Method and apparatus for managing access to storage devices in a storage system with access control

US 7,165,152 B2
Filed: 12/29/2000
Issued: 01/16/2007
Est. Priority Date: 06/30/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for managing access to a storage system by a plurality of devices that are coupled to the storage system via a network, the method including acts of:

(a) in response to a non-media access request by a first of the plurality of devices to a logical device at the storage system for which the first device has no data access privileges, determining, based, at least in part, on an identity of the first device, whether the first device is authorized to have non-media access to the logical device;

(b) authorizing the non-media access request when it is determined in the act (a) that the first device is authorized to have non-media access to the logical device;

wherein the act (a) includes an act of, in response to the non-media access request by the first device to a logical volume of data at the storage system for which the first device has no data access privileges, determining whether the first device is authorized to have non-media access to the logical volume;

wherein the act (b) includes an act of authorizing the non-media access request when it is determined in the act (a) that the first device is authorized to have non-media access to the logical volume; and

wherein the acts (a) and (b) are performed outside of the storage system.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A storage system is provided that includes a plurality of storage devices and a data structure, accessible to the storage system, that includes a plurality of records corresponding to a plurality of network devices that are coupled to the storage system. Each record includes configuration data that identifies each of the plurality of storage devices to which data access by a respective one of the plurality of network devices is authorized. Each record may further include visibility data that identifies whether certain types of non-data access, such as requests for general information relating to a respective storage device, by a respective one of the plurality of network devices is permitted, even though data access to the respective storage device by the respective one of the plurality of network devices is not authorized.

98 Citations

View as Search Results

52 Claims

1. A method for managing access to a storage system by a plurality of devices that are coupled to the storage system via a network, the method including acts of:
- (a) in response to a non-media access request by a first of the plurality of devices to a logical device at the storage system for which the first device has no data access privileges, determining, based, at least in part, on an identity of the first device, whether the first device is authorized to have non-media access to the logical device;
  
  (b) authorizing the non-media access request when it is determined in the act (a) that the first device is authorized to have non-media access to the logical device;
  
  wherein the act (a) includes an act of, in response to the non-media access request by the first device to a logical volume of data at the storage system for which the first device has no data access privileges, determining whether the first device is authorized to have non-media access to the logical volume;
  
  wherein the act (b) includes an act of authorizing the non-media access request when it is determined in the act (a) that the first device is authorized to have non-media access to the logical volume; and
  
  wherein the acts (a) and (b) are performed outside of the storage system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further including an act of:
    - (c) denying the non-media access request when it is determined in the act (a) that the first device is not authorized to have non-media access to the logical device.
  - 3. The method of claim 2, wherein the act (c) includes an act of:
    - ignoring the non-media access request.
  - 4. The method of claim 2, wherein the act (b) includes an act of:
    - forwarding the non-media access request to a physical device corresponding to the logical device.
  - 5. The method of claim 1, wherein the non-media access request is an availability request to determine an availability of the logical device, and wherein the act (b) includes an act of:
    - forwarding the availability request to a physical device corresponding to the logical device.
  - 6. The method of claim 1, further including acts of:
    - (c) in response to a data access request by the first device to the logical device, determining whether the first device has data access privileges to the logical device; and
      
      (d) authorizing the data access request when it is determined in the act (c) that the first device has data access privileges to the logical device.
  - 7. The method claim 6, further including an act of:
    - (e) denying the data access request when it is determined in the act (c) that the first device has no data access privileges to the logical device.
  - 8. The method of claim 1, wherein the acts (a) and (b) are performed by a filter that controls access to a plurality of logical devices at the storage system, the method further including an act of:
    - (c) maintaining, in a data structure accessible to the filter, configuration information corresponding to the first device, the configuration information including;
      
      (1) first configuration information identifying each of the plurality of logical devices to which data access by the first device is authorized; and
      
      (2) whether non-media access is authorized to each of the plurality of logical devices for which the first configuration information identifies that no data access is authorized for the first device.
  - 9. The method of claim 8, wherein the act (a) includes an act of:
    - examining the configuration information corresponding to the first device to determine whether the first device is authorized to have non-media access to the logical device.
  - 10. The method of claim 1, wherein the acts (a) and (b) are performed by a filter that controls access to a plurality of logical devices at the storage system, the method further including an act of:
    - (c) maintaining, in a data structure accessible to the filter, configuration information corresponding to the first device, the configuration information identifying;
      
      (1) each of the plurality of logical devices to which data access by the first device is authorized; and
      
      (2) each of the plurality of logical devices to which non-media access by the first device is authorized.
  - 11. The method of claim 1, further including an act of:
    - (c) determining whether an access request by the first device is one of a data access request and a non-media access request.

12. A method for managing access to a storage system by a plurality of devices that are coupled to the storage system via a network, the storage system including a plurality of logical volumes of data, the method including acts of:
- (a) maintaining, in a data structure that is accessible to a filter that controls access to each of the plurality of logical volumes, configuration information identifying each logical volume of the plurality of logical volumes to which data access by a first device of the plurality of devices is authorized;
  
  (b) in response to a non-media access request by the first device to a first logical volume for which the first device has no data access privileges, determining, based, at least in part, on an identity of the first device, whether the first device is authorized to have non-media access to the first logical volume; and
  
  (c) authorizing the non-media access request when it is determined in the act (b) that the first device is authorized to have non-media access to the first logical volume;
  
  wherein the filter is outside of the storage system, and wherein the acts (a), (b), and (c) are performed outside of the storage system.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, further including an act of:
    - (d) denying the non-media access request when it is determined in the act (b) that the first device is not authorized to have non-media access to the first logical volume.
  - 14. The method of claim 13, wherein the act (c) includes an act of:
    - forwarding the non-media access request to a physical device corresponding to the first logical volume.
  - 15. The method of claim 12, wherein the act (c) includes an act of:
    - forwarding the non-media access request to a physical device corresponding to the first logical volume.
  - 16. The method of claim 12, further including acts of:
    - (d) in response to a data access request by the first device to the first logical volume, determining whether the first device has data access privileges to the first logical volume; and
      
      (e) authorizing the data access request when it is determined in the act (d) that the first device has data access privileges to the first logical volume.
  - 17. The method claim 16, further including an act of:
    - (f) denying the data access request when it is determined in the act (d) that the first device has no data access privileges to the first logical volume.
  - 18. The method of claim 12, further including an act of:
    - (d) determining whether an access request by the first device is one of a data access request and a non-media access request.
  - 19. The method of claim 12, wherein the non-media access request is an availability request to determine an availability of the first logical volume, and wherein the act (c) includes an act of:
    - forwarding the availability request to a physical storage device corresponding to the first logical volume.
  - 20. The method of claim 12, wherein the act (a) includes an act of:
    - maintaining, in the data structure that is accessible to the filter, configuration information that includes first configuration information identifying each logical volume of the plurality of logical volumes to which data access by the first device is authorized and second configuration information identifying whether non-media access is authorized to each of the plurality of logical volumes for which the first configuration information identifies that no data access is authorized for the first device.
  - 21. The method of claim 20, wherein the act (b) includes an act of:
    - examining the second configuration information to determine whether the first device is authorized to have non-media access to the first logical volume.
  - 22. The method of claim 12, wherein the act (a) includes an act of:
    - maintaining, in the data structure that is accessible to the filter, configuration information that identifies each logical volume of the plurality of logical volumes to which data access by the first device is authorized and each of the plurality of logical volumes to which non-media access by the first device is authorized.

23. An apparatus for use in a computer system including a plurality of devices, a storage system, and a network that couples the plurality of devices to the storage system, the apparatus comprising:
- an input to be coupled to the network; and
  
  at least one filter, coupled to the input, that is responsive to a non-media access request by a first of the plurality of devices to a logical device at the storage system for which the first device has no data access privileges, to determine, based, at least in part, on an identity of the first device, whether the first device is authorized to have non-media access to the logical device, and to authorize the non-media access request when it is determined that the first device is authorized to have non-media access to the logical device'"'"'wherein the logical device is a logical volume of data stored at the storage system; and
  
  wherein in response to the non media access request by the first device to the logical volume of data at the storage system for which the first device has no data access privileges, the at least one filter determines whether the first device is authorized to have non-media access to the logical volume, and authorizes the non media access request when it is determined that the first device is authorized to have non-media access to the logical volume; and
  
  wherein the at least one filter and the input each is disposed outside of the storage system.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 24. The apparatus of claim 23, wherein when it is determined that the first device is not authorized to have non-media access to the logical device, the at least one filter denies the non-media access request.
  - 25. The apparatus of claim 24, wherein the storage system includes a plurality of storage devices coupled to the at least one filter, and wherein when it is determined that the first device is authorized to have non-media access to the logical device, the at least one filter forwards the non-media access request to a storage device corresponding to the logical device.
  - 26. The apparatus of claim 23, wherein when it is determined that the first device is not authorized to have non-media access to the logical device, the at least one filter ignores the non-media access request.
  - 27. The apparatus of claim 23, wherein:
    - the storage system includes a plurality of storage devices coupled to the at least one filter;
      
      the non-media access request is an availability request to determine an availability of the logical device; and
      
      when it is determined that the first device is authorized to have non-media access to the logical device, the at least one filter forwards the request to a storage device corresponding to the logical device.
  - 28. The apparatus of claim 23, wherein in response to a data access request by the first device to the logical device, the at least one filter determines whether the first device has data access privileges to the logical device;
    - wherein the at least one filter authorizes the data access request when it is determined that the first device has data access privileges to the logical device; and
      
      wherein the at least one filter denies the data access request when it is determined that the first device has no data access privileges to the logical device.
  - 29. The apparatus of claim 23, wherein the apparatus further comprises:
    - a data structure, accessible to the at least one filter, that stores configuration information corresponding to the first device that includes first configuration information identifying each of a plurality of logical devices at the storage system to which data access by the first device is authorized, and second configuration information identifying whether non-media access is authorized to each of the plurality of logical devices for which the first configuration information identifies that no data access is authorized for the first device.
  - 30. The apparatus of claim 29, wherein the at least one filter examines the second configuration information corresponding to the first device to determine whether the first device is authorized to have non-media access to the logical device.
  - 31. The apparatus of claim 23, wherein the apparatus further comprises:
    - a data structure, accessible to the at least one filter, that stores configuration information corresponding to the first device that identifies each of a plurality of logical devices at the storage system to which data access by the first device is authorized and each of the plurality of logical devices to which non-media access by the first device is authorized.
  - 32. The apparatus of claim 23, wherein in response to an access request by the first device to the logical device, the at least one filter examines the access request to determine whether the access request is one of a data access request and a non-media access request.
  - 33. The apparatus of claim 23, in combination with the storage system, wherein the at least one filter and the input each is disposed within the storage system.
  - 34. The apparatus of claim 23, further comprising:
    - a data structure, accessible to the at least one filter, that stores configuration information corresponding to the first device that includes first configuration information identifying each of a plurality of logical volumes of data stored at the storage system to which data access by the first device is authorized, and second configuration information identifying whether non-media access is authorized to each of the plurality of logical volumes for which the first configuration information identifies that no data access is authorized for the first device.

35. An apparatus for use in a computer system including a plurality of devices, a storage system, and a network that couples the plurality of devices to the storage system, the apparatus comprising:
- an input to be coupled to the network;
  
  a data structure that stores configuration information identifying each logical volume of data of a plurality of logical volumes of data stored on the storage system to which data access by a first device of the plurality of devices is authorized; and
  
  at least one filter, coupled to the input, that is responsive to a non-media access request by the first device to a first logical volume of data of the plurality of logical volumes of data for which the first device has no data access privileges, to determine, based, at least in part, on an identity of the first device, whether the first device is authorized to have non-media access to the first logical volume of data, and to authorize the non-media access request when it is determined that the first device is authorized to have non-media access to the first logical volume of data;
  
  wherein the at least one filter, the data structure, and the input each is disposed outside of the storage system.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43)
- - 36. The apparatus of claim 35, wherein when it is determined that the first device is not authorized to have non-media access to the first logical volume of data, the at least one filter denies the non-media access request.
  - 37. The apparatus of claim 36, wherein the storage system includes a plurality of storage devices coupled to the at least one filter, and wherein when it is determined that the first device is authorized to have non-media access to the first logical volume of data, the at least one filter forwards the non-media access request to a storage device corresponding to the first logical volume of data.
  - 38. The apparatus of claim 35, wherein when it is determined that the first device is not authorized to have non-media access to the first logical volume of data, the at least one filter ignores the non-media access request.
  - 39. The apparatus of claim 35, wherein in response to a data access request by the first device to the first logical volume of data, the at least one filter determines, based upon the configuration information stored in the data structure, whether the first device has data access privileges to the first logical volume of data;
    - wherein the at least one filter authorizes the data access request when it is determined that the first device has data access privileges to the first logical volume of data; and
      
      wherein the at least one filter denies the data access request when it is determined that the first device has no data access privileges to the first logical volume of data.
  - 40. The apparatus of claim 35, wherein the configuration information stored in the data structure further identifies whether non-media access by the first device is authorized for each of the plurality of logical volumes of data stored on the storage system.
  - 41. The apparatus of claim 35, wherein the configuration information stored in the data structure is first configuration information, the data structure further including second configuration information that identifies whether non-media access is authorized to each of the plurality of logical volumes of data for which the first configuration identifies that no data access is authorized for the first device.
  - 42. The apparatus of claim 41, wherein the at least one filter examines the second configuration information to determine whether the first device is authorized to have non-media access to the logical device.
  - 43. The apparatus of claim 35, wherein in response to an access request by the first device to the first logical volume of data, the at least one filter examines the access request to determine whether the access request is one of a data access request and a non-media access request.

44. An apparatus for use in a computer system including a plurality of devices, a storage system, and a network that couples the plurality of devices to the storage system, the apparatus comprising:
- an input to be coupled to the network;
  
  a data structure that stores configuration information identifying each logical volume of data of a plurality of logical volumes of data stored on the storage system to which data access by a first device of the plurality of devices is authorized; and
  
  at least one filter, coupled to the input, that is responsive to a non-media access request by the first device to a first logical volume of data of the plurality of logical volumes of data for which the first device has no data access privileges, to determine, based, at least in part, on an identity of the first device, whether the first device is authorized to have non-media access to the first logical volume of data, and to authorize the non-media access request when it is determined that the first device is authorized to have non-media access to the first logical volume of data;
  
  wherein the at least one filter and the input each is disposed within the storage system, and wherein the data structure is disposed outside of the storage system.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52)
- - 45. The apparatus of claim 44, wherein when it is determined that the first device is not authorized to have non-media access to the first logical volume of data, the at least one filter denies the non-media access request.
  - 46. The apparatus of claim 45, wherein the storage system includes a plurality of storage devices coupled to the at least one filter, and wherein when it is determined that the first device is authorized to have non-media access to the first logical volume of data, the at least one filter forwards the non-media access request to a storage device corresponding to the first logical volume of data.
  - 47. The apparatus of claim 44, wherein when it is determined that the first device is not authorized to have non-media access to the first logical volume of data, the at least one filter ignores the non-media access request.
  - 48. The apparatus of claim 44, wherein in response to a data access request by the first device to the first logical volume of data, the at least one filter determines, based upon the configuration information stored in the data structure, whether the first device has data access privileges to the first logical volume of data;
    - wherein the at least one filter authorizes the data access request when it is determined that the first device has data access privileges to the first logical volume of data; and
      
      wherein the at least one filter denies the data access request when it is determined that the first device has no data access privileges to the first logical volume of data.
  - 49. The apparatus of claim 44, wherein the configuration information stored in the data structure further identifies whether non-media access by the first device is authorized for each of the plurality of logical volumes of data stored on the storage system.
  - 50. The apparatus of claim 44, wherein the configuration information stored in the data structure is first configuration information, the data structure further including second configuration information that identifies whether non-media access is authorized to each of the plurality of logical volumes of data for which the first configuration identifies that no data access is authorized for the first device.
  - 51. The apparatus of claim 50, wherein the at least one filter examines the second configuration information to determine whether the first device is authorized to have non-media access to the logical device.
  - 52. The apparatus of claim 44, wherein in response to an access request by the first device to the first logical volume of data, the at least one filter examines the access request to determine whether the access request is one of a data access request and a non-media access request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Fitzgerald, John T., Blumenau, Steven M., Madden, John F. Jr.
Primary Examiner(s)
MCLEAN MAYO, KIMBERLY N

Application Number

US09/751,684
Publication Number

US 20010020254A1
Time in Patent Office

2,209 Days
Field of Search

711/152, 711/151, 711/153, 711/154, 711/147
US Class Current

711/152
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 21/78   to assure secure storage of...

G06F 21/85   interconnection devices, e....

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2107   File encryption

G06F 2221/2129   Authenticate client device ...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2147   Locking files

G06F 9/468   Specific access rights for ...

H04L 63/10   for controlling access to d...

Method and apparatus for managing access to storage devices in a storage system with access control

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for managing access to storage devices in a storage system with access control

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links