Field of the Invention:
The present invention relates to storage devices. More specifically, the present invention relates to systems for regulating access to tape devices.
Description of the Related Art:
Data integrity is a key consideration in any data processing system. Most data processing environments have requirements to prevent data integrity problems due to unauthorized access to data. Certain programs exist which allow a system to input access criteria for datasets and access authority for users. The system then uses this information to manage data access. For tape devices, this protection mechanism is typically limited to management of access to the entire tape, referred to as a "volume".
Tape devices have, however, traditionally supported the storing of multiple datasets on the same volume. Even in the case of a single dataset, there is the additional consideration that there may be residual data left on the medium from some prior usage which lies beyond the end of the last written dataset. Access to such residual information is referred to as "object reuse" in some arenas. Both of these conditions represent potential security exposures if accesses to the medium are not restricted to the scope of the data on the medium to which the user is authorized, which would typically be a single dataset.
In certain environments, tape applications are allowed to issue input/output (I/O) commands (e.g., channel programs), typically without much supervision by the control program. In other environments, the control program is responsible for performing label and file formatting while the application is responsible for reading or writing the data portion of the file. Although some devices provide a protection assist mechanism to reject certain commands which are reserved for use by the control program, this protection is not used to control commands which access the medium. With the introduction of commands which allow random positioning to different blocks or partitions on the medium, an application has the ability to position outside of the single file to which it has been given access by the control program and associated security software. There are also critical applications which utilize these functions within the limit of a single file with significant performance improvement, so that it is not possible to simply remove the ability to issue these commands from the applications.
One currently used solution to prevent object reuse is to store only one file on the volume and to erase the rest of the volume following the dataset. This solution has the following problems.
First, only a single file can be stored on the volume. If multiple files were stored, they would be exposed to an application accessing data in more than one file. As volume capacities increase, storage of multiple files to utilize capacity becomes a critical part of storage management. The average file size is typically significantly less than the full capacity of a volume.
Second, the application may overwrite formatted portions of the volume which should not be overwritten, such as the label group for the dataset.
Third, the application may attempt to write formatting information, such as tape marks, which would lead to invalid file formatting on the medium.
Fourth, the application may attempt to unload the medium before the control program has a chance to finish file formatting on the medium. This might allow the application to unload the current medium and access some other medium. For example, some devices provide a Load command. Some device loaders have an automatic mode of loading which causes another volume to be loaded when the current volume is unloaded.
Fifth, the time required to perform an erase function may be significant. On most tape devices, this function requires that the device overwrite any portions of the volume which follow the end of the file. As volume capacities increase, the time spent performing this function increases linearly. For instance, the time to erase a 10 gigabit volume on a device which writes at a 1 megabit per second data rate would be roughly 10,000 seconds or three hours. If a significant number of the files processed require this type of processing, then the availability of tape devices for normal processing is severely impacted.
A second alternative is for the control program to scan through every channel program which is received from an application to determine whether there are any commands which might have undesirable effects. This solution has the following problems.
First, there is overhead associated with the scanning of each channel program.
Second, the channel program is typically in the user's address space which may lead to additional complexities with storage protection keys and address space translation problems.
Third, the control program may need to examine the parameter data associated with the command in order to assess its impact. This implies that a detailed knowledge of the device command set must be coded into the control program. It also creates the problem of having to update the control program every time new functions are introduced so that they are not rejected by the checking performed in the control program (e.g., an unknown function or command must be assumed to be a potential access violation and therefore it must be rejected). This may prohibit the early introduction of new functions by providing support directly in the application without the control program's knowledge.
Fourth, the control program may not be able to assess whether the command creates a problem or not. For instance, a Locate command specifies some logical block further down the medium. The control program may or may not know the extent (e.g., the range of logical blocks) of the currently active dataset and therefore may not be able to determine whether the access is outside the range of the dataset.
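As an added illustration, not taken from the patent, the following sketches the kind of channel-program scan that the second alternative describes: formatting commands reserved for the control program are rejected, unknown commands are rejected because they must be assumed to be potential access violations, and a Locate is checked against the dataset's extent, which also exposes the fourth problem above, namely that the scan cannot decide anything when the extent is unknown. The command names, the Command and Verdict types and the scan_channel_program function are constructed for this example and do not correspond to any real device's command set.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, illustrative command names; not any real tape device's command set.
DATA_COMMANDS = {"READ", "WRITE"}
# Commands that alter file formatting or medium state; reserved for the control program.
FORMATTING_COMMANDS = {"WRITE_TAPE_MARK", "ERASE", "UNLOAD", "LOAD"}
POSITIONING_COMMANDS = {"LOCATE"}


@dataclass(frozen=True)
class Command:
    """One command of a channel program (hypothetical representation)."""
    opcode: str
    block: Optional[int] = None  # target logical block for LOCATE, otherwise None


@dataclass(frozen=True)
class Verdict:
    """Result of scanning a channel program."""
    accepted: bool
    index: Optional[int]  # index of the offending command, None when accepted
    reason: str


def scan_channel_program(program: List[Command],
                         extent: Optional[Tuple[int, int]]) -> Verdict:
    """Reject the whole channel program if any command could reach outside the
    dataset the application is authorized for.

    extent is the inclusive (first, last) logical-block range of the active
    dataset, or None if the control program does not know it.
    """
    for i, cmd in enumerate(program):
        if cmd.opcode in DATA_COMMANDS:
            # Plain data transfer within the current position is allowed.
            continue
        if cmd.opcode in FORMATTING_COMMANDS:
            # Tape marks, erase, load/unload belong to the control program.
            return Verdict(False, i, f"{cmd.opcode} is reserved for the control program")
        if cmd.opcode in POSITIONING_COMMANDS:
            if extent is None:
                # Without the extent the access cannot be judged, so it must be refused.
                return Verdict(False, i, "dataset extent unknown; cannot validate LOCATE")
            first, last = extent
            if cmd.block is None or not (first <= cmd.block <= last):
                return Verdict(False, i,
                               f"LOCATE to block {cmd.block} is outside extent {extent}")
            continue
        # Fail closed: an unknown command is assumed to be a potential access violation.
        return Verdict(False, i, f"unknown command {cmd.opcode}")
    return Verdict(True, None, "all commands within authorized scope")


if __name__ == "__main__":
    # Constructed sample channel program: seek inside the file, then read.
    program = [Command("LOCATE", block=120), Command("READ")]
    print(scan_channel_program(program, extent=(100, 200)))
    print(scan_channel_program(program, extent=None))
```

Note that the scan has to understand the parameter data of every positioning command (here the target block of LOCATE), which is exactly the device-specific knowledge the text says the control program would have to carry and keep up to date.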
Thus, there is a need in the art for a fast, inexpensive technique for limiting access to a tape volume which does not waste the unused capacity thereof.