A “virtual machine” or a “VM” refers to a specific software-based implementation of a machine in a virtualization environment, in which the hardware resources of a real computer (e.g., CPU and memory) are virtualized or transformed into the underlying support for the fully functional virtual machine that can run its own operating system and applications on the underlying physical resources just like a real computer.
Virtualization works by inserting a thin layer of software directly on the computer hardware or on a host operating system. This layer of software contains a virtual machine monitor or “hypervisor” that allocates hardware resources dynamically and transparently. Multiple operating systems run concurrently on a single physical computer and share hardware resources with each other. By encapsulating an entire machine, including CPU, memory, operating system, and network devices, a virtual machine is completely compatible with most standard operating systems, applications, and device drivers. Most modern implementations allow several operating systems and applications to safely run at the same time on a single computer, with each having access to the resources it needs when it needs them.
Virtualization allows one to run multiple virtual machines on a single physical machine, with each virtual machine sharing the resources of that one physical computer across multiple environments. Different virtual machines can run different operating systems and multiple applications on the same physical computer.
One reason for the broad adoption of virtualization in modern business and computing environments is the resource utilization advantages provided by virtual machines. Without virtualization, if a physical machine is limited to a single dedicated operating system, then during periods of inactivity by the dedicated operating system the physical machine is not utilized to perform useful work. This is wasteful and inefficient if there are users on other physical machines that are currently waiting for computing resources. To address this problem, virtualization allows multiple VMs to share the underlying physical resources so that during periods of inactivity by one VM, other VMs can take advantage of the resource availability to process workloads. This can produce great efficiencies for the utilization of physical devices, and can result in reduced redundancies and better resource cost management.
Many organizations implement virtualization in hosted environments, where a service provider owns and makes available the underlying infrastructure, hardware, and systems on which the customers may run one or more virtual machines. In this type of environment, there can be multiple levels of administration and administrators. For example, the service provider acts as the administrator for the underlying infrastructure, while the customer may handle administration for the virtual machines created for that customer.
The issue that often arises is that the administrator at one level of the system may need to access certain types of administrative functionality that are only available to administrators at another level of the hierarchy. For example, consider the need by many administrators to perform backup and restore functionality for various items and types of content in the system. To restore a file or file directory (e.g., because of an error, failure, or accidental deletion), the administrator of a VM running Windows or Unix may need to access directory backups that have been saved to disk at the hardware storage level. However, the administrator of the backups at the hardware storage level (e.g., the service provider) may be a different entity from the administrator of the VM (e.g., the customer admin).
Current solutions to this problem are generally unsatisfactory and prone to security problems. For example, one possible solution is to require the administrator of the VM to send a request to the administrator of the underlying infrastructure to perform the required restoration of the accidentally deleted file. There are many problems with this approach, including, for example, that it incurs an additional delay before the task is complete, that there may be multiple levels of administrators in the chain to go through to identify the correct person to handle the task, that it relies upon the availability of the additional administrator, and that errors may be introduced due to possible misunderstandings in the communications between the different levels of administrators.
Another possible solution to this problem is to provide an administrator console to perform the desired administrative functionality, where the admin console is accessible using a user ID and password provided to the customer administrator. The danger of this approach is that since it relies upon a user ID and password, any third party (even an unauthorized party) that gains access to that ID/password information is now capable of accessing the admin console. This can create very significant problems for the security and integrity of the overall system.
Therefore, there is a need for an improved approach to implement access to administrative functionality in a virtualization environment.