Access management method between plural devices constituted by hierarchical relation, management computer, and computer system

US 20060190611A1
Filed: 04/01/2005
Published: 08/24/2006
Est. Priority Date: 02/21/2005
Status: Abandoned Application

First Claim

Patent Images

1. An access management method in a management computer that manages:

a host computer;

a storage system that has an actual data storage area storing data used by the host computer;

a first device that is associated with the actual data storage area and provides the host computer with a virtualized data storage area, and a fabric that is connected to any one of the host computer, the first device, and the storage system via a communication path, the access management method comprising;

defining a first access permission path including a path between the host computer and the first device via the fabric and a second access permission path including a path between the first device and the storage system via the fabric, and when the first access permission path is set in the fabric, setting the first access permission path in the fabric in association with the second access permission path.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a computer system that includes plural host computers and plural data storage apparatuses (storage systems) and performs, in particular, virtualization of a data storage area, unless zoning is performed correctly to activate a zone between a data storage apparatus holding a virtualized data storage area and a device holding a data storage area storing actual data, the storage area storing actual data cannot be used from the host computers. The present invention provides a mechanism for grasping a relation between the virtualized data storage area and the data storage area storing actual data, configuring a zone between data storage apparatuses holding the data storage areas as a special zone, and always activating the special zone at the time of zoning configuration. The invention further provides a mechanism for grasping a relation between the virtualized data storage area and the data storage area storing actual data, associating a zone for connecting the host computers and a first-tier data storage apparatus and a zone for connecting the first-tier data storage apparatus and a second-tier data storage apparatus, and activating a second zone according to switching activating first zone.

42 Citations

View as Search Results

20 Claims

1. An access management method in a management computer that manages:
- a host computer;
  
  a storage system that has an actual data storage area storing data used by the host computer;
  
  a first device that is associated with the actual data storage area and provides the host computer with a virtualized data storage area, and a fabric that is connected to any one of the host computer, the first device, and the storage system via a communication path, the access management method comprising;
  
  defining a first access permission path including a path between the host computer and the first device via the fabric and a second access permission path including a path between the first device and the storage system via the fabric, and when the first access permission path is set in the fabric, setting the first access permission path in the fabric in association with the second access permission path.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. An access management method according to claim 1, wherein the host computer has a host computer network interface connected to a network, the first device has at least one device network interface connected to the network, the storage system has at least one storage interface connected to the network, the first access permission path is an access permission path between the host computer network interface of the host computer and the device network interface of the first device, the second access permission path is an access permission path between the second device network interface and the storage network interface of the storage system, and the management computer judges whether the second access permission path is set together with the first access permission path on the basis of an correspondence relation between the virtualized data storage area and the actual data storage area, a correspondence relation between the virtualized data storage area and the second device network interface, and a correspondence relation between the storage interface and the actual data storage area.
  - 3. An access management method according to claim 2, wherein the host computer network interface, the device network interface, and the storage network interface are device ports, the fabric includes at least one switch, the switch has plural switch ports connected to the device ports via a communication line and controls data communication among the switch ports according to a zone configuration, each of the access permission paths includes the zone, and when the second access permission path is associated with the first access permission path and set in the fabric, the management computer activates a zone set, which includes a zone belonging to the first access permission path and a zone belonging to the second access permission path, in the fabric.
  - 4. An access management method according to claim 3, wherein the zone is constituted by a combination of port identifiers specifying the switch ports.
  - 5. An access management method according to claim 3, wherein the zone is constituted by a combination of World Wide Names of device ports connected to the switch ports.
  - 6. An access management method according to claim 1, wherein the device is a storage system.
  - 7. An access management method according to claim 1, wherein the management computer specifies the second access permission path, which is an access permission path including the storage system that has the actual data storage area storing the data used by the host computer, as a specific access permission path, and when the first access permission path including the host computer is set, the first access permission path is set in association with the specific access permission path.
  - 8. An access management method according to claim 1, wherein the first access permission path is an access permission path between the host computer and the virtualized data storage area, the second access permission path is an access permission path between the virtualized data storage area and the actual data storage area, and when the first access permission path and the second access permission path have the same virtualized data storage area each, the management computer sets the first access permission path in association with the second access permission path in the fabric.

9. A computer system comprising:
- a host computer;
  
  a second-tier storage system that has an actual data storage area storing data used by the host computer;
  
  a first-tier storage system that provides the host computer with a virtualized data storage area associated with the actual data storage area;
  
  a switch connected to the host computer, the first-tier storage system, and the second-tier storage system via a communication path; and
  
  a management computer connected to the host computer, the first-tier storage system, the second-tier storage system, and the switch via a network, wherein the switch has plural ports connected to the host computer, the first-tier storage system, and the second-tier storage system, respectively, the management computer includes;
  
  a memory that holds configuration information of plural zones permitting communication in the computer system via at least one port provided in the switch; and
  
  a control unit that, when any one of the zones is a first zone permitting communication between the host computer and a virtualized data storage area provided to the host computer, extracts a second zone permitting communication with an actual data storage area associated with the virtualized data storage area from the memory and instructs the switch to configure the second zone in association with the first zone via a network.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. A computer system according to claim 9, wherein the switch has a first port connected to the host computer via a communication path, a second port and a third port that are connected to the first-tier storage system via a communication path, and a fourth port that is connected to the second-tier storage system via a communication path, the first-tier storage system holds an association of a port of the first-tier storage system connected to the third port, the virtualized data storage area and an association of the virtualized data storage area and the actual data storage area, the second-tier storage system holds an association of a port of the second-tier storage system connected to the fourth port and the actual data storage area, and the control unit provided in the management computer performs control for acquiring each of the associations from the first-tier storage system and the second-tier storage system via the network, extracting a second zone associated with the first zone from the acquired associations, and holding the extracted second zone in the memory as a special zone.
  - 11. A computer system according to claim 10, wherein the special zone is the second zone, and when communication control according to the first zone is activated-, the control unit of the management computer instructs the switch to configure the special zone in association with the first zone.
  - 12. A computer system according to claim 10, wherein when the first zone is a zone including permission of communication with the actual data storage area associated with the virtualized data storage area, the special zone associated with the first zone is not present.
  - 13. A computer system according to claim 11, wherein the management computer defines a zone set including the first zone and the special zone as members and instructs the switch to activate the zone set via the network.
  - 14. A computer system according to claim 10, wherein the first-tier storage system includes an actual storage area storing data used by the computer and holds an association of a port of the first-tier storage system and the actual storage area, the memory of the management computer holds configuration information of a third zone that permits communication between the host computer and the actual data storage area, and the control unit of the management computer acquires the association of the port of the first-tier storage system and the actual data storage area via the network and, when communication control according to any one of zones defined by the configuration information of zones held on the memory is activated, the first-tier storage system judges whether it is necessary to transmit the read or write request received from the computer system to the second-tier storage system on the basis of the zone configuration information and the association of the port of the first-tier storage system and the actual data storage area and, when it is judged that it is not necessary, instructs the switch to configure the third zone via the network without associating the third zone with other zones and without holding a special zone associated with the third zone in the memory.
  - 15. A computer system according to claim 9, wherein, when the memory does not have the second zone associated with the first zone, the control unit of the management computer defines a second zone having at least a port not belonging to the first zone of the first-tier storage system associated with the virtualized data storage area as a member from a correspondence relation between the virtualized data storage area and the actual data storage area, a correspondence relation between the port not belonging to the first zone, of the first-tier storage system and the virtualized data storage area, and a correspondence relation between the port of the second-tier storage system and the actual data storage area and holds the defined second zone in the memory as a special zone.

16. A switch comprising:
- plural switch ports connected to a host computer and plural devices via a communication path;
  
  a memory that holds zone configuration information that defines zones permitting communication including at least one of a path between plural devices or a path between the host computer and the devices; and
  
  a CPU that is connected to the memory and the switch ports, wherein the CPU reads out the zone configuration information from the memory, holds a first zone, which includes a switch port connected to a first device receiving a request from a host computer and a switch port connected to a second device storing the data, as a special zone among the zones defined by the zone configuration information, configures a second zone defined by a zone including the switch port connected to the first device in association with the first zone serving as the special zone, and permits communication among the switch ports.
- View Dependent Claims (17, 18, 19, 20)
- - 17. A switch according to claim 16, wherein the management computer has a host computer port connected to the communication path, the devices have device ports connected to the communication path, the zone configuration information is a combination including at least one of a combination of a name of the host computer port permitted to communicate and the device ports or a combination of the plural device ports, and the CPU defines a zone set having the first zone serving as the special zone and the second zone as members and holds the zone set in the memory.
  - 18. A switch according to claim 17, wherein the first device is a virtualized device that provides a virtualized data storage area recognizable by the host computer, the second device is a storage device that includes an actual data storage area that corresponds to the virtualized data storage area and stores data used by the host computer, and device ports held by virtualized devices included in the first zone and the second zone are associated with the virtualized data storage area.
  - 19. A switch according to claim 17, wherein the special zone has names of the device ports, which are held by the first device and the second device, respectively, as zone members.
  - 20. A switch according to claim 18, wherein the virtualized device includes an external device port, which sends a request to read out data from and write data in the storage device to the outside according to a request from the host computer, and holds a zone including the external port in the memory as a special zone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Yamamoto, Masayuki, Kaneda, Yasunori, Taguchi, Yuichi, Miyazaki, Fumi

Application Number

US11/097,037
Publication Number

US 20060190611A1
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06F 3/0605   by facilitating the interac...

G06F 3/062   Securing storage systems

G06F 3/0635   by changing the path, e.g. ...

G06F 3/0637   Permissions

G06F 3/0665   at area level, e.g. provisi...

G06F 3/0685   Hybrid storage combining he...

H04L 67/1097   for distributed storage of ...

H04L 67/2885   Hierarchically arranged int...

Access management method between plural devices constituted by hierarchical relation, management computer, and computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access management method between plural devices constituted by hierarchical relation, management computer, and computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links