Abstract: A state machine and system for redundantly backing up data. A first storage facility is controlled by a first state machine having a finite number of states, each state having a set of allowed operations. The first state machine includes at least one state for controlling the first storage facility to operate as a primary storage facility for storing and updating a primary copy of the data. A second storage facility is controlled by a second state-machine that has least one state for controlling the second storage facility to operate as a secondary storage facility for storing redundant data. The second state machine also has at least one state for controlling the second storage facility to operate as the primary storage facility. The second storage facility assumes the role of primary in response to a fault at the first storage facility or based on the origin of request traffic.

Abstract: Techniques for performing data redundancy operations using a portal and a host computer. In one aspect, a primary data storage facility stores a primary copy of data and a secondary facility stores data that is redundant of the primary copy of the data. The primary facility includes a host computer having a first redundancy component for storing data for a sequence of write requests in storage associated with the primary storage facility and a first redundancy portal for retrieving the data and for forwarding the data to the secondary storage facility. The first redundancy portal is outside a communication path between the host computer and the storage. This prevents the redundancy portal from becoming a communication bottleneck. A second redundancy portal may be provided at the secondary facility.

Abstract: An asynchronous data redundancy technique. A primary copy of data is held at a primary storage facility, while data that is redundant of the primary copy is held at a secondary storage facility. To inhibit propagation of errors from the primary copy to the redundant data, write transactions to the redundant data are queued at the second storage facility, until a specified time elapses or until a specified event occurs (or until combination thereof occurs). Write transactions may be collected in groups at the primary facility prior to forwarding to the secondary facility and may also be batched at the secondary facility prior to being applied to the redundant data. Overwrites may be allowed within a group at the primary facility to conserve communication bandwidth between the primary and secondary storage facilities. Overwrites may be allowed within a batch at the secondary facility to conserve space occupied by the transactions at the secondary facility.

Abstract: A system for protecting data integrity in a network attached block-device, such as a disk or a disk array, includes a capability issuer module coupled to a metadata server. The capability-issuer module creates capability data in accordance with a predetermined set of rules, and issues the capability data to the client over a secured channel. The capability data includes a group identifier, a capability identifier, a block-device identifier, a list of extents for specifying a range of blocks to which access is granted, an access mode for indicating the type of access allowed, and a cryptographic string for preventing forgery of capabilities by unauthorized parties. A capability checker module coupled to a network attached block-device verifies that the client's block access request is consistent with the capability data issued, and that the capability data is authentic. Upon verifying the client's capability data, the client's block access request is granted and executed at the network-attached block-device.

Abstract: A method for managing access control of a resource includes storing a revocation list containing a list of revoked capabilities and their corresponding groups; storing a group list containing a list of valid groups; receiving a capability revocation request to revoke a specified capability; selecting a revocation method from among a plurality of revocation methods, including an individual capability revocation method and a group revocation method; revoking the specified capability by invalidating the group to which the specified capability belongs if the group revocation method is selected; and revoking the specified capability by invalidating only the specified capability if the individual capability revocation method is selected.