Methods and apparatus for providing security for a data storage system
Abstract
The invention is directed to techniques for providing security in data storage systems that provide access to data by other systems, such as host computer systems. A data access manager generates access tokens that it assigns to storage locations that store data in one or more data storage assemblies in the data storage system. A host that makes a request to access specific storage locations having data must obtain an access token associated with those storage locations from the data access manager, and provide the access token with the request to the data storage system. The data storage system then authenticates the request based on the access token.
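As an added illustration of the flow the abstract describes (not code from the patent), the Python model below has a data access manager establish one token per range of disk addresses, and a storage assembly approve a block command only when the presented token is identical to the one associated with that range. The class names, the 16-byte random tokens, the per-host allow set, the tiny block size and the constant-time comparison are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
BLOCK_SIZE = 4  # tiny block size so the constructed sample data stays readable


@dataclass(frozen=True)
class BlockCommand:
    """Device-oriented, block-based command: names disk addresses, not files."""
    opcode: str        # "READ" or "WRITE" (simplified stand-in for a SCSI command)
    lba: int           # first disk address
    count: int         # number of blocks
    data: bytes = b""  # payload for WRITE


@dataclass
class StorageAssembly:
    """Storage locations plus the control circuit that checks tokens."""
    blocks: dict = field(default_factory=dict)        # lba -> block contents
    range_tokens: dict = field(default_factory=dict)  # (first, last) -> second token

    def authorize(self, cmd, first_token):
        """Approve only if the whole span sits inside a range whose token is identical."""
        if cmd.count <= 0 or cmd.lba < 0 or not isinstance(first_token, bytes):
            return False
        end = cmd.lba + cmd.count - 1
        return any(
            hmac.compare_digest(first_token, second_token)  # constant-time equality
            for (first, last), second_token in self.range_tokens.items()
            if first <= cmd.lba and end <= last
        )

    def handle(self, cmd, first_token):
        if not self.authorize(cmd, first_token):
            return {"status": "ACCESS_FAILURE", "data": b""}
        if cmd.opcode == "WRITE" and len(cmd.data) == cmd.count * BLOCK_SIZE:
            for i in range(cmd.count):
                self.blocks[cmd.lba + i] = cmd.data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            return {"status": "OK", "data": b""}
        if cmd.opcode == "READ":
            span = range(cmd.lba, cmd.lba + cmd.count)
            return {"status": "OK",
                    "data": b"".join(self.blocks.get(a, bytes(BLOCK_SIZE)) for a in span)}
        return {"status": "BAD_COMMAND", "data": b""}


class DataAccessManager:
    """Establishes one token per range and hands it only to hosts it has approved."""

    def __init__(self, assembly):
        self.assembly, self.tokens, self.allowed = assembly, {}, set()

    def establish(self, first, last, hosts):
        token = secrets.token_bytes(16)
        self.tokens[(first, last)] = token
        self.allowed |= {(host, first, last) for host in hosts}
        self.assembly.range_tokens[(first, last)] = token  # the "second" token

    def request_token(self, host, first, last):
        return self.tokens[(first, last)] if (host, first, last) in self.allowed else None


def demo():
    """Constructed scenario: host-a may use blocks 0-99; nobody was granted 100-199."""
    assembly = StorageAssembly()
    manager = DataAccessManager(assembly)
    manager.establish(0, 99, hosts={"host-a"})
    manager.establish(100, 199, hosts=set())
    token = manager.request_token("host-a", 0, 99)
    return [
        assembly.handle(BlockCommand("WRITE", 10, 2, b"ABCDEFGH"), token)["status"],
        assembly.handle(BlockCommand("READ", 98, 4), token)["status"],   # runs past the range
        assembly.handle(BlockCommand("READ", 100, 1), token)["status"],  # token is for another range
    ]
```

Because the check is keyed on disk addresses rather than file names, a command that starts inside an authorized range but extends beyond it is refused as a whole.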
27 Claims
1. A data storage system for accessing a set of data, comprising:
a data access manager for establishing a plurality of tokens for accessing the set of data; a network connection in communication with the data access manager; and a data storage assembly in communication with the network connection, the data storage assembly comprising (i) a set of storage locations that stores the set of data, and (ii) a control circuit configured to: receive from a host in communication with the data access manager over the network connection (i) a device oriented, block based command to access the set of data and (ii) a first access token of the plurality of tokens that provides access to the set of data stored in the set of storage locations in the data storage system; generate an authorization signal that controls access to the set of data based on the first access token and a second access token of the plurality of tokens, the second access token associated with the set of storage locations, by performing a comparison of the first access token to the second access token associated with the set of storage locations, if the comparison indicates that the first access token and the second access token are identical, produce an access approval signal that provides access to the set of storage locations; and if the comparison indicates that the first access token and the second access token are not identical, produce an access failure signal that indicates a denial of access to the set of storage locations; and produce a response signal that provides a response to the device oriented, block based command over the network connection to the host based on the authorization signal, wherein, when receiving, the control circuit is configured to receive from the host in communication with the data access manager over the network connection the first access token of the plurality of tokens that provides access to the set of data stored within a range of disk addresses in the set of storage locations of the data storage assembly, the range of disk addresses distinct from file names associated with the set of data; and when generating, generate an authorization signal that controls access to the set of data based on the first access token and a second access token of the plurality of tokens, the second access token associated with the range of disk addresses in the set of storage locations. - View Dependent Claims (2, 3, 4, 5, 18, 21, 23, 24)
6. In a data storage system having a set of storage locations, a method for accessing a set of data stored in the set of storage locations, comprising the steps of:
receiving from a host (i) a device oriented, block based command to access the set of data stored in the set of storage locations and (ii) a first access token that provides access to the set of data stored in the set of storage locations; generating an authorization signal that controls access to the set of data based on the first access token and a second access token associated with the set of storage locations, by comparing the first access token to the second access token associated with the set of storage locations, if the comparing step indicates that the first access token and the second access token are identical, producing an access approval signal that provides access to the set of storage locations; and if the comparing step indicates that the first access token and the second access token are not identical, producing an access failure signal that indicates a denial of access to the set of storage locations; and producing a response signal that provides a response to the device oriented, block based command to the host based on the authorization signal, wherein, when receiving, receiving from the host the first access token that provides access to the set of data stored within a range of disk addresses in the set of storage locations of the data storage assembly, the range of disk addresses distinct from file names associated with the set of data; and when generating, generate an authorization signal that controls access to the set of data based on the first access token and the second access token, the second access token associated with the range of disk addresses in the set of storage locations. - View Dependent Claims (7, 8, 9, 10, 25)
11. A computer program product that includes a computer readable medium having instructions stored thereon for accessing a set of data, such that the instructions, when carried out by a data storage system having a set of storage locations storing the set of data, cause the data storage system to perform the steps of:
receiving from a host (i) a device oriented, block based command to access the set of data stored in the set of storage locations and (ii) a first access token that provides access to the set of data stored in the set of storage locations; generating an authorization signal that controls access to the set of data based on the first access token and a second access token associated with the set of storage locations, by comparing the first access token to the second access token associated with the set of storage locations, if the comparing step indicates that the first access token and the second access token are identical, producing an access approval signal that provides access to the set of storage locations; and if the comparing step indicates that the first access token and the second access token are not identical, producing an access failure signal that indicates a denial of access to the set of storage locations; and produce a response signal that provides a response to the device oriented, block based command to the host based on the authorization signal, wherein, when receiving, receiving from the host the first access token that provides access to the set of data stored within a range of disk addresses in the set of storage locations of the data storage assembly, the range of disk addresses distinct from file names associated with the set of data; and when generating, generating an authorization signal that controls access to the set of data based on the first access token and the second access token, the second access token associated with the range of disk addresses in the set of storage locations. - View Dependent Claims (26)
12. A data storage assembly for accessing a set of data, comprising:
a set of storage locations that stores the set of data; and a control circuit in communication with the set of storage locations, the control circuit configured to: receive from a host in communication with the control circuit over a network connection (i) a device oriented, block based command to access the set of data and (ii) a first access token that provides access to the set of data stored in the set of storage locations; generate an authorization signal that controls access to the set of data based on the first access token and a second access token associated with the set of storage locations, by comparing the first access token to the second access token associated with the set of storage locations, if the comparison indicates that the first access token and the second access token are identical, produce an access approval signal that provides access to the set of storage locations; and if the comparison indicates that the first access token and the second access token are not identical, produce an access failure signal that indicates a denial of access to the set of storage locations; and produce a response signal that provides a response to the device oriented, block based command over the network connection to the host based on the authorization signal, wherein, when receiving, the control circuit is configured to receive from the host in communication with a data access manager over the network connection the first access token that provides access to the set of data stored within a range of disk addresses in the set of storage locations of the data storage assembly, the range of disk addresses distinct from file names associated with the set of data; and when generating, generate an authorization signal that controls access to the set of data based on the first access token and the second access token, the second access token associated with the range of disk addresses in the set of storage locations. - View Dependent Claims (13)
14. In a data storage assembly having a set of storage locations, a method for accessing a set of data stored in the set of storage locations, comprising the steps of:
receiving from a host (i) a device oriented, block based command to access the set of data stored in the set of storage locations and (ii) a first access token that provides access to the set of data stored in the set of storage locations; generating an authorization signal that controls access to the set of data based on the first access token and a second access token associated with the set of storage locations, by comparing the first access token to the second access token associated with the set of storage locations, if the comparing step indicates that the first access token and the second access token are identical, producing an access approval signal that provides access to the set of storage locations; and if the comparing step indicates that the first access token and the second access token are not identical, producing an access failure signal that indicates a denial of access to the set of storage locations; and producing a response signal that provides a response to the device oriented, block based command to the host based on the authorization signal, wherein, when receiving, receiving from the host the first access token of the plurality of tokens that provides access to the set of data stored within a range of disk addresses in the set of storage locations of the data storage assembly, the range of disk addresses distinct from file names associated with the set of data; and when generating, generate an authorization signal that controls access to the set of data based on the first access token and the second access token, the second access token associated with the range of disk addresses in the set of storage locations. - View Dependent Claims (15)
16. A computer program product that includes a computer readable medium having instructions stored thereon for accessing a set of data, such that the instructions, when carried out by a data storage assembly having a set of storage locations that store the set of data, cause the data storage assembly to perform the steps of:
receiving from a host (i) a device oriented, block based command to access the set of data stored in the set of storage locations and (ii) a first access token that provides access to the set of data stored in the set of storage locations; generating an authorization signal that controls access to the set of data based on the first access token and a second access token associated with the set of storage locations, by comparing the first access token to the second access token associated with the set of storage locations, if the comparing step indicates that the first access token and the second access token are identical, producing an access approval signal that provides access to the set of storage locations; and if the comparing step indicates that the first access token and the second access token are not identical, producing an access failure signal that indicates a denial of access to the set of storage locations; and producing a response signal that provides a response to the device oriented, block based command to the host based on the authorization signal, wherein, when receiving, receiving from the host the first access token of the plurality of tokens that provides access to the set of data stored within a range of disk addresses in the set of storage locations of the data storage assembly, the range of disk addresses distinct from file names associated with the set of data; and when generating, generate an authorization signal that controls access to the set of data based on the first access token and the second access token, the second access token associated with the range of disk addresses in the set of storage locations.
17. A data access system for providing access to a set of data, comprising:
a host comprising (i) a memory having a host application, (ii) an input/output controller, and (iii) a processor in communication with the memory and the input/output controller, wherein the processor operates in accordance with instructions of the host application stored in the memory to request access to the set of data; a network connection in communication with the host; and a data storage assembly in communication with the network connection, the data storage assembly comprising (i) a set of storage locations that stores the set of data, and (ii) a control circuit, wherein: the processor of the host operates in accordance with the host application to provide to the data storage assembly through the input/output controller of the host and the network connection (i) a device oriented, block based command to access the set of data and (ii) a first access token of a plurality of tokens that provides access to the set of data stored in the set of storage locations in the data storage assembly; the control circuit of the data storage assembly is configured to receive over the network connection (i) the device oriented, block based command to access the set of data and (ii) the first access token provided by the host; the control circuit is configured to generate, in response to receiving the device oriented, block based command and the first access token, an authorization signal that controls access to the set of data based on the first access token and a second access token of the plurality of tokens, the second access token associated with the set of storage locations, by comparing the first access token to the second access token associated with the set of storage locations, if the comparing step indicates that the first access token and the second access token are identical, producing an access approval signal that provides access to the set of storage locations; and if the comparing step indicates that the first access token and the second access token are not identical, producing an access failure signal that indicates a denial of access to the set of storage locations; and the control circuit is configured to produce a response signal that provides a response to the device oriented, block based command over the network connection to the host based on the authorization signal, wherein, when receiving, the control circuit is configured to receive from the host over the network connection the first access token of the plurality of tokens that provides access to the set of data stored within a range of disk addresses in the set of storage locations of the data storage assembly, the range of disk addresses distinct from file names associated with the set of data; and when generating, generate an authorization signal that controls access to the set of data based on the first access token and the second access token of the plurality of tokens, the second access token associated with the range of disk addresses in the set of storage locations.
19. In a data access system having a host and a data storage assembly having a set of storage locations, a method for providing access to a set of data stored in the set of storage locations, comprising the steps of:
providing to the data storage assembly from the host (i) a device oriented, block based command to access the set of data and (ii) a first access token of a plurality of tokens that provides access to the set of data stored in the set of storage locations in the data storage assembly; generating, in response to receiving the device oriented, block based command and the first access token, an authorization signal that controls access to the set of data based on the first access token and a second access token of the plurality of tokens, the second access token associated with the set of storage locations, by comparing the first access token to the second access token associated with the set of storage locations, if the comparing step indicates that the first access token and the second access token are identical, producing an access approval signal that provides access to the set of storage locations; and if the comparing step indicates that the first access token and the second access token are not identical, producing an access failure signal that indicates a denial of access to the set of storage locations; and producing a response signal that provides a response to the device oriented, block based command from the data storage assembly to the host based on the authorization signal, wherein, when receiving, receiving from the host the first access token of the plurality of tokens that provides access to the set of data stored within a range of disk addresses in the set of storage locations of the data storage assembly, the range of disk addresses distinct from file names associated with the set of data; and when generating, generate an authorization signal that controls access to the set of data based on the first access token and the second access token of the plurality of tokens, the second access token associated with the range of disk addresses in the set of storage locations. - View Dependent Claims (20)
22. A data storage system for accessing a set of data, comprising:
a data access manager for establishing a plurality of tokens for accessing the set of data; a network connection in communication with the data access manager; and a data storage assembly in communication with the network connection, the data storage assembly comprising (i) a set of storage locations that stores the set of data, and (ii) a control circuit configured to: receive from a host in communication with the data access manager over the network connection (i) a device oriented, block based command to access the set of data and (ii) a first access token of the plurality of tokens that provides access to the set of storage locations within a range of disk addresses in the set of storage locations in the data storage system, the range of disk addresses distinct from file names associated with the set of data; generate an authorization signal that controls access to the set of storage locations based on the first access token and a second access token of the plurality of tokens, the second access token associated with the range of disk addresses in the set of storage locations; and produce a response signal that provides a response to the device oriented, block based command over the network connection to the host based on the authorization signal, wherein, when receiving, the control circuit is configured to receive from the host in communication with the data access manager over the network connection the first access token of the plurality of tokens that provides access to the set of data stored within a range of disk addresses in the set of storage locations of the data storage assembly, the range of disk addresses distinct from file names associated with the set of data; and when generating, generate an authorization signal that controls access to the set of data based on the first access token and the second access token of the plurality of tokens, the second access token associated with the range of disk addresses in the set of storage locations.
27. A data storage system for accessing a set of data, comprising:
a data access manager for establishing a plurality of tokens for accessing the set of data; a network connection in communication with the data access manager; and a data storage assembly in communication with the network connection, the data storage assembly comprising (i) a set of storage locations having a range of disk addresses that stores the set of data, and (ii) a control circuit configured to: receive from the host in communication with the data access manager over the network connection (i) a device oriented, block based command to access the set of data, the device oriented, block based command comprising one or more ranges of disk addresses of the set of storage locations and (ii) a first access token of the plurality of tokens that provides access to the set of data stored in the range of disk addresses; generate an authorization signal that controls access to the set of data based on the first access token and a second access token of the plurality of tokens, the second access token associated with the set of storage locations, by performing a comparison of the first access token to the second access token associated with the set of storage locations; if the comparison indicates that the first access token and the second access token are identical, produce an access approval signal that provides access to the set of storage locations; and if the comparison indicates that the first access token and the second access token are not identical, produce an access failure signal that indicates a denial of access to the set of storage locations; and produce a response signal that provides a response to the device oriented, block based command over the network connection to the host based on the authorization signal; wherein the device oriented, block based command comprises a SCSI command and the control circuit is configured to receive the SCSI command via non-channel communications using a transport protocol, wherein, when receiving, the control circuit is configured to receive from the host in communication with the data access manager over the network connection the first access token of the plurality of tokens that provides access to the set of data stored within a range of disk addresses in the set of storage locations of the data storage assembly, the range of disk addresses distinct from file names associated with the set of data; and when generating, generate an authorization signal that controls access to the set of data based on the first access token and the second access token of the plurality of tokens, the second access token associated with the range of disk addresses in the set of storage locations.
Specification