NASD Attributes
Table 2: NASD Partition Operations Table 3: NASD Drive Operations Table 4: Well Known NASD Objects Table 5: NASD Object Attributes Table 6: NASD Key Hierarchy Table 7: NASD Protection Options
NASD Object, Partition and Drive Operations
In the NASD interface, drives store variable-length, logical byte streams
called objects, abandoning the notion that file managers must understand
and directly control storage layout. The filesystem, allocating storage
for a new file, requests one or more objects to hold the file's data.
Read and write operations apply to a byte region (or multiple regions)
within an object. The layout of an object on the physical media is determined
by the NASD drive. To exploit locality decisions made by the file manager,
sequential addresses in NASD objects are allocated on the media to achieve
fast sequential access. For inter-object clustering, NASD adopts a linked
list of objects where proximity in the list encourages proximity on the
media. Tables 1, 2, and 3
present NASD operations on objects, partitions and drives. Several attributes
associated with each NASD object and visible to file managers and clients
are enumerated in Table 5.
|
| Operation | Arguments | Return Values | Description |
| create | partition, initial attribute | new identifier and attribute, status | create new object on the specified partition, optionally setting initial attributes |
| remove | partition, identifier | status | remove an object from partition |
| getattr | partition, identifier | attribute, status | get attributes from an object |
| setattr | partition, identifier, attribute | new attribute, status | change a portion of an object's attributes, retrieving current attributes when complete |
| read | partition, identifier, regions | data, length, status | read from a strided list of scatter-gather regions |
| write | partition, identifier, regions, data | length, status | write to a strided list of scatter-gather regions |
| fastcopy | partition, source identifier | new identifier and attributes, status | efficiently clone an object |
| flush | partition, list of identifiers | status | commit any cached writes to stable store |
| blocksrequired | partition, identifier, regions | est. blocks required, max. blocks required, status | determine how many additional blocks are required to store an object after completely overwriting indicated regions within the object |
| Operation | Arguments | Return Values | Description |
| create partition | partition | status | create new partition (zero sized) |
| remove partition | partition | status | remove a partition |
| resize partition | partition, new size | status | set a partition's size |
| flush partition | partition | status | commit any cached writes for a partition to stable store |
| setpartitionkey | partition, key name, key value | status | set master key for a partition |
| Operation | Arguments | Return Values | Description |
| initialize | new master keys, clock value and skew, master key | status | sets master keys, sets time, invalidates all other keys, clears partitions |
| setdrivekey | new drive key, master key | status | sets primary control key for a drive |
| inquiry | - | drive information | retrieve basic drive information (vendor, model, existing partitions) |
Well Known NASD Objects
NASD partitions have four objects with well known names, Drive Control, Partition Control, Partition Contents, and First Object, that are created with each partition as described in Table 4. Drive Control describes the drive's physical parameters (magnetic, NVRAM, and RAM capacity, etc.), number and size of partitions, clock parameters and value, and interface extensions supported. There is only one drive control object per drive. Partition Control is unique in each partition and describes the partition's resources (bytes in use, bytes available, object descriptors in use, object descriptors available, etc.). The Partition Contents object is distinct in each partition and contains an array of object names, one for each object in use in that partition, for use by filesystem recovery mechanisms. First Object allows filesystems to locate an object with a well-known name that can be used as a starting point for filesystem-specific state.
| Name | Description |
| Drive Control | basic control information for drive: clock, physical parameters, extensions supported, bytes allocated |
| Partition Control | basic control information for partition: current size, byte usage, number of objects supported, number of objects allocated |
| Partition Contents | read only list of identifiers of NASD objects allocated in the partition |
| Trace Data | reads a log of operations performed on NASD |
NASD Object Attributes
Most attributes have values set externally under control of the file manager's capabilities, or communicate information used internally by the NASD drive. For example, in a particular NASD drive, the block_size attribute may not be adjustable, or may only be adjustable during the create operation. Timestamps are set by the NASD drive according to its internal clock. Because NASD drives may implement storage management strategies that dynamically change an object's representation internally, attribute_modify_time may not correspond to the time of any external operation on this object.
The fs-specific attribute is made available for filesystem book keeping and is not interpreted by NASD. For instance, a UNIX filesystem representing files as individual NASD objects could store owner, group and permission bits in the fs-specific attribute.
The fs_data_modify_time and fs_attribute_modify_time attributes are updated by NASD when data or attributes are modified, but a setattr operation can change these values. This feature allows a filesystem to achieve synchronous modification timestamps without synchronous oversight and without surrendering the ability to adjust timestamps. Thus, there is no need for a fs_create_time because this can be maintained by the filesystem in the much larger fs_specific attribute.
While most NASD operations apply to a single object, or independently to a set of objects, the fastcopy operation creates and returns a new object whose data is an identical copy of an existing object and whose copied_object attribute names the original object. Other attributes of the new object default to the equivalent in the copied object, but NASD-maintained fields are set in accordance with create operation semantics.
NASD-embedded compression similarly introduces a possibly temporary reduction in space needed to store an object. In both of these cases blocks_used is “honest”; for copy-on-write, the sum of the blocks_used attributes of the two objects is the total space needed to represent both. NASD drives let filesystems ensure that an object is able to grow to its full size through the blocksrequired operation and the blocks_allocated attribute. The blocksrequired operation reports the most likely and maximal number of blocks that would be added to the representation of an object if a region of its existing contents were completely overwritten with arbitrary data.
| Type | Name | Set by | Semantics |
| Access Control | access_control_system | setattr | changing ACV logically revokes capabilities |
| Clustering | nearby_object | setattr | locate this object near 'nearby_object' |
| Cloning | copied_object | NASD | object was created as fastcopy of 'copied_object' |
| Size | logical_size | setattr, write | largest offset written |
| blocks_allocated | NASD, setattr | number of blocks reserved for this object | |
| blocks_used | NASD, write | number of blocks used to store object's data and metadata | |
| block_size | NASD, setattr | number of bytes per block | |
| Time | create_time | NASD | timestamp at time of object creation |
| data_modify_time | NASD | timestamp at time of last data modification | |
| attribute_modify_time | NASD | timestamp at time of last attribute update | |
| File System | fs_data_modify_time | NASD, setattr | timestamp at time of last data modification; modifiable |
| fs_attribute_modify_time | NASD, setattr | timestamp at time of last attribute update; modifiable | |
| fs_specific | setattr | 256 bytes uninterpreted by NASD |
NASD Key Hierarchy
NASD efficiently supports asynchronous oversight (access control) and secure communications using capabilities that have been cryptographically sealed by the appropriate authority (filesystem manager or partition manager). This approach depends on a long-term relationship, based on a shared secret, between a NASD drive and the appropriate authority. NASD protects this relationship with a four-level key hierarchy as shown in Table 6. The master key is the longest-lived secret; it will be immutable once set and not recorded outside of the NASD drive. It is infrequently used to establish a new drive key.
The drive key is a long-term, online key used to manipulate NASD partitions and changed at compromise or desynchronization. It establishes new keys for each partition. Assuming a filesystem manages a partition, the partition key is the strongest and longest-term key available to the filesystem. The partition key is establishes a pair of working keys for each partition employed for the frequent act of generating capabilities. A working key is changed regularly to limit its use and exposure.
The previous working key is maintained to prevent the regular change of a working key from rendering all outstanding capabilities invalid. The key hierarchy, clock, and a per-object access_control_version are the only long-term states necessary for security and of these, only the key hierarchy must be kept private. All the other information relating to capabilities can be generated on the fly.
| Name | Storage; Use | Frequency of Use |
| master key | offline; by drive owner or site administrator | used only to set drive key |
| drive key | online; by drive administrator (partition or backup manager); manipulate partitions, set partition keys. Optionally for any object operation | minimal |
| partition key | online; by file system manager (or equivalent); set working keys and optionally for any object operation | minimal |
| current working key | online; by file system manager; basis for capability generation and optionally for object operations | high |
| previous working key | online; by a file system manager; basis for capabilities generated under the previous working key | high |
NASD Protection Options
Requests to a particular NASD drive are authorized by demonstrating that the appropriate capability is held by the requester; specifically, by computing and transmitting the capability and appropriate keyed digest. All of the data used in the drive's authorization check is transmitted with every request, except for the on-drive copy of the drive's minimum protection options (see Table 7 ), the object's access_control_version attribute, and the secret working keys. Because the NASD's on-drive copy of the object's access_control_version is used in the authorization digest computation, a file manager can synchronously revoke all of the currently distributed capabilities for a particular object by changing this attribute.
| Protection Options | Description |
| NO_PROTECTION | digest values are not used or checked |
| INTEGRITY_ARGS | digest includes only command, status control field and nonce, not transferred data |
| INTEGRITY_DATA | digests include transferred data |
| PRIVACY_ARGS | command, status control field and nonce are encrypted |
| PRIVACY_DATA | transferred data is encrypted |
| PRIVACY_CAPABILITY | capability is encrypted under the working key |
©
2008.
Last updated
11 November, 2004