Clustered file systems for mix of trusted and untrusted nodes
IPC classification information
Country / type: United States (US) Patent
Status: Registered (granted)
International Patent Classification (IPC, 7th edition): H04L-029/06; G06F-021/00
Application number: US-0438304 (2012-04-03)
Registration number: US-8578478 (2013-11-05)
Inventor / address: Beck, Kenneth S.
Applicant / address: Silicon Graphics International Corp.
Agent / address: Lewis Roca Rothgerber LLP
Citation information
Times cited: 1
Cited patents: 129
Abstract
A cluster of computer system nodes share direct read/write access to storage devices via a storage area network using a cluster filesystem. At least one trusted metadata server assigns a mandatory access control label as an extended attribute of each filesystem object regardless of whether required by a client node accessing the filesystem object. The mandatory access control label indicates the sensitivity and integrity of the filesystem object and is used by the trusted metadata server(s) to control access to the filesystem object by all client nodes.
Representative claims
1. A method of operating a cluster of computer system nodes sharing direct read/write access to filesystems, comprising: assigning a mandatory access control label as an extended attribute of a filesystem object administered by at least one trusted metadata server node, the mandatory access control label including a first indication of sensitivity and a first indication of integrity, wherein the extended attribute includes a free form data area associated with the filesystem object; assigning a mandatory access control label having a second indication of sensitivity and a second indication of integrity to each node in the cluster; and permitting access to the filesystem object by any node in the cluster when the second indication of sensitivity and the second indication of integrity assigned thereto meets criteria defined by the first indication of sensitivity and the first indication of integrity in the mandatory access control label of the filesystem object.
2. A method as recited in claim 1, wherein assigning of the mandatory access control label having the second indication of sensitivity and the second indication of integrity to each node uses a filesystem mandatory access control label if previously assigned to the filesystem object when the node requesting access to the filesystem object has no networking mandatory access control label for accessing the filesystem object.
3. A method as recited in claim 1, wherein assigning of the mandatory access control label having the second indication of sensitivity and the second indication of integrity uses a networking mandatory access control label if previously assigned to the node and no filesystem mandatory access control label is assigned to the filesystem object.
4. A method as recited in claim 3, wherein the mandatory access control label including the second indication of sensitivity and the second indication of integrity is assigned with a high indication of sensitivity and a low indication of integrity in response to no networking mandatory access control label being assigned to the node.
5. A method as recited in claim 1, wherein: an indication of sensitivity identifies what user or process can look at the filesystem object; and an indication of integrity identifies that the filesystem object came from a reliable source.
6. A non-transitory computer readable storage medium including code for operating a cluster of computer system nodes sharing direct read/write access to filesystem objects, the code operable to: assign a mandatory access control label as an extended attribute of a filesystem object administered by at least one trusted metadata server node, the mandatory access control label including a first indication of sensitivity and a first indication of integrity, wherein the extended attribute includes a free form data area associated with the filesystem object; assign a mandatory access control label including a second indication of sensitivity and a second indication of integrity to each node of the cluster; and permit access to the filesystem object by any node when the second indication of sensitivity and the second indication of integrity assigned thereto meets criteria defined by the first indication of sensitivity and the first indication of integrity in the mandatory access control label of the filesystem object.
7. The non-transitory computer readable storage medium of claim 6, wherein assigning of the mandatory access control label including the second indication of sensitivity and the second indication of integrity uses a filesystem mandatory access control label if previously assigned to the filesystem object when the node requesting access to the filesystem object has no networking mandatory access control label for accessing the filesystem object.
8. The non-transitory computer readable storage medium of claim 6, wherein assigning of the mandatory access control label including the second indication of sensitivity and the second indication of integrity uses a networking mandatory access control label if previously assigned to the node and no filesystem mandatory access control label is assigned to the filesystem object.
9. The non-transitory computer readable storage medium of claim 8, wherein the mandatory access control label including the second indication of sensitivity and the second indication of integrity is assigned with a high indication of sensitivity and a low indication of integrity in response to no networking mandatory access control label being assigned to the node.
10. The non-transitory computer readable storage medium of claim 6, wherein: an indication of sensitivity identifies what user or process can look at the filesystem object; and an indication of integrity identifies that the filesystem object came from a reliable source.
11. A cluster of computer systems, comprising: storage devices storing at least one filesystem object; a storage area network coupled to the storage devices; metadata client nodes coupled to the storage area network; and a trusted metadata server node coupled to the storage area network, wherein the trusted metadata server node assigns a mandatory access control label as an extended attribute of the at least one filesystem object, wherein the extended attribute includes a free form data area associated with the at least one filesystem object, wherein the mandatory access control label includes a first indication of sensitivity and a first indication of integrity, wherein the trusted metadata server node assigns a mandatory access control label including a second indication of sensitivity and a second indication of integrity to each node, and wherein the trusted metadata server node permits access to the filesystem object by any node when the second indication of sensitivity and the second indication of integrity assigned thereto meets criteria defined by the first indication of sensitivity and the first indication of integrity in the mandatory access control label of the filesystem object.
12. A cluster of computer systems of claim 11, wherein the trusted metadata server node assigns the mandatory access control label including the second indication of sensitivity and the second indication of integrity using a filesystem mandatory access control label if previously assigned to the filesystem object when the node requesting access to the filesystem object has no networking mandatory access control label for accessing the filesystem object.
13. A cluster of computer systems of claim 11, wherein the trusted metadata server node assigns the mandatory access control label including the second indication of sensitivity and the second indication of integrity using a networking mandatory access control label if previously assigned to the node and no filesystem mandatory access control label is assigned to the filesystem object.
14. The cluster of computer systems of claim 13, wherein the mandatory access control label including the second indication of sensitivity and the second indication of integrity is assigned with a high indication of sensitivity and a low indication of integrity in response to no networking mandatory access control label being assigned to the node.
15. A cluster of computer systems of claim 11, wherein: an indication of sensitivity identifies what user or process can look at the filesystem object; and an indication of integrity identifies whether the filesystem object came from a reliable source.
16. A system of operating a cluster of computer system nodes sharing direct read/write access to filesystems, comprising: a trusted metadata server node, wherein access to mass storage is shared by a mixture of trusted and untrusted nodes, wherein shared data is stored with labeling used by the trusted nodes in the cluster of computer system nodes, and wherein the trusted metadata server node: assigns a mandatory access control label as an extended attribute of a filesystem object, the mandatory access control label including a first indication of sensitivity and a first indication of integrity, wherein the extended attribute includes a free form data area associated with the filesystem object; assigns a mandatory access control label having a second indication of sensitivity and a second indication of integrity to each node in the cluster; and permits access to the filesystem object by any node when the second indication of sensitivity and the second indication of integrity assigned thereto meets criteria defined by the first indication of sensitivity and the first indication of integrity in the mandatory access control label of the filesystem object.
17. The system of claim 16, wherein the trusted metadata server node assigns the mandatory access control label having the second indication of sensitivity and the second indication of integrity to each node using a filesystem mandatory access control label if previously assigned to the filesystem object when the node requesting access to the filesystem object has no networking mandatory access control label for accessing the filesystem object.
18. The system of claim 16, wherein the trusted metadata server node assigns the mandatory access control label having the second indication of sensitivity and the second indication of integrity using a networking mandatory access control label if previously assigned to the node and no filesystem mandatory access control label is assigned to the filesystem object.
19. The system of claim 18, wherein the mandatory access control label including the second indication of sensitivity and the second indication of integrity is assigned with a high indication of sensitivity and a low indication of integrity in response to no networking mandatory access control label being assigned to the node.
20. The system of claim 16, wherein: an indication of sensitivity identifies what user or process can look at the filesystem object; and an indication of integrity identifies that the filesystem object came from a reliable source.
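As an added illustration that is not part of the patent record, the following Python models the label-resolution order of claims 2 to 4 and the access decision of claim 1: the trusted metadata server resolves the requesting node's label, stamps any object that still lacks a label, and checks the node's label against the object's. The dominance criteria (Bell-LaPadula on sensitivity, Biba on integrity), the attribute name trusted.mac_label, the precedence of a networking label over a filesystem label when both exist, and the default label for an unlabeled object are all assumptions; the claims leave them unspecified.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional

class Level(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2

@dataclass(frozen=True)
class MacLabel:
    sensitivity: Level  # who may look at the object (claim 5)
    integrity: Level    # whether the object came from a reliable source (claim 5)

UNTRUSTED_DEFAULT = MacLabel(Level.HIGH, Level.LOW)  # claim 4: node with no networking label
LABEL_XATTR = "trusted.mac_label"  # assumed name; the claims only say "free form" extended attribute

@dataclass
class FsObject:
    name: str
    xattrs: Dict[str, MacLabel] = field(default_factory=dict)  # constructed stand-in for xattrs

@dataclass
class Node:
    name: str
    network_label: Optional[MacLabel] = None  # networking MAC label, if the node has one

def resolve_node_label(node: Node, obj: FsObject) -> MacLabel:
    # Claims 2-4: which label the trusted metadata server evaluates for the requesting node.
    if node.network_label is not None:   # claim 3 (assumed to take precedence when both exist)
        return node.network_label
    fs_label = obj.xattrs.get(LABEL_XATTR)
    if fs_label is not None:             # claim 2: no networking label, inherit the object's label
        return fs_label
    return UNTRUSTED_DEFAULT             # claim 4: nothing is known about the node

def label_object(obj: FsObject) -> MacLabel:
    # Abstract: the server labels every object; an unlabeled one gets the untrusted default (assumed).
    return obj.xattrs.setdefault(LABEL_XATTR, UNTRUSTED_DEFAULT)

def permits(node_label: MacLabel, obj_label: MacLabel, op: str) -> bool:
    # Assumed criteria (the claims leave them open): Bell-LaPadula on sensitivity, Biba on integrity.
    if op == "read":   # no read-up on sensitivity, no read-down on integrity
        return (node_label.sensitivity >= obj_label.sensitivity
                and obj_label.integrity >= node_label.integrity)
    if op == "write":  # no write-down on sensitivity, no write-up on integrity
        return (obj_label.sensitivity >= node_label.sensitivity
                and node_label.integrity >= obj_label.integrity)
    raise ValueError(f"unknown operation {op!r}")

def server_decides(node: Node, obj: FsObject, op: str) -> bool:
    # Server path: resolve the node's label against the object's current state, then label and check.
    node_label = resolve_node_label(node, obj)
    return permits(node_label, label_object(obj), op)

if __name__ == "__main__":
    payroll = FsObject("payroll.db", {LABEL_XATTR: MacLabel(Level.MEDIUM, Level.HIGH)})
    guest = Node("guest-node")  # no networking label: inherits payroll's label (claim 2)
    print(resolve_node_label(guest, payroll), server_decides(guest, payroll, "read"))
```

The constructed scenario shows the two fallbacks side by side: a node without a networking label inherits a labeled object's label, while the same node meeting an unlabeled object is treated as high sensitivity, low integrity.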