Storage apparatus and access management method therefor
Abstract
An access control management method is provided for managing access permits for access requests transmitted by an external apparatus to a storage apparatus by way of a network. The storage apparatus receives a frame of a login request from the external apparatus and determines whether or not the received frame includes second information for identifying the external apparatus (first determination process). In a case where a result of the first determination process indicates that the frame does not include the second information, acquisition of first information for identifying the external apparatus from the external apparatus is requested and the acquired first information is checked in order to determine whether or not an access permit should be given to the external apparatus (second determination process). In a case where a result of the second determination process indicates that an access permit should be given to the external apparatus, an access request made by the external apparatus as a request for an access to the storage apparatus is approved. As a result, it is possible to improve security of an access request made by the external apparatus serving as a host computer by adoption of an iSCSI protocol as a request for an access to the storage apparatus.
22 Claims
1. A storage apparatus for processing a command transmitted by a host computer connected to said storage apparatus by a network, said storage apparatus comprising:
- a storage unit for storing data to be processed in accordance with said command;
- a memory for holding an access management table for storing first information on identification of said host computer;
- a first determination means for determining whether or not a frame of a login request transmitted by said host computer includes second information on identification of said host computer;
- a request means for transmitting a request to a source address specified in the frame of the login request in order to request said host computer to transmit the first information on identification of said host computer in a case where the determination result output by said first determination means indicates that the frame of the login request does not include the desired second information; and
- a second determination means for carrying out a determination process on the first information transmitted by said host computer in response to the request issued by said request means by examination of said access management table;
wherein a decision as to whether or not to approve the login request is made in accordance with the determination result output by said second determination means. (Dependent claims 2-9 not shown.)

10. An access control management method for managing an access permit for an access request transmitted by an external apparatus to a storage apparatus by way of a network, said access control management method comprising the steps of:
- receiving a frame of a login request from said external apparatus in said storage apparatus;
- determining whether or not the received frame includes second information for identifying said external apparatus in a first determination process;
- requesting acquisition of first information for identifying said external apparatus from said external apparatus in a case where a result of said first determination process indicates that the frame does not include the second information;
- checking said acquired first information in a second determination process in order to determine whether or not an access permit should be given to said external apparatus; and
- approving an access request made by said external apparatus as a request for an access to said storage apparatus in a case where a result of said second determination process indicates that an access permit should be given to said external apparatus. (Dependent claims 11-16 not shown.)

17. An access control management method for managing access permits for accesses made by a first apparatus as accesses to a second apparatus connected to said first apparatus by a network, said access control management method comprising the steps of:
- acquiring predetermined first information from said first apparatus serving as an initiator of a communication in a case where said communication is determined to be unimplementable through said network in a first check mode of determining whether or not an access made by said first apparatus as an access to said second apparatus is an access made through said network by checking second information transmitted from said first apparatus to said second apparatus; and
- processing a command transmitted by said first apparatus to said second apparatus if an access requested by said command is permitted in a second check mode of determining whether or not an access made by said first apparatus as an access to said second apparatus is permitted by checking said first information acquired from said first apparatus. (Dependent claims 18-19 not shown.)

20. A command-processing method for carrying out a communication between a first apparatus having an iSCSI initiator and a second apparatus having an iSCSI target through an IP network, said command-processing method comprising the steps of:
- receiving a frame of a login request made by said first apparatus in said second apparatus;
- checking whether or not said frame includes first predetermined information for identifying said first apparatus;
- issuing a request from said second apparatus for acquisition of second predetermined information for identifying said first apparatus from said first apparatus in a case where said frame does not include said first predetermined information;
- checking whether or not an access made by said first apparatus is to be permitted by examination of said second predetermined information transmitted by said first apparatus to said second apparatus; and
- processing a command transmitted by said first apparatus to said second apparatus in said iSCSI target of said second apparatus in a case where a result of checking indicates that an access made by said first apparatus as an access to said second apparatus is permitted. (Dependent claim 21 not shown.)

22. A storage apparatus for executing a command received from a host computer connected to said storage apparatus by an IP network, said storage apparatus comprising:
- a storage unit for storing data to be processed by execution of said command;
- a memory for holding an access management table for storing first information on identification of said host computer; and
- a processing unit for processing a request received from said host computer;
wherein said processing unit:
- carries out a first determination process to determine whether or not a frame of a login request received from said host computer includes second information on identification of said host computer;
- transmits a request to a source address specified in said frame of said login request in order to request said host computer to transmit first information on identification of said host computer, and carries out a second determination process on first information transmitted by said host computer in response to said request by examination of said access management table in a case where a determination result output by said first determination process indicates that said frame of said login request does not include desired second information; and
- makes a decision as to whether or not to approve said login request in accordance with a determination result output by said second determination process.
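The login gate described in claims 1, 10 and 22, modelled in Python as an added illustration (not the patent holder's implementation): the target checks whether the login frame carries host identification, otherwise asks the source address for it, then consults the access management table and fails closed. The `LoginFrame`/`StorageApparatus` names, the use of an initiator name as the identifying information, and the direct table lookup when the frame already carries an identity are assumptions; the sample table and hosts are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class LoginFrame:
    """Minimal model of an iSCSI login request as seen by the target (assumed shape)."""
    source_address: str                        # address any follow-up request is sent to
    initiator_identity: Optional[str] = None   # the claims' "second information", if present


@dataclass
class StorageApparatus:
    """Target-side login gate: approves only identities found in the access table."""
    # "access management table": identities of permitted hosts (assumed to be
    # initiator names; the claims do not fix the format of the information)
    access_table: frozenset
    # "request means": asks the source address for its identity ("first information");
    # returns None when the host does not answer
    request_identity: Callable[[str], Optional[str]]
    audit: list = field(default_factory=list)   # one record per login decision

    def first_determination(self, frame: LoginFrame) -> bool:
        """Does the login frame itself carry identification of the host?"""
        return bool(frame.initiator_identity)

    def second_determination(self, identity: Optional[str]) -> bool:
        """Examine the access management table; a missing or unknown identity is denied."""
        return identity is not None and identity in self.access_table

    def handle_login(self, frame: LoginFrame) -> bool:
        """Return True if the login request is approved, recording how it was decided."""
        if self.first_determination(frame):
            identity, how = frame.initiator_identity, "in-frame"
        else:
            identity, how = self.request_identity(frame.source_address), "requested"
        approved = self.second_determination(identity)
        self.audit.append((frame.source_address, how, identity, approved))
        return approved


# Constructed sample: one permitted initiator and a stand-in for hosts that
# answer identity requests at two addresses only.
PERMITTED = frozenset({"iqn.2001-04.com.example:host-a"})
KNOWN_HOSTS = {"10.0.0.5": "iqn.2001-04.com.example:host-a",
               "10.0.0.9": "iqn.2001-04.com.example:host-b"}
target = StorageApparatus(PERMITTED, lambda addr: KNOWN_HOSTS.get(addr))


def run_demo():
    return (
        target.handle_login(LoginFrame("10.0.0.5", "iqn.2001-04.com.example:host-a")),
        target.handle_login(LoginFrame("10.0.0.5")),   # identity requested, then approved
        target.handle_login(LoginFrame("10.0.0.9")),   # requested, host-b not in table
        target.handle_login(LoginFrame("10.0.0.77")),  # no answer: denied, fail closed
    )
```

The `audit` list is the detection hook: a run of "requested" entries ending in `False` from one source address is the signal an operator would alert on.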