Method for extending the fragment mapping protocol to prevent malicious access to virtualized storage

US 8,935,751 B1
Filed: 09/29/2006
Issued: 01/13/2015
Est. Priority Date: 09/29/2006
Status: Active Grant

First Claim

Patent Images

1. A file server for serving a file system, the file server comprising:

an interface configured to receive a query from a storage device to validate a request made by a client device to access a file from the storage device, the query including a user identifier and a file location associated with the file access request; and

a non-transitory computer usable medium having a computer readable program code, said computer readable program code including;

a reverse map configured to translate the file location into a file descriptor, the file descriptor being used to obtain meta-data corresponding to the file; and

a permission query handler, operative to determine, in response to the meta-data and access information associated with the file descriptor, whether the client device associated with the user identifier is authorized to access the file,the interface configured to send a determination indication to the data storage device in order to prompt the data storage device to allow the client device to access the file only if the client device is authorized to access the file.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Extensions to the Fragment Mapping Protocol are introduced which protect a disk array from malicious client access by exporting file system access information to the storage device. FMP requests received at the storage device can be authorized at a block granularity prior to completion, thereby limiting the exposure of the disk array to malicious clients. Client authorizations can be cached at the storage device to enable the permissions to be quickly extracted for subsequent client accesses to pre-authorized volumes.

Citations

17 Claims

1. A file server for serving a file system, the file server comprising:
- an interface configured to receive a query from a storage device to validate a request made by a client device to access a file from the storage device, the query including a user identifier and a file location associated with the file access request; and
  
  a non-transitory computer usable medium having a computer readable program code, said computer readable program code including;
  
  a reverse map configured to translate the file location into a file descriptor, the file descriptor being used to obtain meta-data corresponding to the file; and
  
  a permission query handler, operative to determine, in response to the meta-data and access information associated with the file descriptor, whether the client device associated with the user identifier is authorized to access the file,the interface configured to send a determination indication to the data storage device in order to prompt the data storage device to allow the client device to access the file only if the client device is authorized to access the file.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The file server of claim 1 wherein the query is implemented as a remote procedure call to a fragment mapping protocol.
  - 3. The file server of claim 1 wherein the interface is configured to send one or more client device permissions associated with the file to the storage device.
  - 4. The file server of claim 3, wherein the interface is configured to forward a command to the storage device revoking the one or more permissions associated with the file.
  - 5. The file server of claim 4 wherein the command is implemented as a remote procedure call to a fragment mapping protocol.

6. An apparatus comprising:
- a storage interface configured to communicate with a plurality of storage devices;
  
  a client interface configured to communicate with a plurality of clients seeking access to the plurality of storage devices, including to receive a request from a coupled client device to access an extent of data from the storage devices;
  
  a network interface configured to communicate with a file server which services a file system associated with files maintained on the storage devices; and
  
  a non-transitory computer usable medium having a computer readable program code, said computer readable program code including a permission query module, coupled to the client interface and the network interface for generating a query to the file server in response to receipt of the request from the coupled client device, the request including a client identifier and a location of the extent of data, the query including the client identifier and the location of the extent of data associated with the access request, the file server being configured to use the request to retrieve access information for the coupled client for the location of the extent of data and return the access information to the apparatus, the apparatus allowing the coupled client to access the extent of data only if the coupled client is authorized to access the extent of data.
- View Dependent Claims (7, 8)
- - 7. The apparatus of claim 6 wherein the query is implemented as a remote procedure call to a fragment mapping protocol.
  - 8. The apparatus of claim 6 further including a cache for storing the access information received from the file server.

9. A method for controlling access to a storage array comprising:
- receiving, at a storage device, a request from a client to initiate an access to an extent comprising one or more blocks on the storage device;
  
  generating, at the storage device, a query corresponding to the request, the query including a user identifier corresponding to the client and a storage location associated with the access request;
  
  forwarding, from the storage device to a server a query to a file servicing a file system associated with the request, the query to determine whether the client is authorized for the access;
  
  receiving the query at the server;
  
  determining, at the server, whether the client is authorized to access the one or more blocks by using the storage location, the user identifier and the file system;
  
  responding, from the server to the storage device, to the query with an indication of whether the client is authorized to access the extent; and
  
  selectively permitting, at the storage device, the client to access the extent based on the indication a response from the file server in response to the query.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9 wherein the query includes one or more of a Logical Unit Number (LUN) of a disk device to be accessed, a list of user interfaces used to access the LUN and a type of access.
  - 11. The method of claim 9 further including receiving the response from the server, the response including at least one of an access status and a plurality of permissions for different types of accesses by the client to the extent.
  - 12. The method of claim 11 further including storing the response of the server in a cache.
  - 13. The method of claim 12 further including checking the cache for access permissions in response to the client request before generating the query for the server.

14. A method of validating access rights to a storage device comprising:
- receiving, by a server from the storage device, a permission query associated with a request sent from a client to the storage device to access data from the storage device, the permission query identifying the client, a location of the data, and a type of access;
  
  reverse mapping the location of the data into a file descriptor associated with a file at the location of the data;
  
  retrieving access information for the file using the file descriptor;
  
  determining whether the client identified in the query has permission to perform the type of access identified in the query on the file; and
  
  responding, from the server to the storage device, to the permission query with an indication of whether the client has permission to perform the type of access identified in the query on the file.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, wherein the indication is an indication of a success or failure of the access.
  - 16. The method of claim 14 wherein the indication is an indication of permissions available to the client for the file for different types of accesses.
  - 17. The method of claim 16 including revoking permissions available to the client for at least one of the different types of accesses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Cardente, John, Fridella, Stephen, Gupta, Uday
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
PLECHA, THADDEUS J

Application Number

US11/537,073
Time in Patent Office

3,028 Days
Field of Search

726/5, 726/4
US Class Current

726/4
CPC Class Codes

G06F 16/10   File systems; File servers

G06F 16/183   Provision of network file s...

G06F 21/6218   to a system of files or obj...

G06F 21/78   to assure secure storage of...

G06F 3/0622   in relation to access

G06F 3/0637   Permissions

G06F 3/0689   Disk arrays, e.g. RAID, JBOD

H04L 63/10   for controlling access to d...

H04L 67/1097   for distributed storage of ...

Method for extending the fragment mapping protocol to prevent malicious access to virtualized storage

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method for extending the fragment mapping protocol to prevent malicious access to virtualized storage

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links