Method and apparatus for managing access to storage devices in a storage system with access control

US 20010020254A1
Filed: 12/29/2000
Published: 09/06/2001
Est. Priority Date: 06/30/1998
Status: Active Grant

First Claim

Patent Images

1. A method for managing access to a shared resource by a plurality of devices that are coupled to the shared resource via a network, the method including acts of:

(a) in response to a non-media access request by a first of the plurality of devices to a logical device at the shared resource for which the first device has no data access privileges, determining whether the first device is authorized to have non-media access to the logical device; and

(b) authorizing the non-media access request when it is determined in the act (a) that the first device is authorized to have non-media access to the logical device.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A storage system is provided that includes a plurality of storage devices and a data structure, accessible to the storage system, that includes a plurality of records corresponding to a plurality of network devices that are coupled to the storage system. Each record includes configuration data that identifies each of the plurality of storage devices to which data access by a respective one of the plurality of network devices is authorized. Each record may further include visibility data that identifies whether certain types of non-data access, such as requests for general information relating to a respective storage device, by a respective one of the plurality of network devices is permitted, even though data access to the respective storage device by the respective one of the plurality of network devices is not authorized.

263 Citations

66 Claims

1. A method for managing access to a shared resource by a plurality of devices that are coupled to the shared resource via a network, the method including acts of:
- (a) in response to a non-media access request by a first of the plurality of devices to a logical device at the shared resource for which the first device has no data access privileges, determining whether the first device is authorized to have non-media access to the logical device; and
  
  (b) authorizing the non-media access request when it is determined in the act (a) that the first device is authorized to have non-media access to the logical device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further including an act of:
    - (c) denying the non-media access request when it is determined in the act (a) that the first device is not authorized to have non-media access to the logical device.
  - 3. The method of claim 2, wherein the act (c) includes an act of:
    - ignoring the non-media access request.
  - 4. The method of claim 2, wherein the act (b) includes an act of:
    - forwarding the non-media access request to a physical device corresponding to the logical device.
  - 5. The method of claim 1, wherein the non-media access request is an availability request to determine an availability of the logical device, and wherein the act (b) includes an act of:
    - forwarding the availability request to a physical device corresponding to the logical device.
  - 6. The method of claim 1, further including acts of:
    - (c) in response to a data access request by the first device to the logical device, determining whether the first device has data access privileges to the logical device; and
      
      (d) authorizing the data access request when it is determined in the act (c) that the first device has data access privileges to the logical device.
  - 7. The method claim 6, further including an act of:
    - (e) denying the data access request when it is determined in the act (c) that the first device has no data access privileges to the logical device.
  - 8. The method of claim 1, wherein the acts (a) and (b) are performed by a filter that controls access to a plurality of logical devices at the shared resource, the method further including an act of:
    - (c) maintaining, in a data structure accessible to the filter, configuration information corresponding to the first device, the configuration information including;
      
      (1) first configuration information identifying each of the plurality of logical devices to which data access by the first device is authorized; and
      
      (2) whether non-media access is authorized to each of the plurality of logical devices for which the first configuration information identifies that no data access is authorized for the first device.
  - 9. The method of claim 8, wherein the act (a) includes an act of:
    - examining the configuration information corresponding to the first device to determine whether the first device is authorized to have non-media access to the logical device.
  - 10. The method of claim 1, wherein the acts (a) and (b) are performed by a filter that controls access to a plurality of logical devices at the shared resource, the method further including an act of:
    - (c) maintaining, in a data structure accessible to the filter, configuration information corresponding to the first device, the configuration information identifying;
      
      (1) each of the plurality of logical devices to which data access by the first device is authorized; and
      
      (2) each of the plurality of logical devices to which non-media access by the first device is authorized.
  - 11. The method of claim 1, further including an act of:
    - (c) determining whether an access request by the first device is one of a data access request and a non-media access request.
  - 12. The method of claim 1, wherein the shared resource is a storage system;
    - wherein the act (a) includes an act of, in response to the non media access request by the first device to a logical volume of data at the storage system for which the first device has no data access privileges, determining whether the first device is authorized to have non-media access to the logical volume; and
      
      wherein the act (b) includes an act of authorizing the non media access request when it is determined in the act (a) that the first device is authorized to have non-media access to the logical volume.
  - 13. The method of claim 12, wherein the acts (a) and (b) are performed by the storage system.
  - 14. The method of claim 12, wherein the acts (a) and (b) are performed outside of the storage system.

15. A method for managing access to a storage system by a plurality of devices that are coupled to the storage system via a network, the storage system including a plurality of logical volumes of data, the method including acts of:
- (a) maintaining, in a data structure that is accessible to a filter that controls access to each of the plurality of logical volumes, configuration information identifying each logical volume of the plurality of logical volumes to which data access by a first device of the plurality of devices is authorized;
  
  (b) in response to a non-media access request by the first device to a first logical volume for which the first device has no data access privileges, determining whether the first device is authorized to have non-media access to the first logical volume; and
  
  (c) authorizing the non-media access request when it is determined in the act (b) that the first device is authorized to have non-media access to the first logical volume.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The method of claim 15, further including an act of:
    - (d) denying the non-media access request when it is determined in the act (b) that the first device is not authorized to have non-media access to the first logical volume.
  - 17. The method of claim 16, wherein the act (c) includes an act of:
    - forwarding the non-media access request to a physical device corresponding to the first logical volume.
  - 18. The method of claim 15, wherein the act (c) includes an act of:
    - forwarding the non-media access request to a physical device corresponding to the first logical volume.
  - 19. The method of claim 15, further including acts of:
    - (d) in response to a data access request by the first device to the first logical volume, determining whether the first device has data access privileges to the first logical volume; and
      
      (e) authorizing the data access request when it is determined in the act (d) that the first device has data access privileges to the first logical volume.
  - 20. The method claim 19, further including an act of:
    - (f) denying the data access request when it is determined in the act (d) that the first device has no data access privileges to the first logical volume.
  - 21. The method of claim 15, wherein the filter is in the storage system and wherein the acts (a), (b), and (c) are performed by the storage system.
  - 22. The method of claim 15, wherein the filter is outside of the storage system, and wherein the acts (a), (b), and (c) are performed outside of the storage system.
  - 23. The method of claim 15, further including an act of:
    - (d) determining whether an access request by the first device is one of a data access request and a non-media access request.
  - 24. The method of claim 15, wherein the non-media access request is an availability request to determine an availability of the first logical volume, and wherein the act (c) includes an act of:
    - forwarding the availability request to a physical storage device corresponding to the first logical volume.
  - 25. The method of claim 15, wherein the act (a) includes an act of:
    - maintaining, in the data structure that is accessible to the filter, configuration information that includes first configuration information identifying each logical volume of the plurality of logical volumes to which data access by the first device is authorized and second configuration information identifying whether non-media access is authorized to each of the plurality of logical volumes for which the first configuration information identifies that no data access is authorized for the first device.
  - 26. The method of claim 25, wherein the act (b) includes an act of:
    - examining the second configuration information to determine whether the first device is authorized to have non-media access to the first logical volume.
  - 27. The method of claim 15, wherein the act (a) includes an act of:
    - maintaining, in the data structure that is accessible to the filter, configuration information that identifies each logical volume of the plurality of logical volumes to which data access by the first device is authorized and each of the plurality of logical volumes to which non-media access by the first device is authorized.

28. An apparatus for use in a computer system including a plurality of devices, a shared resource, and a network that couples the plurality of devices to the shared resource, the apparatus comprising:
- an input to be coupled to the network; and
  
  at least one filter, coupled to the input, that is responsive to a non-media access request by a first of the plurality of devices to a logical device at the shared resource for which the first device has no data access privileges, to determine whether the first device is authorized to have non-media access to the logical device, and to authorize the non-media access request when it is determined that the first device is authorized to have non-media access to the logical device.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 58)
- - 29. The apparatus of claim 28, wherein when it is determined that the first device is not authorized to have non-media access to the logical device, the at least one filter denies the non-media access request.
  - 30. The apparatus of claim 29, wherein the shared resource includes a plurality of storage devices coupled to the at least one filter, and wherein when it is determined that the first device is authorized to have non-media access to the logical device, the at least one filter forwards the non-media access request to a storage device corresponding to the logical device.
  - 31. The apparatus of claim 28, wherein when it is determined that the first device is not authorized to have non-media access to the logical device, the at least one filter ignores the non-media access request.
  - 32. The apparatus of claim 28, wherein:
    - the shared resource includes a plurality of storage devices coupled to the at least one filter;
      
      the non-media access request is an availability request to determine an availability of the logical device; and
      
      when it is determined that the first device is authorized to have non-media access to the logical device, the at least one filter forwards the request to a storage device corresponding to the logical device.
  - 33. The apparatus of claim 28, wherein in response to a data access request by the first device to the logical device, the at least one filter determines whether the first device has data access privileges to the logical device;
    - wherein the at least one filter authorizes the data access request when it is determined that the first device has data access privileges to the logical device; and
      
      wherein the at least one filter denies the data access request when it is determined that the first device has no data access privileges to the logical device.
  - 34. The apparatus of claim 28, wherein the apparatus further comprises:
    - a data structure, accessible to the at least one filter, that stores configuration information corresponding to the first device that includes first configuration information identifying each of a plurality of logical devices at the shared resource to which data access by the first device is authorized, and second configuration information identifying whether non-media access is authorized to each of the plurality of logical devices for which the first configuration information identifies that no data access is authorized for the first device.
  - 35. The apparatus of claim 34, wherein the at least one filter examines the second configuration information corresponding to the first device to determine whether the first device is authorized to have non-media access to the logical device.
  - 36. The apparatus of claim 28, wherein the apparatus further comprises:
    - a data structure, accessible to the at least one filter, that stores configuration information corresponding to the first device that identifies each of a plurality of logical devices at the shared resource to which data access by the first device is authorized and each of the plurality of logical devices to which non-media access by the first device is authorized.
  - 37. The apparatus of claim 28, wherein in response to an access request by the first device to the logical device, the at least one filter examines the access request to determine whether the access request is one of a data access request and a non-media access request.
  - 38. The apparatus of claim 28, wherein the shared resource is a storage system;
    - wherein the logical device is a logical volume of data stored at the storage system; and
      
      wherein in response to the non media access request by the first device to the logical volume of data at the storage system for which the first device has no data access privileges, the at least one filter determines whether the first device is authorized to have non-media access to the logical volume, and authorizes the non media access request when it is determined that the first device is authorized to have non-media access to the logical volume.
  - 39. The apparatus of claim 38, in combination with the storage system, wherein the at least one filter and the input each is disposed within the storage system.
  - 40. The apparatus of claim 38, further comprising:
    - a data structure, accessible to the at least one filter, that stores configuration information corresponding to the first device that includes first configuration information identifying each of a plurality of logical volumes of data stored at the storage system to which data access by the first device is authorized, and second configuration information identifying whether non-media access is authorized to each of the plurality of logical volumes for which the first configuration information identifies that no data access is authorized for the first device.
  - 41. The apparatus of claim 40, in combination with the storage system, wherein the at least one filter, the input, and the data structure each is disposed within the storage system.
  - 42. The apparatus of claim 38, wherein the at least one filter and the input each is disposed outside of the storage system.
  - 58. The apparatus of claim 38, wherein the at least one filter, the data structure, and the input each is disposed outside of the storage system.

43. A computer readable medium, comprising:
- a data structure relating to access management by a plurality of network devices to data stored on a plurality of logical devices of a shared resource, the data structure including a plurality of records each corresponding to one of the plurality of network devices, a first record of the plurality of records corresponding to a first of the plurality of network devices and including configuration information identifying each logical device of the plurality of logical devices to which data access by the first network device is authorized, the first record further including visibility information identifying whether the first network device is authorized to have non-media access to a first logical device of the plurality of logical devices when the configuration information corresponding to the first network device identifies that no data access to the first logical device from the first network device is authorized.
- View Dependent Claims (44, 45, 46, 47)
- - 44. The computer readable medium of claim 43, wherein the first record further includes visibility information identifying whether the first network device is authorized to have non-media access to each logical device of the plurality of logical devices when the configuration information corresponding to the first network device identifies that no data access to at least one of the plurality of logical devices is authorized.
  - 45. The computer readable medium of claim 43, wherein each respective record of the plurality of records includes configuration information identifying each logical device of the plurality of logical devices to which data access by a respective network device is authorized, each respective record further including visibility information identifying whether the respective network device is authorized to have non-media access to each logical device of the plurality of logical devices.
  - 46. The computer readable medium of claim 43, wherein each respective record of the plurality of records includes configuration information identifying each logical device of the plurality of logical devices to which data access by a respective network device is authorized, each respective record further including visibility information identifying whether the respective network device is permitted to have non-media access to a respective logical device of the plurality of logical devices when the configuration information identifies that no data access to the respective logical device from the respective network device is authorized.
  - 47. The computer readable medium of claim 43, in combination with the shared resource, wherein the shared resource is storage system, and wherein the computer readable medium is a storage device of the storage system.

48. An apparatus for use in a computer system including a plurality of devices, a storage system, and a network that couples the plurality of devices to the storage system, the apparatus comprising:
- an input to be coupled to the network;
  
  a data structure that stores configuration information identifying each logical volume of data of a plurality of logical volumes of data stored on the storage system to which data access by a first device of the plurality of devices is authorized; and
  
  at least one filter, coupled to the input, that is responsive to a non-media access request by a first of the plurality of devices to a first logical volume of data of the plurality of logical volumes of data for which the first device has no data access privileges, to determine whether the first device is authorized to have non-media access to the first logical volume of data, and to authorize the non-media access request when it is determined that the first device is authorized to have non-media access to the first logical volume of data.
- View Dependent Claims (49, 50, 51, 52, 53, 54, 55, 56, 57, 59)
- - 49. The apparatus of claim 48, wherein when it is determined that the first device is not authorized to have non-media access to the first logical volume of data, the at least one filter denies the non-media access request.
  - 50. The apparatus of claim 49, wherein the storage system includes a plurality of storage devices coupled to the at least one filter, and wherein when it is determined that the first device is authorized to have non-media access to the first logical volume of data, the at least one filter forwards the non-media access request to a storage device corresponding to the first logical volume of data.
  - 51. The apparatus of claim 48, wherein when it is determined that the first device is not authorized to have non-media access to the first logical volume of data, the at least one filter ignores the non-media access request.
  - 52. The apparatus of claim 48, wherein in response to a data access request by the first device to the first logical volume of data, the at least one filter determines, based upon the configuration information stored in the data structure, whether the first device has data access privileges to the first logical volume of data;
    - wherein the at least one filter authorizes the data access request when it is determined that the first device has data access privileges to the first logical volume of data; and
      
      wherein the at least one filter denies the data access request when it is determined that the first device has no data access privileges to the first logical volume of data.
  - 53. The apparatus of claim 48, wherein the configuration information stored in the data structure further identifies whether non-media access by the first device is authorized for each of the plurality of logical volumes of data stored on the storage system.
  - 54. The apparatus of claim 48, wherein the configuration information stored in the data structure is first configuration information, the data structure further including second configuration information that identifies whether non-media access is authorized to each of the plurality of logical volumes of data for which the first configuration identifies that no data access is authorized for the first device.
  - 55. The apparatus of claim 54, wherein the at least one filter examines the second configuration information to determine whether the first device is authorized to have non-media access to the logical device.
  - 56. The apparatus of claim 48, wherein in response to an access request by the first device to the first logical volume of data, the at least one filter examines the access request to determine whether the access request is one of a data access request and a non-media access request.
  - 57. The apparatus of claim 48, in combination with the storage system, wherein the at least one filter, the input, and the data structure each is disposed within the storage system.
  - 59. The apparatus of claim 48, in combination with the storage system, wherein the at least one filter and the input each is disposed within the storage system, and wherein the data structure is disposed outside of the storage system.

60. A storage system, comprising:
- a plurality of storage devices that store a plurality of logical volumes of data;
  
  a data structure to store configuration information identifying whether a first network device of a plurality of network devices that are coupled to the storage system is authorized to access data on a first logical volume of the plurality of logical volumes; and
  
  a filter, responsive to the configuration information stored in the data structure, to selectively forward non-media access requests from the first network device to the first logical volume when the configuration information identifies that no data access to the first logical volume from the first network device is authorized.
- View Dependent Claims (61, 62, 63, 64, 65, 66)
- - 61. The storage system of claim 60, wherein the filter selectively forwards the non-media access request from the first network device to at least one of the plurality of storage devices that corresponds to the first logical volume when the configuration information identifies that no data access to the first logical volume from the first network device is authorized.
  - 62. The storage system of claim 60, wherein the configuration information further identifies whether the first network device is authorized to have non-media access to the first logical volume when no data access to the first logical volume from the first network device is authorized.
  - 63. The storage system of claim 62, wherein the filter forwards non-media access requests from the first network device to the first logical volume when the configuration information identifies that non-media access by the first network device to the first logical volume is authorized, and denies the non-media access request from the first network device to the first logical volume when the configuration information identifies that non-media access by the first network device to the first logical volume is not authorized and that no data access to the first logical volume from the first network device is authorized.
  - 64. The storage system of claim 63, wherein the filter, in response to an access request from the first network device to the first logical volume for which the configuration information identifies that no data access is authorized, examines the access request to determine whether the access request is one of a data access request and a non-media access request.
  - 65. The storage system of claim 60, wherein the filter, responsive to the configuration information stored in the data structure, forwards access requests from the first network device to at least one of the plurality of storage device corresponding to the first logical volume when the configuration information identifies that data access to the first logical volume from the first network device is authorized.
  - 66. The storage system of claim 60, wherein the data structure includes a plurality of records each corresponding to a respective one of the plurality of network device, each of the plurality of records including first configuration information identifying each of the plurality of logical volumes to which data access by the respective one of the plurality of network devices is authorized, and second configuration information identifying whether non-media access to each of the plurality of logical volumes by the respective one of the plurality of network devices is authorized for which the first configuration information identifies that no data access by the respective one of the plurality of network device is authorized.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Fitzgerald, John T., Blumenau, Steven M., Madden, John F. Jr.

Granted Patent

US 7,165,152 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 21/78   to assure secure storage of...

G06F 21/85   interconnection devices, e....

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2107   File encryption

G06F 2221/2129   Authenticate client device ...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2147   Locking files

G06F 9/468   Specific access rights for ...

H04L 63/10   for controlling access to d...

Method and apparatus for managing access to storage devices in a storage system with access control

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

263 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for managing access to storage devices in a storage system with access control

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

263 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links