Storage system, computer system, and method of authorizing an initiator in the storage system or the computer system

US 20050257274A1
Filed: 06/29/2004
Published: 11/17/2005
Est. Priority Date: 04/26/2004
Status: Active Grant

First Claim

Patent Images

1. A storage system having a plurality of storing areas that can be accessed from a plurality of computers connected to the storage system through a network, comprising:

a control unit; and

a plurality of disk devices that constitute said plurality of storing areas and are connected to said control unit;

wherein;

said control unit comprises;

an interface connected to said network;

a memory; and

a second interface connected to said plurality of disk devices;

said memory stores;

an authorization table which stores a combination of an computer identifier that identifies a computer among said plurality of computers and a storing area identifier that specifies a storing area accessible from the computer identified by said computer identifier;

an authentication table which stores a combination of a user identifier that identifies a user who uses one of said plurality of computers and authentication information that authenticates said user;

an authentication name authorization table which stores a combination of an user identifier and a storing area identifier of a storing area that a user identified by said user identifier is permitted to access; and

said control unit;

uses said authorization table to authorize a computer that accesses a storing area;

uses said authentication table to authenticate a user who accesses said storage system;

uses said authentication name authorization table to judge whether the authenticated user who accesses a storing area from the authorized computer has a valid access right to said storing area; and

permits the access by said user only when said user has the valid access right.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a computer system in which one or more computers on which one or more initiators operate and a storage device on which one or more targets operate are connected with each other through a network, an authentication table for authenticating validity of a user of a computer is associated with an authorization table for authorizing access of an initiator to a certain target, to limit such accesses.

Citations

18 Claims

1. A storage system having a plurality of storing areas that can be accessed from a plurality of computers connected to the storage system through a network, comprising:
- a control unit; and
  
  a plurality of disk devices that constitute said plurality of storing areas and are connected to said control unit;
  
  wherein;
  
  said control unit comprises;
  
  an interface connected to said network;
  
  a memory; and
  
  a second interface connected to said plurality of disk devices;
  
  said memory stores;
  
  an authorization table which stores a combination of an computer identifier that identifies a computer among said plurality of computers and a storing area identifier that specifies a storing area accessible from the computer identified by said computer identifier;
  
  an authentication table which stores a combination of a user identifier that identifies a user who uses one of said plurality of computers and authentication information that authenticates said user;
  
  an authentication name authorization table which stores a combination of an user identifier and a storing area identifier of a storing area that a user identified by said user identifier is permitted to access; and
  
  said control unit;
  
  uses said authorization table to authorize a computer that accesses a storing area;
  
  uses said authentication table to authenticate a user who accesses said storage system;
  
  uses said authentication name authorization table to judge whether the authenticated user who accesses a storing area from the authorized computer has a valid access right to said storing area; and
  
  permits the access by said user only when said user has the valid access right.
- View Dependent Claims (2, 3, 4, 10, 11, 12)
- - 2. A storage system according to claim 1, wherein:
    - when said control unit authorizes said computer, said control unit receives a login request through said interface, said login request having been sent by said computer at time when said computer accesses said storing area;
      
      extracts a combination of a computer identifier of the computer that has sent said login request and a storing area identifier of said storing area to which said computer requests access, from said login request;
      
      compares said extracted combination with combinations stored in said authorizes table; and
      
      authorizes said computer that has sent said login request, when said authorization table stores a combination coincident with said extracted combination;
      
      when said control unit authenticates-said user, said control unit receives an authentication request sent from said computer, through said interface;
      
      extracts a combination of a user identifier and authentication information from said authentication request;
      
      compares the extracted combination with combinations stored in said authentication table; and
      
      authenticates said user when said authentication table stores a combination coincident with said extracted combination; and
      
      in a case where a combination of the storing area identifier extracted from said login request and the user identifier extracted from said authentication request is a combination stored in said authentication name authorization table, then said control unit judges that said user has the valid access right.
  - 3. A storage system according to claim 1, wherein:
    - said memory stores a second authentication name authorization table instead of said authentication name authorization table, said second authentication name authorization table storing a combination of a user identifier and a storing area identifier of a storing area that a user identified by said user identifier can access and a combination of said user identifier and a computer identifier which identifies a computer that said user identified by said user identifier is permitted to use; and
      
      said control unit uses said second authentication name authorization table to judge whether said authenticated user accessing from said authorized computer is a valid user of said computer and has a valid access right to said storing area, and permits the access of said user only when said user is the valid user and has the valid access right.
  - 4. A storage system according to claim 1, wherein:
    - said computer identifier and said storing area identifier are iSCSI names.
  - 10. A storage system according to claim 1, wherein:
    - said memory stores a third authentication name authorization table which stores a combination of said user identifier and said computer identifier of the computer that the user identified by said user identifier is permitted to use, instead of said authentication name authorization table; and
      
      said control unit uses said third authentication name authorization table to judge whether said authenticated user who accesses said authorized computer is a valid user of said computer and whether said user has a valid access right to said storing area, and permits the access only when said user is the valid user and has the valid access right.
  - 11. A storage system according to claim 1, wherein:
    - said memory stores a second authorization table which stores a combination of the identifier of said user, said storing area identifier of the storing area that said user can access and said computer identifier of said computer that can access said storing area, instead of said authentication name authorization table and said authorization table; and
      
      said control unit uses said second authorization table to judge whether said authenticated user who accesses from said authorized computer is a valid user of said computer and has a valid access right to said storing area, and permits the access only when said user is the valid user and has the valid access right.
  - 12. A storage system according to claim 1, wherein:
    - said memory stores a third authorization table which stores a combination of the identifier of said user, the computer identifier of the computer that said user is permitted to use and the storing area identifier of the storing area that said computer can access, instead of said authentication name authorization table; and
      
      said control unit uses said third authorization table to judge whether said authenticated user who accesses from said authorized computer is a valid user of said computer and has a valid access right to said storing area, and permits the access only when said user is the valid user and has the valid access right.

5. A computer system comprising:
- a computer on which an initiator operates;
  
  a storage system on which targets operate; and
  
  a network connecting said computer and said storage system with each other;
  
  wherein;
  
  according to an instruction of a user, said computer sends said storage system a login request that includes an identifier of said initiator and an identifier of a target and an authentication request that includes an identifier which identifies said user and authentication information;
  
  said storage system has;
  
  an authorization table which stores a combination of the identifier of said initiator and an identifier of a target that said initiator is permitted to log in among said targets;
  
  an authentication table which stores a combination of an identifier of a user of said computer and authentication information that authenticates said user; and
  
  an authentication name authorization table which stores a combination of the identifier of said user and an identifier of a target that said user is permitted to access among said targets;
  
  said storage system uses said authorization table to authorize the initiator which is the source of said login request, uses said authentication table to authenticate the user who has sent said authentication request, and uses said authentication name authorization table to judge whether said authenticated user who has logged in from said authorized initiator has a valid access right to said target and permits the login only when the user has the valid access right.
- View Dependent Claims (6, 7, 8, 9, 14)
- - 6. A computer system according to claim 5, wherein:
    - said storage system further has a second authentication name authorization table which stores a combination of the identifier of said user and an identifier of an initiator that said user is permitted to use among initiators; and
      
      to judge existence of an access right to said target, said storage system uses said second authentication name authorization table to judge whether said authenticated user who has accessed the storage system from said authorized initiator is a valid user who is permitted to use said initiator and judges existence of said access right to said target only when the user is the valid user.
  - 7. A computer system according to claim 5, wherein:
    - said computer system further comprises a storage management device connected to said network;
      
      said storage management device has an input device which receives input of information to said authorization table, said authentication table and said authentication name authorization table; and
      
      said storage management device sends information inputted through said input device, to said storage system through said network.
  - 8. A computer system according to claim 7, wherein:
    - said storage management device acquires the identifiers of said initiator and said target respectively operating on said computer and said storage system connected to said network, and said storage management device is provided with an interface which presents said acquired identifiers in a format in which a user can select the identifiers.
  - 9. A computer system according to claim 8, wherein:
    - said computer system further comprises a name management device connected to said network;
      
      said name management device has a domain table which manages the identifier of said initiator in association with the identifiers of the targets that said initiator is permitted to access;
      
      when said name management device receives a discovery request including the identifier of said initiator from said initiator, said name management device returns the identifiers of the target that said initiator is permitted to access, to the initiator which is the source of the request; and
      
      before said computer sends said login request, sends said discovery request including the identifier of said initiator to said name management device to acquire the identifiers of the targets that said initiator is permitted to access.
  - 14. A computer system according to claim 8, wherein:
    - said computer system further comprises a second storage system connected to said network;
      
      said first storage system operates as an initiator;
      
      said second storage system receives access from the first storage system and has a plurality of storing areas;
      
      said second storage system has;
      
      an authorization table which stores a combination of a storage system identifier which identifies said first storage system and a storing area identifier which identifies a storing area that said first storage system is permitted to access;
      
      an authentication table which stores a combination of a user identifier which identifies a user of said first storage system and authentication information which authenticates said user; and
      
      an authentication name authorization table which stores a combination of the identifier of said user and the storing area identifier of the storing area that said user can access;
      
      said second storage system uses;
      
      said authorization table to authorize said first storage system accessing said storing area;
      
      said authentication table to authenticate the user accessing said storage system; and
      
      said authentication name authorization table to judge whether the authenticated user accessing from the authorized first storage system has a valid access right to said storing area and permits the access only when the user has the valid access right.

13. A storage system having a plurality of storing areas that can be accessed from a computer connected through a network, wherein:
- said storage system comprising;
  
  an arithmetic unit and a memory;
  
  said memory stores;
  
  an authorization table which stores a combination of an identifier of a computer and an identifier of a storing area that said computer is permitted to access;
  
  an authentication table which stores a combination of an identifier of a user and authentication information which authenticates said user; and
  
  an authentication name authorization table which stores a combination of an identifier of a user and a storing area identifier of an storing area that said user can access and a combination of the identifier of said user and a computer identifier which identifies a computer that the user identified by said identifier is permitted to use; and
  
  when a login request that includes the identifier of said computer and an identifier of a storing area as an access destination is received from said computer, then said arithmetic unit performs authorization processing to check the received login request referring to said authorization table to authorize the computer which is the source of said login request;
  
  when an authentication request that includes the identifier and the authentication information of the user is received from said computer, then said arithmetic unit performs authentication processing to check the received authentication request referring to said authentication table to authenticate validity of said user; and
  
  when an authentication request that includes the identifier of the computer authorized in said authorization processing, the identifier of the storing area that said computer is permitted to access and the identifier of the user authenticated in said authentication processing is received from said computer, then said arithmetic unit performs authentication name authorization processing to check the received authentication request referring to said authentication name authorization table and accepts the login request when the received authentication request agrees with the authentication name authorization table.

15. A storage system that can be accessed from a plurality of devices connected through a network and has a plurality of storing areas, wherein:
- said storage system comprises a control unit and a plurality of disk devices that constitute said plurality of storing areas and are connected to said control unit;
  
  said control unit comprises an interface connected to said network, a memory and a second interface connected to said plurality of disk devices;
  
  said memory stores;
  
  an authorization table which stores a combination of a device identifier which identifies one of said plurality of devices and a storing area identifier which specifies a storing area that a device identified by said device identifier can access;
  
  an authentication table which stores a combination of a user identifier which identifies a user who uses said device and authentication information which authenticates said user; and
  
  an authentication name authorization table which stores a combination of said user identifier and a storing area identifier of a storing area that the user identified by said user identifier is permitted to access; and
  
  said control unit uses said authorization table to authorize a device accessing a storing area, said authentication table to authenticate a user accessing said storage system, and said authentication name authorization table to judge whether the authenticated user accessing from said authorized device has a valid access right to said storing area, and permits the access only when said user has the valid access right.
- View Dependent Claims (16, 17)
- - 16. A storage system according to claim 15, wherein:
    - said plurality of devices are plurality of computers.
  - 17. A storage system according to claim 15, wherein:
    - said plurality of devices are plurality of storage systems.

18. A computer system comprising:
- a computer on which an initiator operates;
  
  a storage system on which targets operate;
  
  a network that connects said computer and said storage system with each other;
  
  a storage management device connected to said network; and
  
  a name management device connected to said network;
  
  wherein;
  
  according to an instruction of a user, said computer sends said storage system a login request that includes an identifier of said initiator and an identifier of a target and an authentication request that includes an identifier which identifies said user and authentication information;
  
  said storage system has an authorization table which stores a combination of the identifier of said initiator and an identifier of a target that said initiator is permitted to log in among said targets, an authentication table which stores a combination of the identifier of the user of said computer and the authentication information which authenticates said user, and an authentication name authorization table which stores a combination of the identifier of said user and an identifier of a target that said user is permitted to access among said targets;
  
  said storage management device has an input device which receives input of information to be stored into said authorization table, said authentication table and said authentication name authorization table;
  
  said storage management device sends information inputted through said input device to said storage system through said network;
  
  said storage management device acquires identifiers of said initiator and said targets operating respectively on said computer and said storage system connected to said network, and has an interface which presents the acquired identifiers in a format in which a user can select identifiers;
  
  said name management device has a domain table which manages the identifier of said initiator in association with the identifier of said target that said initiator is permitted to access;
  
  when said name management device receives a discovery request including the identifier of said initiator from said initiator, then said name management device returns the identifier of the target that said initiator is permitted to access, to the initiator which is the request source;
  
  before said computer sends said first login request, said computer sends a discovery request including the identifier of said initiator to said name management device, to acquire the identifier of the target that said initiator is permitted to access; and
  
  said storage system uses said authorization table to authorize the initiator which is the sending source of said login request, said authentication table to authenticate the user who has sent said authentication request, and said authentication name authorization table to judge whether the authenticated user who has logged in from said authorized initiator has a valid access right to said target, and permits the login only when said user has the valid access right.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Shiga, Kenta, Kumagai, Atsuya, Nakatsuka, Daiki, Fujiwara, Keisei

Granted Patent

US 7,353,542 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/28
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

G06F 21/805   using a security table for ...

H04L 63/101   Access control lists [ACL]

Storage system, computer system, and method of authorizing an initiator in the storage system or the computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Storage system, computer system, and method of authorizing an initiator in the storage system or the computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links