Abstract: One or more techniques and/or systems are provided for implementing storage level access control for data grouping structures. For example, a storage level access guard may be defined for a data grouping structure (e.g., a Qtree, a portion of a volume, etc.) of a storage device. The storage level access guard may be defined at a storage level of the storage device such that clients and/or certain administrators such as domain administrators may be restricted from accessing and/or changing the storage level access guard, which may increase data security. A hidden and unmodifiable property may be applied to the storage level access guard, which may be stored in a directory associated with the data grouping structure so that a logical replication of the data grouping structure may also replicate the storage level access guard.

Abstract: Techniques for dynamic throttling of scan requests for multiple scanners in a cluster of nodes are described. An apparatus may comprise a dynamic throttling service component for executing the dynamic throttling of scan requests for the multiple scanners in the cluster of nodes. The dynamic throttling service component operative to estimate, by the scanner proxy, a resource limit count value representative of resource capacity for servicing scan requests for each one of the multiple scanners in the cluster of nodes; detect a first scan request exceeds the resource limit count value for a first scanner; dynamically throttle each subsequent scan request for the first scanner in response to the first scan request exceeding the resource limit count value; and revise the resource limit count value, by the scanner proxy, for the first scanner.

Abstract: Systems, devices, methods, and computer program products are provided for temporarily implementing storage access policies within a storage system on behalf of an external computing agent while the external computing agent is offline or otherwise unable to receive and process storage access requests. A storage system receives a set of storage rules from a partner computing system. The set of storage rules define a storage access policy that allows specific users or user groups to perform storage access operations within a file system hosted by the storage system. The set of storage rules also include a time to live (TTL) instruction defining a period of time for which to enable the storage access policy. Upon receiving a storage access request from an external client computing system, the storage system compares the storage access request against the storage access policy to allow or deny the storage access request.

Abstract: Systems, devices, methods, and computer program products are provided for implementing customizable notification filters within a storage system to fine tune the types of storage access notifications that are transmitted to external computing agents. A storage system receives a set of notification rules from a partner computing system. The set of notification rules define a notification filter that specify which of a plurality of storage access requests from one or more client computing devices to forward to the partner computing system. The storage system stores the notification filter within a notification filter repository accessible by the storage system. Upon receiving a storage access request from an external client computing system, the storage system compares the storage access request against the notification filter to transmit a notification regarding the storage access request to the partner computing system or allow the storage access request without requiring transmission of notification.

Abstract: Systems, devices, methods, and computer program products are provided for implementing storage access policies within a storage system on behalf of external computing agents. A storage system receives a set of storage rules from a partner computing system. The set of storage rules define a storage access policy that allows specific users or user groups to perform storage access operations within a file system hosted by the storage system. The storage system stores the storage access policy on behalf of the partner computing system. Upon receiving a storage access request from an external client computing system, the storage system compares the storage access request against the storage access policy to allow the storage access request or transmit an event notification of the storage access request to the partner computing system.

Abstract: Techniques for maintaining dynamic configuration information of a multi-host off-cluster service on a cluster are described. An apparatus may comprise a dynamic configuration validation service component to execute to execute a dynamic configuration validation service for scanning files in a cluster of nodes. The dynamic configuration validation service component operative to validate a scanner version for each one of multiple scanners for scanning a file in a cluster of nodes, maintain the scanner version in a list of valid scanner versions for the multiple scanners, and scan the file by one of the one of multiple scanners having the scanner version contained in the list of the valid scanner versions.

Abstract: Techniques for maintaining dynamic configuration information of a multi-host off-cluster service on a cluster are described. An apparatus may comprise a dynamic configuration validation service component to execute to execute a dynamic configuration validation service for scanning files in a cluster of nodes. The dynamic configuration validation service component operative to validate a scanner version for each one of multiple scanners for scanning a file in a cluster of nodes, maintain the scanner version in a list of valid scanner versions for the multiple scanners, and scan the file by one of the one of multiple scanners having the scanner version contained in the list of the valid scanner versions.

Abstract: Techniques for dynamic throttling of scan requests for multiple scanners in a cluster of nodes are described. An apparatus may comprise a dynamic throttling service component for executing the dynamic throttling of scan requests for the multiple scanners in the cluster of nodes. The dynamic throttling service component operative to estimate, by the scanner proxy, a resource limit count value representative of resource capacity for servicing scan requests for each one of the multiple scanners in the cluster of nodes; detect a first scan request exceeds the resource limit count value for a first scanner; dynamically throttle each subsequent scan request for the first scanner in response to the first scan request exceeding the resource limit count value; and revise the resource limit count value, by the scanner proxy, for the first scanner.

Abstract: Techniques for maintaining dynamic configuration information of a multi-host off-cluster service on a cluster are described. An apparatus may comprise a dynamic configuration validation service component to execute to execute a dynamic configuration validation service for scanning files in a cluster of nodes. The dynamic configuration validation service component operative to validate a scanner version for each one of multiple scanners for scanning a file in a cluster of nodes, maintain the scanner version in a list of valid scanner versions for the multiple scanners, and scan the file by one of the one of multiple scanners having the scanner version contained in the list of the valid scanner versions.

Abstract: One or more techniques and/or systems are provided for implementing storage level access control for data grouping structures. For example, a storage level access guard may be defined for a data grouping structure (e.g., a Qtree, a portion of a volume, etc.) of a storage device. The storage level access guard may be defined at a storage level of the storage device such that clients and/or certain administrators such as domain administrators may be restricted from accessing and/or changing the storage level access guard, which may increase data security. A hidden and unmodifiable property may be applied to the storage level access guard, which may be stored in a directory associated with the data grouping structure so that a logical replication of the data grouping structure may also replicate the storage level access guard.

Abstract: One or more techniques and/or systems are provided for storage functionality rule implementation on behalf of external client agents. For example, a network storage controller may be configured to perform storage operations on behalf of clients, such as providing read/write access to storage devices. The network storage controller may receive a storage functionality rule (e.g., a rule that tracing is to be enabled for write operations by user (B)) from an external client agent hosted on a client device. Responsive to identify a storage operation context that corresponds to the storage functionality rule (e.g., user (B) may attempt to perform a write operation), the network storage controller may implement the storage functionality rule for the storage operation context on behalf of the external client agent. In this way, network bandwidth and/or processing latency otherwise associated with obtaining storage operation processing instructions from the external client agent may be mitigated.

Abstract: Methods and system for determining if a data container has been modified are provided. A first data container signature and a second data signature are generated by a storage operating system based on metadata information for the data container. The second data container signature is compared with the first data container signature to determine if the data container has been modified since the first data container signature was generated.

Abstract: Method and system for access based directory enumeration is provided. When a directory is enumerated for a first time, user credentials are verified against an access control list (ACL) entry that is referenced by an ACL inode (referred to as Xnode). The Xnode number is obtained from a file handle for a directory entry. The verification is recorded in a data structure that stores the Xnode identifier and user identifier. When the directory is enumerated again, the data structure is used to verify that the user has been validated before, instead of loading and checking against an ACL entry.

Abstract: A request is received, by a storage server, to access a resource based on a filehandle for the resource. A determination is made of whether an entry of a plurality of entries in an exports table has a filehandle that matches the filehandle for the resource. The entry includes a physical path of the resource that is different than an advertised path of the resource, in response to the filehandle in the entry retrieved using the physical path. In response to determining that the filehandle in the entry matches the filehandle for the resource, a determination is made of whether a pathname in the entry matches a pathname for the resource. In response to determining that the pathname in the entry matches the pathname for the resource, a determination is made of whether the client has permission to access the resource. The request to access the resource is executed.

Abstract: A method for operating a server first assigns a plurality of storage volumes to one or more storage devices. A plurality of sub-volumes is established within a namespace of each of the plurality of storage volumes. An instance of a virtual server is created, the virtual server having a plurality of assigned sub-volumes, the assigned sub-volumes chosen from different storage volumes of the plurality of storage volumes. A file system function is shared between the server and the instance of the virtual server, the file system function using at least one of the plurality of assigned sub-volumes.

Abstract: A storage system, such as a file server, uses pathname aliasing and exports a stored resource to clients by advertising to the clients a different pathname than the actual pathname of the resource.

Abstract: A system and method enables gradual transitioning of a server, such as a filer, to a new security domain and/or IP address scheme. A single physical platform may comprise multiple logical servers, such as virtual filers (vfilers), that simultaneously participate in different security domains and IP address schemes. Each logical server is allocated its own set of storage resources, such as volumes and qtrees, and network resources, such as network addresses. Additionally, a common set of storage resources may store a data set that is accessible to logical servers that participate in the different security domains and/or IP address schemes. Therefore, the server can transition from an old security domain to a new, e.g., upgraded, security domain, by gradually phasing out file access requests sent to a logical server in the old domain and redirecting those requests to a logical server in the new security domain.

Abstract: A method and apparatus for operating a computer data storage system is disclosed. A computer data storage system is administered by a physical server administrator. The physical server administrator administers the computer data storage system with a full administrative capability. The physical server administrator creates one or more virtual servers, each virtual server administrated by a virtual server administrator. Each virtual server administrator has a designated subset of the full administrative capability for administrating the virtual server.

Abstract: A technique efficiently creates and serves a backup data set on a backup filer located at a remote site from a primary filer by essentially moving an entire operating environment of a primary data set to the backup filer. The primary filer is organized into one or more virtual filers (vfilers), one of which (the primary vfiler) is configured to serve data, such as the primary data set, for a client. In the event that the primary filer or primary vfiler becomes unavailable, the technique may be implemented as a disaster recovery or data migration sequence to enable efficient instantiation of a backup vfiler to serve the backup data set for the client.

Abstract: A storage system, such as a file server, uses pathname aliasing and exports a stored resource to clients by advertising to the clients a different pathname than the actual pathname of the resource.