As larger cloud computing architectures are introduced, the performance and administrative bottlenecks associated with the traditional network and storage have become a significant problem. There has been an increased interest in using high performance lossless interconnects such as InfiniBand (IB) technology as the foundation for a cloud computing fabric.
Shared services within an InfiniBand™ (IB) fabric can be protected by controlling partition membership for both IB ports representing clients of the shared service as well as IB ports representing providers of the shared service.
When a single IB port represents a single resource that each relevant client may access, then it is possible to use a partition membership scheme. In this partition membership scheme, the clients may be limited members of the relevant partition and the provider may be a full member of the relevant partition. In this way, all clients can access the shared resource but they will not be able to communicate between themselves using the relevant partition.
However, when a provider represents a large number of individual resources, each of which should be available only to a single client or a limited set of clients, or when groups of clients require full membership in a partition that is used to access shared resources, then the provider of the shared service will either need membership in a large number of partitions and/or it will need to differentiate client access rights using more information than just the partition information in incoming request packets.
One proposed solution would be to use the source GID/GUID and/or the source LID of the request packets in order to identify the sender. However, this has the disadvantage that a separate context entry is then needed to describe each individual client port, which can become a scalability issue when many clients share the same resource. In addition, the use of GID/GUIDs requires complex hash-based (or, in hardware, CAM-based) lookup schemes rather than simple linearly addressed lookup tables if access control is to take place at the wire speed of the incoming request packets.
Another issue with both LID and GID/GUID based access control is that such values can change due to subnet/fabric re-configuration as well as due to migration of clients between different HCAs.
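The following is an added example, not part of the original text, modelling the partition membership scheme described above: a shared-service provider port holding full membership and its client ports holding limited membership, so that every client reaches the provider but no client reaches another client. It assumes the InfiniBand P_Key encoding (16-bit key, bit 15 set for full membership, bits 0-14 the partition number) and the acceptance rule that both ends share a partition number and at least one is a full member; the port names, P_Key values and the `Port` class are constructed for illustration. The last function shows the limitation raised above: once clients sit in the same partition, the provider cannot tell them apart from partition information alone.

```python
# Added example (not from the original text): a model of InfiniBand P_Key
# membership checks between client ports and a shared-service provider port.
#
# Assumed encoding (InfiniBand Architecture Specification): P_Key is 16 bits,
# bit 15 is the membership type (1 = full, 0 = limited), bits 0-14 identify
# the partition. A packet is accepted only if sender and receiver carry the
# same partition number and at least one of the two is a full member.

FULL_MEMBER_BIT = 0x8000
PARTITION_MASK = 0x7FFF


def partition_number(pkey: int) -> int:
    """Partition number carried in the low 15 bits of a P_Key."""
    return pkey & PARTITION_MASK


def is_full_member(pkey: int) -> bool:
    """True when bit 15 marks the P_Key as full membership."""
    return bool(pkey & FULL_MEMBER_BIT)


def can_communicate(pkey_sender: int, pkey_receiver: int) -> bool:
    """Membership rule: same partition, and not both limited members."""
    if partition_number(pkey_sender) != partition_number(pkey_receiver):
        return False
    return is_full_member(pkey_sender) or is_full_member(pkey_receiver)


class Port:
    """An IB port with the P_Key table programmed into it (constructed model)."""

    def __init__(self, name: str, pkeys):
        self.name = name
        self.pkey_table = list(pkeys)

    def accepts(self, pkey_in: int) -> bool:
        """Receive-side check of an incoming packet's P_Key against the table."""
        return any(can_communicate(pkey_in, own) for own in self.pkey_table)


def reachable_pairs(ports):
    """All ordered (sender, receiver) name pairs for which some P_Key in the
    sender's table is accepted by the receiver."""
    pairs = set()
    for sender in ports:
        for receiver in ports:
            if sender is receiver:
                continue
            if any(receiver.accepts(pk) for pk in sender.pkey_table):
                pairs.add((sender.name, receiver.name))
    return sorted(pairs)


def pkey_distinguishes_senders(provider: Port, senders) -> bool:
    """True only if every sender reaches the provider with a distinct partition
    number, i.e. the provider could tell senders apart by P_Key alone."""
    seen = set()
    for s in senders:
        accepted = {partition_number(pk) for pk in s.pkey_table if provider.accepts(pk)}
        if not accepted or accepted & seen:
            return False
        seen |= accepted
    return True


# Constructed fabric: one provider (full member) and two clients (limited
# members) of partition 0x0001.
PROVIDER = Port("provider", [0x8001])
CLIENT_A = Port("client_a", [0x0001])
CLIENT_B = Port("client_b", [0x0001])
FABRIC = [PROVIDER, CLIENT_A, CLIENT_B]


if __name__ == "__main__":
    for s, r in reachable_pairs(FABRIC):
        print(f"{s} -> {r}")
    print("P_Key alone distinguishes clients:",
          pkey_distinguishes_senders(PROVIDER, [CLIENT_A, CLIENT_B]))
```

Running the block lists only client-to-provider and provider-to-client pairs; the client_a/client_b pair is absent because two limited members never pass the membership rule. The final line prints False: both clients present the same partition number, so a provider holding per-client resources needs either one partition per client or additional sender information, which is the problem the text goes on to address.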
This is the general area that embodiments of the claimed invention are intended to address.