One of the challenges faced by information technology (IT) administrators responsible for network and computer resources is provisioning and administering those resources. Provisioning resources generally involves configuring the resources (e.g., computers, routers, file servers, network-attached storage (NAS) systems, and disk arrays configured for use in storage area networks (SANs)) for use in a particular computing environment, and providing users with access to those resources. For example, an administrator may configure authorization settings that permit certain users to access and use certain resources, while users without the proper authorization settings are restricted from accessing and using those resources.
When a host or server computer is configured to use a NAS or SAN system, it is generally the host or server administrator who is responsible for provisioning storage on the NAS or SAN system for use with that host or server. In the context of a NAS or SAN system, storage provisioning generally involves the creation of data storage entities (e.g., disk groups, volumes, logical unit numbers (LUNs), qtrees, and snapshots) on the storage system. For example, before an application executing on a host or server computer can utilize the data storage services of a NAS or SAN system, a host or server administrator generally needs to create a volume on a virtual disk (e.g., a LUN) of the storage system. Once the volume and LUN have been created on the storage system and the host or server has been configured to use them, an application that requires locally-attached storage, such as Oracle® Database, Microsoft® Exchange or SQL Server, can begin utilizing the volume on the storage system. To create these data storage entities on a NAS or SAN system, the host or server administrator often utilizes a storage-management application that resides and executes on the host or server computer. For instance, one such storage-management application is SnapDrive®—a software product available from Network Appliance® of Sunnyvale, Calif.
When a NAS or SAN system is utilized in an enterprise storage solution, many host or server computers may be configured to utilize the data storage services of the NAS or SAN system. Furthermore, several host or server administrators may be responsible for provisioning storage (e.g., creating and configuring data storage entities) on the NAS or SAN system for use with various host or server computers. For example, a provisioning administrator may create a volume, while a backup administrator may create snapshots of it. Consequently, it is important to have security mechanisms in place to prevent one administrator from accidentally or purposefully changing, deleting, undoing or otherwise modifying a data storage entity on the storage system that has been created by another administrator.
One way this is accomplished is by limiting access to the storage system or to the storage-management application that performs the provisioning operations. For example, access to the storage system or the storage-management application may be limited to certain administrators by requiring all administrators to provide a user name and/or password in order to access the host on which the storage-management application resides, or alternatively, in order to access the storage-management application itself. However, medium- and large-sized enterprises often have a wide variety of hosts and/or servers executing a variety of applications, and consequently utilizing significant amounts of storage. Such enterprises therefore often need several host and/or server administrators. As the number of host and/or server administrators increases, it becomes more likely that one administrator may purposefully or accidentally change, delete, undo or otherwise modify a data storage entity that has been created by another administrator, because every administrator who holds the shared credentials has the same, unrestricted access. Consequently, the effectiveness of user name/password protection in a medium- to large-sized enterprise is limited.
Another way in which access to a storage-management application and the authority to perform provisioning operations may be controlled is through the use of host- or server-specific user privileges. For instance, many operating systems provide a mechanism for assigning certain privileges or permissions to users by associating a user with certain roles or groups. For instance, a user may be granted root or administrative privileges. Accordingly, users who have been assigned certain roles (e.g., a root user) or users who have been made a member of certain groups (e.g., an administrator group) may have the authority or permission to execute commands and/or applications that other users are not authorized to execute. In particular, a root user, or a user belonging to an administrator group, may be authorized to access and use a storage-management application residing on a host or server. However, this type of security mechanism has many of the same problems as a user name/password security mechanism. As the number of users authorized to use the storage-management application increases, so too does the likelihood that one user will purposefully or accidentally change, delete, undo or otherwise modify a data storage entity originally provisioned by another user.
Furthermore, neither of the security mechanisms described above provides flexibility in defining a security policy for the data storage entities of a storage system. Specifically, with the security mechanisms described above, there is no way to effectively authorize an administrator to perform only a subset of the provisioning operations made possible by a host- or server-based storage-management application. For instance, with a user name/password security scheme, an administrator who has the proper user credentials (e.g., user name and password) to access the storage-management application is authorized to perform all provisioning operations. A user without the proper credentials is prevented from performing any provisioning operations, including those that pose little or no risk of harm to the existing configuration of the storage system. Similarly, in a security scheme where an administrator's authority to access a storage-management application is tied to an OS-specific privilege (e.g., root user or administrator group), there is no way to grant the administrator the authority to perform a particular provisioning operation without also granting the bundle of privileges that come along with that OS privilege. Consequently, not only does a user holding such a privilege have authority to perform all of the provisioning operations enabled by the storage-management application, the privilege may also have the undesired effect of granting the user access to other administrative resources unrelated to storage.
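To make the contrast drawn in the preceding paragraphs concrete, the following Python is an added illustration and is not code from this document or from SnapDrive. It models the all-or-nothing "administrator group" check beside a per-operation policy that also records who provisioned each entity, so that a backup administrator who may create snapshots cannot delete a volume created by the provisioning administrator. The user names, group name, operation names, the `Entity`/`User` types and the `override` grant are assumptions made for the example.

```python
"""Coarse (group-based) vs. fine-grained (per-operation, per-entity) authorization
for storage provisioning. Hypothetical example: names and grants are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Provisioning operations a host-side storage-management application might expose.
OPERATIONS = {"create_volume", "delete_volume", "create_lun", "delete_lun",
              "create_snapshot", "delete_snapshot"}

# Operations that alter or remove an entity that already exists.
DESTRUCTIVE = {"delete_volume", "delete_lun", "delete_snapshot"}


@dataclass
class Entity:
    name: str
    kind: str          # "volume", "lun" or "snapshot"
    created_by: str    # administrator who provisioned the entity


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)   # OS groups, e.g. {"administrators"}
    grants: Set[str] = field(default_factory=set)   # per-operation grants (fine-grained)


def coarse_authorize(user: User, operation: str) -> bool:
    """OS-privilege scheme: membership in the (assumed) 'administrators' group
    unlocks every provisioning operation; any other user gets none of them."""
    return operation in OPERATIONS and "administrators" in user.groups


def fine_authorize(user: User, operation: str, entity: Optional[Entity] = None) -> bool:
    """Per-operation scheme: the user needs an explicit grant for this operation,
    and a destructive operation on an entity someone else provisioned is refused
    unless the user also holds the hypothetical 'override' grant."""
    if operation not in OPERATIONS or operation not in user.grants:
        return False
    if operation in DESTRUCTIVE:
        if entity is None:
            return False                       # nothing to check ownership against
        if entity.created_by != user.name and "override" not in user.grants:
            return False
    return True


def run_scenario() -> dict:
    """Constructed scenario: a provisioning admin, a backup admin (both in the OS
    administrators group) and a junior operator who is not. Returns each decision
    so the two schemes can be compared side by side."""
    prov = User("prov_admin", groups={"administrators"},
                grants={"create_volume", "delete_volume", "create_lun", "delete_lun"})
    backup = User("backup_admin", groups={"administrators"},
                  grants={"create_snapshot", "delete_snapshot"})
    junior = User("junior_op", groups=set(), grants={"create_snapshot"})

    vol = Entity("db_vol", "volume", created_by="prov_admin")
    snap = Entity("db_vol.snap1", "snapshot", created_by="backup_admin")

    return {
        # Group check lets the backup admin delete the provisioning admin's volume.
        "coarse_backup_deletes_volume": coarse_authorize(backup, "delete_volume"),
        # Per-operation policy refuses it: no delete_volume grant.
        "fine_backup_deletes_volume": fine_authorize(backup, "delete_volume", vol),
        # Each admin may still perform the operations actually granted to them.
        "fine_backup_creates_snapshot": fine_authorize(backup, "create_snapshot"),
        "fine_backup_deletes_own_snapshot": fine_authorize(backup, "delete_snapshot", snap),
        "fine_prov_deletes_own_volume": fine_authorize(prov, "delete_volume", vol),
        # The provisioning admin holds no snapshot grant, so cannot undo the backup.
        "fine_prov_deletes_snapshot": fine_authorize(prov, "delete_snapshot", snap),
        # A low-risk operation can be granted without any OS administrator privilege.
        "coarse_junior_creates_snapshot": coarse_authorize(junior, "create_snapshot"),
        "fine_junior_creates_snapshot": fine_authorize(junior, "create_snapshot"),
    }


if __name__ == "__main__":
    for check, allowed in run_scenario().items():
        print(f"{check:36s} {'ALLOW' if allowed else 'DENY'}")
```

The ownership check in `fine_authorize` is what addresses the "one administrator undoing another's work" problem; the per-operation grant set is what addresses the "subset of provisioning operations" problem. A real implementation would keep the grants and the `created_by` record in a store the host administrators cannot edit themselves, since a policy that lives where the grantees have root is only as strong as the root check it replaces.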