This invention relates generally to system topologies, such as those of storage-area networks (SANs), and more particularly to managing access control within such system topologies.
Storage-area networks (SANs) are becoming more plentiful within large networking environments that have large storage needs. A SAN typically connects multiple servers to a centralized pool of disk storage. The SAN usually allows data transfers among computers and disks to occur at the same high peripheral channel speeds as if the computers and disks were directly attached to one another. For instance, fiber channel (FC) and small computer system interface (SCSI) technologies may be used for connecting the computers and the disks.
For SANs and other types of system topologies, an important issue is the management of access control within the topologies. Managing access control includes deriving, realizing, and/or comparing access control among consumers of resources and the resources themselves. In the case of SANs, the consumers may be the computers, or clients or servers, that read data from and write data to the SAN disks, whereas the resources may be the disks themselves. The term accessor is used to mean a consumer of resources within a system topology, and the term accessible is used to mean a resource within a system topology.
Access control ensures that accessors can properly access accessibles. Within complicated and sophisticated SANs, for instance, there may be a number of different methods by which access control can be implemented. In an FC switch-based SAN fabric, computer operating system (OS) filter drivers, SCSI logical unit number (LUN) masking, and fabric zoning may all be used as different access control methods between accessors and accessibles. A given accessor may be permitted to access a given accessible by zero or more of such access control methods.
As SANs become more complicated and sophisticated, management of their access control also becomes more complicated. SAN administrators and systems may wish to view the current state, or snapshot, of access control among accessors and accessibles within the SAN. They may wish to compare one access control snapshot with another such snapshot, to learn the differences among these configurations. They may also wish to restore the current access control configuration to a previously saved access control configuration.
However, current solutions to these needs have shortcomings. The snapshots obtained are typically not repeatable. That is, obtaining consecutive access control snapshots of a SAN or other system topology whose accessibility is unchanging may nevertheless yield different results. This and other shortcomings make for less than desirable configuration comparisons, for instance: spurious differences between configurations may be reported even where none exist. As a result, restoring a current configuration to a previously saved configuration may be difficult, or impossible. Also, such a solution can involve making more changes to the current configuration during the restore than needed, which may be undesirable.
For these described reasons, as well as other reasons, there is a need for the present invention.