U.S. patent application number 09/157728 was filed with the patent office on 2002-01-03 for inherited information propagator for objects.
Invention is credited to STRAUBE, DAVE, WILLIAMS, TIM.
Application Number | 20020002557 09/157728 |
Document ID | / |
Family ID | 22565014 |
Filed Date | 2002-01-03 |
United States Patent
Application |
20020002557 |
Kind Code |
A1 |
STRAUBE, DAVE ; et
al. |
January 3, 2002 |
INHERITED INFORMATION PROPAGATOR FOR OBJECTS
Abstract
Dynamic inheritance for data in a replicated tree structured
database which is dynamically inherited from parent objects is
provided by only replicating original modifications, and then
causing each system to propagate inherited information across it's
local tree of objects. When a change to a security descriptor or a
reparenting of objects is received, a breadth first tree traversal
is used to find all the affected objects. An ID list is
incrementally deleted as each object is updated. A security
descriptor propagator queue is used to track the progress of
updates, and items are taken off the list only after they are
committed to the database. A gate is used to ensure that that
transactions which add new objects and the security descriptor
propagation transactions which write new security descriptors are
mutually exclusive. A new data structure for the propagation queue
comprises a table having a unique, incrementing number representing
an order, an identifier of the node to begin on, a flag indicting
whether the item may be trimmed a client id, an order index used to
find the next element in the queue and a trim index which tracks
all trimmable nodes.
Inventors: |
STRAUBE, DAVE; (REDMOND,
WA) ; WILLIAMS, TIM; (REDMOND, WA) |
Correspondence
Address: |
LEE & HAYES PLLC
421 W RIVERSIDE AVENUE SUITE 500
SPOKANE
WA
99201
|
Family ID: |
22565014 |
Appl. No.: |
09/157728 |
Filed: |
September 21, 1998 |
Current U.S.
Class: |
1/1 ;
707/999.001; 707/999.103; 707/999.201; 707/E17.005;
707/E17.032 |
Current CPC
Class: |
Y10S 707/99944 20130101;
G06F 16/27 20190101; Y10S 707/99943 20130101; Y10S 707/99945
20130101 |
Class at
Publication: |
707/103.00Z ;
707/201; 707/1 |
International
Class: |
G06F 017/30 |
Claims
We claim:
1. A method of modifying information inherited between objects when
one of the objects is modified, the method comprising: receiving a
modification to an object; searching for related objects;
recalculating portions of the related objects which need to be
modified as a result of the received modification; and modifying
the related objects with the recalculated portions.
2. The method of claim 1 and further comprising creating an id list
of the related objects.
3. The method of claim 1 and further comprising creating a list of
received modifications.
4. The method of claim 3 wherein the received modifications are
received from programs running on a single computer and are
received from programs running on networked computers.
5. The method of claim 3 and further comprising trimming the queue
to remove modifications that would be redundant.
6. The method of claim 1 wherein the modifications comprise
dynamically inherited security descriptors or parent lists.
7. The method of claim 1 wherein searching for related objects is
stopped for an object if the portion recalculated did not
change.
8. A method of updating replicated tree structured databases down
the tree from a modified object to appropriate child objects, the
method comprising: receiving an indication that an object has been
modified; performing a breadth first search of the tree from the
object that has been modified; retrieving objects found in the
search, including the object that has been modified; calculating
modifications for the retrieved objects; and modifying the
retrieved objects with the calculated modifications.
9. The method of claim 8 wherein the indication that an object has
been modified is received from a remote computer having a copy of
the replicated tree structured database that has an object which
has been modified.
10. A machine readable medium having instructions stored thereon
for causing a computer to perform a method of modifying information
inherited between objects when one of the objects is modified, the
method comprising: receiving a modification to an object; searching
for related objects; recalculating portions of the related objects
which need to be modified as a result of the received modification;
and modifying the related objects with the recalculated
portions.
11. The machine readable medium of claim 10 and further comprising
instructions for creating a queue of received modifications.
12. The method of claim 11 wherein the received modifications are
received from programs running on a single computer and are
received from programs running on networked computers.
13. The machine readable medium of claim 11 and further comprising
instructions for trimming the queue to remove modifications that
would be redundant.
14. A machine readable medium having instructions stored thereon
for causing a computer to perform a method of updating replicated
tree structured databases down the tree from a modified object to
appropriate child objects, the method comprising: receiving an
indication that an object has been modified; performing a breadth
first search of the tree from the object that has been modified;
retrieving objects found in the search, including the object that
has been modified; calculating modifications for the retrieved
objects; and modifying the retrieved objects with the calculated
modifications.
15. The machine readable medium of claim 14 wherein the indication
that an object has been modified is received from a remote computer
having a copy of the replicated tree structured database that has
an object which has been modified.
16. A computer system having a plurality of objects wherein
selected information is inherited between objects, the system
comprising: a replicator that receives modifications to such
selected information and changes such information in a start
object; and a propagator that searches for related objects and
modifies such objects in response to such modifications.
17. The computer system of claim 16 wherein the propagator modifies
the related objects based on changes to parent objects and the
current state of the related objects.
18. The computer system of claim 16 wherein the related objects are
searched using a breadth first search.
19. The computer system of claim 16 and further comprising a
propagation queue which receives and queues indications from the
replicator that indicate start objects for propagations of
modifications.
20. The computer system of claim 16 wherein the computer system is
coupled to other computer systems having replicated objects which
generate modifications to such objects.
21. The computer system of claim 16 and further comprising a
replicated tree structured directory database representative of the
objects and containing dynamically inherited attributes of the
objects.
22. The computer system of claim 21 and further comprising a
directory services agent which receives modifications from other
programs, both local and remote.
23. A machine readable medium having a data structure stored
thereon for use in propagating changes to a replicated tree
structured object directory database, the structure comprising a
plurality of rows having columns comprising: an incrementing
number; a start object id; and an order index identifying the row
with the next start object id;
24. The data structure of claim 23 and further comprising: a trim
flag; and a trim index.
25. The data structure of claim 24 wherein the trim index comprises
a compound index over the trim flag and the start object id.
26. A computer system having a plurality of objects wherein
selected information is inherited between objects, the system
comprising: a queue that receives indications of objects which have
had dynamically inherited attributes modified; a propagator that
receives such indications from the queue, searches for related
objects and modifies such objects in response to such
modifications.
27. The computer system of claim 26 and further comprising a list
of related objects found by the propagator.
28. The computer system of claim 27 wherein the list is generated
in a breadth first traversal of a replicated tree structured
directory database.
29. The computer system of claim 26 and further comprising a gate
for ensuring changes are not made to objects that would be
inconsistent with the modifications performed by the propagator.
Description
FIELD OF THE INVENTION
[0001] This invention relates generally to the field of information
processing, and in particular to the efficient propagation of
updated inherited information for objects.
COPYRIGHT NOTICE/PERMISSION
[0002] A portion of the disclosure of this patent document contains
material which is subject to copyright protection. The copyright
owner has no objection to the facsimile reproduction by anyone of
the patent document or the patent disclosure as it appears in the
Patent and Trademark Office patent file or records, but otherwise
reserves all copyright rights whatsoever. The following notice
applies to the software and data as described below and in the
drawing hereto: Copyright.COPYRGT. 1998, Microsoft Corporation, All
Rights Reserved.
BACKGROUND
[0003] Computer operating systems need a way to keep track of
information which is stored in or describes objects. A directory
service is a program that performs that function. It keeps a
database of information relating to each object which is stored in
a domain. The domain can be thought of as all the storage space
available for objects on one computer or multiple networked
computers. When the domain comprises multiple computers, there may
be copies of the directory service database on each of the
computers. When an object is changed, and the information in the
database needs to change to reflect that change in the object, a
replicator function is used to initiate the change in the object's
database information. The replicator also sends a message to other
computers in the network to make the same change to the directory
database.
[0004] In WindowsNT.RTM., the directory database contains
information which is intrinsic, or actually within an object as
well as information which is inherited from other objects, referred
to as parent objects. The actual inherited information is
duplicated in the database. It may be passed on to children of the
objects and grandchildren, and so on. When a change to information,
which may be inherited, is made, one way to update the information
would be to replicate the change in each object to which it applied
by sending messages to other systems on an object by object basis.
For large object hierarchies, a change in a high level object may
cause many such messages to be sent as the change propagates down
to lower level objects. This may result in a large amount of
network traffic, which could degrade the overall system
performance.
[0005] There is a need to efficiently and reliably change directory
information without generating a large amount of network traffic.
There is a need to ensure that such changes are made correctly even
when other objects are attempted to be modified during the
changes.
SUMMARY OF THE INVENTION
[0006] Inherited information changes are propagated in a directory
associated with objects independent of replication of such changes
to other copies of the directory. By propagating such changes in
each directory without generating a replication message for each
object so changed, network traffic is greatly reduced.
[0007] The inherited information comprises security descriptors in
one instance of the invention. The security descriptors are
represented in a directory database and comprise permissions for
accessing and modifying objects. The inherited information
comprises parent lists that identify parents of each object in
another instance of this invention. Each object in a hierarchy of
objects is represented by a row in the database. Alternatively, a
text file with one line per object, or files in a file system are
used to represent objects. When a security descriptor is modified
by a user, the directory service makes the change and a replicator
sends a message to other copies of the directory database, which in
one embodiment is represented in tree structure. Also, the
directory service sends an event notification to a security
descriptor propagator. The propagator traverses the directory tree
in a breadth first manner, and modifies the security descriptors of
all related objects. While breadth first provides some
efficiencies, other traversal methods, such as depth first may also
be used. Only when all the changes are committed, will the
propagator complete the updating operation.
[0008] A gate is used to control some types of access to the
directory so that only one type of operation may proceed at any
given time. A thread must enter the gate before starting a database
transaction that will add a new object, and before entering a
transaction that modifies inherited information on behalf of the
propagator. Threads leave the gate after closing the database
transaction. The gate ensures accuracy of the database in a dynamic
changing environment.
[0009] The propagation of changes is moved into the core of the
directory service, relieving calling applications from having to
replicate changes themselves, and avoiding large amounts of network
traffic which would result from such replication.
BRIEF DESCRIPTION OF THE DRAWINGS
[0010] FIG. 1 is a block diagram of a hardware and operating
environment of the present invention.
[0011] FIG. 2 is a block diagram of a database object directory
tree structure.
[0012] FIG. 3 is a block diagram showing functions which allow
modification and updating of the directory tree of FIG. 2.
[0013] FIG. 4 is a table showing a portion of the directory tree
relating to parent lists.
[0014] FIG. 5 is a block diagram of a gate used to exclude certain
threads from operating on the directory tree while other types of
threads are accessing the directory.
DETAILED DESCRIPTION
[0015] In the following detailed description of exemplary
embodiments of the invention, reference is made to the accompanying
drawings which form a part hereof, and in which is shown by way of
illustration specific exemplary embodiments in which the invention
may be practiced. These embodiments are described in sufficient
detail to enable those skilled in the art to practice the
invention, and it is to be understood that other embodiments may be
utilized and that logical, mechanical, electrical and other changes
may be made without departing from the spirit or scope of the
present invention. The following detailed description is,
therefore, not to be taken in a limiting sense, and the scope of
the present invention is defined only by the appended claims.
[0016] The detailed description is divided into multiple sections.
In the first section, the hardware and the operating environment in
conjunction with which embodiments of the invention may be
practiced are described. In the second section, a directory, and
services that modify and maintain the directory by propagation of
changes within the directory are shown and described. Next, a gate
is described which controls which threads may operate on the
directory at any given time, followed by a conclusion which
summarizes the invention and points out some of the potential
benefits and describes further alternative embodiments.
Hardware and Operating Environment
[0017] FIG. 1 provides a brief, general description of a suitable
computing environment in which the invention may be implemented.
The invention will hereinafter be described in the general context
of computer-executable program modules containing instructions
executed by a personal computer (PC). Program modules include
routines, programs, objects, components, data structures, etc. that
perform particular tasks or implement particular abstract data
types. Those skilled in the art will appreciate that the invention
may be practiced with other computer-system configurations,
including hand-held devices, multiprocessor systems,
microprocessor-based programmable consumer electronics, network
PCs, minicomputers, mainframe computers, and the like which have
multimedia capabilities. The invention may also be practiced in
distributed computing environments where tasks are performed by
remote processing devices linked through a communications network.
In a distributed computing environment, program modules may be
located in both local and remote memory storage devices.
[0018] FIG. 1 employs a general-purpose computing device in the
form of a conventional personal computer 20, which includes
processing unit 21, system memory 22, and system bus 23 that
couples the system memory and other system components to processing
unit 21. System bus 23 may be any of several types, including a
memory bus or memory controller, a peripheral bus, and a local bus,
and may use any of a variety of bus structures. System memory 22
includes read-only memory (ROM) 24 and random-access memory (RAM)
25. A basic input/output system (BIOS) 26, stored in ROM 24,
contains the basic routines that transfer information between
components of personal computer 20. BIOS 24 also contains start-up
routines for the system. Personal computer 20 further includes hard
disk drive 27 for reading from and writing to a hard disk (not
shown), magnetic disk drive 28 for reading from and writing to a
removable magnetic disk 29, and optical disk drive 30 for reading
from and writing to a removable optical disk 31 such as a CD-ROM or
other optical medium. Hard disk drive 27, magnetic disk drive 28,
and optical disk drive 30 are connected to system bus 23 by a
hard-disk drive interface 32, a magnetic-disk drive interface 33,
and an optical-drive interface 34, respectively. The drives and
their associated computer-readable media provide nonvolatile
storage of computer-readable instructions, data structures, program
modules and other data for personal computer 20. Although the
exemplary environment described herein employs a hard disk, a
removable magnetic disk 29 and a removable optical disk 31, those
skilled in the art will appreciate that other types of
computer-readable media which can store data accessible by a
computer may also be used in the exemplary operating environment.
Such media may include magnetic cassettes, flash-memory cards,
digital versatile disks, Bernoulli cartridges, RAMs, ROMs, and the
like.
[0019] Program modules may be stored on the hard disk, magnetic
disk 29, optical disk 31, ROM 24 and RAM 25. Program modules may
include operating system 35, one or more application programs 36,
other program modules 37, and program data 38. A user may enter
commands and information into personal computer 20 through input
devices such as a keyboard 40 and a pointing device 42. Other input
devices (not shown) may include a microphone, joystick, game pad,
satellite dish, scanner, or the like. These and other input devices
are often connected to the processing unit 21 through a serial-port
interface 46 coupled to system bus 23; but they may be connected
through other interfaces not shown in FIG. 1, such as a parallel
port, a game port, or a universal serial bus (USB). A monitor 47 or
other display device also connects to system bus 23 via an
interface such as a video adapter 48. A video camera or other video
source is represented at 60 as being coupled to video adapter 48
for providing video images for video conferencing and other
applications, which may be processed and further transmitted by
personal computer 20. In further embodiments, a separate video card
may be provided for accepting signals from multiple devices 60,
including satellite broadcast encoded images. In addition to the
monitor, personal computers typically include other peripheral
output devices (not shown) such as speakers and printers.
[0020] Personal computer 20 may operate in a networked environment
using logical connections to one or more remote computers such as
remote computer 49. Remote computer 49 may be another personal
computer, a server, a router, a network PC, a peer device, or other
common network node. It typically includes many or all of the
components described above in connection with personal computer 20;
however, only a storage device 50 is illustrated in FIG. 1. The
logical connections depicted in FIG. 1 include local-area network
(LAN) 51 and a wide-area network (WAN) 52. Such networking
environments are commonplace in offices, enterprise-wide computer
networks, intranets and the Internet.
[0021] When placed in a LAN networking environment, PC 20 connects
to local network 51 through a network interface or adapter 53. When
used in a WAN networking environment such as the Internet, PC 20
typically includes modem 54 or other means for establishing
communications over network 52. Modem 54 may be internal or
external to PC 20, and connects to system bus 23 via serial-port
interface 46. In a networked environment, program modules, such as
those comprising Microsoft.RTM. Word which are depicted as residing
within 20 or portions thereof may be stored in remote storage
device 50. Of course, the network connections shown are
illustrative, and other means of establishing a communications link
between the computers may be substituted.
[0022] Software may be designed using many different methods,
including object oriented programming methods. C++ and Java are two
examples of common object oriented computer programming languages
that provide functionality associated with object oriented
programming. Object oriented programming methods provide a means to
encapsulate data members (variables) and member functions (methods)
that operate on that data into a single entity called a class.
Object oriented programming methods also provide a means to create
new classes based on existing classes. These new classes may be
referred to as children of the classes from which they are created,
parent classes, and they may inherit the methods of their
parents.
[0023] An object is an instance of a class. The data members of an
object are attributes that are stored inside the computer memory,
and the methods are executable computer code that act upon this
data, along with potentially providing other services. The notion
of an object is exploited in the present invention in that certain
aspects of the invention are implemented as objects in one
embodiment.
[0024] An interface is a group of related functions that are
organized into a named unit. Each interface may be uniquely
identified by some identifier. Interfaces have no instantiation,
that is, an interface is a definition only without the executable
code needed to implement the methods which are specified by the
interface. An object may support an interface by providing
executable code for the methods specified by the interface. The
executable code supplied by the object must comply with the
definitions specified by the interface. The object may also provide
additional methods. Those skilled in the art will recognize that
interfaces are not limited to use in or by an object oriented
programming environment.
[0025] In FIG. 2, a block representation of a replicated tree
structured database is shown generally at 210. A directory tree is
a visual representation of the relationships between multiple
objects on a storage domain. The storage domain represents storage
on a single computer system, or multiple computer systems having
some form of shared storage. While a tree is described, other
structures may also be used as the relationships between objects
can take many different forms, such as an arbitrary acyclic graph.
Tree 210 has representations of nine objects which are abstract
collections of data. A top level object 212 is represented by a "1"
in a circle. The other eight objects are similarly represented by
corresponding integers. A second object 214 is a child of the first
object, as is a third object 216. The third object 216 has three
children, 218, 220 and 222. Object 222 also has three child objects
224, 226, and 228. As an example, there may be an object
representing a user. That object would have associated data
including (but not limited to): Given Name, Surname, Middle Name,
Title, Phone Number, Password, Salary, Office Location, Home
Address, and Shoe Size. The objects stored in a directory follow a
class hierarchy. Thus, an object of type User may have the data
Given Name, but an object of type Computer does not. Further, an
object of type Special User, where Special User is a subclass of
User, inherits the ability to store the data Given Name, and also
has the new ability to store the data Special Data. Inherited data
also includes information describing who can access the object, and
what level of access permission they are given. Such permissions
include the ability to only read the object, or to both read and
write or modify the object among many other possible
permissions.
[0026] The permissions, and other inherited information such as
parent lists and other information relating and identifying objects
are actually stored in a transactioned database 310 as seen in FIG.
3, and a portion of which is shown at 410 in FIG. 4. Other storage
mechanisms, such as a text file with one line per object, or files
in a file system are used to represent objects are used in
alternative embodiments. Database 310 contains a row of information
for each object which describes the inherited characteristics of
the object as well as other maintenance information about the
object such as ownership and an identifier. A directory service
agent 312 interfaces to the database and performs operations on the
data, including allowing modifications and updates as well as
performing searches on the data in the database 310. A set of
application programming interfaces (APIs) 314 provide an interface
into the services provided by the directory service agent 312 to
allow users, both human and other programs, to generate requests to
use the data in the database 310. One common request is to modify
the permissions to access an object as represented by an access
control list stored as a security descriptor in the database. Such
requests and the manner in which changes to a security descriptor
is performed is well known in the art. One common example would be
to add a printer object at some point in a network, or to give
permission to a new employee or group of users to access the
object.
[0027] Once such a request to modify the security descriptor, or
other inherited information such as a parent list, is performed by
the directory service agent 312, a replication of that request is
made by a replicator 316 in a known manner. The replication is
packaged up into a communication 318 and sent to other systems
which have a copy of the database 310 which must also be updated.
For information that is intrinsic to the object and not inherited,
this process of sending the message or replicating the change to
other copies of the database is all that is needed. However, a
change to inheritable information in an object may also mean that
children of the changed object need to be changed. The directory
service agent then writes an indication of which object has been
changed (basically a database row number or id) into a propagation
queue or list, which is read by a propagator module 322 which is
referred to as a daemon that hangs off the side of the directory
database. The propagator 322 reads the queue, and then finds all
the children affected by the change and modifies their inherited
information by reading each affected object and its parent to
determine how to change the inherited information. This method of
propagating changes as opposed to replicating each change to each
object via a message can significantly cut down on network traffic
depending on the complexity of the object tree and amount of
changes to inherited information which must be dynamically
propagated.
[0028] Two types of inherited information are reflected in a
portion of the database 310 shown at 410 in FIG. 4. A first column
412 contains an object identifier, shown for simplicity as an
integer corresponding to the integers in circles representing
objects in FIG. 2. Nine rows are shown, each row also having a
parent column 413 identifying the parent, a parent list column 414
identifying the full line of parents or heritage of each object,
and a security descriptor column 416 showing a simplified
representation of a security descriptor. The first object has only
itself in its parent list column 414 because it is a top level
object. The second and third objects both have the first object as
a parent (inherited from their parent's parent list) as well as
themselves. The fourth, fifth and sixth objects have both the first
and third objects as parents (inherited from their parent's parent
list) as well as themselves. The seventh, eighth and ninth objects
have the first, third and sixth objects as parents (inherited from
their parent's parent list) as well as themselves. The first object
has a security descriptor simply referred to as V2 for this
embodiment. Each of the other objects in the table ultimately
derives from object 1, and inherits its security descriptor.
[0029] When a request is issued through an API 314 to change the
security descriptor of the first object from V2 to V3, the
directory service agent 312 writes the change of the security
descriptor from V2 to V3 and verifies that the user requesting the
change is authorized to make the change, and that the change is a
valid change. The id of the object, "1" in this case is then
written to the propagator queue 320, which is a FIFO queue, with
some pruning to avoid duplication of effort as will be discussed
below. Each change to a dynamically inheritable attribute of an
object results in the id of the object changed being written to the
queue 320. Once the change is written, and the queue updated by the
directory service agent, the change to the security descriptor is
committed to the database and written to non-volatile storage such
as disk. Next, the propagator 322 is notified via an event such as
a win32 event or other form of communication that a change to a
dynamically inheritable attribute has been written and put in the
queue. While a queue is used in this embodiment, it will be
recognized that other forms of notification may be used, such as
the use of a direct work request indicating the object that has
been changed. Next, the replicator 316 is told of the change, which
results in a message being created which is representative of the
change to be made. The message is then sent to other systems having
copies of the database which must be synchronized with the current
copy.
[0030] At start up time, the queue of propagations to be done is
refreshed from saved information. A single propagation thread is
started. Note, that in one embodiment, propagations are serialized
such that one propagation will complete before the next is done to
simplify understanding of propagation interrelations and also to
avoid spawning many propagation threads. The thread waits on the
propagation queue, and upon receiving the event, propagator 322 in
each system having a copy of the database needed changing, wakes up
and reads the first entry in the queue 320. It then enters a gate
510 as shown in FIG. 5. Gate 510 is used to ensure that other
accesses to the database are not being made that might interfere
with, or be incorrectly processed as a result of the modifications
to be made. Gates are well known exclusion constructs and this one
will not be described in great detail other than to say that
threads generated by the propagator to update dynamically inherited
information are deemed to be "writers", and all others adding
objects "readers". Threads not doing these operations don't need to
enter the gate. Only one type of thread ("reader" or "writer") is
allowed in the gate at any one time, although many threads of one
type may be inside the gate at once. The number of such threads in
the gate is indicated at 512, and the type of thread, whether a
reader or a writer is indicated at 514. If at least one of either
type is in the gate, the other type must wait until all are done
and out of the gate before entering.
[0031] When the propagation is initiated, the propagator finds the
identity of the first object from the queue. Then, the propagator
thread enters the gate. It reads the security descriptor from the
object and from its parent and calculates the new security
descriptor, and then writes it to the object. The write is done in
such a manner that it does not trigger a directory replication
event. This transaction is then committed, and the propagator
thread then leaves the gate. At this point, only the security
descriptor for the first object has been changed. However, since
the first object may be the parent of many other objects, their
security descriptors must also be changed. To do this, the
propagator generates a list of children of the first object using a
breadth first traversal of the tree. In this case, it will look for
"1s" in the database parent column, and identify the second and
third objects as children of the first object and add them to the
list of children yet to be processed. The propagator does not need
to enter the gate to generate this list. The use of the gate by add
threads guarantees that every child will either be found by the
propagator, or that new children not noticed by the propagator will
be added AFTER the data on the parent has been fixed by the
propagator and will therefore have correct inherited information.
The propagator will then reenter the gate and recalculate the
security descriptor of the second object by reading the second
object and its parent, the first object. It will write the new
security descriptor and exit the gate. It will then look for
children of the second object. Finding none if will remove the
second object from the list of children and move on to the third
object. It makes the change by reentering the gate, reading the
third object and its parent to recalculate the security descriptor
and then leaving the gate. This time, it does find children of the
third object, namely the fourth, fifth and sixth objects and adds
them to the list of children. Proceeding with the search and change
and addition and removal of objects to the list of children, it
finally changes the ninth object, ensures it is stored to disk, and
then removes the id of the first object from the queue once the
list of children is empty.
[0032] Each database on each system is so updated by its own
propagator. The queue may have update indications placed on it in
at least two ways. The first is as described above, via an API call
from a user such as a person or another program. Another way for
the change to be queued arises from the receipt of a message such
as message 318 indicative of a change to be applied to the
database. The directory service agent receives such messages and
updates the queue with the id of the object to which the change
should be applied. The propagator, as stated above, operates
independent of the replicator portion of the directory service
agent, and makes changes to all affected objects without the
generation of further network traffic.
[0033] There are a few optimizations performed by the propagator to
enhance performance of the propagation of a change or changes to
the database. The first involves comparing the previous security
descriptor of a child with the new calculated security descriptor.
If there is no change, there is no need to find the children of
such child; since the data was already correct on the child object,
then the objects which inherit from this child object will also
have correct data. Eliminating the search and attempted updates can
save significant time. If this is the first traversal after a power
up, and the propagation queue was not empty after power up, the
propagator must continue to identify children and add them to the
list, even if no changes are detected. This is because a
propagation is being restarted that was probably interrupted by a
power cycle. The top of the tree may have already been done, but
the bottom of the tree may not have been done. If the traversal is
stopped too early, the change would not be properly propagated to
the lowest level children. Similarly, the security descriptor of
direct children of the start object is always verified. This is
because the security descriptor of the start object has already
been modified by the directory service or the replicator, and so
the newly calculated security descriptor would not be different
unless there had been a rename or reparent operation, or if another
propagation had been queued for the start object's parent.
[0034] Another optimization is the use of the breadth first
traversal. Any tree traversal could be used, but if a breadth first
traversal is used, then all children of an object are processed as
a group. Thus the parent object need be read only once, and its
security descriptor may be held in memory while its children are
processed, at which time it is no longer needed. Then, the security
descriptor of the parent of the next group of peers is read.
[0035] The propagation of changes has been described with respect
to a tree directory structure. It shoud be noted that other
representations of the relationships between objects such as
arbitrary acyclic graphs may also have changes which need to be
propagated. In some embodiments, the propagation may involve
propagating changes where they need to go, depending on the
relationships between the objects rather than a propagation down a
tree structure.
[0036] A further example of changes to dynamically inherited
information comprises a move or reparenting operation. Parent lists
will then need to be modified to properly reflect heritage, and
also security descriptors may need to be modified if a new parent
has different security permissions. In FIG. 2, if the sixth object
222 were to be reparented through the use of an API 314 so that its
parent became the fifth object, the parenting information 414 would
no longer be correct. Instead of "6,3,1," it should be "6,5,3,1".
Further, the seventh, eighth and ninth objects would also have
changed parent lists. The same process is followed to propagate the
change by queueing the id of the object that changed in the
propagator queue 320. The propagator again performs the traversal
of the directory tree, changing parent lists as it goes.
[0037] A table is used to implement the queue 320 in one
embodiment. A unique incrementing number is used in one column to
enable the table to function as a queue. As stated above, the queue
also holds the id of the node or object on which to start the
propagation. A flag is used to describe whether the item in the
queue may be trimmed from the queue if another propagation subsumes
it. The Null value is used if the item may not be trimmed,
otherwise it is non-null. In general, if the directory service
agent causes the propagation itself, it is marked as trimmable. If
it is caused by an action taken on behalf of a client, then it is
not marked as trimmable. A client id is also associated with a
client that made the change that caused the propagation. Two
indicies are also used. The first is an order index that is used to
find the next element in the queue. A trim index is a compound
index over begin-node and the trimmable flag and is used to track
all trimmable nodes.
[0038] As an optimization, after each node in the tree has been
modified, the trim index of the propagation table is read. If the
current node is in that index, it is removed from the table, as the
propagation is being done, and there are no clients interested in
progress information. This allows trimming of most if not all the
propagation events caused by an initial replication of large
portions of a tree.
[0039] The propagation thread keeps track of several items, such as
the number of objects touched during the propagation and a unique
ID for the propagation. This information may be used to give
clients details about the state of the security descriptor
propagation underway.
Conclusion
[0040] Dynamically inherited information in a database is performed
by the use of a propagator which finds related objects and
recalculates the appropriate information to update. In a networked
system where multiple copies of the database need to be updated, a
change to such information in an object is communicated with
respect to that one object regardless of the number of objects in
each database which will need to be changed as a result of the
change. The propagator is described as using a breadth first tree
traversal. This type of search works well because the process to
update the inherited information needs to read the parent of the
child as well as the child. The breadth first tree search ensures
that needed data is more likely to be in memory and immediately
available to make the update. Other searches may work better on
different directory structures. A propagation queue is described as
one form of list for keeping track of propagations to perform. A
stack may also be used instead of a queue. LIFO methods of adding
and removing data from the list would work as well as FIFO. In
either case, when the list of pending propagations is completely
emptied, the resulting trees hold the same information. This
application is intended to cover any adaptations or variations of
the present invention. It is manifestly intended that this
invention be limited only by the claims and equivalents
thereof.
* * * * *