Secure sharing of storage area networks in a cloud

US 10,326,840 B2
Filed: 06/05/2015
Issued: 06/18/2019
Est. Priority Date: 06/05/2015
Status: Active Grant

First Claim

Patent Images

1. A computer program product to implement secured access to a shared storage area network (SAN), the computer program product comprising:

a computer-readable storage medium having computer-readable program code embodied therewith, the computer-readable program code executable by one or more computer processors to perform an operation comprising;

allocating a plurality of storage disk units of the shared SAN to a plurality of clients of a SAN provider, including allocating one or more of the plurality of storage disk units to a first client of the plurality of clients, whereafter the first client is permitted to cause input/output (I/O) operations to be performed on the one or more allocated storage disk units, wherein the shared SAN comprises a SAN shared between the plurality of clients;

receiving a first management request from the first client to perform a first disk management operation on a first of the plurality of storage disk units of the shared SAN, wherein the first management request is received by a proxy service operatively connected to a management interface of the SAN provider, wherein the management interface provides administrative access to the plurality of storage disk units;

upon authenticating the first client to access the proxy service without authenticating the first client to access the management interface, determining, by the proxy service, whether the first storage disk unit is currently allocated to the first client, based on evaluating a configuration of the first client; and

upon determining that the first storage disk unit is not currently allocated to the first client, generating an indication that the first management request is denied, wherein the indication is output to the first client, wherein the first disk management operation is not performed on the first storage disk unit, thereby preventing, via the proxy service, unauthorized disk access in the shared SAN;

wherein the proxy service is configured to, upon determining that the first storage disk unit is currently allocated to the first client, cause the first disk management operation to be performed on the first storage disk unit, including;

accessing the management interface using SAN provider credentials; and

executing a command via the management interface to perform the first disk management operation on the first storage disk unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques disclosed herein describe performing client-requested disk management operations to storage disk units of a storage area network (SAN). A proxy service receives a request from a client of a SAN provider to perform a disk management operation on one or more storage disk units of the SAN provider. The proxy service evaluates a configuration of storage disk units allocated to the client to determine whether the request is valid. If valid, the proxy service performs the requested action to the specified storage disk units on behalf of the client.

15 Citations

19 Claims

1. A computer program product to implement secured access to a shared storage area network (SAN), the computer program product comprising:
- a computer-readable storage medium having computer-readable program code embodied therewith, the computer-readable program code executable by one or more computer processors to perform an operation comprising;
  
  allocating a plurality of storage disk units of the shared SAN to a plurality of clients of a SAN provider, including allocating one or more of the plurality of storage disk units to a first client of the plurality of clients, whereafter the first client is permitted to cause input/output (I/O) operations to be performed on the one or more allocated storage disk units, wherein the shared SAN comprises a SAN shared between the plurality of clients;
  
  receiving a first management request from the first client to perform a first disk management operation on a first of the plurality of storage disk units of the shared SAN, wherein the first management request is received by a proxy service operatively connected to a management interface of the SAN provider, wherein the management interface provides administrative access to the plurality of storage disk units;
  
  upon authenticating the first client to access the proxy service without authenticating the first client to access the management interface, determining, by the proxy service, whether the first storage disk unit is currently allocated to the first client, based on evaluating a configuration of the first client; and
  
  upon determining that the first storage disk unit is not currently allocated to the first client, generating an indication that the first management request is denied, wherein the indication is output to the first client, wherein the first disk management operation is not performed on the first storage disk unit, thereby preventing, via the proxy service, unauthorized disk access in the shared SAN;
  
  wherein the proxy service is configured to, upon determining that the first storage disk unit is currently allocated to the first client, cause the first disk management operation to be performed on the first storage disk unit, including;
  
  accessing the management interface using SAN provider credentials; and
  
  executing a command via the management interface to perform the first disk management operation on the first storage disk unit.
- View Dependent Claims (2, 3, 4, 9, 10, 18)
- - 2. The computer program product of claim 1, wherein whether the first storage disk unit is currently allocated to the first client is determined in order to determine whether the first management request is valid, wherein determining whether the first management request is valid further comprises:
    - determining, based on the configuration, whether the first client has privileges for the first disk management operation to be performed on the first storage disk unit.
  - 3. The computer program product of claim 1, wherein the operation further comprises:
    - receiving a second management request from the first client to perform a second disk management operation on a second of the plurality of storage disk units of the shared SAN; and
      
      upon determining that the second management request is valid, causing the second disk management operation to be performed on the second storage disk unit.
  - 4. The computer program product of claim 3, wherein determining the second management request is valid comprises:
    - determining, based on the configuration, that the second storage disk unit is currently allocated to the first client.
  - 9. The computer program product of claim 1, wherein the first client performs I/O operations via an I/O communications path and performs management operations via a management communications path separate from the I/O communications path.
  - 10. The computer program product of claim 9, wherein the first management request is received from the first client without interfering with the I/O communications path.
  - 18. The computer program product of claim 1, wherein the first management request is sent by the first client to the proxy service based on a proxy entry maintained by the first client.

5. A system to implement secured access to a shared storage area network (SAN), the system comprising:
- one or more computer processors; and
  
  a memory storing a program which, when executed on the one or more computer processors, performs an operation comprising;
  
  allocating a plurality of storage disk units of the shared SAN to a plurality of clients of a SAN provider, including allocating one or more of the plurality of storage disk units to a first client of the plurality of clients, whereafter the first client is permitted to cause input/output (I/O) operations to be performed on the one or more allocated storage disk units, wherein the shared SAN comprises a SAN shared between the plurality of clients;
  
  receiving a first management request from the first client of the SAN provider to perform a first disk management operation on a first of the plurality of storage disk units of the shared SAN, wherein the first management request is received by a proxy service operatively connected to a management interface of the SAN provider, wherein the management interface provides administrative access to the plurality of storage disk units;
  
  upon authenticating the first client to access the proxy service without authenticating the first client to access the management interface, determining, by the proxy service, whether the first storage disk unit is currently allocated to the first client, based on evaluating a configuration of the first client; and
  
  upon determining that the first storage disk unit is not currently allocated to the first client, generating an indication that the first management request is denied, wherein the indication is output to the first client, wherein the first disk management operation is not performed on the first storage disk unit, thereby preventing, via the proxy service, unauthorized disk access in the shared SAN;
  
  wherein the proxy service is configured to, upon determining that the first storage disk unit is currently allocated to the first client, cause the first disk management operation to be performed on the first storage disk unit, including;
  
  accessing the management interface using SAN provider credentials; and
  
  executing a command via the management interface to perform the first disk management operation on the first storage disk unit.
- View Dependent Claims (6, 7, 8, 11, 12, 13, 14, 15, 16, 17, 19)
- - 6. The system of claim 5, wherein whether the first storage disk unit is currently allocated to the first client is determined in order to determine whether the first management request is valid, wherein determining whether the first management request is valid comprises:
    - determining, based on the configuration, whether the first client has privileges for the first disk management operation to be performed on the first storage disk unit.
  - 7. The system of claim 5, wherein the operation further comprises:
    - receiving a second management request from the first client to perform a second disk management operation on a second of the plurality of storage disk units of the shared SAN; and
      
      upon determining that the second management request is valid, causing the second disk management operation to be performed on the second storage disk unit.
  - 8. The system of claim 7, wherein determining the second management request is valid comprises:
    - determining, based on the configuration, that the second storage disk unit is currently allocated to the first client.
  - 11. The system of claim 5, wherein the first client performs I/O operations via an I/O communications path and performs management operations via a management communications path separate from the I/O communications path.
  - 12. The system of claim 5, wherein the management interface provides administrative access to the plurality of storage disk units regardless of allocation;
    - wherein the proxy service is configured to, after causing the first disk management operation to be performed on the first storage disk unit, generate an indication that the first disk management operation is performed on the first storage disk unit, wherein the indication is output to the first client.
  - 13. The system of claim 12, wherein the configuration of the first client is specified in a client entry maintained by the proxy service, wherein the client entry includes a client identifier, a SAN disk range, and a SAN identifier;
    - wherein the first management request is sent by the first client to the proxy service based on a proxy entry maintained by the first client, wherein the proxy entry includes a client identifier, a network address of the proxy service, a proxy service user name, and a proxy service user password;
      
      wherein the proxy service accesses the management interface based on a host entry maintained by the proxy service, wherein the host entry includes a SAN identifier, a SAN user name, and a SAN user password.
  - 14. The system of claim 13, wherein whether the first storage disk unit is currently allocated to the first client is determined in order to determine whether the first management request is valid, wherein determining whether the first management request is valid further comprises:
    - determining, based on the configuration, whether the first client has privileges for the first disk management operation to be performed on the first storage disk unit;
      
      wherein the operation further comprises;
      
      receiving a second management request from the first client to perform a second disk management operation on a second of the plurality of storage disk units of the shared SAN; and
      
      upon determining that the second management request is valid, causing, the second disk management operation to be performed on the second storage disk unit.
  - 15. The system of claim 14, wherein determining the second management request is valid comprises:
    - determining, based on the configuration, that the second storage disk unit is currently allocated to the first client; and
      
      determining, based on the configuration, that the first client is authorized to perform the second disk management operation.
  - 16. The system of claim 15,wherein the first client is authenticated by the proxy service prior to evaluating the configuration associated with the first client.
  - 17. The system of claim 16, wherein the first disk management operation is performed without interference with any I/O path between the first client and the first storage disk unit;
    - wherein the first client performs I/O operations via an I/O communications path and performs management operations via a management communications path separate from the I/O communications path;
      
      wherein receiving the first management request from the first client and performing the first disk management operation are completed without interfering with the I/O communications path.
  - 19. The system of claim 5, wherein the proxy service accesses the management interface based on a host entry maintained by the proxy service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Miller, Robert, Nordland, Brian A., Thayib, Kiswanto
Primary Examiner(s)
Jakovac, Ryan J

Application Number

US14/732,607
Publication Number

US 20160359974A1
Time in Patent Office

1,474 Days
Field of Search
US Class Current
CPC Class Codes

G06F 3/0604   Improving or facilitating a...

G06F 3/0622   in relation to access

G06F 3/0631   by allocating resources to ...

G06F 3/0632   by initialisation or re-ini...

G06F 3/067   Distributed or networked st...

H04L 67/1097   for distributed storage of ...

H04L 67/564   Enhancement of application ...

Secure sharing of storage area networks in a cloud

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure sharing of storage area networks in a cloud

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links