The present invention is directed to a method and apparatus for providing secure access to a computer system resource such as a storage device.
Many computer systems include one or more host computers and one or more storage systems that store data used by the host computers. An example of such a system is shown in FIG. 1, and includes a host computer 1 and a storage system 3. The storage system typically includes a plurality of storage devices on which data are stored. In the exemplary system shown in FIG. 1, the storage system 3 includes a plurality of disk drives 5a-5b, and a plurality of disk controllers 7a-7b that respectively control access to the disk drives 5a and 5b. The storage system 3 further includes a plurality of storage bus directors 9 that control communication with the host computer 1 over communication buses 17. The storage system 3 further includes a cache 11 to provide improved storage system performance. In particular, when the host computer 1 executes a read from the storage system 3, the storage system 3 may service the read from the cache 11 (when the data are stored in the cache), rather than from one of the disk drives 5a-5b, to execute the read more efficiently. Similarly, when the host computer 1 executes a write to the storage system 3, the corresponding storage bus director 9 may execute the write to the cache 11. Thereafter, the write can be destaged asynchronously, in a manner transparent to the host computer 1, to the appropriate one of the disk drives 5a-5b. Finally, the storage system 3 includes an internal bus 13 over which the storage bus directors 9, disk controllers 7a-7b, and the cache 11 communicate.
The host computer 1 includes a processor 16 and one or more host bus adapters 15 that each controls communication between the processor 16 and the storage system 3 via a corresponding one of the communication buses 17. It should be appreciated that rather than a single processor 16, the host computer 1 can include multiple processors. Each bus 17 can be any of a number of different types of communication links, with the host bus adapter 15 and the storage bus directors 9 being adapted to communicate using an appropriate protocol for the communication bus 17 coupled therebetween. For example, each of the communication buses 17 can be implemented as a SCSI bus, with the directors 9 and adapters 15 each being a SCSI driver. Alternatively, communication between the host computer 1 and the storage system 3 can be performed over a Fibre Channel fabric.
As shown in the exemplary system of FIG. 1, some computer systems employ multiple paths for communicating between the host computer 1 and the storage system 3 (e.g., each path includes a host bus adapter 15, a bus 17 and a storage bus director 9 in FIG. 1). In many such systems, each of the host bus adapters 15 has the ability to access each of the disk drives 5a-b, through the appropriate storage bus director 9 and disk controller 7a-b. It should be appreciated that providing such multi-path capabilities enhances system performance, in that multiple communication operations between the host computer 1 and the storage system 3 can be performed simultaneously.
FIG. 2 is a schematic representation of a number of mapping layers that may exist in a known computer system such as the one shown in FIG. 1. The mapping layers include an application layer 21 which includes application programs executing on the processor 16 of the host computer 1. As used herein, "application program" is not limited to any particular implementation, and includes any kind of program or process executable by one or more computer processors, whether implemented in hardware, software, firmware, or combinations of them. The application layer 21 will generally refer to storage locations used thereby with a label or identifier such as a file name, and will have no knowledge about where the corresponding file is physically stored on the storage system 3 (FIG. 1). Below the application layer 21 is a file system and/or a logical volume manager (LVM) 23 that maps the label or identifier specified by the application layer 21 to a logical volume that the host computer 1 perceives to correspond directly to a physical device address (e.g., the address of one of the disk drives 5a-b) within the storage system 3. Below the file system/LVM layer 23 is a multi-path mapping layer 25 that maps the logical volume address specified by the file system/LVM layer 23, through a particular one of the multiple system paths, to the logical volume address to be presented to the storage system 3. Thus, the multi-path mapping layer 25 not only specifies a particular logical volume address, but also specifies a particular one of the multiple system paths to access the specified logical volume.
If the storage system 3 were not an intelligent storage system, the logical volume address specified by the multi-pathing layer 25 would identify a particular raw physical device (e.g., one of disk drives 5a-b) within the storage system 3. However, for an intelligent storage system such as that shown in FIG. 1, the storage system itself may include a further mapping layer 27, such that the logical volume address passed from the host computer 1 may not correspond directly to an actual physical device (e.g., a disk drive 5a-b) on the storage system 3. Rather, a logical volume specified by the host computer 1 can be spread across multiple physical storage devices (e.g., disk drives 5a-b), or multiple logical volumes accessed by the host computer 1 can be stored on a single physical storage device.
Some operating systems require that users have appropriate access privileges to access and modify files in various ways. For example, Unix operating systems such as Sun Solaris and IBM AIX associate with each file a filename, an owner (i.e., an identifier of the user or application who created the file), and access privileges information which identifies the operations that different users are allowed to perform on the file. The access privileges information specifies, for example, whether a user is allowed to read, write, or execute the file, or any combination thereof. The access privileges information includes access privileges information for the owner of the file, for specified groups of users, and for all other users (referred to as "world" access privileges). For example, the access privileges information for a file may indicate that the owner of the file may read, write, and execute the file, that a specified group of users may read and write the file, and that the world (i.e., all other users) may only read the file. Many operating systems allow a user with system administrator privileges (e.g., a user with the login name "root" in Unix) to perform any operation on any file.
Each request sent to the file system/LVM mapping layer 23 to access a file maintained by the mapping layer contains information identifying the file to be accessed, the identity of the application program making the request (which may, for example, be derived from the identity of the user who executed the application program), and the action desired to be performed on the file. In the case of a request to open a file maintained by a file system within mapping layer 23, the file system compares the information contained in the request to the access privileges information associated with the file to determine whether to grant the request. If, for example, the owner of a file requests to open the file for writing and the file's access privileges information indicates that the owner of the file has write access to the file, then the file system opens the file for writing. If, however, a user who only has "world" access privileges to a file requests to open the file for writing and the "world" access privileges information for the file indicates that such a user may only read from the file, the user's request to open the file for writing is denied.
In most computer systems, a logical volume can be accessed as a "raw" storage device without using the file system/LVM mapping layer 23 to access raw data stored on the logical volume. Some operating systems associate access privileges information, such as that described above, with raw storage devices. A request to "open" a raw storage device (i.e., to open a logical channel through which to send data to or receive data from the raw storage device without using the file system/LVM mapping layer 23) for reading or writing contains information identifying the raw storage device to be opened, the identity of the user making the request, and the purpose for which the raw storage device is to be opened (e.g., reading or writing). Some operating systems, however, such as Sun Solaris and IBM AIX, only grant requests from users having system administrator privileges to open raw storage devices, regardless of the user's access privileges and the access privileges information associated with the raw storage device. Requests from users other than users having system administrator privileges are automatically rejected. Similarly, other operating systems, such as Windows NT, do not even maintain access privileges information for raw storage devices and only allow users having system administrator privileges to access raw storage devices. As a result, for almost all operating systems, an application must have system administrator privileges to directly access raw storage devices.
Some application programs have been developed, for execution on a host computer, which read data from and write data to raw devices directly, without passing through the file system/LVM mapping layer 23. Due to the nature of most operating systems, however, it typically is necessary to grant system administrator user privileges to such applications to enable them to have direct access to raw devices. It is undesirable to grant such privileges to application programs because doing so provides the application programs with the ability to perform any operation on all raw devices in the system, without any access restrictions.
It is an object of the present invention to provide a method and apparatus for providing an application program with direct but limited access to raw devices.
One illustrative embodiment of the invention is directed to a method of managing access to one of a plurality of raw storage devices in a computer system including a host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer, the computer system including a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising the plurality of raw storage devices. The method comprises a step of: (A) granting a request, from a requester having less than system administrator access privileges, to perform an action on the one of the plurality of raw storage devices.
Another illustrative embodiment of the invention is directed to a computer readable medium encoded with a program for execution on a host computer in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer. The computer system further includes a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices. The program, when executed on the host computer, performs a method of managing access to one of the plurality of raw storage devices, the method comprising a step of: (A) granting a request, from a requester having less than system administrator access privileges, to perform an action on the one of the plurality of raw storage devices.
A further illustrative embodiment of the invention is directed to a host computer for use in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer. The computer system further includes a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices. The host computer comprises: a processor, and a memory programmed with an application program that has less than system administrator access privileges, the application program, when executed on the processor, having privileges to access at least one of the plurality of raw storage devices.
Another illustrative embodiment of the invention is directed to a host computer for use in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer. The computer system further includes a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices. The host computer comprises at least one controller to manage access to the plurality of raw storage devices, wherein the at least one controller is adapted to grant a request, from a requester having less than system administrator access privileges, to perform an action on one of the plurality of raw storage devices.
Another illustrative embodiment of the invention is directed to a method of responding to a request from a requester to perform an action on one of a plurality of raw storage devices, wherein the one of the plurality of raw storage devices has associated access privileges information, in a computer system including a host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer. The computer system includes a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices. The method comprises steps of: (A) determining whether the requester is privileged to perform the action on the one of the plurality of raw storage devices by comparing the access privileges information associated with the one of the plurality of raw storage devices with information descriptive of the requester; (B) granting the request to perform the action on the one of the plurality of raw storage devices when it is determined in the step (A) that the requester is privileged to perform the action; and (C) denying the request to perform the action on the one of the plurality of raw storage devices when it is determined in the step (A) that the requester is not privileged to perform the action.
A further illustrative embodiment of the invention is directed to a computer readable medium encoded with a program for execution on a host computer in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer. The computer system includes a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices. The program, when executed on the host computer, performs a method of responding to a request from a requester to perform an action on one of the plurality of raw storage devices, wherein the one of the plurality of raw storage devices has associated access privileges information, the method comprising steps of: (A) determining whether the requester is privileged to perform the action on the one of the plurality of raw storage devices by comparing the access privileges information associated with the one of the plurality of raw storage devices with information descriptive of the requester; (B) granting the request to perform the action on the one of the plurality of raw storage devices when it is determined in the step (A) that the requester is privileged to perform the action; and (C) denying the request to perform the action on the one of the plurality of raw storage devices when it is determined in the step (A) that the requester is not privileged to perform the action.
Another illustrative embodiment of the invention is directed to a host computer for use in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer. The computer system includes a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, wherein at least one of the plurality of raw storage devices has associated access privileges information. The host computer comprises: at least one controller to respond to requests from requesters to perform actions on one of the plurality of raw storage devices, wherein the at least one controller is, for each one of the requests, adapted: to determine whether the requester is privileged to perform the action on the one of the plurality of raw storage devices by comparing the access privileges information associated with the one of the plurality of raw storage devices with information descriptive of the requester; to grant the request to perform the action on the one of the plurality of raw storage devices when it is determined that the requester is privileged to perform the action; and to deny the request to perform the action on the one of the plurality of raw storage devices when it is determined that the requester is not privileged to perform the action.
Another illustrative embodiment of the invention is directed to a method of managing access to a plurality of raw storage devices in a computer system including a host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer. The computer system includes a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer having an access facility that grants access to the plurality of raw storage devices and requires a minimum privilege level for a requester to be granted access to one of the plurality of raw storage devices. The method comprises steps of: (A) intercepting requests to access one of the plurality of raw storage devices from requesters that do not satisfy the minimum privilege level required by the access facility to grant access to one of the plurality of raw storage devices; and (B) modifying at least some of the requests intercepted in the step (A) to indicate that the requester satisfies the minimum privilege level to be granted access to one of the plurality of raw storage devices.
Another illustrative embodiment of the invention is directed to a computer readable medium encoded with a program for execution on a host computer in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer. The computer system includes a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices, the host computer having an access facility that grants access to the plurality of raw storage devices and requires a minimum privilege level for a requester to be granted access to one of the plurality of raw storage devices. The program, when executed on the host computer, performs a method of managing access to the plurality of raw storage devices, the method comprising steps of: (A) intercepting requests to access one of the plurality of raw storage devices from requesters that do not satisfy the minimum privilege level required by the access facility to grant access to one of the plurality of raw storage devices; and (B) modifying at least some of the requests intercepted in the step (A) to indicate that the requester satisfies the minimum privilege level to be granted access to one of the plurality of raw storage devices.
Another illustrative embodiment of the invention is directed to a host computer for use in a computer system including the host computer and a storage system that is coupled to the host computer and that stores data accessed by the host computer. The computer system includes a plurality of logical volumes of data that are visible to the host computer and the storage system and are perceived by the host computer as comprising a plurality of raw storage devices. The host computer comprises: an access facility that grants access to the plurality of raw storage devices and requires a minimum privilege level for a requester to be granted access to one of the plurality of raw storage devices; and at least one controller that: intercepts requests to access one of the plurality of raw storage devices from requesters that do not satisfy the minimum privilege level required by the access facility to grant access to one of the plurality of raw storage devices; and modifies at least some of the intercepted requests to indicate that the requester satisfies the minimum privilege level to be granted access to one of the plurality of raw storage devices.
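The following is an added worked model, not code from the patent or from any product it describes, of the two mechanisms set out above: the per-device privilege check of steps (A) through (C) (determine, grant, deny) using owner/group/world access privileges information in the Unix style described earlier, and the interception embodiment in which a controller sits in front of an access facility that only opens raw devices for system-administrator requesters, and rewrites a non-administrator request to indicate the minimum privilege level only after that request has passed the device's own check. All class and function names, the uid/gid values, the device name "rawdev0", and the assumption that the access facility identifies the administrator by uid 0 are constructed for this example.

```python
"""Constructed model of raw-device access control with an intercepting
controller.  Not the patent's code; every name and value here is hypothetical."""
from dataclasses import dataclass, field, replace
from enum import Flag, auto

SYSTEM_ADMIN_UID = 0  # assumption: the uid the access facility treats as "root"


class Action(Flag):
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


@dataclass(frozen=True)
class DevicePrivileges:
    """Access privileges information for one raw storage device, modelled on
    the owner / group / world scheme the text describes."""
    owner_uid: int
    group_gid: int
    owner: Action
    group: Action
    world: Action


@dataclass(frozen=True)
class Requester:
    """Information descriptive of the requester (identity and group membership)."""
    uid: int
    gids: frozenset = field(default_factory=frozenset)

    @property
    def is_system_admin(self) -> bool:
        return self.uid == SYSTEM_ADMIN_UID


@dataclass(frozen=True)
class OpenRequest:
    device: str
    requester: Requester
    action: Action
    effective_uid: int  # the identity the access facility will see on this request


def is_privileged(priv: DevicePrivileges, requester: Requester, action: Action) -> bool:
    """Step (A): compare the device's access privileges information with the
    requester's information.  The most specific class applies: owner, then group,
    then world.  Every requested action bit must be permitted by that class."""
    if requester.uid == priv.owner_uid:
        allowed = priv.owner
    elif priv.group_gid in requester.gids:
        allowed = priv.group
    else:
        allowed = priv.world
    return (action & allowed) == action


class AccessFacility:
    """Models the operating-system facility described in the text: it opens a raw
    device only for requests carrying the minimum privilege level (administrator)."""
    MINIMUM_UID = SYSTEM_ADMIN_UID

    def open(self, req: OpenRequest) -> bool:
        return req.effective_uid == self.MINIMUM_UID


class RawDeviceController:
    """Intercepts requests below the facility's minimum privilege level, applies
    steps (A)-(C) against the device's own privileges, and only then modifies a
    granted request so that the access facility will accept it."""

    def __init__(self, facility: AccessFacility, table: dict):
        self.facility = facility
        self.table = table  # device name -> DevicePrivileges (constructed)

    def request(self, device: str, requester: Requester, action: Action) -> bool:
        req = OpenRequest(device, requester, action, effective_uid=requester.uid)
        if requester.is_system_admin:
            return self.facility.open(req)  # already satisfies the minimum level; pass through
        priv = self.table.get(device)
        if priv is None or not is_privileged(priv, requester, action):
            return False  # step (C): deny; the request never reaches the facility
        # step (B) of the interception embodiment: mark the request as satisfying
        # the minimum privilege level so the access facility grants it
        elevated = replace(req, effective_uid=self.facility.MINIMUM_UID)
        return self.facility.open(elevated)


# Constructed sample table: owner may read and write, group members may read,
# everyone else has no access at all.
DEVICE_TABLE = {
    "rawdev0": DevicePrivileges(owner_uid=1001, group_gid=200,
                                owner=Action.READ | Action.WRITE,
                                group=Action.READ,
                                world=Action(0)),
}


def demo() -> dict:
    """Runs a set of constructed requests through the controller and returns
    the grant/deny outcome for each, keyed by a short label."""
    ctrl = RawDeviceController(AccessFacility(), DEVICE_TABLE)
    owner = Requester(uid=1001, gids=frozenset({200}))
    member = Requester(uid=1002, gids=frozenset({200}))
    other = Requester(uid=1003)
    admin = Requester(uid=SYSTEM_ADMIN_UID)
    return {
        "owner_write": ctrl.request("rawdev0", owner, Action.WRITE),
        "member_read": ctrl.request("rawdev0", member, Action.READ),
        "member_write": ctrl.request("rawdev0", member, Action.WRITE),
        "member_rw": ctrl.request("rawdev0", member, Action.READ | Action.WRITE),
        "other_read": ctrl.request("rawdev0", other, Action.READ),
        "admin_write": ctrl.request("rawdev0", admin, Action.WRITE),
        "unknown_device": ctrl.request("rawdev9", owner, Action.READ),
    }


if __name__ == "__main__":
    for label, granted in demo().items():
        print(f"{label:15s} -> {'granted' if granted else 'denied'}")
```

The design point the model makes explicit is ordering: the controller performs the step (A) comparison before it touches the request, so the only requests that reach the access facility with the minimum privilege level indicated are those the device's own access privileges information already permits, and a device with no entry in the table is denied rather than passed through.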