Security for logical unit in storage subsystem

Electrical computers and digital processing systems: memory – Storage accessing and control – Specific memory composition

Reexamination Certificate

Details

C711S111000, C711S112000, C711S163000, C709S229000

active

06779083

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to a storage subsystem to be accessed from a computer. More particularly, this invention relates to an access to a logical unit inside a storage subsystem.
2. Description of the Related Art
The Fiber Channel protocol has been standardized in recent years, and the SAN (Storage Area Network) environment using this protocol as its infrastructure has become complicated and diversified. As a result, the number of computers connected to the storage subsystem and their kinds, or the kinds of OS (Operating System), and the number of logical units required for the storage subsystem have drastically increased. Further, an environment in which various protocols other than Fiber Channel, such as SCSI, ESCON, TCP/IP, iSCSI, etc., can be used simultaneously has been set up. Here, the term “computer” represents those electronic appliances having electronic circuits that can be connected to a network.
Such an environment means that various kinds of computers gain access to one storage subsystem. The term “computer” includes so-called large-scale host computers and compact personal computers. When these various computers gain access to the storage subsystem, an expression such as “host gains access” is used herein as appropriate.
Under such circumstances, the security function to the storage subsystem resources that relies on OS, middleware and application software on the host side according to the prior art technology is not sufficient in some cases, and the necessity for a higher LUN security function for preventing an illegal access to logical units (hereinafter abbreviated as “LU” from time to time) has increased rapidly. Incidentally, the term “LUN” represents the logical unit number inside the storage subsystem.
JP2000276406 is one of the references that describe means for accomplishing the security function to the storage subsystem resources (logical units). The method of this reference accomplishes the security function as to access approval/rejection to LUN inside the storage subsystem but cannot cope with diversified computers that gain access to a single port. In the practical operation, therefore, the method limits the kind of host computers that can be managed under the single port to only one kind. This limitation in the practical operation cannot follow drastic expansion of the SAN environment described above.
To provide the logical units inside the storage subsystem to computers with the LUN security function, it is necessary to define a greater number of logical units than before under the single port of the storage subsystem and to give the logical units to host computers having a plurality of OS, a plurality of computers having mutually different kinds of OS, and other computers.
Nonetheless, the LUN security function in the existing storage subsystems is not free from the limitation that the kind of OS must be the same even when a large number of computers that can be managed under the single port exist. Furthermore, such a function generally has another limitation that setting of connection interface for the host computers that can be set to the single port must be one. A method for solving these problems would be the one that simply defines a large number of logical units under the single port of the storage subsystem, and divides and gives the logical units as such to a plurality of kinds of OS that gain access to this port.
However, various OS of existing computers have a specification such that when access cannot be made to a logical unit zero (LU0) of a storage subsystem, inquiry is not at all made thereafter for subsequent LU of the same system after LU1 next to LU0. Incidentally, according to the SCSI-2 standard, one system includes 8 LU, and LU0 to LU7 belong to the same system.
Therefore, when the logical unit number (LUN) inside the storage subsystem is as such given to the host computer, the computer cannot correctly recognize the logical unit as expected on the setting side of the logical units.
Various OS of existing computers mostly set the upper limit of logical unit numbers recognizable under the single port to 256. In other words, even when 257 or more logical unit numbers are disposed, the computers cannot recognize the logical units, and this also poses a problem when the logical units inside the storage subsystem are given to the computer under the single port.
On the other hand, when a strong LUN security function is provided in storage subsystems, the most reliable method would be the one that serially checks access approval/rejection of the object LU whenever computers transmit commands. However, this creates the problem of performance because the processing time in the storage subsystem (overhead for security check) becomes greater.
It is therefore a first object of the invention to provide a storage subsystem that groups computers in accordance with OS or into an arbitrary kind without changing existing processing, limitation and other functions of the computers, limits logical units to which the computers so grouped can gain access, and makes it possible to set them on interface in the group unit and to provide a LUN security function under a single port of the storage subsystem.
It is a second object of the invention to provide the security function described above with high-speed access judgment logic of the storage subsystem.
SUMMARY OF THE INVENTION
A storage subsystem according to the invention includes a management table describing correspondence of information (WWN: WorldWide Name) for primarily identifying each computer (inclusive of host computers), information (GID: Group ID) for identifying a group to which the computer belongs and a logical unit number (LUN) inside the storage subsystem for which access from the computer is permitted; a nonvolatile memory for storing the management table; a management table describing correspondence of a management number (S_ID) dynamically allocated when the computer executes login to the storage subsystem and remaining effective until logout, information (WWN) for primarily identifying the computer and information (GID) for identifying the group to which this host computer belongs; a nonvolatile memory for storing the management table; at least one input terminal for setting these management tables; at least one storage device; a storage control unit for controlling write/read of data to and from the storage device; and logical units (LUN) corresponding to storage areas of the storage device.
In this storage subsystem, a user can make setting of accessible LUN and setting on a connection interface in an arbitrary group unit of computers under a single port without changing existing processing, limitation and other functions of the computers. Therefore, this storage subsystem can accomplish an access control function, that is, a LUN security function, for computer groups having a plurality of kinds of OS under a single port.
Since this storage subsystem uses GID as identification information on the basis of S_ID allocated at the time of login in place of host identification information WWN, the time required for judging accessible LUN is shorter than when WWN is used, and a high-speed judgment can be made.
Other objects, features and advantages of the invention will become apparent from the following description of the embodiments of the invention taken in conjunction with the accompanying drawings.
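
The two management tables and the login-time lookup described in the summary can be sketched as follows. This is an added Python illustration, not code from the patent; the class and method names, the default-deny handling of an unregistered WWN, and every WWN, S_ID and LUN value are assumptions constructed for the example.

```python
# Added illustration of the WWN -> GID -> LUN table and the S_ID session table.
# Names, default-deny for an unregistered WWN, and all sample values are assumptions.

class LunSecurityTable:
    def __init__(self, wwn_to_gid, gid_to_luns):
        # Persistent table (the text keeps it in nonvolatile memory).
        self.wwn_to_gid = dict(wwn_to_gid)
        self.gid_to_luns = {g: frozenset(l) for g, l in gid_to_luns.items()}
        # Session table: S_ID -> (WWN, GID), valid from login until logout.
        self.sessions = {}

    def login(self, s_id, wwn):
        """Resolve WWN to GID once and bind the result to the S_ID."""
        gid = self.wwn_to_gid.get(wwn)
        if gid is None:
            return False  # assumption: unregistered WWN gets no session
        self.sessions[s_id] = (wwn, gid)
        return True

    def logout(self, s_id):
        # S_IDs are allocated dynamically, so the binding must end here;
        # otherwise the next host given this S_ID inherits the old group.
        self.sessions.pop(s_id, None)

    def may_access(self, s_id, lun):
        """Per-command check: S_ID -> GID -> LUN set, no WWN comparison."""
        session = self.sessions.get(s_id)
        if session is None:
            return False
        return lun in self.gid_to_luns.get(session[1], frozenset())


def demo():
    # Constructed sample: two OS groups sharing one port.
    table = LunSecurityTable(
        wwn_to_gid={"10:00:00:00:00:00:00:01": "unix",
                    "10:00:00:00:00:00:00:02": "windows"},
        gid_to_luns={"unix": {0, 1, 2}, "windows": {3, 4}},
    )
    table.login(0x010100, "10:00:00:00:00:00:00:01")
    results = [table.may_access(0x010100, 1),   # unix host, unix LUN
               table.may_access(0x010100, 3)]   # unix host, windows LUN
    table.logout(0x010100)
    table.login(0x010100, "10:00:00:00:00:00:00:02")  # same S_ID reused
    results += [table.may_access(0x010100, 1), table.may_access(0x010100, 3)]
    return results

if __name__ == "__main__":
    print(demo())
```

The second half of `demo()` shows why the S_ID binding has to be dropped at logout: the same S_ID, reissued to a host in another group, resolves to that host's LUN set rather than the previous one.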

