1. Technical Field
This application generally relates to data storage systems, and more particularly to techniques used with providing access to data storage systems and managing secure data access.
2. Description of Related Art
Computer systems may include different resources used by one or more host processors. Resources and host processors in a computer system may be interconnected by one or more communication connections. These resources may include, for example, data storage devices such as those included in the data storage systems manufactured by EMC Corporation. These data storage systems may be coupled to one or more servers or host processors and provide storage services to each host processor. Multiple data storage systems from one or more different vendors may be connected and may provide common data storage for one or more host processors in a computer system.
A host processor may perform a variety of data processing tasks and operations using the data storage system. For example, a host processor may perform basic system I/O operations in connection with data requests, such as data read and write operations.
Host processor systems may store and retrieve data using a storage device containing a plurality of host interface units, disk drives, and disk interface units. The host systems access the storage device through a plurality of channels provided therewith. Host systems provide data and access control information through the channels to the storage device and the storage device provides data to the host systems also through the channels. The host systems do not address the disk drives of the storage device directly, but rather, access what appears to the host systems as a plurality of logical disk units. The logical disk units may or may not correspond to the actual disk drives. Allowing multiple host systems to access the single storage device unit allows the host systems to share data in the device. In order to facilitate sharing of the data on the device, additional software on the data storage systems may also be used.
Data storage systems and servers may be configured in a network arrangement referred to as a Storage Area Network (SAN). Each of the servers may have access to different physical devices, and/or logical portions thereof, included in the SAN. Software residing on the data storage systems may be used in connection with enforcing data storage system access rules as may be specified for each of the different servers. The software residing on the data storage systems may use different techniques in identifying the particular hosts and associated connectivity to the data storage systems.
One technique uses a software generated host identifier (host id). At various times, such as when a host boots up, an agent or other software on the host may push the software generated host id through one or more paths to the data storage systems in the SAN. An agent may be, for example, a daemon process or service. The data storage system associates the particular paths through which the same host id is pushed as being paths from the same host. When storage access to a particular device in the SAN is defined for a given host, access is allowed to the particular device when a request is received from one of those paths associated with the given host.
There may be instances when a same software-generated host id is used in connection with two different hosts or servers. For example, a system image of a first host may be “cloned” or copied for use on a second host. If the software-generated host id is copied to the second host with the system image, the same host id may be also propagated. Accordingly, the same host id is now associated with two different hosts with the additional new paths coming from the second host. This poses a security access issues since the second host may be provided with the same data storage access as the first host.
As an alternative, the host id may be derived from a property that is unique to the hardware of each host. Although this latter alternative overcomes the problems associated with the former technique, additional drawbacks are introduced. For example, the hardware from which the host id is formed may be removed from a host. If the hardware is moved from one host to another, the new host may assume the identity of the former host and data storage access previously granted to the original host may be granted to the new host when it should not be granted. Additionally, when the hardware of an existing host is replaced, the existing host may be improperly denied storage access.