This invention relates generally to the field of information processing, and in particular to the efficient propagation of updated inherited information for objects.
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawing hereto: Copyright © 1998, Microsoft Corporation, All Rights Reserved.
Computer operating systems need a way to keep track of information which is stored in or describes objects. A directory service is a program that performs that function. It keeps a database of information relating to each object which is stored in a domain. The domain can be thought of as all the storage space available for objects on one computer or multiple networked computers. When the domain comprises multiple computers, there may be copies of the directory service database on each of the computers. When an object is changed, and the information in the database needs to change to reflect that change in the object, a replicator function is used to initiate the change in the object's database information. The replicator also sends a message to other computers in the network to make the same change to the directory database.
In Windows NT, the directory database contains information which is intrinsic, or actually within an object, as well as information which is inherited from other objects, referred to as parent objects. The actual inherited information is duplicated in the database. It may be passed on to children of the objects and grandchildren, and so on. When a change to information, which may be inherited, is made, one way to update the information would be to replicate the change in each object to which it applied by sending messages to other systems on an object by object basis. For large object hierarchies, a change in a high level object may cause many such messages to be sent as the change propagates down to lower level objects. This may result in a large amount of network traffic, which could degrade the overall system performance.
There is a need to efficiently and reliably change directory information without generating a large amount of network traffic. There is a need to ensure that such changes are made correctly even when other objects are attempted to be modified during the changes.
Inherited information changes are propagated in a directory associated with objects independent of replication of such changes to other copies of the directory. By propagating such changes in each directory without generating a replication message for each object so changed, network traffic is greatly reduced.
The inherited information comprises security descriptors in one instance of the invention. The security descriptors are represented in a directory database and comprise permissions for accessing and modifying objects. The inherited information comprises parent lists that identify parents of each object in another instance of this invention. Each object in a hierarchy of objects is represented by a row in the database. Alternatively, a text file with one line per object, or files in a file system are used to represent objects. When a security descriptor is modified by a user, the directory service makes the change and a replicator sends a message to other copies of the directory database, which in one embodiment is represented in tree structure. Also, the directory service sends an event notification to a security descriptor propagator. The propagator traverses the directory tree in a breadth first manner, and modifies the security descriptors of all related objects. While breadth first provides some efficiencies, other traversal methods, such as depth first may also be used. Only when all the changes are committed, will the propagator complete the updating operation.
A gate is used to control some types of access to the directory so that only one type of operation may proceed at any given time. A thread must enter the gate before starting a database transaction that will add a new object, and before entering a transaction that modifies inherited information on behalf of the propagator. Threads leave the gate after closing the database transaction. The gate ensures accuracy of the database in a dynamic changing environment.
The propagation of changes is moved into the core of the directory service, relieving calling applications from having to replicate changes themselves, and avoiding large amounts of network traffic which would result from such replication.
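The propagation and gate behaviour summarized above can be sketched as follows. This is an added illustration, not code from the patent or from any Microsoft product. It assumes an in-memory dictionary in place of the directory database and sets of permission strings in place of real security descriptors; the names `Gate`, `Directory`, `set_descriptor` and `propagate` are hypothetical.

```python
import threading

class Gate:
    """Admits many threads of one operation type; other types wait."""
    def __init__(self):
        self._cond, self._kind, self._count = threading.Condition(), None, 0
    def enter(self, kind):
        with self._cond:
            self._cond.wait_for(lambda: self._count == 0 or self._kind == kind)
            self._kind, self._count = kind, self._count + 1
    def leave(self):
        with self._cond:
            self._count -= 1
            self._cond.notify_all()  # waiters re-check the predicate

class Directory:
    def __init__(self):
        self.gate = Gate()
        # One row per object: parent, intrinsic and inherited permissions (constructed data).
        self.rows = {"root": {"parent": None, "own": {"admins:full"}, "inherited": set()}}
        self.replication_msgs = []  # messages sent to other directory copies

    def _effective(self, name):
        row = self.rows[name]
        return row["own"] | row["inherited"]

    def add_object(self, name, parent, own=()):
        self.gate.enter("add")  # enter before the transaction starts
        try:
            self.rows[name] = {"parent": parent, "own": set(own),
                               "inherited": self._effective(parent)}
        finally:
            self.gate.leave()  # leave after the transaction closes

    def set_descriptor(self, name, own):
        self.rows[name]["own"] = set(own)
        self.replication_msgs.append(name)  # one message for the user's change
        return self.propagate(name)  # local propagation sends no messages

    def propagate(self, start):
        order = [start]  # doubles as the breadth-first queue
        for parent in order:
            for child in [n for n, r in self.rows.items() if r["parent"] == parent]:
                self.gate.enter("propagate")  # one gated transaction per object
                try:
                    self.rows[child]["inherited"] = self._effective(parent)
                finally:
                    self.gate.leave()
                order.append(child)
        return order[1:]  # descendants in the order they were updated
```

Changing the descriptor on a high-level object updates every descendant locally while `replication_msgs` grows by a single entry, which is the traffic saving the summary describes.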