Method and system for implementing hierarchical permission maps in a layered volume graph

Abstract

The invention is for a method of mapping hierarchical volume permission to top level permissions in a layered volume graph of a virtual data storage system with hierarchy of storage volumes requiring permission at every volume level and the top level volume exposed to the hosts via intelligent switches comprising: applying volume level permissions on a volume of the volume graph and mapping condensed permission hierarchically for the entire volume graph to the top level volume from said individual volume level permission.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a logical volume.

FIGS. 2 a, 2b and 2c show exemplary diagrams of various types of volumes, viz. Slice, Concat and Mirror Volumes, respectively.

FIG. 3 shows a Hierarchical Volume Graph.

FIG. 4 shows Volume Permissions applied on a Logical block address (LBA) range within a volume.

FIG. 5 shows a Sample Volume Permission Map.

FIGS. 6 a and 6b show exemplary diagrams illustrating the map RegionInChild technique for a Slice Volume and Concat Volume, respectively.

FIGS. 7 a and 7b show exemplary diagrams illustrating the mapChildRegion technique for a Slice Volume and Concat Volume, respectively.

FIG. 8 shows the technique of calculating Top Level Volume Permissions, according to the present invention.

FIG. 9 shows the effective Top Level Volume Permissions, achieved by implementing the technique, according to the present invention.

FIG. 10 shows how local volume permission maps get modified, according to the present invention.

FIG. 11 shows the technique of Merging adjacent regions of a Volume Permission Map, according to the present invention.

FIG. 12 shows Class Diagram of Volume in accordance with the present invention.

FIG. 13 a and FIG. 13b show diagrammatic flow-chart illustrations of the mechanism of mapping hierarchical volume permissions to top level permissions, according to the present invention.

FIG. 14 shows an exemplary diagram of a system for implementing the present invention.

FIG. 15 shows how the I/O issued by a host is split into Fast Path and Slow Path, according to the present invention.

Claims

1. A method of mapping hierarchical volume permissions to top level volume permissions in a layered volume graph structure of a virtualized data storage system having a hierarchy of storage volumes requiring permissions (or access control) at every volume level, wherein said top level volume is exposed to the hosts via intelligent multi-protocol switch(es), said method comprising the steps of: applying volume permissions on a volume within said volume graph structure; andmapping condensed permissions hierarchically for the said entire volume graph structure to the top level volume from said individual volume permission.

2. The method as claimed in claim 1, wherein said storage volumes comprise storage applications.

3. The method as claimed in claim 1, wherein said step of applying volume permissions on a volume involves first determining the Logical Block Address (LBA) range in the volume affected by the permission or new permission and then applying the permission or new permission to the affected range while overwriting the new permission on the existing permission for overlapping range of the new and old permission.

4. The method as claimed in claim 3, wherein each volume has a local permission map which contains permissions applied on different extents of LBA ranges within said volume.

5. The method as claimed in claim 4, wherein said LBA range of a volume starts from 0 and ends at the maximum capacity of the volume.

6. The method as claimed in claim 4, wherein said permission map for a volume is a list of contiguous permission map entries comprising contiguous volume extents or regions in volume identified by a tuple (offset, length), the offset being zero based from the start of the volume and length being the size of the extent or region, and the permissions applied on each of the volume extents.

7. The method as claimed in claim 3, wherein in the event of new region intersecting any old map entry regions, said old regions are caused to split.

8. The method as in claim 1, wherein said permissions which are applied on said volume, are adapted to control the action which ought to be taken in the event of an IO happening on the LBA range within said volume affected by the permission.

9. The method as in claim 1, wherein said permissions may be FAULT_ON_READ, FAULT_ON_WRITE, ALLOW IO or HOLD_IO.

10. The method as claimed in claim 9, wherein FAULT_ON_READ permission applied on a specific LBA range results in all READ operations being faulted back to the storage application.

11. The method as claimed in claim 9, wherein FAULT_ON_WRITE permission applied on a specific LBA range results in all WRITE operations being faulted back to the storage application.

12. The method as claimed in claim 9, wherein HOLD_IO permission applied on a specific LBA range results in all operations being kept on hold until the permission is changed.

13. The method as claimed in claim 9, wherein ALLOW IO permission applied on a specific LBA range results in both READ and WRITE operations being allowed on the specified range.

14. The method as claimed in claim 1, wherein a parent-child relationship is established by the arrangement of the volumes in the layered volume graph structure, said volumes being stacked hierarchically over each other.

15. The method as claimed in claim 1, wherein mapping condensed permissions to the top level volume comprises the steps of: applying ALLOW permission, as the default permission, at every region within the top level volume;mapping the region of the top level volume into the child volumes by traversing down the layered volume graph structure;rolling up the child permissions to the parent level volume, in the event of the corresponding child regions having a non ALLOW permission; continuing the process to the next child level volume, in the event of the corresponding region in the preceding child volume being set to ALLOW permission andcontinuing the process until all top level volume ALLOW regions have been filled up by said rolling up the child permissions, or the end of the graph has been reached, in which case the corresponding top level volume region(s) is set to ALLOW.

16. The method as claimed in claim 15, wherein an appropriate message is generated for a host trying to access a volume extent with FAULT_ON_READ or FAULT_ON_WRITE or HOLD_IO permission.

17. The method as claimed in claim 15, wherein in the event of a different permission being set in the said corresponding region in parent volume, the permissions of said parent volume takes precedence.

18. The method as claimed in claim 1, wherein each volume in the layered volume graph structure is adapted to provide functionality for two basic mapping models, namely mapping of a region in a parent volume into corresponding child volume (mapRegionInChild) and mapping of a region in a child volume into a corresponding region in a parent volume (mapChildRegion).

19. The method as claimed in claim 18, wherein a mapRegionInChild method is adapted for mapping of a region in a parent volume into corresponding region(s) in the child volume(s), the output of said method being a tuple giving the child volume(s) and the mapped region(s) defined by the offset and length in the childvolume(s).

20. The method as claimed in claim 18, wherein a mapChildRegion method is adapted for mapping of a region in a child volume into the corresponding region in the parent volume, the output of said method being a tuple giving the parent volume and the mapped region defined by the offset and length in the parent volume.

21. The method as claimed in claim 1, wherein condensed permission for the top level volume is applied by reducing redundancy so that adjacent extents in the volume with identical permission are merged together.

22. The method as claimed in claim 1, wherein said virtualized data storage system comprises one or more of different physical storage networks and devices.

23. The method as claimed in claim 1, wherein said layered volume graph structure comprises volumes of various types, such as simple volume, slice volume, concat volume, stripe volume, mirrored volume and any other type of volume.

24. A system for implementing hierarchical permission maps in a layered volume graph structure of a virtualized data storage volume having a hierarchy of storage volumes requiring permissions (or access control) at every volume level, said system comprising: intelligent multi-protocol switch(es) between host server(s) and virtualized data storage volume, said switch(es) being adapted to read the hierarchical volume permission set at the top most level of said volume graph structure;means for storage virtualization;means for applying volume permissions on a volume within said volume graph structure andmeans for condensing permissions from the individual volume levels to the top most volume level of said volume graph structure hierarchically for the entire volume graph structure for access control through said intelligent switch(es).

25. The system as claimed in claim 24, wherein said means for storage virtualization, applying individual volume level permissions and condensing individual volume level permissions to a hierarchical top most volume level permission resides on a controller device that runs the storage application.

26. The system as claimed in claim 24, wherein means for virtualization and/or applying individual volume level permissions and/or condensing individual volume level permission to a hierarchical top most volume level permission resides on the intelligent switch(es).

27. The system as claimed in claim 24, wherein I/O issued by the host server(s) is caused to split into Fast path and Slow path by the intelligent switch(es) and depending on the permission mapped to the top most volume level as read by the switch(es), the Fast Path I/O is either faulted back to the storage application or the host allowed access to the storage according to the mapping module.

28. A storage area network connected to a plurality of host computers, wherein the storage is a virtual storage with a hierarchical volume structure and the storage application is adapted to set permission for individual volumes in the volume graph and also map the hierarchical top level volume permission by condensing, combining and accumulating individual volume level permissions to the top level volume in the hierarchy comprising: at least one physical storage device configured to virtual storage volumes with a hierarchical structure;a plurality of host computers connected to the virtual storage volumes through multi-protocol intelligent switch(es);a controller device, being a generic computing device that runs the applications for storage virtualization, for applying individual volume level permissions and for mapping the hierarchical permissions to the top most level of the volume graph by combining, condensing and accumulating the individual volume level permissions to the top most level, wherein said application for mapping the top most level hierarchical permission initially sets ALLOW permission as the default permission for the entire region of the top most level volume in the hierarchy and then rolls up the individual volume level permissions to the top level volume whenever interrupted by a negative or hold permission in the corresponding region of next or subsequent child volume in the hierarchy;a communication channel between the host computer(s) and virtual volumes through said intelligent switch(es) wherein all I/Os from the hosts are broken into fast path or slow path and depending on the volume permission as read by the switch from the mapped top level hierarchical permission the fast path I/O is faulted back to the storage application or allowed access to the respective physical storage as per the mapping module while generating appropriate message for the host when the access is denied or kept on hold: anda table comprising the permission map with rolled up permission of all individual volume level permission to the top most level of the hierarchical volume graph, wherein said table is embedded in a memory of said controller device to allow, hold or deny access to the host requesting the permission.

29. The network as claimed in claim 28, wherein the application for storage virtualization and/or for applying individual volume level permission and/or for condensing the hierarchical permission from the individual volumes to the top most volume level is run on the intelligent switch(es) instead of the controller device.

30. A computer program product comprising a computer readable storage medium having a computer program embedded therein, said program being adapted to map the volume level permission at the individual volumes to top level volume permission in a hierarchical volume graph of a virtual storage by rolling up the respective volume level permission to the top most level of the hierarchical volume graph, wherein the permission applied to a corresponding region of a parent volume always gets precedence over the permission applied on the same region of child in the hierarchy.