encrypted connection between the trust root and the remote cluster; and

registering a service provided by the remote cluster as being available to the trust root.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved scalable object storage system allows multiple clusters to work together. In one embodiment, a trust and federation relationship is established between a first cluster and a second cluster. This is done by designating a first cluster as a trust root. The trust root receives contact from another cluster, and the two clusters exchange cryptographic credentials. The two clusters mutually authenticate each other based upon the credentials, and optionally relative to a third information service, and establish a service connection. Services from the remote cluster are registered as being available to the cluster designated as the trust root. Multi-cluster gateways can also be designated as the trust root, and joined clusters can be mutually untrusting. Two one-way trust and federation relationships can be set up to form a trusted bidirectional channel.

56 Citations

View as Search Results

20 Claims

1. A method of establishing trust and federation relationship between a first cluster and a second cluster, the method comprising:
- designating a first cluster as a trust root, the first cluster including a first set of containers, each container of the first set of containers including one or more objects and being based on one or more user accounts;
  
  receiving contact from a remote cluster at the trust root over a communications medium, the remote cluster including a second set of containers, each container of the second set of containers including one or more objects and being based on one or more user accounts;
  
  setting a synchronization attribute of a first container of the first set of containers to a URL of a second container of the second set of containers, wherein both the first container and second container are based on a common user account;
  
  setting a secret key attribute of the first container to a key value;
  
  setting a synchronization attribute of the second container to a URL of the first container;
  
  setting a secret key attribute of the second container to the key value, wherein a target of the synchronization is identified via a synchronization attribute and the secret key is identified via the secret key attribute;
  
  receiving a remote cryptographic token from the remote cluster, and sending a local cryptographic token to the remote cluster;
  
  verifying the identity of the remote cluster using the local and remote cryptographic tokens;
  
  creating an encrypted connection between the trust root and the remote cluster; and
  
  registering a service provided by the remote cluster as being available to the trust root.
- View Dependent Claims (4, 8, 10, 11)
- - 4. The method of claim 1, wherein one of the remote cryptographic token and the local cryptographic token is one of a value encrypted using a shared secret, a public key, a certificate, Kerberos ticket, and an OAUTH token.
  - 8. The method of claim 1, wherein the service provided by the remote cluster is a replication service, and wherein the method further comprises the step of setting a first container of the second set of containers in the remote cluster as a replication target for a second container of the first set of containers in the first cluster.
  - 10. The method of claim 1, wherein the method further comprises the step of designating a second trust root, and establishing a trust and federation relationship using the second trust root.
  - 11. The method of claim 1, wherein the trust root is controlled by a first party and the remote cluster is controlled by a second party.

2. A method of establishing trust and federation relationship between a multi-cluster gateway and a remote cluster, the method comprising:
- designating a multi-cluster gateway as a trust root;
  
  receiving contact from a remote cluster at the trust root over a communications medium, the remote cluster including a first set of containers, each container of the first set of containers including one or more objects and being based on one or more user accounts;
  
  setting a synchronization attribute of a first container of the first set of containers to a URL of a second container of the second set of containers, wherein both the first container and second container are based on a common user account;
  
  setting a secret key attribute of the first container to a key value;
  
  setting a synchronization attribute of the second container to a URL of the first container;
  
  setting a secret key attribute of the second container to the key value, wherein a target of the synchronization is identified via a synchronization attribute and the secret key is identified via the secret key attribute;
  
  receiving a remote cryptographic token from the remote cluster, and sending a local cryptographic token to the remote cluster;
  
  verifying the identity of the remote cluster using the local and remote cryptographic tokens;
  
  creating an encrypted connection between the trust root and the remote cluster; and
  
  registering a service provided by the remote cluster as being available to the trust root.
- View Dependent Claims (3, 5, 6, 7, 9, 12)
- - 3. The method of claim 2, wherein the method further comprises the steps of:
    - receiving contact from a second remote cluster at the trust root over a communications medium, the second remote cluster including a second set of containers, each container of the second set of containers including one or more objects and being based on one or more user accounts;
      
      receiving a second remote cryptographic token from the second remote cluster, and sending a local cryptographic token to the remote cluster;
      
      verifying the identity of the second remote cluster using the local and second remote cryptographic tokens;
      
      creating an encrypted connection between the trust root and the second remote cluster; and
      
      registering a service provided by the second remote cluster as being available to the trust root.
  - 5. The method of claim 2, wherein one of the remote cryptographic token and the local cryptographic token is one of a value encrypted using a shared secret, a public key, a certificate, Kerberos ticket, and an OAUTH token.
  - 6. The method of claim 3, wherein the method further comprises the step of establishing a trust and federation relationship between the remote cluster and the second remote cluster using the mutual trust root as a trust intermediary.
  - 7. The method of claim 3, wherein the method further comprises the step of establishing a trusted and encrypted connection between the remote cluster and the second remote cluster using the mutual trust root as an authentication intermediary.
  - 9. The method of claim 3, wherein the service provided by the remote cluster is a replication service, and wherein the method further comprises the step of setting a first container of the first set of containers in the remote cluster as a replication target for a second container of the second set of containers in the second remote cluster.
  - 12. The method of claim 3, wherein the trust root is controlled by a first party and one or both of the remote cluster and second remote cluster is not controlled by the first party.

13. A trusted federation system for a plurality of clusters, the system comprising:
- a first cluster including a plurality of information processing devices, the first cluster including a first set of containers, each container of the first set of containers including one or more objects and being based on one or more user accounts;
  
  a first cluster controller, the first cluster controller including an authenticator and an associated secret, the authenticator operable to cryptographically authenticate a request to interact with the system from a remote cluster using the associated secret, the remote cluster including a second set of containers, each container of the second set of containers including one or more objects and being based on one or more user accounts, wherein the first cluster controller sets a synchronization attribute of a first container of the first set of containers to a URL of a remote container of the remote cluster and sets a secret key attribute of the first container to a key value, wherein both the first container and remote container are based on a common user account;
  
  the first cluster controller further including a communications module operable to create an encrypted connection between the first cluster and the remote cluster, wherein a synchronization attribute of the remote container is set to a URL of the first container and a secret key attribute of the remote container is set to the key value, wherein the secret key is the associated secret; and
  
  the first cluster controller further including a service registry operable to register a service provided by the remote cluster as being available to the first cluster.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13, wherein one of the secret is one of a passphrase, a shared secret, a private key, and a certificate.
  - 15. The system of claim 13, wherein the authenticator operates in accordance with one of XAUTH, OAUTH, Kerberos, and RADIUS.
  - 16. The system of claim 13, wherein the communications module establishes the encrypted connection using a trusted intermediary.
  - 17. The system of claim 13, further comprising a multi-cluster gateway, wherein the first cluster controller is associated with the multi-cluster gateway.
  - 18. The system of claim 13, further comprising a replicator, operable to selectively replicate information from the first cluster to the remote system.
  - 19. The system of claim 13, further comprising a second cluster including a second plurality of information processing devices and a second cluster controller.
  - 20. The system of claim 19, further comprising a replicator, operable to selectively replicate information from the first cluster to the second cluster, wherein a first container of the second set of containers in the remote cluster is set as a replication target for a second container of the first set of containers in the first cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rackspace US Incorporated (Apollo Global Management, Inc.)
Original Assignee
Rackspace US Incorporated (Apollo Global Management, Inc.)
Inventors
Holt, Gregory Lee, Barton, Michael, Goetz, David Patrick, Gerrard, Clay
Primary Examiner(s)
Lagor, Alexander

Application Number

US13/278,807
Publication Number

US 20120233463A1
Time in Patent Office

1,173 Days
Field of Search

None
US Class Current

713/168
CPC Class Codes

G06F 16/1824   implemented using Network-a...

G06F 16/27   Replication, distribution o...

G06F 3/0608   Saving storage space on sto...

G06F 3/0619   in relation to data integri...

G06F 3/0631   by allocating resources to ...

G06F 3/0641   De-duplication techniques

G06F 3/0644   Management of space entitie...

G06F 3/067   Distributed or networked st...

G06F 9/5083   Techniques for rebalancing ...

H04L 47/80   Actions related to the user...

H04L 67/10   in which an application is ...

H04L 67/1006   with static server selectio...

H04L 67/1023   based on a hash applied to ...

H04L 67/1095   Replication or mirroring of...

H04L 67/1097   for distributed storage of ...

Y10S 707/9994   Distributed or remote access

Y10S 707/99953   Recoverability

Cluster federation and trust

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cluster federation and trust

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links