This invention relates to a device that virtualizes a file system namespace provided to a client by a file server.
A file server provides a file sharing service to a plurality of clients via a network. A client shares a file stored in the file server with other clients. Thus, a plurality of users can share data in a specific file.
An increasing amount of data is stored in file servers, raising the count of file servers run in one company or organization. Files are scattered over those many file servers, and it is difficult to grasp where any particular file is stored.
Global name space (GNS) presents a solution to this problem. GNS integrates file namespaces managed separately by individual file servers into one virtual file namespace, and provides the created virtual namespace to clients. Data in different servers can thus be accessed through a unified file access path. GNS provides a function of virtualizing file servers in this manner.
Access to files managed by a file server is controlled in order to limit users that can access the files. Usually, file servers are run on a department basis or the like, and only users belonging to the department are allowed access to files managed by the department's file server. Which user has access can be set to each file as a further preventive measure against information leakage. One of such access control methods is a method called an access control list (ACL).
An ACL is an aggregation of access control entries (ACEs) each of which is a combination of “user,” “operation,” and “access right.”
However, an ACL may contain zero ACE and, in that case, any other user than the owner of the file is denied access to the file.
The ACL method includes an “inheritance function” with which an ACL set to one directory is set to file system objects (e.g., files and directories) contained in the directory. An ACL with its inheritance function turned on is called an inheritable ACL. A directory above a directory which stores a file system object is called a parent directory, and a file system object which is stored in a parent directory is called a child file or a child directory.
In GNS, a root node integrates file servers to provide a virtual namespace to clients. The clients send access requests to the root node in the same way as in normal access to the file servers. Since the root node is recognized as a normal file server, an access control function is necessary in GNS, too.
GNS connects file namespaces provided by a plurality of file servers to one virtual file namespace. A client makes a file access request to a file tree in the virtual file namespace.
If the client sets here an inheritable ACL to a directory in the virtual file namespace, the inheritable ACL is also set to file system objects stored in the directory. For example, when a directory in a file server A is a parent directory and a file server B is connected to a directory under the parent directory, the parent directory in the file server A and file system objects in the file server B have different inheritable ACLs.
Let us now discuss how a GNS is configured and an inheritable ACL is set. GNS connects a file server to a virtual file namespace. When there is an inheritable ACL set to a parent directory that is the connection source, connecting the file server to the virtual file namespace as it is results in no inheritable ACL being set halfway down the file tree.
Accordingly, no inheritable ACL is set to a child file or a child directory despite the fact that there is an inheritable ACL set to the parent directory. If GNS is run in this state and a user's access right is judged based on the ACL of the parent directory, there is a possibility that a user who should be denied access to the child file is allowed access.
Further, when a file server connected to a file tree is disconnected while GNS is run with an inheritable ACL set to the connection source, the inheritable ACL remains set to file system objects in the file server after the file server is disconnected. If this file server is connected to another GNS tree, the unnecessary inheritable ACL still remains and presents the risk of permitting file access to a user who should be denied access.
This invention has been made in view of the above, and it is therefore an object of this invention to set a correct inheritable ACL before and after a configuration definition is changed in GNS, so whether access to a file should be allowed or denied is judged properly.