Scalable and secure high-level storage access for cloud computing platforms
First Claim
1. A method of providing storage access for cloud computing platforms, comprising:
- receiving a storage object operation by an untrusted component contained in a client virtual machine;
passing said storage object operation through a hypervisor on which said client virtual machine is executing to a trusted component;
processing said storage object operation by said trusted component, said processing including obtaining an identifier of said client virtual machine and determining a customer-specific set of backend storage resources associated with said client virtual machine based on said identifier of said client virtual machine, wherein a backend storage system containing said customer-specific set of backend storage resources natively supports multi-tenancy through the use of tenant identifiers and said customer-specific backend storage resources are associated with one of said tenant identifiers, and wherein said hypervisor provides said identifier of said client virtual machine and ensures that said identifier of said client virtual machine cannot be forged;
passing said storage object operation from said trusted component to said backend storage system; and
performing said storage object operation on said customer-specific set of backend storage resources.
9 Assignments
0 Petitions
Accused Products
Abstract
An untrusted component exposing a high level storage object interface within an untrusted client virtual machine accepts application level storage object operations. Responsive to a storage object operation, the untrusted component passes a message through the underlying hypervisor to an associated trusted component. The trusted component processes the message by authenticating the client virtual machine and locating an internal mapping between the client virtual machine and an associated customer-specific set of backend storage resources to which the requested storage object operation is to be applied. The trusted component uses a trust relationship with the backend storage system to securely communicate the storage object operation to the backend storage system, and passes the operation results through the hypervisor back to the untrusted component in the source client virtual machine from which the storage object request originated.
227 Citations
35 Claims
-
1. A method of providing storage access for cloud computing platforms, comprising:
-
receiving a storage object operation by an untrusted component contained in a client virtual machine; passing said storage object operation through a hypervisor on which said client virtual machine is executing to a trusted component; processing said storage object operation by said trusted component, said processing including obtaining an identifier of said client virtual machine and determining a customer-specific set of backend storage resources associated with said client virtual machine based on said identifier of said client virtual machine, wherein a backend storage system containing said customer-specific set of backend storage resources natively supports multi-tenancy through the use of tenant identifiers and said customer-specific backend storage resources are associated with one of said tenant identifiers, and wherein said hypervisor provides said identifier of said client virtual machine and ensures that said identifier of said client virtual machine cannot be forged; passing said storage object operation from said trusted component to said backend storage system; and performing said storage object operation on said customer-specific set of backend storage resources. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
-
-
18. A system comprising:
at least one processor and a non-transitory computer readable storage medium, said non-transitory computer readable storage medium having program code stored thereon including program code for providing storage access for cloud computing platforms, said program code for providing storage access for cloud computing platforms comprising; program code for receiving a storage object operation by an untrusted component contained in a client virtual machine, program code for passing said storage object operation through a hypervisor on which said client virtual machine is executing to a trusted component, program code for processing said storage object operation by said trusted component, said processing including obtaining an identifier of said client virtual machine and determining a customer-specific set of backend storage resources associated with said client virtual machine based on said identifier of said client virtual machine, wherein a backend storage system containing said customer-specific set of backend storage resources natively supports multi-tenancy through the use of tenant identifiers and said customer-specific backend storage resources are associated with one of said tenant identifiers, and wherein said hypervisor provides said identifier of said client virtual machine and ensures that said identifier of said client virtual machine cannot be forged, program code for passing said storage object operation from said trusted component to said backend storage system, and program code for performing said storage object operation on said customer-specific set of backend storage resources. - View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
-
35. A computer program product comprising:
a non-transitory computer readable storage medium, said non-transitory computer readable storage medium having program code stored thereon including program code for providing storage access for cloud computing platforms, said program code for providing storage access for cloud computing platforms comprising; program code for receiving a storage object operation by an untrusted component contained in a client virtual machine, program code for passing said storage object operation through a hypervisor on which said client virtual machine is executing to a trusted component, program code for processing said storage object operation by said trusted component, said processing including obtaining an identifier of said client virtual machine and determining a customer-specific set of backend storage resources associated with said client virtual machine based on said identifier of said client virtual machine, wherein a backend storage system containing said customer-specific set of backend storage resources natively supports multi-tenancy through the use of tenant identifiers and said customer-specific backend storage resources are associated with one of said tenant identifiers, and wherein said hypervisor provides said identifier of said client virtual machine and ensures that said identifier of said client virtual machine cannot be forged, program code for passing said storage object operation from said trusted component to said backend storage system, and program code for performing said storage object operation on said customer-specific set of backend storage resources.
Specification