Security method and system for storage subsystem
First Claim
Patent Images
1. A method for controlling access to a logical unit in a computer storage subsystem, said method comprising:
- creating at said computer storage subsystem a first mapping, said first mapping being between a logical unit identifier, a virtual unit identifier and a uniquely assigned host identifier;
creating at said computer storage subsystem a second mapping, said second mapping being between a dynamically assigned host identifier and said uniquely assigned host identifier;
receiving at said computer storage subsystem an inquiry request for at least one virtual logical unit in said computer storage subsystem, said request comprising at least a dynamically assigned host identifier, corresponding to an issuer of said inquiry request, and a requested virtual unit identifier;
searching said second mapping using said dynamically assigned host identifier to obtain a corresponding uniquely assigned host identifier;
searching said first mapping using said corresponding uniquely assigned host identifier;
determining whether access by said issuer of said inquiry request, to a logical unit corresponding to said requested virtual unit identifier, is permissible based upon whether a relation between said corresponding uniquely assigned host identifier to said requested virtual unit identifier exists in said first mapping;
if said access is permissible, then establishing accessibility between said logical unit corresponding to said requested virtual unit identifier and said issuer, said logical unit determined from a relation between said requested virtual unit identifier and a corresponding logical unit identifier determined from said first mapping; and
reporting whether said access is permissible to said issuer of said inquiry request.
0 Assignments
0 Petitions
Accused Products
Abstract
According to the present invention, techniques for performing security functions in computer storage subsystems in order to prevent illegal access by the host computers according to logical unit (LU) identity are provided. In representative embodiments management tables can be used to disclose the Logical Unit in the storage subsystem to the host computers in accordance with the users operational needs. In a specific embodiment, accessibility to a storage subsystem resource can be decided when an Inquiry Command is received, providing systems and apparatus wherein there is no further need to repeatedly determine accessibility for subsequent accesses to the Logical Unit. Many such embodiments can maintain relatively high performance, while providing robust security for each LU.
-
Citations
1 Claim
-
1. A method for controlling access to a logical unit in a computer storage subsystem, said method comprising:
-
creating at said computer storage subsystem a first mapping, said first mapping being between a logical unit identifier, a virtual unit identifier and a uniquely assigned host identifier;
creating at said computer storage subsystem a second mapping, said second mapping being between a dynamically assigned host identifier and said uniquely assigned host identifier;
receiving at said computer storage subsystem an inquiry request for at least one virtual logical unit in said computer storage subsystem, said request comprising at least a dynamically assigned host identifier, corresponding to an issuer of said inquiry request, and a requested virtual unit identifier;
searching said second mapping using said dynamically assigned host identifier to obtain a corresponding uniquely assigned host identifier;
searching said first mapping using said corresponding uniquely assigned host identifier;
determining whether access by said issuer of said inquiry request, to a logical unit corresponding to said requested virtual unit identifier, is permissible based upon whether a relation between said corresponding uniquely assigned host identifier to said requested virtual unit identifier exists in said first mapping;
if said access is permissible, then establishing accessibility between said logical unit corresponding to said requested virtual unit identifier and said issuer, said logical unit determined from a relation between said requested virtual unit identifier and a corresponding logical unit identifier determined from said first mapping; and
reporting whether said access is permissible to said issuer of said inquiry request.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeHitachi, Ltd.
-
Original AssigneeHitachi, Ltd.
-
InventorsOkami, Yoshinori, Ito, Ryusuke
-
Granted Patent
-
Time in Patent OfficeDays
-
Field of Search
-
US Class Current707/9
-
CPC Class CodesG06F 2003/0697 device management, e.g. han...G06F 21/62 Protecting access to data v...G06F 2221/2141 Access rights, e.g. capabil...G06F 3/0601 Interfaces specially adapte...G06F 3/0622 in relation to accessG06F 3/0635 by changing the path, e.g. ...G06F 3/0637 PermissionsG06F 3/0659 Command handling arrangemen...G06F 3/067 Distributed or networked st...H04L 61/103 across network layers, e.g....H04L 67/1097 for distributed storage of ...Y10S 707/954 RelationalY10S 707/99933 Query processing, i.e. sear...Y10S 707/99939 Privileged access
