Storage virtualization or just “virtualization” is defined as the process of taking many different physical storage networks and devices, and making them appear as one “virtual” entity for purposes of management and administration. The view of the storage device structure may not correspond to the actual physical storage system (hence, “virtual”). Virtualization using intelligent multi-protocol switches separates host commands into Slow Path and Fast Path. Slow Path commands consist of all Non-READ/Non-WRITE Small Computer System Interface (“SCSI”) commands in an input-output (IO) stream, viz. INQUIRY, READ CAPACITY, TEST UNIT READY, etc.; whereas all READ/WRITE SCSI commands qualify as Fast Path commands. All Slow Path commands can be faulted back to the Storage Application and appropriate response can be generated. Fast Path commands on the other hand directly go the back-end.
Storage Applications may rely on “volumes” of data. These are “logical volumes” or “logical objects”. In order for many Storage Applications to work in tandem (e.g. Mirroring a Snapshot), volumes must be organized as a hierarchical graph structure where each Storage Application “owns” a layer in the graph. Since each Storage Application should be able to work independently of each other, every Storage Applications can apply individual permissions on the volumes it owns.
In Switch based virtualization, the permissions applied on various volume levels, need to be applied at the switch ports where IOs can either be faulted or let through based on the permissions. Switch vendors provide an application programming interface (API) to allow storage applications to set permissions, whereby Storage Applications put volume permissions to control the behavior of Fast Path commands. The permissions determine whether Fast Path IO will get faulted back to the Storage Application, will be held at the switch port or will be allowed. Examples of Storage Applications can be Clones, Data Mobility, Snapshot, etc.
Storage area network (SAN) with controlled access to the hosts connected to the network is well known in the art. “Host computers” can be any type of computers, for application processing, operating systems and data management applications. The host computers may be connected over a network. This network may include switching nodes, although any other form of network may be used. There are number of granted patents in the field that discloses methods for storage virtualization, access control, handling of overlapping requests and mapping of permission for different hosts in the control memory block. Some of these prior art patents in the field are briefly described below.
U.S. Pat. No. 6,993,589 discloses a method and apparatus for providing secure access to a computer system resource. The computer system includes a plurality of logical volumes of data that are visible to a host computer and a storage system. In accordance with one aspect of the invention, a request, from a requester having less than system administrator access privileges, to perform an action directly on the one of the plurality of raw storage devices is granted, so that a logical channel is provided for the direct access without the said logical channel being mapped by a file system/LVM mapping layer contained in the host computer. According to another aspect, a plurality of volumes of storage are visible to the application layer, and access privileges less than the root access privileges are assigned to the at least one application program to access the plurality of volumes of storage.
Another approach for managing access to a plurality of storage resources in a computer system has been described in U.S. Pat. No. 6,993,581. In one aspect, requests to access one of the plurality of storage resources from the application layer are intercepted, and at least one of the interests is modified in a manner that will impact the access facility in determining whether the requestor satisfies the privilege level to be granted access to the one of the plurality of storage resources.
Yet another approach has been taken in the US 2004 0098424 A1, wherein metadata that relates logical block addresses of data used by a file system with the physical block addresses at which the data is stored is maintained in nodes that are arranged into a hierarchical volume map tree that extends from a root node to a plurality of leaf nodes. A method and apparatus is described for efficiently copying distributed data files. A copy of the volume map tree root node is maintained in a covolume and the modifications to that volume map tree copy is maintained as a new covolume by creating a new delta.
U.S. Pat. No. 6,535,891 discloses a technique for identifying accesses to a repository of logical objects stored on a storage system based upon information identifying accesses to physical storage locations. The repository is mapped from application space to physical space to create mapping information identifying which units of storage in physical space store the repository, and the mapping information is made visible to the application space. An incremental operation is executed on the repository of logical objects. A further aspect is directed to a storage system that identifies to the host accesses to a repository of logical objects based upon accesses to corresponding units of storage in physical space.
Further, a technique for host volume mapping for shared storage volumes in a multi-host computing environment has been disclosed in WIPO Publication No. WO 01/20470 A1. The method for controlling access to a shared storage device includes the steps of associating a locally unique identifier with each of the plurality of computers, defining a data structure in a memory identifying which particular ones of the computers based on the locally unique identifier may be granted access to the device; and querying the data structure to determine if a requesting one of the computers should be granted access to the device.
Furthermore, U.S. Pat. No. 6,842,843 discloses a digital data storage subsystem including arrangement for increasing cache memory addressability. A memory access request receiver module of a memory manager is configured to receive an access request requesting an access operation in connection with the memory, the access request including an address. A memory access operation control module of a memory manager is configured to perform an access operation in connection with the memory using an absolute address generated by an address translation module. The address in an access request includes a segment identifier and an offset, the address translation module being configured to process the segment identifier and offset to generate an absolute address identifying at least one storage location.
Another approach for storage mapping and partitioning among multiple host processors has been described in U.S. Pat. No. 6,799,255. A storage controller for controlling access to data storage has a memory and at least one data port for a data network including host processors. When the storage controller receives a data access request from a host processor, it decodes a host identifier from the data access request, and searches the memory for a host identifier matching the host identifier decoded from the request. Upon finding a match, the respective specification of the respective subset for the host processor is accessed to determine whether or not storage specified by the storage access request is contained in the respective subset. If so, then storage access can continue, and otherwise, storage access is denied.
However, current limitation in switch implementation is that they do not support hierarchical volume permissions, that is, the multi-protocol intelligent switches do not support permissions which are applied at various individual volume levels in a volume graph. On the contrary, they require the permissions to be applied only at the top level volume of the graph which is exposed to the host via the intelligent port. Therefore, the challenge is to create a mapping mechanism which can convert permissions at an individual volume level to be translated and applied at the top level. This kind of layered permissions is called a hierarchical permission map. Thus, in order to make hierarchical Storage Applications, e.g. data mobility or a cloned volume, there is a need for a mechanism to map hierarchical permissions to top level permissions, supported by the switches. The present invention aims to solve this technical problem for a storage area network (SAN).