Method and apparatus for providing secure access to a computer system resource

US 6,449,652 B1
Filed: 01/04/1999
Issued: 09/10/2002
Est. Priority Date: 01/04/1999
Status: Expired due to Term

First Claim

Patent Images

1. In a computer system including a host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer including a file system/LVM mapping layer, a method of managing access to one of the plurality of raw storage devices, the method comprising a step of:

(A) granting a request, from a requester having less than system administrator access privileges, to perform an action on the one of the plurality of raw storage devices, wherein the request bypasses the file system/LVM mapping layer.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for managing access to one of a plurality of raw storage devices in a computer system including a host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer. The computer system includes a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising the plurality of raw storage devices. In accordance with one aspect of the invention, a request to perform an action on the one of the plurality of raw storage devices can be granted, even when the requester has less than system administrator access privileges. In accordance with another aspect of the invention, the one of the plurality of raw storage devices may have associated access privileges information. The access privileges information associated with the one of the plurality of raw storage devices may be compared with information descriptive of the requester, and the request may be granted when the access privileges information associated with the one of the plurality of raw storage devices indicates that the requester is privileged to perform the action on the one of the plurality of raw storage devices.

127 Citations

66 Claims

1. In a computer system including a host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer including a file system/LVM mapping layer, a method of managing access to one of the plurality of raw storage devices, the method comprising a step of:
- (A) granting a request, from a requester having less than system administrator access privileges, to perform an action on the one of the plurality of raw storage devices, wherein the request bypasses the file system/LVM mapping layer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the one of the plurality of raw storage devices has associated access privileges information, and wherein the step (A) includes steps of:
3. The method of claim 2, wherein the step of verifying includes a step of comparing the access privileges information associated with the one of the plurality of raw storage devices to information descriptive of the action to be performed on the one of the plurality of raw storage devices.
4. The method of claim 3, wherein the requester is a user of the computer system, such that the step (A) includes a step of granting the request from the user.
5. The method of claim 3, wherein the requester is an application program executing on the host computer, such that the step (A) includes a step of granting the request from the application program.
6. The method of claim 1, wherein the requester is a user of the computer system, such that the step (A) includes a step of granting the request from the user.
7. The method of claim 1, wherein the requester is an application program executing on the host computer, such that the step (A) includes a step of granting the request from the application program.
8. The method of claim 7, wherein the step (A) includes a step of granting the request from the application program in a manner that is transparent to the application program.
9. The method of claim 1, further including a step of:
- (B) denying a request from the requester to perform a different action on the one of the plurality of raw storage devices.
10. The method of claim 1, wherein the storage system is an intelligent storage system that has a mapping layer that maps the plurality of logical volumes to physical storage devices within the storage system, so that the raw physical devices need not correspond in a 1:
- 1 manner with the physical storage devices within the storage system.

11. A computer readable medium encoded with a program for execution on a host computer in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system further including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer including a file system/LVM mapping layer, the program, when executed on the host computer, performs a method of managing access to one of the plurality of raw storage devices, the method comprising a step of:
- (A) granting a request, from a requester having less than system administrator access privileges, to perform an action on the one of the plurality of raw storage devices, wherein the request bypasses the file system/LVM mapping layer.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer readable medium of claim 11, wherein the one of the plurality of raw storage devices has associated access privileges information, and wherein the step (A) includes steps of:
13. The computer readable medium of claim 12, wherein the step of verifying includes a step of comparing the access privileges information associated with the one of the plurality of raw storage devices to information descriptive of the action to be performed on the one of the plurality of raw storage devices.
14. The computer readable medium of claim 13, wherein the requester is a user of the computer system, such that the step (A) includes a step of granting the request from the user.
15. The computer readable medium of claim 13, wherein the requester is an application program executing on the host computer, such that the step (A) includes a step of granting the request from the application program.
16. The computer readable medium of claim 11, wherein the requester is a user of the computer system, such that the step (A) includes a step of granting the request from the user.
17. The computer readable medium of claim 11, wherein the requester is an application program executing on the host computer, such that the step (A) includes a step of granting the request from the application program.
18. The computer readable medium of claim 17, wherein the step (A) includes a step of granting the request from the application program in a manner that is transparent to the application program.
19. The computer readable medium of claim 11, further including a step of:
- (B) denying a request from the requester to perform a different action on the one of the plurality of raw storage devices.
20. The computer readable medium of claim 11, wherein the storage system is an intelligent storage system that has a mapping layer that maps the plurality of logical volumes to physical storage devices within the storage system, so that the raw physical devices need not correspond in a 1:
- 1 manner with the physical storage devices within the storage system.

21. A host computer for use in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system further including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer comprising:
- a file system/LVM mapping layer;
  
  a processor; and
  
  a memory programmed with an application program that has less than system administrator access privileges, the application program, when executed on the processor, having privileges to access at least one of the plurality of raw storage devices with an access request that bypasses the file system/LVM mapping layer.
- View Dependent Claims (22, 23)
- - 22. The host computer of claim 21, wherein the application program has limited privileges to access the at least one of the plurality of raw storage devices, such that the application program can read but cannot write the at least one of the plurality of raw storage devices.
  - 23. The host computer of claim 21, wherein the application program has privileges to access less than all of the plurality of raw storage devices.

24. A host computer for use in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system further including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer comprising:
- a file system/LVM mapping layer; and
  
  at least one controller to manage access to the plurality of raw storage devices, wherein the at least one controller is adapted to grant a request, from a requester having less than system administrator access, to perform an action on one of the plurality of raw storage devices, wherein the request bypasses the file system/LVM mapping layer.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. The host computer of claim 24, wherein the one of the plurality of raw storage devices has associated access privileges information, and wherein the at least one controller is adapted to verify that the requester is privileged to perform the action on the one of the plurality of raw storage devices by comparing the access privileges information associated with the one of the plurality of raw storage devices with information descriptive of the requester.
  - 26. The host computer of claim 25, wherein the at least one controller is adapted to compare the access privileges information associated with the one of the plurality of raw storage devices to information descriptive of the action to be performed on the one of the plurality of raw storage devices.
  - 27. The host computer of claim 24, wherein the at least one controller is adapted to grant requests for access to the plurality of raw storage devices from users of the computer system having less than system administrator privileges.
  - 28. The host computer of claim 24, wherein the at least one controller is adapted to grant requests for access to the plurality of raw storage devices from application programs executing on the host computer with less than system administrator privileges.
  - 29. The host computer of claim 24, wherein the at least one controller is adapted to grant a request for access to the plurality of raw storage devices from an application program, having less than system administrator privileges, executing on the host computer in a manner that is transparent to the application program.
  - 30. The host computer of claim 24, wherein the at least one controller is adapted to provide a requester with limited access to one of the plurality of raw storage devices, such that the at least one controller may provide a particular requester will access to perform some type of actions but not others on the one of the plurality of raw storage devices.
  - 31. The host computer of claim 24, wherein the storage system is an intelligent storage system that has a mapping layer that maps the plurality of logical volumes to physical storage devices within the storage system, so that the raw physical devices need not correspond in a 1:
    - 1 manner with the physical storage devices within the storage system.

32. In a computer system including a host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer comprising a file system/LVM mapping layer, a method of responding to a request from a requester to perform an action on one of the plurality of raw storage devices, wherein the request bypasses the file system/LVM mapping layer, and wherein the one of the plurality of raw storage devices has associated access privileges information, the method comprising steps of:
- (A) determining whether the requester is privileged to perform the action on the one of the plurality of raw storage devices by comparing the access privileges information associated with the one of the plurality of raw storage devices with information descriptive of the requester;
  
  (B) granting the request to perform the action on the one of the plurality of raw storage devices when it is determined in the step (A) that the requester is privileged to perform the action; and
  
  (C) denying the request to perform the action on the one of the plurality of raw storage devices when it is determined in the step (A) that the requester is not privileged to perform the action.
- View Dependent Claims (33, 34, 35)
- - 33. The method of claim 32, wherein the step (A) includes a step of comparing the access privileges information associated with the one of the plurality of raw storage devices to information descriptive of the action to be performed on the one of the plurality of raw storage devices.
  - 34. The method of claim 32, wherein the requester is a user of the computer system.
  - 35. The method of claim 32, wherein the requester is an application program executing on the host computer.

36. A computer readable medium encoded with a program for execution on a host computer in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer comprising a file system/LVM mapping layer, the program, when executed on the host computer, performing a method of responding to a request from a requester to perform an action on one of the plurality of raw storage devices, wherein the request bypasses the file system/LVM mapping layer, and wherein the one of the plurality of raw storage devices has associated access privileges information, the method comprising steps of:
- (A) determining whether the requester is privileged to perform the action on the one of the plurality of raw storage devices by comparing the access privileges information associated with the one of the plurality of raw storage devices with information descriptive of the requester;
  
  (B) granting the request to perform the action on the one of the plurality of raw storage devices when it is determined in the step (A) that the requester is privileged to perform the action; and
  
  (C) denying the request to perform the action on the one of the plurality of raw storage devices when it is determined in the step (A) that the requester is not privileged to perform the action.
- View Dependent Claims (37, 38, 39)
- - 37. The computer readable medium of claim 36, wherein the step (A) includes a step of comparing the access privileges information associated with the one of the plurality of raw storage devices to information descriptive of the action to be performed on the one of the plurality of raw storage devices.
  - 38. The computer readable medium of claim 36, wherein the requester is a user of the computer system.
  - 39. The computer readable medium of claim 36, wherein the requester is an application program executing on the host computer.

40. A host computer for use in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, wherein at least one of the plurality of raw storage devices has associated access privileges information, the host computer comprising:
- a file system/LVM mapping layer; and
  
  at least one controller to respond to requests from requesters to perform actions on one of the plurality of raw storage devices, wherein the requests bypass the file system/LVM mapping layer, wherein the at least one controller is, for each one of the requests, adapted;
  
  to determine whether the requester is privileged to perform the action on the one of the plurality of raw storage devices by comparing the access privileges information associated with the one of the plurality of raw storage devices with information descriptive of the requester;
  
  to grant the request to perform the action on the one of the plurality of raw storage devices when it is determined that the requester is privileged to perform the action; and
  
  to deny the request to perform the action on the one of the plurality of raw storage devices when it is determined that the requester is not privileged to perform the action.
- View Dependent Claims (41, 42, 43)
- - 41. The host computer of claim 40, wherein the at least one controller is, for each request, adapted to compare the access privileges information associated with the one of the plurality of raw storage devices to information descriptive of the action to be performed on the one of the plurality of raw storage devices.
  - 42. The host computer of claim 40, wherein the at least one controller is adapted to respond to requests for access to the plurality of raw storage devices from users of the computer system.
  - 43. The host computer of claim 40, wherein the at least one controller is adapted to respond to requests for access to the plurality of raw storage devices from application programs executing on the host computer.

44. In a computer system including a host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer having an access facility that grants access to the plurality of raw storage devices and requires a minimum privilege level for a requester to be granted access to one of the plurality of raw storage devices, a method of managing access to the plurality of raw storage devices, the method comprising steps of:
- (A) intercepting requests to access one of the plurality of raw storage devices from requesters that do not satisfy the minimum privilege level required by the access facility to grant access to one of the plurality of raw storage devices; and
  
  (B) modifying at least some of the requests intercepted in the step (A) to indicate that the requester satisfies the minimum privilege level to be granted access to one of the plurality of raw storage devices.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51)
- - 45. The method of claim 44, wherein the minimum privilege level for a requester to be granted access one of the plurality of raw storage devices is system administrator privileges;
46. The method of claim 44, wherein at least some of the plurality of raw storage devices have associated access privileges information that establishes a privilege level less than the minimum privilege level imposed by the access facility, wherein each request for access to one of the plurality of raw storage devices includes a requester, a target raw storage device and a requested action for performance on the target raw storage device, and wherein the step (B) includes, for each request intercepted in the step (A), steps of:
- determining whether the requester is privileged to perform the requested action on the target raw storage device by comparing the access privileges information associated with the target raw storage device with information descriptive of the requester; and
  
  modifying the request when the access privileges information associated with the target raw storage device indicates that the requester is privileged to perform the requested action on the target raw storage device.
47. The method of claim 46, wherein, for each request intercepted in the step (A), the step (B) includes a step of passing along the request without modifying the access privileges associated therewith when it is determined that the requester is not privileged to perform the requested action on the target raw storage device.
48. The method of claim 46, wherein the step of determining includes a step of comparing the access privileges information associated with the target raw storage device to information descriptive of the requested action to be performed on the target raw storage device.
49. The method of claim 44, wherein the step (A) includes a step of intercepting requests from a user of the host computer.
50. The method of claim 44, wherein the step (A) includes a step of intercepting requests from application programs executing on the host computer.
51. The method of claim 50, wherein the step (A) and the step (B) are performed in a manner that is transparent to the application program.

52. A computer readable medium encoded with a program for execution on a host computer in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer having an access facility that grants access to the plurality of raw storage devices and requires a minimum privilege level for a requester to be granted access to one of the plurality of raw storage devices, the program, when executed on the host computer, performs a method of managing access to the plurality of raw storage devices, the method comprising steps of:
- (A) intercepting requests to access one of the plurality of raw storage devices from requesters that do not satisfy the minimum privilege level required by the access facility to grant access to one of the plurality of raw storage devices; and
  
  (B) modifying at least some of the requests intercepted in the step (A) to indicate that the requester satisfies the minimum privilege level to be granted access to one of the plurality of raw storage devices.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59)
- - 53. The computer readable medium of claim 52, wherein the minimum privilege level for a requester to be granted access one of the plurality of raw storage devices is system administrator privileges;
54. The computer readable medium of claim 52, wherein at least some of the plurality of raw storage devices have associated access privileges information that establishes a privilege level less than the minimum privilege level imposed by the access facility, wherein each request for access to one of the plurality of raw storage devices includes a requester, a target raw storage device and a requested action for performance on the target raw storage device, and wherein the step (B) includes, for each request intercepted in the step (A), steps of:
- determining whether the requester is privileged to perform the requested action on the target raw storage device by comparing the access privileges information associated with the target raw storage device with information descriptive of the requester; and
  
  modifying the request when the access privileges information associated with the target raw storage device indicates that the requester is privileged to perform the requested action on the target raw storage device.
55. The computer readable medium of claim 54, wherein, for each request intercepted in the step (A), the step (B) includes a step of passing along the request without modifying the access privileges associated therewith when it is determined that the requester is not privileged to perform the requested action on the target raw storage device.
56. The computer readable medium of claim 54, wherein the step of determining includes a step of comparing the access privileges information associated with the target raw storage device to information descriptive of the requested action to be performed on the target raw storage device.
57. The computer readable medium of claim 52, wherein the step (A) includes a step of intercepting requests from a user of the host computer.
58. The computer readable medium of claim 52, wherein the step (A) includes a step of intercepting requests from application programs executing on the host computer.
59. The computer readable medium of claim 58, wherein the step (A) and the step (B) are performed in a manner that is transparent to the application program.

60. A host computer for use in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer comprising:
- an access facility that grants access to the plurality of raw storage devices and requires a minimum privilege level for a requester to be granted access to one of the plurality of raw storage devices; and
  
  at least one controller that;
  
  intercepts requests to access one of the plurality of raw storage devices from requesters that do not satisfy the minimum privilege level required by the access facility to grant access to one of the plurality of raw storage devices; and
  
  modifies at least some of the intercepted requests to indicate that the requester satisfies the minimum privilege level to be granted access to one of the plurality of raw storage devices.
- View Dependent Claims (61, 62, 63, 64, 65, 66)
- - 61. The host computer of claim 60, wherein the minimum privilege level for a requester to be granted access one of the plurality of raw storage devices is system administrator privileges.
  - 62. The host computer of claim 60, wherein at least some of the plurality of raw storage devices have associated access privileges information that establishes a privilege level less than the minimum privilege level imposed by the access facility, wherein each request for access to one of the plurality of raw storage devices includes a requester, a target raw storage device and a requested action for performance on the target raw storage device, and wherein for each intercepted request, the controller:
63. The host computer of claim 62, wherein, for each intercepted request, the at least one controller passes along the request without modifying the access privileges associated therewith when it is determined that the requester is not privileged to perform the requested action on the target raw storage device.
64. The host computer of claim 62, wherein the at least one controller compares the access privileges information associated with the target raw storage device to information descriptive of the requested action to be performed on the target raw storage device.
65. The host computer of claim 60, wherein the at least one controller intercepts requests from a user of the host computer.
66. The host computer of claim 60, wherein the at least one controller intercepts requests from application programs executing on the host computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Hackett, Christopher J., Blumenau, Steven M., DʼErrico, Matthew J.
Primary Examiner(s)
WINDER, PATRICE L

Application Number

US09/224,789
Time in Patent Office

1,345 Days
Field of Search

707/9, 707/10, 707/103, 709/226, 709/229, 713/200, 713/201, 711/112, 711/163, 711/170, 711/164, 711/167, 345/340
US Class Current

709/229
CPC Class Codes

G06F 9/5016 the resource being the memory

Method and apparatus for providing secure access to a computer system resource

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

127 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing secure access to a computer system resource

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

127 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links