Method for out of user space I/O with server authentication

US 7,500,071 B2
Filed: 08/31/2005
Issued: 03/03/2009
Est. Priority Date: 08/31/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method, in a data processing system, for performing input/output (I/O) operations with a remotely located storage system, comprising:

receiving an I/O request from an application instance, wherein the I/O request includes a key value for identifying an entry in a translation protection table data structure, and wherein the I/O request targets a portion of a storage device in the remotely located storage system upon which an I/O operation is to be performed;

retrieving an entry from a translation protection table based on the key value, wherein the entry includes an identifier of the storage device and a logical unit number corresponding to the portion of the storage device targeted by the I/O request;

generating a storage command based on the identifier of the storage device and the logical unit number retrieved with the entry from the translation protection table;

placing the storage command in a storage command queue for transmission to the remotely located storage system;

receiving, from the application instance, a request to open the portion of the storage device wherein the request includes an authentication key;

sending a command, having the authentication key, to the remotely located storage system to open the portion of the storage device;

returning results of the command to open the portion of the storage device to the application instance;

receiving, from the application instance, a request to allocate a logical unit of the storage device to the portion of the storage device for input/output operations of the application instance;

sending an allocate command, generated based on the received request to allocate the logical unit, to the remotely located storage system; and

receiving a response from the remotely located storage system identifying an authentication key for use in opening the logical unit of the portion of the storage device for I/O operations, wherein the remotely located storage system performs authentication on the command to open the portion of the storage device based on the authentication key, and wherein the authentication key is an authentication key generated and provided by the remotely located storage system to the application instance and is stored in a storage device of the data processing system that is only accessible by the application instance.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method that enables user space middleware or applications to pass I/O storage requests directly to a network attached storage device via a storage server that performs authentication is provided. A mechanism is provided for using a translation protection table (TPT) data structure, which may include a file name protection table (FNPT) and file extension protection table (FEPT), or logical volume protection table (LVPT), to control user space and out of user space Input/Output (I/O) operations. The storage server performs authentication of an application instance'"'"'s request to open an operating system logical volume and, upon being authenticated, permits the application instance to submit I/O storage requests via the TPT to the opened OS logical volume. I/O storage requests are translated into storage commands using the TPT and the storage commands are encapsulated for transmission via one or more networks to the storage server.

Citations

15 Claims

1. A method, in a data processing system, for performing input/output (I/O) operations with a remotely located storage system, comprising:
- receiving an I/O request from an application instance, wherein the I/O request includes a key value for identifying an entry in a translation protection table data structure, and wherein the I/O request targets a portion of a storage device in the remotely located storage system upon which an I/O operation is to be performed;
  
  retrieving an entry from a translation protection table based on the key value, wherein the entry includes an identifier of the storage device and a logical unit number corresponding to the portion of the storage device targeted by the I/O request;
  
  generating a storage command based on the identifier of the storage device and the logical unit number retrieved with the entry from the translation protection table;
  
  placing the storage command in a storage command queue for transmission to the remotely located storage system;
  
  receiving, from the application instance, a request to open the portion of the storage device wherein the request includes an authentication key;
  
  sending a command, having the authentication key, to the remotely located storage system to open the portion of the storage device;
  
  returning results of the command to open the portion of the storage device to the application instance;
  
  receiving, from the application instance, a request to allocate a logical unit of the storage device to the portion of the storage device for input/output operations of the application instance;
  
  sending an allocate command, generated based on the received request to allocate the logical unit, to the remotely located storage system; and
  
  receiving a response from the remotely located storage system identifying an authentication key for use in opening the logical unit of the portion of the storage device for I/O operations, wherein the remotely located storage system performs authentication on the command to open the portion of the storage device based on the authentication key, and wherein the authentication key is an authentication key generated and provided by the remotely located storage system to the application instance and is stored in a storage device of the data processing system that is only accessible by the application instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the translation protection table is part of an application library of a system image of the data processing system and contains an entry for each portion of each storage device, of the remotely located storage system, allocated to application instances running on the data processing system in association with the system image.
  - 3. The method of claim 1, wherein each entry in the translation protection table includes a protection domain for a corresponding application instance and the authentication key for the corresponding application instance, and wherein only the corresponding application instance is able to access the authentication key in the entry due to the authentication key being associated with the protection domain via the entry in the translation protection table.
  - 4. The method of claim 1, wherein the portion of the storage device is a logical volume comprising one or more logical unit numbers (LUNs) of the storage device.
  - 5. The method of claim 1, wherein the portion of the storage device is a file comprising one or more logical unit numbers (LUNs) of the storage device.
  - 6. The method of claim 1, further comprising:
    - storing, in the translation protection table data structure, an identifier of the authentication key in association with an identifier of the portion of the storage device.
  - 7. The method of claim 6, further comprising:
    - retrieving, from the entry retrieved from the translation protection table, the authentication key;
      
      generating an open command to open the portion of the storage device, wherein the open command includes the authentication key; and
      
      transmitting the open command to the remotely located storage system to thereby open the logical unit of the portion of the storage device for I/O operations during a current session between the application instance and the remotely located storage system, wherein the remotely located storage system opens the logical unit of the portion of the storage device for I/O operations only when the remotely located storage system verifies that the application instance is permitted to access the logical unit of the portion of the storage device based on the authentication key in the open command.
  - 8. The method of claim 1, further comprising:
    - receiving a request to create an entry in the translation protection table data structure for the portion of the storage device;
      
      creating an entry in the translation protection table data structure for the portion of the storage device; and
      
      returning a translation protection table key that corresponds to the created entry.
  - 9. The method of claim 8, wherein the entry includes a storage device identifier number, a logical unit number, an offset, and a length.
  - 10. The method of claim 9, wherein the entry further includes at least one of a protection domain, access control information, or an authentication key.
  - 11. The method of claim 1, further comprising:
    - receiving a request to query an entry in the translation protection table data structure for the portion of the storage device;
      
      identifying the entry in the translation protection table data structure for the portion of the storage device; and
      
      returning attributes of the entry in the translation protection table data structure.

12. A method, in a data processing system, for performing input/output (I/O) operations with a remotely located storage system, comprising:
- receiving an I/O request from an application instance, wherein the I/O request includes a key value for identifying an entry in a translation protection table data structure, and wherein the I/O request targets a portion of a storage device in the remotely located storage system upon which an I/O operation is to be performed;
  
  retrieving an entry from a translation protection table based on the key value, wherein the entry includes an identifier of the storage device and a logical unit number corresponding to the portion of the storage device targeted by the I/O request;
  
  generating a storage command based on the identifier of the storage device and the logical unit number retrieved with the entry from the translation protection table;
  
  placing the storage command in a storage command queue for transmission to the remotely located storage system;
  
  receiving, from the application instance, a request to open the portion of the storage device wherein the request includes an authentication key;
  
  sending a command, having the authentication key, to the remotely located storage system to open the portion of the storage device;
  
  returning results of the command to open the portion of the storage device to the application instance;
  
  receiving a request to modify an entry in the translation protection table data structure for the portion of the storage device;
  
  modifying the entry in the translation protection table data structure;
  
  returning attributes of the modified entry in the translation protection table; and
  
  determining if there are any active transactions on the entry in the translation protection table data structure, wherein the data processing system modifies the entry in the translation protection table data structure only if there are no active transactions on the entry, wherein the remotely located storage system performs authentication on the command to open the portion of the storage device based on the authentication key, and wherein the authentication key is an authentication key generated and provided by the remotely located storage system to the application instance and is stored in a storage device of the data processing system that is only accessible by the application instance.
- View Dependent Claims (13)
- - 13. The method of claim 12, further comprising:
    - initiating a timer if there is an active transaction on the entry in the translation protection table data structure;
      
      determining if the timer times out prior to a quiescent point being reached; and
      
      generating an error if the timer times out prior to the quiescent point being reached.

14. A method, in a data processing system, for performing input/output (I/O) operations with a remotely located storage system, comprising:
- receiving an I/O request from an application instance, wherein the I/O request includes a key value for identifying an entry in a translation protection table data structure, and wherein the I/O request targets a portion of a storage device in the remotely located storage system upon which an I/O operation is to be performed;
  
  retrieving an entry from a translation protection table based on the key value, wherein the entry includes an identifier of the storage device and a logical unit number corresponding to the portion of the storage device targeted by the I/O request;
  
  generating a storage command based on the identifier of the storage device and the logica1 unit number retrieved with the entry from the translation protection table;
  
  placing the storage command in a storage command queue for transmission to the remotely located storage system;
  
  receiving, from the application instance, a request to open the portion of the storage device wherein the request includes an authentication key;
  
  sending a command, having the authentication key, to the remotely located storage system to open the portion of the storage device;
  
  returning results of the command to open the portion of the storage device to the application instance;
  
  receiving a request to delete an entry in the translation protection table data structure for the portion of the storage device;
  
  marking the entry in the translation protection table data structure as being invalid; and
  
  determining if there are any active transactions on the entry in the translation protection table data structure, wherein the data processing system marks the entry in the translation protection table data structure as being invalid only if there are no active transactions on the entry, wherein the remotely located storage system performs authentication on the command to open the portion of the storage device based on the authentication key, and wherein the authentication key is an authentication key generated and provided by the remotely located storage system to the application instance and is stored in a storage device of the data processing system that is only accessible by the application instance.
- View Dependent Claims (15)
- - 15. The method of claim 14, further comprising:
    - initiating a timer if there is an active transaction on the entry in the translation protection table data structure;
      
      determining if the timer times out prior to a quiescent point being reached; and
      
      generating an error if the timer times out prior to the quiescent point being reached.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo International Limited (Lenovo Group Ltd.)
Original Assignee
International Business Machines Corporation
Inventors
Recio, Renato J., Vega, Madeline, Boyd, William Todd, Mena, Agustin III, Hufferd, John Lewis
Primary Examiner(s)
Ellis; Kevin L
Assistant Examiner(s)
BRADLEY, MATTHEW A

Application Number

US11/216,879
Publication Number

US 20070050591A1
Time in Patent Office

1,280 Days
Field of Search

711/163
US Class Current

711/163
CPC Class Codes

G06F 21/78   to assure secure storage of...

G06F 3/0622   in relation to access

G06F 3/0637   Permissions

G06F 3/0659   Command handling arrangemen...

G06F 3/067   Distributed or networked st...

G06F 9/461   Saving or restoring of prog...

G06F 9/468   Specific access rights for ...

G06F 9/485   Task life-cycle, e.g. stopp...

Method for out of user space I/O with server authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method for out of user space I/O with server authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links