1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
|
Internet Engineering Task Force (IETF) J. Lentini
Request for Comments: 5716 C. Everhart
Category: Informational NetApp
ISSN: 2070-1721 D. Ellard
BBN Technologies
R. Tewari
M. Naik
IBM Almaden
January 2010
Requirements for Federated File Systems
Abstract
This document describes and lists the functional requirements of a
federated file system and defines related terms.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5716.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Lentini, et al. Informational [Page 1]
^L
RFC 5716 Requirements for Federated File Systems January 2010
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Overview ........................................................3
1.1. Requirements Language ......................................4
2. Purpose .........................................................5
3. Examples and Discussion .........................................5
3.1. Create a Fileset and Its FSL(s) ............................5
3.1.1. Creating a Fileset and an FSN .......................6
3.1.2. Adding a Replica of a Fileset .......................6
3.2. Junction Resolution ........................................7
3.3. Junction Creation ..........................................9
4. Glossary ........................................................9
5. Proposed Requirements ..........................................11
5.1. Basic Assumptions .........................................11
5.2. Requirements ..............................................14
6. Non-Requirements ...............................................20
7. Security Considerations ........................................21
8. References .....................................................22
8.1. Normative References ......................................22
8.2. Informative References ....................................23
Appendix A. Acknowledgments ......................................25
Lentini, et al. Informational [Page 2]
^L
RFC 5716 Requirements for Federated File Systems January 2010
1. Overview
This document describes and lists the functional requirements of a
federated file system and defines related terms.
We do not describe the mechanisms that might be used to implement
this functionality except in cases where specific mechanisms, in our
opinion, follow inevitably from the requirements. Our focus is on
the interfaces between the entities of the system, not on the
protocols or their implementations.
Today, there are collections of fileservers that inter-operate to
provide a single namespace comprised of filesystem resources provided
by different members of the collection, joined together with inter-
filesystem references. The namespace can either be assembled at the
fileservers, the clients, or by an external namespace service, and is
often not easy or uniform to manage. The requirements in this
document are meant to lead to a uniform server-based namespace that
is capable of spanning a whole enterprise and that is easy to manage.
We define some terms to better describe the solution space. A
"fileset" is the abstract view of a filesystem in a uniform
namespace, and may be implemented behind that abstraction by one or
more physical filesystems at any given time. Each fileset has a name
called an "FSN" (fileset name), and each physical filesystem has a
fileset location ("FSL"). A fileset is a directory tree containing
files and directories, and it may also contain references to other
filesets. These references are called "junctions". To provide
location independence, a junction does not contain information about
the location of the real resource(s), but instead contains an FSN
that can be used to look up the location information. The service
that can be used to map from the FSN to the FSL(s) is called a
namespace database (NSDB) service. The NSDB provides a level of
indirection from the virtual paths in the uniform namespace to the
actual locations of files. By design, the NSDB does not store the
junctions. This allows junction administration and NSDB
administration to be separate roles.
The servers direct clients to the proper locations by existing
mechanisms (e.g., the referrals mechanism within [RFC3530] and
[RFC5661]). Updates to the locations make it possible to support
migration and replication of physical filesystems that comprise the
namespace, in a way that is transparent to filesystem applications.
Lentini, et al. Informational [Page 3]
^L
RFC 5716 Requirements for Federated File Systems January 2010
Figure 1 shows an example of a federation. This federation has two
members, named ALPHA and BETA. Federation members may contain an
arbitrary number of fileservers and NSDB nodes; in this illustration,
ALPHA and BETA each have three servers, one NSDB node, and are
administered separately.
+----------------------+ +----------------------+
| Federation Member | | Federation Member |
| ALPHA | | BETA |
| | | |
| | | |
| +------------+ | | +------------+ |
| | NSDB | | | | NSDB | |
| | | | | | | |
| +------------+ | | +------------+ |
| | | |
| | | |
| | | |
| +----------+ | | +----------+ |
| | | | | | | |
| +-- | Servers | | | +-- | Servers | |
| | | | | | | | | |
| +-- | | | | | +-- | | | |
| | | +----------+ | | | | +----------+ |
| | | | | | | | | |
| | +----------+ | | | +----------+ |
| | | | | | | |
| +----------+ | | +----------+ |
+----------------------+ +----------------------+
Figure 1
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Note that this is a requirements document, and in many instances
where these words are used in this document they refer to qualities
of a specification for a system that satisfies the document, or
requirements of a system that matches that specification. These
cases are distinguished when there is potential for ambiguity.
Lentini, et al. Informational [Page 4]
^L
RFC 5716 Requirements for Federated File Systems January 2010
2. Purpose
Our objective is to specify a set of protocols by which fileservers
or collections of fileservers, with different administrators, can
form a federation of fileservers and NSDB nodes that provides a
namespace composed of the filesets hosted on the different
fileservers and fileserver collections.
It should be possible, using a system that implements the protocols,
to share a common namespace across all the fileservers in the
federation. It should also be possible for different fileservers in
the federation to project different namespaces and enable clients to
traverse them.
Such a federation may contain an arbitrary number of NSDB nodes, each
belonging to a different administrative entity, and each providing
the mappings that define a part of a namespace. Such a federation
may also have an arbitrary number of administrative entities, each
responsible for administering a subset of the fileservers and NSDB
nodes. Acting in concert, the administrators should be able to build
and administer this multi-fileserver, multi-collection namespace.
It is not the intent of the federation to guarantee namespace
consistency across all client views. Since different parts of the
namespace may be administered by different entities, it is possible
that a client could be accessing a stale area of the namespace
managed by one entity because a part of the namespace above it,
managed by another entity, has changed.
3. Examples and Discussion
In this section we provide examples and discussion of the basic
operations facilitated by the federated file system protocol:
creating a fileset, adding a replica of a fileset, resolving a
junction, and creating a junction.
3.1. Create a Fileset and Its FSL(s)
A fileset is the abstraction of a set of files and the directory tree
that contains them. The fileset abstraction is the fundamental unit
of data management in the federation. This abstraction is
implemented by an actual directory tree whose root location is
specified by a fileset location (FSL).
In this section, we describe the basic requirements for starting with
a directory tree and creating a fileset that can be used in the
federation protocols. Note that we do not assume that the process of
creating a fileset requires any transformation of the files or the
Lentini, et al. Informational [Page 5]
^L
RFC 5716 Requirements for Federated File Systems January 2010
directory hierarchy. The only thing that is required by this process
is assigning the fileset a fileset name (FSN) and expressing the
location(s) of the implementation of the fileset as FSL(s).
There are many possible variations to this procedure, depending on
how the FSN that binds the FSL is created, and whether other replicas
of the fileset exist, are known to the federation, and need to be
bound to the same FSN.
It is easiest to describe this in terms of how to create the initial
implementation of the fileset, and then describe how to add replicas.
3.1.1. Creating a Fileset and an FSN
1. Choose the NSDB node that will keep track of the FSL(s) and
related information for the fileset.
2. Request that the NSDB node register a new FSN for the fileset.
The FSN may either be chosen by the NSDB node or by the server.
The latter case is used if the fileset is being restored, perhaps
as part of disaster recovery, and the server wishes to specify
the FSN in order to permit existing junctions that reference that
FSN to work again.
At this point, the FSN exists, but its location is unspecified.
3. Send the FSN, the local volume path, the export path, and the
export options for the local implementation of the fileset to the
NSDB node. Annotations about the FSN or the location may also be
sent.
The NSDB node records this information and creates the initial
FSL for the fileset.
3.1.2. Adding a Replica of a Fileset
Adding a replica is straightforward: the NSDB node and the FSN are
already known. The only remaining step is to add another FSL.
Note that the federation protocols do not include methods for
creating or managing replicas: this is assumed to be a platform-
dependent operation (at least at this time). The only requirement is
that these fileset replicas be registered and unregistered with the
NSDB.
Lentini, et al. Informational [Page 6]
^L
RFC 5716 Requirements for Federated File Systems January 2010
3.2. Junction Resolution
A fileset may contain references to other filesets. These references
are represented by junctions. If a client requests access to a
fileset object that is a junction, the server resolves the junction
to discover the FSL(s) that implements the referenced fileset.
There are many possible variations to this procedure, depending on
how the junctions are represented and how the information necessary
to perform resolution is represented by the server.
Step 4 is the only step that interacts directly with the federation
protocols. The rest of the steps may use platform-specific
interfaces.
1. The server determines that the object being accessed is a
junction.
2. Using the junction, the server does a local lookup to find the
FSN of the target fileset.
3. Using the FSN, the server finds the NSDB node responsible for the
target object.
4. The server contacts that NSDB node and asks for the set of FSLs
that implement the target FSN. The NSDB node responds with a set
of FSLs.
5. The server converts one or more of the FSLs to the location type
used by the client (e.g., a Network File System (NFSv4)
fs_location, as described in [RFC3530]).
6. The server redirects (in whatever manner is appropriate for the
client) the client to the location(s).
These steps are illustrated in Figure 2. The client sends request 1
to server X, in federation member ALPHA, in an attempt to reference
an object (which appears to the client as a directory). Server X
recognizes that the referenced object is actually a junction that
refers to a directory in a different fileset. Server X finds, from
the FSN in the junction, that the NSDB responsible for knowing the
location of the target of the junction is the NSDB of federation
member BETA. Server X sends request 2 to the NSDB of BETA, asking
for the current location of the directory. The NSDB sends response 3
to server X, telling the server that the directory is located on
server Y. Server X sends response 4 to the client, indicating that
the directory is in a "new" location on server Y. The client then
sends request 5 to server Y, repeating the initial request.
Lentini, et al. Informational [Page 7]
^L
RFC 5716 Requirements for Federated File Systems January 2010
Given the current requirements and definitions, this resolution
method MUST work. However, there is no requirement that this is the
only resolution method that can be used. This method may be used as
the fallback when all else fails (or, for a simple implementation, it
could be the only method). This is a degenerate implementation of
the NSDB service as a simple composition of NSDB nodes; we expect
that large federations will use more sophisticated methods to share
the FSN and FSL information among multiple NSDB nodes.
+---------------+
| |
| Client | >--------------------------+
| | |
+---------------+ |
v ^ |
+-----+---+-------------+ +-----------------+-----+
| | | Federation| |Federation | |
| | | member | |member | |
| | | ALPHA | |BETA | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | +---------+ | |
| | | +---------+------+-> | | | |
| | | | | | | NSDB Y | | |
| | | | +-----+------+-< | | | |
| | | | | | | +---------+ | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| 1| 4| 2| 3| | | 5| |
| v ^ ^ v | | v |
| +---------------+ | | +---------------+ |
| | | | | | | |
| | Server X | | | | Server Y | |
| | | | | | | |
| +---------------+ | | +---------------+ |
| | | |
+-----------------------+ +-----------------------+
Figure 2
Lentini, et al. Informational [Page 8]
^L
RFC 5716 Requirements for Federated File Systems January 2010
3.3. Junction Creation
Given a local path and the FSN of a remote fileset, an administrator
can create a junction from the local path to the remote fileset.
There are many possible variations to this procedure, depending on
how the junctions are represented and how the information necessary
to perform resolution is represented by the server.
Step 1 is the only step that uses the federation interfaces. The
remaining step may use platform-specific interfaces.
1. The administrator requests the server create a junction to the
FSN of the remote fileset at the given path.
2. The server inserts the junction to the FSN, at the given path,
into the local filesystem.
4. Glossary
Administrator: user with the necessary authority to initiate
administrative tasks on one or more servers.
Admin Entity: A server or agent that administers a collection of
fileservers and persistently stores the namespace information.
Client: Any client that accesses the fileserver data using a
supported filesystem access protocol.
Federation: A set of server collections and singleton servers that
use a common set of interfaces and protocols in order to provide
to their clients a federated namespace accessible through a
filesystem access protocol.
Fileserver: A server exporting a filesystem via a network filesystem
access protocol.
Fileset: The abstraction of a set of files and the directory tree
that contains them. A fileset is the fundamental unit of data
management in the federation.
Note that all files within a fileset are descendants of one
directory, and that filesets do not span filesystems.
Lentini, et al. Informational [Page 9]
^L
RFC 5716 Requirements for Federated File Systems January 2010
Filesystem: A self-contained unit of export for a fileserver, and
the mechanism used to implement filesets. The fileset does not
need to be rooted at the root of the filesystem, nor at the export
point for the filesystem.
A single filesystem MAY implement more than one fileset, if the
client protocol and the fileserver permit this.
Filesystem Access Protocol: A network filesystem access protocol
such as NFSv2 [RFC1094], NFSv3 [RFC1813], NFSv4 [RFC3530], or CIFS
(Common Internet File System) [MS-SMB] [MS-SMB2] [MS-CIFS].
FSL (Fileset Location): The location of the implementation of a
fileset at a particular moment in time. An FSL MUST be something
that can be translated into a protocol-specific description of a
resource that a client can access directly, such as an fs_location
(for NFSv4), or share name (for CIFS). Note that not all FSLs
need to be explicitly exported as long as they are contained
within an exported path on the fileserver.
FSN (Fileset Name): A platform-independent and globally unique name
for a fileset. Two FSLs that implement replicas of the same
fileset MUST have the same FSN, and if a fileset is migrated from
one location to another, the FSN of that fileset MUST remain the
same.
Junction: A filesystem object used to link a directory name in the
current fileset with an object within another fileset. The
server-side "link" from a leaf node in one fileset to the root of
another fileset.
Namespace: A filename/directory tree that a sufficiently authorized
client can observe.
NSDB (Namespace Database) Service: A service that maps FSNs to FSLs.
The NSDB may also be used to store other information, such as
annotations for these mappings and their components.
NSDB Node: The name or location of a server that implements part of
the NSDB service and is responsible for keeping track of the FSLs
(and related info) that implement a given partition of the FSNs.
Referral: A server response to a client access that directs the
client to evaluate the current object as a reference to an object
at a different location (specified by an FSL) in another fileset,
and possibly hosted on another fileserver. The client re-attempts
the access to the object at the new location.
Lentini, et al. Informational [Page 10]
^L
RFC 5716 Requirements for Federated File Systems January 2010
Replica: A replica is a redundant implementation of a fileset. Each
replica shares the same FSN, but has a different FSL.
Replicas may be used to increase availability or performance.
Updates to replicas of the same fileset MUST appear to occur in
the same order, and therefore each replica is self-consistent at
any moment.
We do not assume that updates to each replica occur
simultaneously. If a replica is offline or unreachable, the other
replicas may be updated.
Server Collection: A set of fileservers administered as a unit. A
server collection may be administered with vendor-specific
software.
The namespace provided by a server collection could be part of the
federated namespace.
Singleton Server: A server collection containing only one server; a
stand-alone fileserver.
5. Proposed Requirements
The phrase "USING THE FEDERATION INTERFACES" implies that the
subsequent requirement must be satisfied, in its entirety, via the
federation interfaces.
Note that the requirements are described in terms of correct behavior
by all entities. We do not address the requirements of the system in
the presence of faults.
5.1. Basic Assumptions
Several of the requirements are so fundamental that we treat them as
basic assumptions; if any of these assumptions are violated, the rest
of the requirements must be reviewed in their entirety.
A1: The federation protocols do not require any changes to existing
client-facing protocols, and MAY be extended to incorporate new
client-facing protocols.
Lentini, et al. Informational [Page 11]
^L
RFC 5716 Requirements for Federated File Systems January 2010
A2: A client SHOULD NOT require any a priori knowledge of the
general structure or composition of the federation.
The client may require some specific knowledge in order to find
and access an instance of the fileset that defines the root of
its view of the namespace. As the client traverses the
namespace, the client discovers the information it needs in
order to locate the filesets it accesses.
A3: All requirements MUST be satisfiable via the federation
protocols and the standard protocols used by the fileservers
(i.e., NFS, CIFS, DNS, etc.).
USING THE FEDERATION INTERFACES, a federation operation that
requires an interaction between two (or more) entities that are
members of the federation MUST be possible without requiring any
proprietary protocols.
A4: All the entities participating in a federation operation MUST be
able to authenticate each other.
All principals (clients, users, administrator of a singleton or
server collection, hosts, NSDB nodes, etc.) that can assume a
role defined by the federation protocol can identify themselves
to each other via an authentication mechanism. This mechanism
is not defined or further described in this document.
The authority of a principal to request that a second principal
perform a specific operation is ultimately determined by the
second. Authorization may be partitioned by server collection
or set of servers as well as by operation. For example, if a
user has administrative privileges on one server in the
federation, this does not imply that they have administrative
privileges (or, for that matter, any privileges whatsoever) on
any other server in the federation.
In order to access the functionality provided by the federation
interfaces, it may be necessary to have elevated privileges or
authorization. The authority required by different operations
may be different. For example, the authority required to query
the NSDB about the FSLs bound to an FSN may be different than
the authority required to change the bindings of that FSN.
An operation attempted by an unauthorized entity MUST fail in a
manner that indicates that the failure was due to insufficient
authorization.
Lentini, et al. Informational [Page 12]
^L
RFC 5716 Requirements for Federated File Systems January 2010
This document does not enumerate the authorization necessary for
any operation.
A5: The federation protocols MUST NOT require changes to existing
authentication/authorization mechanisms in use at the
fileservers for client-facing protocols.
A user's view of the namespace may be limited by the
authentication and authorization privileges it has on the
different fileservers in the federation. As such, users may
only be able to traverse the parts of the namespace to which
they have access.
The federation protocols do not impose any restrictions on how
users are represented within the federation. For example, a
single enterprise could employ a common identity for users
across the federation. A grid environment could utilize user
mapping or translations across different administrative domains.
A6: In a federated system, we assume that an FSN MUST express, or
can be used to discover, the following two pieces of
information:
1. The location of the NSDB node that is responsible for
knowing the filesystem location(s) (FSLs) of the named
fileset.
The NSDB node must be specified because there may be many
NSDB nodes in a federation. We do not assume that any
single entity knows the location of all of the NSDB nodes,
and therefore exhaustive search is not an option.
There are several ways in which a fileserver can locate the
NSDB node responsible for a given fileset. One approach,
given a DNS infrastructure, is to specify the location of
the NSDB node by the Fully-Qualified Domain Name (FQDN) of
the server hosting the NSDB node. Another approach is to
use a separate DNS-style hierarchy to resolve the location
of the NSDB node.
2. The FSN identifier.
The FSN identifier is the index used by the NSDB node to
identify the target fileset.
There are several ways to represent FSN identifiers. One
approach could use 128-bit Universally Unique IDentifiers
(UUIDs) as described in [RFC4122].
Lentini, et al. Informational [Page 13]
^L
RFC 5716 Requirements for Federated File Systems January 2010
As an example, an FSN could be represented by a URL of the form
nsdb://nsdb.example.com/UUID where nsdb is the scheme name,
nsdb.example.com is the FQDN of the server hosting the NSDB
node, and UUID is the string representation of the identifier.
Note that it is not assumed that it is always required for a
server to contact the NSDB node specified by the FSN in order to
find the FSLs. The relevant information stored in that NSDB
node may also be cached local to the server or on a proxy NSDB
node "near" the server.
A7: All federation servers and NSDB nodes are assumed to execute the
federation protocols correctly. The behavior of the federation
is undefined in the case of Byzantine behavior by any federation
server or NSDB node.
A8: The locations of federation services (such as NSDBs and FSLs)
can be specified in a manner such that they can be correctly
interpreted by all members of the federation that will access
them.
For example, if an NSDB node is specified by an FQDN, then this
implies that every member of the federation that needs to access
this NSDB node can resolve this FQDN to an IP address for that
NSDB node. (It is not necessary that the FQDN always resolve to
the same address; the same service may appear at different
addresses on different networks.)
It is the responsibility of each federation member to ensure
that the resources it wishes to expose have accessible network
locations and that the necessary resolution mechanisms (i.e.,
DNS) are given the necessary data to perform the resolution
correctly.
5.2. Requirements
R1: Requirements of each FSN:
a. Each FSN MUST be unique within the scope of its NSDB (so
that the FSN is globally unique).
b. The FSN MUST be sufficiently descriptive to locate an
instance of the fileset it names within the federation at
any time.
c. All FSNs MUST be invariant when their underlying
filesystems move or are replicated; only mappings from FSN
to FSL(s) change under these transformations.
Lentini, et al. Informational [Page 14]
^L
RFC 5716 Requirements for Federated File Systems January 2010
d. All files accessible from the global namespace MUST be part
of a fileset that has an assigned FSN.
Not all filesets in the federation are required to have an FSN
or be reachable by an FSL. Only those filesets that are the
target of a junction (as described in R3) are required to have
an FSN.
The FSN format MAY be of variable size. If the format is
variable in size, fileserver implementations MAY have a maximum
supported FSN size. By bounding the FSN size, some fileserver
implementations might be able to efficiently organize FSNs in
stable storage. For interoperability, the federation protocols
SHOULD define an FSN size that all fileservers support.
R2: USING THE FEDERATION INTERFACES, it MUST be possible to create
an FSN for a fileset, and it must be possible to bind an FSL to
that FSN. These operations are NSDB operations and do not
require any action on the part of a file server.
It is possible to create an FSN for a fileset that has not
actually been created. It is also possible to bind a
nonexistent FSL to an FSN. It is also possible to create a
fileset without assigning it an FSN. The binding between an
FSN and an FSL is defined entirely within the context of the
NSDB; the servers do not "know" whether the filesets they host
have been assigned FSNs (or, if so, what those FSNs are).
The requirement that filesets can exist prior to being assigned
an FSN and the requirement that FSNs can exist independent of
filesets are intended to simplify the construction of the
namespace in a convenient manner. For example, they permit an
admin to assign FSNs to existing filesets and thereby
incorporate existing filesets into the namespace. They also
permit the structure of the namespace to be defined prior to
creation of the component filesets. In either case, it is the
responsibility of the entity updating the NSDB with FSNs and
FSN-to-FSL mappings to ensure that the namespace is constructed
in a consistent manner. (The simplest way to accomplish this
is to ensure that the FSN and FSN-to-FSL mappings are always
recorded in the NSDB prior to the creation of any junctions
that refer to that FSN.)
a. An administrator MAY specify the entire FSN (including both
the NSDB node location and the identifier) of the newly
created FSL, or the administrator MAY specify only the NSDB
node and have the system choose the identifier.
Lentini, et al. Informational [Page 15]
^L
RFC 5716 Requirements for Federated File Systems January 2010
The admin can choose to specify the FSN explicitly in order
to recreate a lost fileset with a given FSN (for example,
as part of disaster recovery). It is an error to assign an
FSN that is already in use by an active fileset.
Note that creating a replica of an existing filesystem is
NOT accomplished by assigning the FSN of the filesystem you
wish to replicate to a new filesystem.
b. USING THE FEDERATION INTERFACES, it MUST be possible to
create a federation FSL by specifying a specific local
volume, path, export path, and export options.
R3: USING THE FEDERATION INTERFACES, and given the FSN of a target
fileset, it MUST be possible to create a junction to that
fileset at a named place in another fileset.
After a junction has been created, clients that access the
junction transparently interpret it as a reference to the
FSL(s) that implement the FSN associated with the junction.
a. It SHOULD be possible to have more than one junction whose
target is a given fileset. In other words, it SHOULD be
possible to mount a fileset at multiple named places.
b. If the fileset in which the junction is created is
replicated, then the junction MUST eventually appear in all
of its replicas.
The operation of creating a junction within a fileset is
treated as an update to the fileset, and therefore obeys
the general rules about updates to replicated filesets.
R4: USING THE FEDERATION INTERFACES, it MUST be possible to delete
a specific junction from a fileset.
If a junction is deleted, clients who are already viewing the
fileset referred to by the junction after traversing the
junction MAY continue to view the old namespace. They might
not discover that the junction no longer exists (or has been
deleted and replaced with a new junction, possibly referring to
a different FSN).
After a junction is deleted, another object with the same name
(another junction, or an ordinary filesystem object) may be
created.
Lentini, et al. Informational [Page 16]
^L
RFC 5716 Requirements for Federated File Systems January 2010
The operation of deleting a junction within a fileset is
treated as an update to the fileset, and therefore obeys the
general rules about updates to replicated filesets.
R5: USING THE FEDERATION INTERFACES, it MUST be possible to
invalidate an FSN.
a. If a junction refers to an FSN that is invalid, attempting
to traverse the junction MUST fail.
An FSN that has been invalidated MAY become valid again if the
FSN is recreated (i.e., as part of a disaster recovery
process).
If an FSN is invalidated, clients who are already viewing the
fileset named by the FSN MAY continue to view the old
namespace. They might not discover that the FSN is no longer
valid until they try to traverse a junction that refers to it.
R6: USING THE FEDERATION INTERFACES, it MUST be possible to
invalidate an FSL.
a. An invalid FSL MUST NOT be returned as the result of
resolving a junction.
An FSL that has been invalidated MAY become valid again if the
FSL is recreated (i.e., as part of a disaster recovery
process).
If an FSL is invalidated, clients who are already viewing the
fileset implemented by the FSL MAY continue to use that FSL.
They might not discover that the FSL is no longer valid until
they try to traverse a junction that refers to the fileset
implemented by the FSL.
Note that invalidating an FSL does not imply that the
underlying export or share (depending on the file access
protocol in use) is changed in any way -- it only changes the
mappings from FSNs to FSLs on the NSDB.
R7: It MUST be possible for the federation of servers to provide
multiple namespaces.
R8: USING THE FEDERATION INTERFACES:
a. It MUST be possible to query the fileserver named in an FSL
to discover whether a junction exists at a given path
within that FSL.
Lentini, et al. Informational [Page 17]
^L
RFC 5716 Requirements for Federated File Systems January 2010
b. It MAY be possible to query the fileserver named in an FSL
to discover the junctions, if any, in that FSL. If this
feature is implemented, the fileserver SHOULD report each
junction's path within the FSL and the targeted FSN.
R9: The projected namespace (and the objects named by the
namespace) MUST be accessible to clients via at least one of
the following standard filesystem access protocols:
a. The namespace SHOULD be accessible to clients via versions
of the CIFS (Common Internet File System) protocol as
described in [MS-SMB] [MS-SMB2] [MS-CIFS].
b. The namespace SHOULD be accessible to clients via the NFSv4
protocol as described in [RFC3530].
c. The namespace SHOULD be accessible to clients via the NFSv3
protocol as described in [RFC1813].
d. The namespace SHOULD be accessible to clients via the NFSv2
protocol as described in [RFC1094].
It must be understood that some of these protocols, such as
NFSv3 and NFSv2, have no innate ability to access a namespace
of this kind. Where such protocols have been augmented with
other protocols and mechanisms (such as autofs or amd for
NFSv3) to provide an extended namespace, we propose that these
protocols and mechanisms may be used, or extended, in order to
satisfy the requirements given in this document, and different
clients may use different mechanisms.
R10: USING THE FEDERATION INTERFACES, it MUST be possible to modify
the NSDB mapping from an FSN to a set of FSLs to reflect the
migration from one FSL to another.
R11: FSL migration SHOULD have little or no impact on the clients,
but this is not guaranteed across all federation members.
Whether FSL migration is performed transparently depends on
whether the source and destination servers are able to do so.
It is the responsibility of the administrator to recognize
whether or not the migration will be transparent, and advise
the system accordingly. The federation, in turn, MUST advise
the servers to notify their clients, if necessary.
Lentini, et al. Informational [Page 18]
^L
RFC 5716 Requirements for Federated File Systems January 2010
For example, on some systems, it may be possible to migrate a
fileset from one system to another with minimal client impact
because all client-visible metadata (inode numbers, etc.) are
preserved during migration. On other systems, migration might
be quite disruptive.
R12: USING THE FEDERATION INTERFACES, it MUST be possible to modify
the NSDB mapping from an FSN to a set of FSLs to reflect the
addition/removal of a replica at a given FSL.
R13: Replication SHOULD have little or no negative impact on the
clients.
Whether FSL replication is performed transparently depends on
whether the source and destination servers are able to do so.
It is the responsibility of the administrator initiating the
replication to recognize whether or not the replication will be
transparent, and advise the federation accordingly. The
federation MUST advise the servers to notify their clients, if
necessary.
For example, on some systems, it may be possible to mount any
FSL of an FSN read/write, while on other systems, there may be
any number of read-only replicas but only one FSL that can be
mounted as read/write.
R14: USING THE FEDERATION INTERFACES, it SHOULD be possible to
annotate the objects and relations managed by the federation
protocol with arbitrary name/value pairs.
These annotations are not used by the federation protocols --
they are intended for use by higher-level protocols. For
example, an annotation that might be useful for a system
administrator browsing the federation would be the "owner" of
each FSN (i.e., "this FSN is for the home directory of Joe
Smith"). As another example, the annotations may express hints
used by the clients (such as priority information for NFSv4.1).
Both FSNs and FSLs may be annotated. For example, an FSN
property might be "This is Joe Smith's home directory", and an
FSL property might be "This instance of the FSN is at the
remote backup site".
a. USING THE FEDERATION INTERFACES, it MUST be possible to
query the system to find the annotations for a junction.
Lentini, et al. Informational [Page 19]
^L
RFC 5716 Requirements for Federated File Systems January 2010
b. USING THE FEDERATION INTERFACES, it MUST be possible to
query the system to find the annotations for an FSN.
c. USING THE FEDERATION INTERFACES, it MUST be possible to
query the system to find the annotations for an FSL.
R15: It MUST be possible for the federation to project a namespace
with a common root.
a. It SHOULD be possible to define a root fileset that is
exported by one or more fileservers in the federation as
the top level of a namespace. (Corollary: There is one
root fileset per namespace and it is possible to support
multiple namespaces per federation.)
b. It SHOULD be possible for a fileserver to locate an NSDB
that stores the layout of a root fileset.
c. It SHOULD be possible to access, store, and update
information related to a root fileset using the federation
protocols.
d. It SHOULD be possible to replicate root fileset information
across multiple repositories.
e. If a root fileset is defined, it SHOULD be possible to
enable a fileserver to export that root fileset for client
access.
f. If a root fileset is defined, it SHOULD be possible for
multiple fileservers to project a common root with defined
consistency semantics.
g. If a root fileset is defined, it SHOULD be stored using a
compact representation that is compatible with
heterogeneous fileserver implementations. The root
fileset's internal format SHOULD contain enough information
to generate any attributes, including referrals, required
by the standard filesystem access protocols in R9.
Lentini, et al. Informational [Page 20]
^L
RFC 5716 Requirements for Federated File Systems January 2010
6. Non-Requirements
N1: It is not necessary for the namespace to be known by any
specific fileserver.
In the same manner that clients do not need to have a priori
knowledge of the structure of the namespace or its mapping onto
federation members, the projected namespace can exist without
individual fileservers knowing the entire organizational
structure, or, indeed, without knowing exactly where in the
projected namespace the filesets they host exist.
Fileservers do need to be able to handle referrals from other
fileservers, but they do not need to know what path the client
was accessing when the referral was generated.
N2: It is not necessary for updates and accesses to the NSDB data to
occur in transaction or transaction-like contexts.
One possible requirement that is omitted from our current list
is that updates and accesses to the data stored in the NSDB (or
individual NSDB nodes) occur within a transaction context. We
were not able to agree whether the benefits of transactions are
worth the complexity they add (both to the specification and its
eventual implementation), but this topic is open for discussion.
Below is the draft of a proposed requirement that provides
transactional semantics:
There MUST be a way to ensure that sequences of operations,
including observations of the namespace (including finding
the locations corresponding to a set of FSNs) and changes to
the namespace or related data stored in the system (including
the creation, renaming, or deletion of junctions, and the
creation, altering, or deletion of mappings between FSN and
filesystem locations), can be performed in a manner that
provides predictable semantics for the relationship between
the observed values and the effect of the changes.
It MUST be possible to protect sequences of operations by
transactions with NSDB-wide or server-wide Atomicity,
Consistency, Isolation, and Durability (ACID) semantics.
Lentini, et al. Informational [Page 21]
^L
RFC 5716 Requirements for Federated File Systems January 2010
7. Security Considerations
Assuming the Internet threat model, the federated resolution
mechanism described in this document MUST be implemented in such a
way to prevent loss of CONFIDENTIALITY, DATA INTEGRITY, and PEER
ENTITY AUTHENTICATION, as described in [RFC3552].
CONFIDENTIALITY may be violated if an unauthorized party is able to
eavesdrop on the communication between authorized servers and NSDB
nodes and thereby learn the locations or other information about FSNs
that they would not be authorized to discover via direct queries.
DATA INTEGRITY may be compromised if a third party is able to
undetectably alter the contents of the communication between servers
and NSDB nodes. PEER ENTITY AUTHENTICATION is defeated if one server
can masquerade as another server without proper authority, or if an
arbitrary host can masquerade as a NSDB node.
Well-established techniques for providing authenticated channels may
be used to defeat these attacks, and the protocol MUST support at
least one of them.
For example, if Lightweight Directory Access Protocol (LDAP) is used
to implement the query mechanism [RFC4510], then Transport Layer
Security (TLS) may be used to provide both authentication and
integrity [RFC5246] [RFC4513]. If the query protocol is implemented
on top of Open Network Computing / Remote Procedure Call (ONC/RPC),
then RPCSEC_GSS may be used to fill the same role [RFC2203]
[RFC2743].
A federation could contain multiple Public Key Infrastructure (PKI)
trust anchors [RFC5280]. The federation protocols SHOULD define a
mechanism for managing a fileserver's NSDB trust anchors
[TA-MGMT-REQS]. A general purpose trust anchor management protocol
[TAMP] would be appropriate, though it might be desirable for the
federation protocols to facilitate trust anchor management by, for
example, using trust anchor interchange formats [TA-FORMAT].
It is useful to note that the requirements described in this document
lead naturally to a system with distributed authorization, which has
scalability and manageability benefits.
FSNs are likely to be long-lived resources. Therefore, the privilege
to create FSNs SHOULD be carefully controlled. To assist in
determining if an FSN is referenced by a junction somewhere in the
federation, the NSDB records SHOULD include non-authoritative
informational annotations recording the locations of any such
junctions. These annotations are non-authoritative because a
Lentini, et al. Informational [Page 22]
^L
RFC 5716 Requirements for Federated File Systems January 2010
junction might be created, deleted, or modified by an individual that
does not have permission to modify the NSDB records.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3530] Shepler, S., Callaghan, B., Robinson, D., Thurlow,
R., Beame, C., Eisler, M., and D. Noveck, "Network
File System (NFS) version 4 Protocol", RFC 3530,
April 2003.
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing
RFC Text on Security Considerations", BCP 72,
RFC 3552, July 2003.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122,
July 2005.
[RFC4510] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): Technical Specification Road Map", RFC 4510,
June 2006.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation
List (CRL) Profile", RFC 5280, May 2008.
[RFC5661] Shepler, S., Eisler, M., and D. Noveck, "Network File
System Version 4 Minor Version 1", RFC 5661,
January 2010.
8.2. Informative References
[MS-CIFS] Microsoft Corporation, "Common Internet File System
(CIFS) Protocol Specification", MS-CIFS 2.0,
November 2009.
[MS-SMB] Microsoft Corporation, "Server Message Block (SMB)
Protocol Specification", MS-SMB 17.0, November 2009.
[MS-SMB2] Microsoft Corporation, "Server Message Block (SMB)
Version 2 Protocol Specification", MS-SMB2 19.0,
November 2009.
Lentini, et al. Informational [Page 23]
^L
RFC 5716 Requirements for Federated File Systems January 2010
[RFC1094] Nowicki, B., "NFS: Network File System Protocol
specification", RFC 1094, March 1989.
[RFC1813] Callaghan, B., Pawlowski, B., and P. Staubach, "NFS
Version 3 Protocol Specification", RFC 1813,
June 1995.
[RFC2203] Eisler, M., Chiu, A., and L. Ling, "RPCSEC_GSS
Protocol Specification", RFC 2203, September 1997.
[RFC2743] Linn, J., "Generic Security Service Application
Program Interface Version 2, Update 1", RFC 2743,
January 2000.
[RFC4513] Harrison, R., "Lightweight Directory Access Protocol
(LDAP): Authentication Methods and Security
Mechanisms", RFC 4513, June 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer
Security (TLS) Protocol Version 1.2", RFC 5246,
August 2008.
[TA-FORMAT] Housley, R., Ashmore, S., and C. Wallace, "Trust
Anchor Format", Work in Progress, October 2009.
[TA-MGMT-REQS] Reddy, R. and C. Wallace, "Trust Anchor Management
Requirements", Work in Progress, September 2009.
[TAMP] Housley, R., Ashmore, S., and C. Wallace, "Trust
Anchor Management Protocol (TAMP)", Work in Progress,
December 2009.
Lentini, et al. Informational [Page 24]
^L
RFC 5716 Requirements for Federated File Systems January 2010
Appendix A. Acknowledgments
We would like to thank Robert Thurlow of Sun Microsystems for helping
to author this document.
We would also like to thank Peter McCann and Nicolas Williams for
their comments and suggestions.
Authors' Addresses
James Lentini
NetApp
1601 Trapelo Rd, Suite 16
Waltham, MA 02451
US
Phone: +1 781-768-5359
EMail: jlentini@netapp.com
Craig Everhart
NetApp
7301 Kit Creek Rd
Research Triangle Park, NC 27709
US
Phone: +1 919-476-5320
EMail: everhart@netapp.com
Daniel Ellard
BBN Technologies
10 Moulton Street
Cambridge, MA 02138
US
Phone: +1 617-873-8000
EMail: dellard@bbn.com
Renu Tewari
IBM Almaden
650 Harry Rd
San Jose, CA 95120
US
EMail: tewarir@us.ibm.com
Lentini, et al. Informational [Page 25]
^L
RFC 5716 Requirements for Federated File Systems January 2010
Manoj Naik
IBM Almaden
650 Harry Rd
San Jose, CA 95120
US
EMail: manoj@almaden.ibm.com
Lentini, et al. Informational [Page 26]
^L
|
