Scalable and secure high-level storage access for cloud computing platforms

US 8,352,941 B1
Filed: 06/29/2009
Issued: 01/08/2013
Est. Priority Date: 06/29/2009
Status: Active Grant

First Claim

Patent Images

1. A method of providing storage access for cloud computing platforms, comprising:

receiving a storage object operation by an untrusted component contained in a client virtual machine;

passing said storage object operation through a hypervisor on which said client virtual machine is executing to a trusted component;

processing said storage object operation by said trusted component, said processing including obtaining an identifier of said client virtual machine and determining a customer-specific set of backend storage resources associated with said client virtual machine based on said identifier of said client virtual machine, wherein a backend storage system containing said customer-specific set of backend storage resources natively supports multi-tenancy through the use of tenant identifiers and said customer-specific backend storage resources are associated with one of said tenant identifiers, and wherein said hypervisor provides said identifier of said client virtual machine and ensures that said identifier of said client virtual machine cannot be forged;

passing said storage object operation from said trusted component to said backend storage system; and

performing said storage object operation on said customer-specific set of backend storage resources.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An untrusted component exposing a high level storage object interface within an untrusted client virtual machine accepts application level storage object operations. Responsive to a storage object operation, the untrusted component passes a message through the underlying hypervisor to an associated trusted component. The trusted component processes the message by authenticating the client virtual machine and locating an internal mapping between the client virtual machine and an associated customer-specific set of backend storage resources to which the requested storage object operation is to be applied. The trusted component uses a trust relationship with the backend storage system to securely communicate the storage object operation to the backend storage system, and passes the operation results through the hypervisor back to the untrusted component in the source client virtual machine from which the storage object request originated.

227 Citations

35 Claims

1. A method of providing storage access for cloud computing platforms, comprising:
- receiving a storage object operation by an untrusted component contained in a client virtual machine;
  
  passing said storage object operation through a hypervisor on which said client virtual machine is executing to a trusted component;
  
  processing said storage object operation by said trusted component, said processing including obtaining an identifier of said client virtual machine and determining a customer-specific set of backend storage resources associated with said client virtual machine based on said identifier of said client virtual machine, wherein a backend storage system containing said customer-specific set of backend storage resources natively supports multi-tenancy through the use of tenant identifiers and said customer-specific backend storage resources are associated with one of said tenant identifiers, and wherein said hypervisor provides said identifier of said client virtual machine and ensures that said identifier of said client virtual machine cannot be forged;
  
  passing said storage object operation from said trusted component to said backend storage system; and
  
  performing said storage object operation on said customer-specific set of backend storage resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein said trusted component is contained within an access point virtual machine also executing on said hypervisor.
  - 3. The method of claim 1, wherein said trusted component is contained within said hypervisor.
  - 4. The method of claim 1, further comprising:
    - wherein said determining said customer-specific set of backend storage resources associated with said client virtual machine based on said identifier of said client virtual machine includes determining said tenant identifier associated with said customer-specific set of backend storage resources; and
      
      wherein said performing said storage object operation on said customer-specific set of backend storage resources includes passing said tenant identifier from said trusted component to said backend storage system.
  - 5. The method of claim 1, further comprising:
    - wherein said passing said storage object operation to said backend storage system includes said trusted component directing said storage object operation to said customer-specific set of backend storage resources.
  - 6. The method of claim 5, further comprising:
    - wherein said customer-specific set of backend storage resources comprises a collection of storage objects; and
      
      wherein said directing said storage object operation to said customer-specific set of backend storage resources includes directing said storage object operation to said collection of storage objects.
  - 7. The method of claim 6, wherein said collection of storage objects comprises an instance of a file system.
  - 8. The method of claim 6, wherein said collection of storage objects comprises an instance of a database.
  - 9. The method of claim 1, further comprising:
    - passing a result of said storage object operation from said backend storage system to said trusted component; and
      
      passing said result of said storage object operation from said trusted component through said hypervisor to said client virtual machine.
  - 10. The method of claim 1, further comprising:
    - generating, by said untrusted component contained in said client virtual machine, a storage object command interface for receiving application level storage object operations; and
      
      wherein said storage object operation is one of said application level storage object operations received through said storage object command interface.
  - 11. The method of claim 10, wherein said application level storage object operations comprise file system operations.
  - 12. The method of claim 10, wherein said application level storage object operations comprise database system operations.
  - 13. The method of claim 1, wherein said customer-specific set of backend storage resources associated with said client virtual machine comprises storage resources in said backend storage system accessible only to storage operations from virtual machines providing a service to an associated storage service customer.
  - 14. The method of claim 1, further comprising:
    - wherein said storage object operation includes credentials of a user associated with said storage object operation; and
      
      wherein said backend storage system checks said credentials of said user to determine whether said user is authorized to perform said storage object operation.
  - 15. The method of claim 1, further comprising:
    - wherein said processing said storage object operation by said trusted component further includes determining storage access rights associated with said client virtual machine based on said identifier of said client virtual machine;
      
      determining whether said storage access rights associated with said client virtual machine permit said client virtual machine to perform said storage object operation; and
      
      preventing said storage object operation from being performed responsive to determining that said storage access rights associated with said client virtual machine do not permit said client virtual machine to perform said storage object operation.
  - 16. The method of claim 1, further comprising:
    - wherein said processing said storage object operation by said trusted component further includes determining at least one traffic shaping parameter associated with said client virtual machine based on said identifier of said client virtual machine; and
      
      controlling communication of said storage object operation to said backend storage system so that said at least one traffic shaping parameter is not exceeded.
  - 17. The method of claim 1, further comprising:
    - wherein said trusted component is one of a plurality of trusted components that form a caching layer that facilitates performance of application level storage object operations and moderates load on said backend storage system and a networking infrastructure connecting said trusted components and said backend storage system.

18. A system comprising:
- at least one processor and a non-transitory computer readable storage medium, said non-transitory computer readable storage medium having program code stored thereon including program code for providing storage access for cloud computing platforms, said program code for providing storage access for cloud computing platforms comprising;
  
  program code for receiving a storage object operation by an untrusted component contained in a client virtual machine,program code for passing said storage object operation through a hypervisor on which said client virtual machine is executing to a trusted component,program code for processing said storage object operation by said trusted component, said processing including obtaining an identifier of said client virtual machine and determining a customer-specific set of backend storage resources associated with said client virtual machine based on said identifier of said client virtual machine, wherein a backend storage system containing said customer-specific set of backend storage resources natively supports multi-tenancy through the use of tenant identifiers and said customer-specific backend storage resources are associated with one of said tenant identifiers, and wherein said hypervisor provides said identifier of said client virtual machine and ensures that said identifier of said client virtual machine cannot be forged,program code for passing said storage object operation from said trusted component to said backend storage system, andprogram code for performing said storage object operation on said customer-specific set of backend storage resources.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 19. The system of claim 18, wherein said trusted component is contained within an access point virtual machine also executing on said hypervisor.
  - 20. The system of claim 18, wherein said trusted component is contained within said hypervisor.
  - 21. The system of claim 18, further comprising:
    - wherein said program code for determining said customer-specific set of backend storage resources associated with said client virtual machine based on said identifier of said client virtual machine includes program code for determining said tenant identifier associated with said customer-specific set of backend storage resources; and
      
      wherein said program code for performing said storage object operation on said customer-specific set of backend storage resources includes program code for passing said tenant identifier from said trusted component to said backend storage system.
  - 22. The system of claim 18, further comprising:
    - wherein said program code for passing said storage object operation to said backend storage system includes program code in said trusted component for directing said storage object operation to said customer-specific set of backend storage resources.
  - 23. The system of claim 22, further comprising:
    - wherein said customer-specific set of backend storage resources comprises a collection of storage objects; and
      
      wherein said program code for directing said storage object operation to said customer-specific set of backend storage resources includes program code for directing said storage object operation to said collection of storage objects.
  - 24. The system of claim 23, wherein said collection of storage objects comprises an instance of a file system.
  - 25. The system of claim 23, wherein said collection of storage objects comprises an instance of a database.
  - 26. The system of claim 18, said program code for providing storage access for cloud computing platforms further comprising:
    - program code for passing a result of said storage object operation from said backend storage system to said trusted component; and
      
      program code for passing said result of said storage object operation from said trusted component through said hypervisor to said client virtual machine.
  - 27. The system of claim 18, said program code for providing storage access for cloud computing platforms further comprising:
    - program code for generating, by said untrusted component contained in said client virtual machine, a storage object command interface for receiving application level storage object operations; and
      
      wherein said storage object operation is one of said application level storage object operations received through said storage object command interface.
  - 28. The system of claim 27, wherein said application level storage object operations comprise file system operations.
  - 29. The system of claim 27, wherein said application level storage object operations comprise database system operations.
  - 30. The system of claim 18, wherein said customer-specific set of backend storage resources associated with said client virtual machine comprises storage resources in said backend storage system accessible only to storage operations from virtual machines providing a service to an associated storage service customer.
  - 31. The system of claim 18, further comprising:
    - wherein said storage object operation includes credentials of a user associated with said storage object operation; and
      
      wherein said backend storage system checks said credentials of said user to determine whether said user is authorized to perform said storage object operation.
  - 32. The system of claim 18, further comprising:
    - wherein said program code for processing said storage object operation by said trusted component further includes program code for determining storage access rights associated with said client virtual machine based on said identifier of said client virtual machine; and
      
      wherein said program code for providing storage access for cloud computing platforms further comprisesprogram code for determining whether said storage access rights associated with said client virtual machine permit said client virtual machine to perform said storage object operation, andprogram code for preventing said storage object operation from being performed responsive to determining that said storage access rights associated with said client virtual machine do not permit said client virtual machine to perform said storage object operation.
  - 33. The system of claim 18, further comprising:
    - wherein said program code for processing said storage object operation by said trusted component further includes program code for determining at least one traffic shaping parameter associated with said client virtual machine based on said identifier of said client virtual machine; and
      
      wherein said program code for providing storage access for cloud computing platforms further comprises program code for controlling communication of said storage object operation to said backend storage system so that said at least one traffic shaping parameter is not exceeded.
  - 34. The system of claim 18, further comprising:
    - wherein said trusted component is one of a plurality of trusted components that form a caching layer that facilitates performance of application level storage object operations and moderates load on said backend storage system and a networking infrastructure connecting said trusted components and said backend storage system.

35. A computer program product comprising:
- a non-transitory computer readable storage medium, said non-transitory computer readable storage medium having program code stored thereon including program code for providing storage access for cloud computing platforms, said program code for providing storage access for cloud computing platforms comprising;
  
  program code for receiving a storage object operation by an untrusted component contained in a client virtual machine,program code for passing said storage object operation through a hypervisor on which said client virtual machine is executing to a trusted component,program code for processing said storage object operation by said trusted component, said processing including obtaining an identifier of said client virtual machine and determining a customer-specific set of backend storage resources associated with said client virtual machine based on said identifier of said client virtual machine, wherein a backend storage system containing said customer-specific set of backend storage resources natively supports multi-tenancy through the use of tenant identifiers and said customer-specific backend storage resources are associated with one of said tenant identifiers, and wherein said hypervisor provides said identifier of said client virtual machine and ensures that said identifier of said client virtual machine cannot be forged,program code for passing said storage object operation from said trusted component to said backend storage system, andprogram code for performing said storage object operation on said customer-specific set of backend storage resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Protopopov, Boris, Leschner, Jurgen
Primary Examiner(s)
Puente, Emerson
Assistant Examiner(s)
KIM, DONG U

Application Number

US12/493,295
Time in Patent Office

1,289 Days
Field of Search

None
US Class Current

718/1
CPC Class Codes

G06F 2009/45579   I/O management, e.g. provid...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/102   Entity profiles

H04L 9/3247   involving digital signatures

Scalable and secure high-level storage access for cloud computing platforms

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

227 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Scalable and secure high-level storage access for cloud computing platforms

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

227 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links