Access control to block storage devices for a shared disk based file system
First Claim
Patent Images
1. In a data processing network including a client, a metadata server, and a block storage device, the metadata server managing metadata of a shared-disk file system, and the block storage device storing file data of the shared-disk file system, a method of securing read or write access of the client to the block storage device, said method comprising:
- the client sending a request to the metadata server for access to at least a portion of a file in the shared-disk file system, and the metadata server granting access of the client to said at least a portion of the file by returning to the client information specifying a token for validating read or write access to file data of said at least a portion of the file;
the client sending a read or write command for read or write access to storage of the block storage device, the read or write command including the token and specifying a logical block address; and
the block storage device receiving the read or write command from the client and evaluating the token to determine whether or not the token permits the client to read from or write to the storage at the specified logical block address, and the block storage device permitting the client to read from or write to the storage at the specified logical block address upon determining that the token permits the client to read from or write to the storage at the specified logical block address;
which further includes the metadata server forming a virtual block address for a range of contiguous logical block addresses, the virtual block address including the token, and the metadata server sending the virtual block address to the client upon granting the client access to said at least a portion of the file, and wherein the client inserts the virtual block address into at least a portion of an address field of the read-write command; and
which further includes the metadata server sending the token and a logical block address for said range of contiguous logical block addresses to the block storage device, and the block storage device storing the received token in a memory in association with the logical block address for said range of contiguous logical block addresses, and the block storage device using the virtual block address in the read or write command received from the client to perform a look-up in the memory in order to perform the evaluation of the token to determine whether or not the token permits the client to read from or write to the storage at the specified logical block address when a token is found in the memory in association with the logical block address for said range of contiguous logical block addresses and the token found in the memory in association with the logical block address for said range of contiguous logical block addresses is the same as the token in the virtual address.
9 Assignments
0 Petitions
Accused Products
Abstract
For enhanced access control, a client includes a token in each read or write command sent to a block storage device. The block storage device evaluates the token to determine whether or not read or write access is permitted at a specified logical block address. For example, the token is included in the logical block address field of a SCSI read or write command. The client may compute the token as a function of the logical block address of a data block to be accessed, or a metadata server may include the token in each block address of each extent reported to the client in response to a metadata request. For enhanced security, the token also is a function of a client identifier, a logical unit number, and access rights of the client to a particular extent of file system data blocks.
483 Citations
3 Claims
-
1. In a data processing network including a client, a metadata server, and a block storage device, the metadata server managing metadata of a shared-disk file system, and the block storage device storing file data of the shared-disk file system, a method of securing read or write access of the client to the block storage device, said method comprising:
-
the client sending a request to the metadata server for access to at least a portion of a file in the shared-disk file system, and the metadata server granting access of the client to said at least a portion of the file by returning to the client information specifying a token for validating read or write access to file data of said at least a portion of the file; the client sending a read or write command for read or write access to storage of the block storage device, the read or write command including the token and specifying a logical block address; and the block storage device receiving the read or write command from the client and evaluating the token to determine whether or not the token permits the client to read from or write to the storage at the specified logical block address, and the block storage device permitting the client to read from or write to the storage at the specified logical block address upon determining that the token permits the client to read from or write to the storage at the specified logical block address; which further includes the metadata server forming a virtual block address for a range of contiguous logical block addresses, the virtual block address including the token, and the metadata server sending the virtual block address to the client upon granting the client access to said at least a portion of the file, and wherein the client inserts the virtual block address into at least a portion of an address field of the read-write command; and which further includes the metadata server sending the token and a logical block address for said range of contiguous logical block addresses to the block storage device, and the block storage device storing the received token in a memory in association with the logical block address for said range of contiguous logical block addresses, and the block storage device using the virtual block address in the read or write command received from the client to perform a look-up in the memory in order to perform the evaluation of the token to determine whether or not the token permits the client to read from or write to the storage at the specified logical block address when a token is found in the memory in association with the logical block address for said range of contiguous logical block addresses and the token found in the memory in association with the logical block address for said range of contiguous logical block addresses is the same as the token in the virtual address. - View Dependent Claims (2)
-
-
3. A system comprising:
-
a client; a metadata server managing metadata of a shared-disk file system; and a block storage device storing file data of the shared-disk file system; wherein the client is programmed to send a request to the metadata server for access to at least a portion of a file in the shared-disk file system, and the metadata server is programmed to grant access of the client to said at least a portion of the file by returning to the client information specifying a token for validating read or write access to file data of said at least a portion of the file; and the metadata server is programmed to form a virtual block address for a range of contiguous logical block addresses, the virtual block address including the token, and to send the virtual block address to the client upon granting the client access to said at least a portion of the file, and the client is programmed to insert the virtual block address into an address field of a Small Computer System Interface (SCSI) read or write command and to send the Small Computer System Interface (SCSI) read or write command to the block storage device; and the metadata server is programmed to send the token and a logical block address for said range of contiguous logical block addresses to the block storage device, and the block storage device includes; data storage storing the file data of the shared-disk file system; a network adapter coupled to the data storage for transfer of data between the client and the data storage; and at least one data processor coupled to the data storage and the network adapter for control of transfer of data between the network adapter and the data storage; wherein said at least one data processor is programmed to receive the Small Computer System Interface (SCSI) read or write command from the client, and to evaluate the virtual block address in the block address field of the Small Computer System Interface (SCSI) read or write command from the client to determine whether or not the virtual block address in the block address field is a valid virtual block address, and upon determining that the virtual block address in the block address field is not a valid virtual block address, to deny the client read or write access to the data storage, and otherwise, upon determining that the virtual block address in the block address field is a valid virtual block address, to produce a logical block address from the valid virtual block address and to permit the client to read from or write to the data storage at the logical block address produced from the valid virtual block address; and wherein the block storage device further includes a cache memory storing tokens from the metadata server in association with logical block addresses from the metadata server, and wherein said at least one data processor is further programmed to evaluate the virtual block address in the block address field by obtaining a token from a first group of bits in the block address field, obtaining a logical block address from a second group of bits in the block address field, accessing the cache memory to determine whether the cache memory contains the token in association with the logical block address from the second group of bits in the block address field to determine that the block address in the block address field is not a valid virtual block address when the token is not found in the cache memory in association with the logical block address from the second group of bits in the block address field, and otherwise to determine that the block address in the block address field is a valid virtual block address when the token is found in the cache memory in association with the logical block address from the second group of bits in the block address field.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeEmc IP Holding Company LLC (Dell Technologies Inc.)
-
Original AssigneeEMC Corporation (Dell Technologies Inc.)
-
InventorsBrashers, Per, Faibish, Sorin, Glasgow, Jason, Jiang, Xiaoye, Wurzl, Mario
-
Primary Examiner(s)Le, Thu-Nguyet
-
Application NumberUS12/242,618Time in Patent Office1,183 DaysField of Search707/704, 707/783, 707/705, 707/781, 709/229US Class Current707/705CPC Class CodesG06F 16/137 Hash-based content-based in...G06F 16/1774 Locking methods, e.g. locki...
