Storage system, computer system, and method of authorizing an initiator in the storage system or the computer system
Abstract
In a computer system in which one or more computers on which one or more initiators operate and a storage device on which one or more targets operate are connected with each other through a network, an authentication table for authenticating validity of a user of a computer is associated with an authorization table for authorizing access of an initiator to a certain target, to limit such accesses.
18 Claims
1. A storage system having a plurality of storing areas that can be accessed from a plurality of computers connected to the storage system through a network, comprising:
a control unit; and
a plurality of disk devices that constitute said plurality of storing areas and are connected to said control unit;
wherein:
said control unit comprises:
an interface connected to said network;
a memory; and
a second interface connected to said plurality of disk devices;
said memory stores:
an authorization table which stores a combination of a computer identifier that identifies a computer among said plurality of computers and a storing area identifier that specifies a storing area accessible from the computer identified by said computer identifier;
an authentication table which stores a combination of a user identifier that identifies a user who uses one of said plurality of computers and authentication information that authenticates said user;
an authentication name authorization table which stores a combination of a user identifier and a storing area identifier of a storing area that a user identified by said user identifier is permitted to access; and
said control unit:
uses said authorization table to authorize a computer that accesses a storing area;
uses said authentication table to authenticate a user who accesses said storage system;
uses said authentication name authorization table to judge whether the authenticated user who accesses a storing area from the authorized computer has a valid access right to said storing area; and
permits the access by said user only when said user has the valid access right.
(Dependent claims: 2, 3, 4, 10, 11, 12)
5. A computer system comprising:
a computer on which an initiator operates;
a storage system on which targets operate; and
a network connecting said computer and said storage system with each other;
wherein:
according to an instruction of a user, said computer sends said storage system a login request that includes an identifier of said initiator and an identifier of a target and an authentication request that includes an identifier which identifies said user and authentication information;
said storage system has:
an authorization table which stores a combination of the identifier of said initiator and an identifier of a target that said initiator is permitted to log in among said targets;
an authentication table which stores a combination of an identifier of a user of said computer and authentication information that authenticates said user; and
an authentication name authorization table which stores a combination of the identifier of said user and an identifier of a target that said user is permitted to access among said targets;
said storage system uses said authorization table to authorize the initiator which is the source of said login request, uses said authentication table to authenticate the user who has sent said authentication request, and uses said authentication name authorization table to judge whether said authenticated user who has logged in from said authorized initiator has a valid access right to said target and permits the login only when the user has the valid access right.
(Dependent claims: 6, 7, 8, 9, 14)
13. A storage system having a plurality of storing areas that can be accessed from a computer connected through a network, wherein:
said storage system comprises:
an arithmetic unit and a memory;
said memory stores:
an authorization table which stores a combination of an identifier of a computer and an identifier of a storing area that said computer is permitted to access;
an authentication table which stores a combination of an identifier of a user and authentication information which authenticates said user; and
an authentication name authorization table which stores a combination of an identifier of a user and a storing area identifier of a storing area that said user can access and a combination of the identifier of said user and a computer identifier which identifies a computer that the user identified by said identifier is permitted to use; and
when a login request that includes the identifier of said computer and an identifier of a storing area as an access destination is received from said computer, then said arithmetic unit performs authorization processing to check the received login request referring to said authorization table to authorize the computer which is the source of said login request;
when an authentication request that includes the identifier and the authentication information of the user is received from said computer, then said arithmetic unit performs authentication processing to check the received authentication request referring to said authentication table to authenticate validity of said user; and
when an authentication request that includes the identifier of the computer authorized in said authorization processing, the identifier of the storing area that said computer is permitted to access and the identifier of the user authenticated in said authentication processing is received from said computer, then said arithmetic unit performs authentication name authorization processing to check the received authentication request referring to said authentication name authorization table and accepts the login request when the received authentication request agrees with the authentication name authorization table.
15. A storage system that can be accessed from a plurality of devices connected through a network and has a plurality of storing areas, wherein:
said storage system comprises a control unit and a plurality of disk devices that constitute said plurality of storing areas and are connected to said control unit;
said control unit comprises an interface connected to said network, a memory and a second interface connected to said plurality of disk devices;
said memory stores:
an authorization table which stores a combination of a device identifier which identifies one of said plurality of devices and a storing area identifier which specifies a storing area that a device identified by said device identifier can access;
an authentication table which stores a combination of a user identifier which identifies a user who uses said device and authentication information which authenticates said user; and
an authentication name authorization table which stores a combination of said user identifier and a storing area identifier of a storing area that the user identified by said user identifier is permitted to access; and
said control unit uses said authorization table to authorize a device accessing a storing area, said authentication table to authenticate a user accessing said storage system, and said authentication name authorization table to judge whether the authenticated user accessing from said authorized device has a valid access right to said storing area, and permits the access only when said user has the valid access right.
(Dependent claims: 16, 17)
18. A computer system comprising:
a computer on which an initiator operates;
a storage system on which targets operate;
a network that connects said computer and said storage system with each other;
a storage management device connected to said network; and
a name management device connected to said network;
wherein:
according to an instruction of a user, said computer sends said storage system a login request that includes an identifier of said initiator and an identifier of a target and an authentication request that includes an identifier which identifies said user and authentication information;
said storage system has an authorization table which stores a combination of the identifier of said initiator and an identifier of a target that said initiator is permitted to log in among said targets, an authentication table which stores a combination of the identifier of the user of said computer and the authentication information which authenticates said user, and an authentication name authorization table which stores a combination of the identifier of said user and an identifier of a target that said user is permitted to access among said targets;
said storage management device has an input device which receives input of information to be stored into said authorization table, said authentication table and said authentication name authorization table;
said storage management device sends information inputted through said input device to said storage system through said network;
said storage management device acquires identifiers of said initiator and said targets operating respectively on said computer and said storage system connected to said network, and has an interface which presents the acquired identifiers in a format in which a user can select identifiers;
said name management device has a domain table which manages the identifier of said initiator in association with the identifier of said target that said initiator is permitted to access;
when said name management device receives a discovery request including the identifier of said initiator from said initiator, then said name management device returns the identifier of the target that said initiator is permitted to access, to the initiator which is the request source;
before said computer sends said first login request, said computer sends a discovery request including the identifier of said initiator to said name management device, to acquire the identifier of the target that said initiator is permitted to access; and
said storage system uses said authorization table to authorize the initiator which is the sending source of said login request, said authentication table to authenticate the user who has sent said authentication request, and said authentication name authorization table to judge whether the authenticated user who has logged in from said authorized initiator has a valid access right to said target, and permits the login only when said user has the valid access right.
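The three-table login decision of claims 13 and 18 (authorize the initiator, authenticate the user, then check the user's own rights), together with the name management device's discovery step, as an added illustration that is not the patent's own code. The table contents, the iSCSI-style initiator and target names, and the `login` and `discover` method names are all constructed for this example.

```python
import hmac
from dataclasses import dataclass


@dataclass
class StorageSystem:
    """Storage-side tables named in the claims (constructed sample data is below)."""
    authorization: dict        # initiator id -> set of target ids it may log in to
    authentication: dict       # user id -> shared secret (assumed plain string here)
    name_authorization: dict   # user id -> {"targets": set, "initiators": set}

    def authorize_initiator(self, initiator: str, target: str) -> bool:
        # Authorization processing: is this (initiator, target) pair in the table?
        return target in self.authorization.get(initiator, set())

    def authenticate_user(self, user: str, secret: str) -> bool:
        # Authentication processing; constant-time compare avoids a timing side channel.
        expected = self.authentication.get(user)
        return expected is not None and hmac.compare_digest(expected, secret)

    def user_may_use(self, user: str, initiator: str, target: str) -> bool:
        # Authentication name authorization processing in the claim 13 form, which
        # binds the user both to permitted targets and to permitted initiators.
        entry = self.name_authorization.get(user)
        return (entry is not None and initiator in entry["initiators"]
                and target in entry["targets"])

    def login(self, initiator: str, target: str, user: str, secret: str) -> bool:
        # The login is accepted only when all three checks pass, in claim order.
        return (self.authorize_initiator(initiator, target)
                and self.authenticate_user(user, secret)
                and self.user_may_use(user, initiator, target))


class NameManagementDevice:
    """Domain table of claim 18: discovery returns the targets an initiator may use."""
    def __init__(self, domain_table: dict):
        self.domain_table = domain_table

    def discover(self, initiator: str) -> list:
        return sorted(self.domain_table.get(initiator, ()))


# Constructed sample tables (hypothetical names, not taken from the patent).
HOST1, HOST2 = "iqn.2000-01.example:host1", "iqn.2000-01.example:host2"
TGT1, TGT2 = "iqn.2000-01.example:storage.tgt1", "iqn.2000-01.example:storage.tgt2"
STORAGE = StorageSystem(
    authorization={HOST1: {TGT1, TGT2}, HOST2: {TGT2}},
    authentication={"alice": "alice-secret", "bob": "bob-secret"},
    name_authorization={"alice": {"targets": {TGT1}, "initiators": {HOST1}},
                        "bob": {"targets": {TGT2}, "initiators": {HOST1, HOST2}}},
)
NAME_SERVER = NameManagementDevice({HOST1: {TGT1, TGT2}, HOST2: {TGT2}})

if __name__ == "__main__":
    for target in NAME_SERVER.discover(HOST1):   # discovery precedes the login request
        print(target, STORAGE.login(HOST1, target, "alice", "alice-secret"))
```

Note that an authorized initiator and a correctly authenticated user are still refused when the authentication name authorization table does not pair that user with that target, which is the extra check the claims add over per-initiator authorization alone.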