Method and apparatus for providing secure access to a...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate

Rate now

  [ 0.00 ] – not rated yet Voters 0   Comments 0

Details

C711S164000

Reexamination Certificate

active

06449652

ABSTRACT:

FIELD OF THE INVENTION
The present invention is directed to a method and apparatus for providing secure access to a computer system resource such as a storage device.
DESCRIPTION OF THE RELATED ART
Many computer systems include one or more host computers and one or more storage systems that store data used by the host computers. An example of such a system is shown in
FIG. 1
, and includes a host computer
1
and a storage system
3
. The storage system typically includes a plurality of storage devices on which data are stored. In the exemplary system shown in
FIG. 1
, the storage system
3
includes a plurality of disk drives
5
a
-
5
b,
and a plurality of disk controllers
7
a
-
7
b
that respectively control access to the disk drives
5
a
and
5
b.
The storage system
3
further includes a plurality of storage bus directors
9
that control communication with the host computer
1
over communication buses
17
. The storage system
3
further includes a cache
11
to provide improved storage system performance. In particular, when the host computer
1
executes a read from the storage system
3
, the storage system
3
may service the read from the cache
11
(when the data are stored in the cache), rather than from one of the disk drives
5
a
-
5
b,
to execute the read more efficiently. Similarly, when the host computer
1
executes a write to the storage system
3
, the corresponding storage bus director
9
may execute the write to the cache
11
. Thereafter, the write can be destaged asynchronously, in a manner transparent to the host computer
1
, to the appropriate one of the disk drives
5
a
-
5
b.
Finally, the storage system
3
includes an internal bus
13
over which the storage bus directors
9
, disk controllers
7
a
-
7
b,
and the cache
11
communicate.
The host computer
1
includes a processor
16
and one or more host bus adapters
15
that each controls communication between the processor
16
and the storage system
3
via a corresponding one of the communication buses
17
. It should be appreciated that rather than a single processor
16
, the host computer
1
can include multiple processors. Each bus
17
can be any of a number of different types of communication links, with the host bus adapter
15
and the storage bus directors
9
being adapted to communicate using an appropriate protocol for the communication bus
17
coupled therebetween. For example, each of the communication buses
17
can be implemented as a SCSI bus, with the directors
9
and adapters
15
each being a SCSI driver. Alternatively, communication between the host computer
1
and the storage system
3
can be performed over a Fibre Channel fabric.
As shown in the exemplary system of
FIG. 1
, some computer systems employ multiple paths for communicating between the host computer
1
and the storage system
3
(e.g., each path includes a host bus adapter
15
, a bus
17
and a storage bus director
9
in FIG.
1
). In many such systems, each of the host bus adapters
15
has the ability to access each of the disk drives
5
a-b,
through the appropriate storage bus director
9
and disk controller
7
a-b.
It should be appreciated that providing such multi-path capabilities enhances system performance, in that multiple communication operations between the host computer
1
and the storage system
3
can be performed simultaneously.
FIG. 2
is a schematic representation of a number of mapping layers that may exist in a known computer system such as the one shown in FIG.
1
. The mapping layers include an application layer
21
which includes application programs executing on the processor
16
of the host computer
1
. As used herein, “application program” is not limited to any particular implementation, and includes any kind of program or process executable by one or more computer processors, whether implemented in hardware, software, firmware, or combinations of them. The application layer
21
will generally refer to storage locations used thereby with a label or identifier such as a file name, and will have no knowledge about where the corresponding file is physically stored on the storage system
3
(FIG.
1
). Below the application layer
21
is a file system and/or a logical volume manager (LVM)
23
that maps the label or identifier specified by the application layer
21
to a logical volume that the host computer
1
perceives to correspond directly to a physical device address (e.g., the address of one of the disk drives
5
a-b
) within the storage system
3
. Below the file system/LVM layer
23
is a multi-path mapping layer
25
that maps the logical volume address specified by the file system/LVM layer
23
, through a particular one of the multiple system paths, to the logical volume address to be presented to the storage system
3
. Thus, the multi-path mapping layer
25
not only specifies a particular logical volume address, but also specifies a particular one of the multiple system paths to access the specified logical volume.
If the storage system
3
were not an intelligent storage system, the logical volume address specified by the multi-pathing layer
25
would identify a particular raw physical device (e.g., one of disk drives
5
a-b
) within the storage system
3
. However, for an intelligent storage system such as that shown in
FIG. 1
, the storage system itself may include a further mapping layer
27
, such that the logical volume address passed from the host computer
1
may not correspond directly to an actual physical device (e.g., a disk drive
5
a-b
) on the storage system
3
. Rather, a logical volume specified by the host computer
1
can be spread across multiple physical storage devices (e.g., disk drives
5
a-b
), or multiple logical volumes accessed by the host computer
1
can be stored on a single physical storage device.
Some operating systems require that users have appropriate access privileges to access and modify files in various ways. For example, Unix operating systems such as Sun Solaris and IBM AIX associate with each file a filename, an owner (i.e., an identifier of the user or application who created the file), and access privileges information which identifies the operations that different users are allowed to perform on the file. The access privileges information specifies, for example, whether a user is allowed to read, write, or execute the file, or any combination thereof. The access privileges information includes access privileges information for the owner of the file, for specified groups of users, and for all other users (referred to as “world” access privileges). For example, the access privileges information for a file may indicate that the owner of the file may read, write, and execute the file, that a specified group of users may read and write the file, and that the world (i.e., all other users) may only read the file. Many operating systems allow a user with system administrator privileges (e.g., a user with the login name “root” in Unix) to perform any operation on any file.
Each request sent to the file system/LVM mapping layer
23
to access a file maintained by the mapping layer contains information identifying the file to be accessed, the identity of the application program making the request (which may, for example, be derived from the identity of the user who executed the application program), and the action desired to be performed on the file. In the case of a request to open a file maintained by a file system within mapping layer
23
, the file system compares the information contained in the request to the access privileges information associated with the file to determine whether to grant the request. If, for example, the owner of a file requests to open the file for writing and the file's access privileges information indicates that the owner of the file has write access to the file, then the file system opens the file for writing. If, however, a user who only has “world” access privileges to a file requests to open the file for writing and the “world” access privileges information for the fil

LandOfFree

Say what you really think

Search LandOfFree.com for the USA inventors and patents. Rate them and share your experience with other people.

Rating

Method and apparatus for providing secure access to a... does not yet have a rating. At this time, there are no reviews or comments for this patent.

If you have personal experience with Method and apparatus for providing secure access to a..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and apparatus for providing secure access to a... will most certainly appreciate the feedback.

Rate now

     

Profile ID: LFUS-PAI-O-2848708

  Search
All data on this website is collected from public sources. Our data reflects the most accurate information available at the time of publication.