Method for extending the fragment mapping protocol to prevent malicious access to virtualized storage

摘要

Extensions to the Fragment Mapping Protocol are introduced which protect a disk array from malicious client access by exporting file system access information to the storage device. FMP requests received at the storage device can be authorized at a block granularity prior to completion, thereby limiting the exposure of the disk array to malicious clients. Client authorizations can be cached at the storage device to enable the permissions to be quickly extracted for subsequent client accesses to pre-authorized volumes.

主权项

1. A file server for serving a file system, the file server comprising:
an interface configured to receive a query from a storage device to validate a request made by a client device to access a file from the storage device, the query including a user identifier and a file location associated with the file access request; and a non-transitory computer usable medium having a computer readable program code, said computer readable program code including:
a reverse map configured to translate the file location into a file descriptor, the file descriptor being used to obtain meta-data corresponding to the file; anda permission query handler, operative to determine, in response to the meta-data and access information associated with the file descriptor, whether the client device associated with the user identifier is authorized to access the file, the interface configured to send a determination indication to the data storage device in order to prompt the data storage device to allow the client device to access the file only if the client device is authorized to access the file.