Security method and system for storage subsystem
First Claim
1. A method for controlling access to a logical unit in a computer storage subsystem, said method comprising:
creating at said computer storage subsystem a first mapping, said first mapping being between a logical unit identifier, a virtual unit identifier and a uniquely assigned host identifier;
creating at said computer storage subsystem a second mapping, said second mapping being between a dynamically assigned host identifier and said uniquely assigned host identifier;
receiving at said computer storage subsystem an inquiry request for at least one virtual logical unit in said computer storage subsystem, said request comprising at least a dynamically assigned host identifier, corresponding to an issuer of said inquiry request, and a requested virtual unit identifier;
searching said second mapping using said dynamically assigned host identifier to obtain a corresponding uniquely assigned host identifier;
searching said first mapping using said corresponding uniquely assigned host identifier;
determining whether access by said issuer of said inquiry request, to a logical unit corresponding to said requested virtual unit identifier, is permissible based upon whether a relation between said corresponding uniquely assigned host identifier to said requested virtual unit identifier exists in said first mapping;
if said access is permissible, then establishing accessibility between said logical unit corresponding to said requested virtual unit identifier and said issuer, said logical unit determined from a relation between said requested virtual unit identifier and a corresponding logical unit identifier determined from said first mapping; and
reporting whether said access is permissible to said issuer of said inquiry request.
Abstract
According to the present invention, techniques for performing security functions in computer storage subsystems, in order to prevent illegal access by host computers according to logical unit (LU) identity, are provided. In representative embodiments, management tables can be used to disclose the Logical Unit in the storage subsystem to the host computers in accordance with the user's operational needs. In a specific embodiment, accessibility to a storage subsystem resource can be decided when an Inquiry Command is received, providing systems and apparatus wherein there is no further need to repeatedly determine accessibility for subsequent accesses to the Logical Unit. Many such embodiments can maintain relatively high performance while providing robust security for each LU.
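The two-mapping lookup of the claim above, and the abstract's point that accessibility is settled once at Inquiry time, as an added illustration (not code from the patent): the dynamically assigned host identifier is first resolved to the uniquely assigned one, then the (host, virtual unit) relation is looked up in the first mapping, and later I/O consults only the accessibility established by a permitted Inquiry. Identifier values, the `StorageSubsystem` class and its method names are constructed assumptions.

```python
# Added example: a minimal model of the claimed two-mapping access check (constructed values).

class StorageSubsystem:
    def __init__(self):
        # First mapping: (uniquely assigned host id, virtual unit id) -> logical unit id.
        self.first_mapping = {}
        # Second mapping: dynamically assigned host id -> uniquely assigned host id.
        self.second_mapping = {}
        # Accessibility established by a permitted Inquiry: (dynamic host id, virtual unit id) -> LU id.
        self.established = {}

    def permit(self, unique_host_id, virtual_unit_id, logical_unit_id):
        """Administrator populates the first mapping: which host sees which LU, under which virtual unit id."""
        self.first_mapping[(unique_host_id, virtual_unit_id)] = logical_unit_id

    def login(self, dynamic_host_id, unique_host_id):
        """Populate the second mapping when a host presents itself with a dynamically assigned id."""
        self.second_mapping[dynamic_host_id] = unique_host_id
        # A reassigned dynamic id must not inherit accessibility granted to its previous holder.
        self.established = {k: v for k, v in self.established.items() if k[0] != dynamic_host_id}

    def inquiry(self, dynamic_host_id, virtual_unit_id):
        """Handle an Inquiry request; return (permissible, logical_unit_id) as reported to the issuer."""
        unique_host_id = self.second_mapping.get(dynamic_host_id)
        if unique_host_id is None:
            return False, None  # issuer unknown in the second mapping: no relation can exist
        logical_unit_id = self.first_mapping.get((unique_host_id, virtual_unit_id))
        if logical_unit_id is None:
            return False, None  # no host -> virtual unit relation in the first mapping
        self.established[(dynamic_host_id, virtual_unit_id)] = logical_unit_id
        return True, logical_unit_id

    def io(self, dynamic_host_id, virtual_unit_id):
        """Subsequent command: only the established table is consulted, no mapping search."""
        return self.established.get((dynamic_host_id, virtual_unit_id))


def demo():
    sub = StorageSubsystem()
    sub.permit("WWN-A", 0, 5)  # host A sees LU 5 as its virtual unit 0
    sub.permit("WWN-B", 0, 7)  # host B sees LU 7 as its virtual unit 0
    sub.login(0x010200, "WWN-A")
    sub.login(0x010300, "WWN-B")
    a = sub.inquiry(0x010200, 0)  # (True, 5)
    b = sub.inquiry(0x010300, 0)  # (True, 7): same virtual unit id, different LU
    a_other = sub.inquiry(0x010200, 1)  # (False, None): no virtual unit 1 for host A
    stranger = sub.inquiry(0x010400, 0)  # (False, None): not in the second mapping
    io_a = sub.io(0x010200, 0)  # 5
    sub.login(0x010200, "WWN-C")  # dynamic id reassigned to another host
    io_after = sub.io(0x010200, 0)  # None: earlier accessibility dropped
    return a, b, a_other, stranger, io_a, io_after
```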
Specification