摘要 |
An access control agent is advantageously deployed at a host device to prevent malicious use of a storage system by unauthorized hosts and users. In one embodiment the access control agent is disposed in a processing path between the application and the storage device. An application is mounted as an image file by a loop device to provide a virtual file system. The virtual file system is populated with access control information for each block of the file. Application I/O requests are mapped to physical blocks of the storage by the loop device, and the access control information is used to filter the access requests to preclude unauthorized requests from being forwarded to the storage client (and consequently the storage devices). With such an arrangement, access rights can be determined at I/O accesses, file and block granularity for each user.
|