This invention relates to access control, and more particularly to data management and access control based on a storage permitted location and an access permitted location of data in a group of computer systems intercoupled via a network.
With higher performance and lower prices of computer systems, the use of computer systems has recently spread across various industries and applications. Accordingly, data conventionally handled on paper media or the like has been computerized and is stored electronically by computer systems.
Additionally, configurations in which a plurality of computer systems are intercoupled via a network have rapidly become common. Distributed management and distributed processing of data can be realized, so availability, reliability, and performance that had been difficult to achieve with only one computer system have become possible.
In configurations that intercouple a plurality of computer systems via a network, it has become more important to provide technology for efficiently managing data and technology for controlling access, for the purpose of improving convenience for computer system users.
An overlay network technology, which builds and provides a logical network structure by hiding the physical network structure that intercouples a plurality of computer systems, has recently come into use. The overlay network technology enables transparent access to a computer system irrespective of the installation location of the computer system to be used.
By using the overlay network technology, for example, file share services of a peer-to-peer form for distributing and storing shared files can be realized on the computer systems which build the overlay network.
In the file share services, users can learn on which of the computer systems shared files are present by requesting file acquisition based on identification information of the shared files to be obtained. Once the location of the shared file is known, each user can obtain the shared file by accessing a relevant arbitrary computer system.
When accessing the arbitrary computer system, the user does not have to know where the computer system to be accessed is actually located, but only has to know the identification information of that computer system in the overlay network. Based on the identification information, the user can access the computer system where the shared file is present via the overlay network.
Conventionally, building the overlay network requires identification information of each participating computer system and identification information in the network that is necessary for access via the actual network. For example, the former is a host name of the computer system, and the latter is an IP address allocated to the computer system.
A computer system participating in the overlay network has to manage such identification information, and has to exchange identification information with the other computer systems participating in the overlay network to update its contents.
By performing the updates properly, a computer system can dynamically participate in or withdraw from the overlay network as needed, and the computer systems which participate in the overlay network can be easily managed.
Two methods are available for managing the computer systems which participate in the overlay network: a method in which each computer system manages information on all participating computer systems, and a method in which each computer system manages information on only some of the computer systems. Because each computer system knows all the computer systems participating in the overlay network, the former method has the feature that the node storing a shared file is searched for when the shared file is actually accessed, and access to the shared file is highly efficient. On the other hand, because update information has to be reflected in all the participating computer systems each time a computer system participates in or withdraws from the overlay network, the efficiency of managing the participating computer systems is reduced.
In the latter method, each computer system manages information on only some of the computer systems participating in the overlay network. Accordingly, the updating of information managed by each computer system each time a computer system participates in or withdraws from the overlay network can be minimized, and its influence can be reduced. In the latter method, when a shared file is actually accessed, information on a computer system which has participated in or withdrawn from the network can be obtained by making an inquiry to the other computer systems participating in the overlay network. In this case, overheads occur because of the inquiry made about the information of the computer system. However, these overheads are much smaller than those incurred when the management information of the computer systems participating in the overlay network is updated. In particular, the overheads are conspicuously large when a large-scale overlay network is run.
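The trade-off between the two management methods can be made concrete with a small model. This is an added example, not part of the original text: the name-ordered ring, the k-successor tables, and the host names and addresses are assumptions constructed for illustration. It counts how many nodes must be updated when one system joins and how many inquiries a lookup needs.

```python
# Added illustration; the ring layout and k-successor tables are assumptions, not from the page.
def make_nodes(n):
    # Constructed sample participants: host name -> IP address.
    return {f"host{i:03d}": f"10.0.{i // 256}.{i % 256}" for i in range(n)}

class FullView:
    """Former method: every node stores every participant's entry."""
    def __init__(self, nodes):
        self.tables = {h: dict(nodes) for h in nodes}

    def join(self, host, ip):
        for table in self.tables.values():      # each existing node must be updated
            table[host] = ip
        updated = len(self.tables)
        self.tables[host] = dict(next(iter(self.tables.values())))
        return updated

    def resolve(self, asker, target):
        return self.tables[asker][target], 0     # answered from the local table

class PartialView:
    """Latter method: every node stores only its k successors on a name-ordered ring."""
    def __init__(self, nodes, k):
        self.nodes, self.k = dict(nodes), k
        self.tables = self._build()

    def _build(self):
        ring = sorted(self.nodes)
        return {h: [ring[(i + j) % len(ring)] for j in range(1, self.k + 1)]
                for i, h in enumerate(ring)}

    def join(self, host, ip):
        before = self.tables
        self.nodes[host] = ip
        self.tables = self._build()
        # Only nodes whose successor list changed need an update message.
        return sum(1 for h, t in before.items() if self.tables[h] != t)

    def resolve(self, asker, target):
        cur, inquiries = asker, 0
        while cur != target and target not in self.tables[cur]:
            cur = self.tables[cur][-1]           # ask the farthest known successor
            inquiries += 1
        return self.nodes[target], inquiries

def compare(n=200, k=4):
    full, part = FullView(make_nodes(n)), PartialView(make_nodes(n), k)
    return {"full_join_updates": full.join("host999", "10.0.3.231"),
            "partial_join_updates": part.join("host999", "10.0.3.231"),
            "full_inquiries": full.resolve("host000", "host150")[1],
            "partial_inquiries": part.resolve("host000", "host150")[1]}
```

With 200 nodes and k = 4, a join touches every existing table in the full-view model but only four tables in the partial-view model, while a lookup costs no inquiries in the former and a chain of inquiries in the latter.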