SECURITY METHOD AND SYSTEM FOR STORAGE SUBSYSTEM
Abstract
According to the present invention, techniques for performing security functions in computer storage subsystems in order to prevent illegal access by the host computers according to logical unit (LU) identity are provided. In representative embodiments, management tables can be used to disclose the Logical Unit in the storage subsystem to the host computers in accordance with the users' operational needs. In a specific embodiment, accessibility to a storage subsystem resource can be decided when an Inquiry Command is received, providing systems and apparatus wherein there is no further need to repeatedly determine accessibility for subsequent accesses to the Logical Unit. Many such embodiments can maintain relatively high performance, while providing robust security for each LU.
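The per-host lookup the abstract and claims describe, as an added example that is not code from the patent: a management table maps (host port, virtual LUN) to an internal LU, and byte 0 of the Inquiry response reports "installed" or "not installed" accordingly. The 64-bit port identifiers, the table contents and the byte-0 values (SCSI standard Inquiry data: qualifier 000b for a present device, qualifier 011b with device type 1Fh for an unsupported LU) are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed host port identifiers (assumed to be 64-bit port names). */
#define HOST_A 0x1000000000000001ULL
#define HOST_B 0x1000000000000002ULL  /* deliberately has no table entry */
#define HOST_C 0x1000000000000003ULL

/* One row of the management table: what a given host port may see. */
struct lun_map_entry {
    uint64_t port_id;      /* host port that sent the Inquiry frame */
    uint16_t virtual_lun;  /* LUN carried in that frame */
    uint16_t internal_lun; /* LU inside the storage system */
};

/* Constructed sample table: two hosts both use virtual LUN 0,
   but each is steered to a different internal LU. */
static const struct lun_map_entry table[] = {
    { HOST_A, 0, 5 },
    { HOST_A, 1, 6 },
    { HOST_C, 0, 9 },
};

#define INQ_INSTALLED     0x00 /* qualifier 000b, device type 00h */
#define INQ_NOT_INSTALLED 0x7F /* qualifier 011b, device type 1Fh */

/* Returns the internal LUN, or -1 when the port has no mapping for vlun. */
int resolve_lun(uint64_t port_id, uint16_t vlun)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].port_id == port_id && table[i].virtual_lun == vlun)
            return table[i].internal_lun;
    return -1;
}

/* Byte 0 of the Inquiry data returned in the second frame. */
uint8_t inquiry_byte0(uint64_t port_id, uint16_t vlun)
{
    return resolve_lun(port_id, vlun) >= 0 ? INQ_INSTALLED : INQ_NOT_INSTALLED;
}

int main(void)
{
    printf("A/0 -> LU %d, byte0 0x%02X\n", resolve_lun(HOST_A, 0), inquiry_byte0(HOST_A, 0));
    printf("B/0 -> LU %d, byte0 0x%02X\n", resolve_lun(HOST_B, 0), inquiry_byte0(HOST_B, 0));
    printf("C/0 -> LU %d, byte0 0x%02X\n", resolve_lun(HOST_C, 0), inquiry_byte0(HOST_C, 0));
    return 0;
}
```
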
40 Claims
1. A storage system, comprising:
a processor, in response to receiving a first frame from at least one computer of a plurality of computers according to a fibre channel protocol, being adapted to send a second frame to the at least one computer of the plurality of computers according to said fiber channel protocol;
wherein, if the first frame is received from a first computer and includes a first virtual logical unit number (LUN), which corresponds to a first LUN identifying a first LU which is accessible by the first computer, the storage system is adapted to send the second frame wherein the first virtual LUN is 0, and the second frame includes first information indicating that the first LU, related to the first virtual LUN is installed in the storage system,
wherein, if the first frame is received from a second computer of the plurality of computers, other than the first computer, and includes a second virtual LUN, which does not relate to any LU that is accessible by the second computer, the storage system is adapted to send the second frame, the second frame including second information indicating that the second LU, related to the second virtual LUN, is not installed in the storage system,
wherein, if the first frame is received from a third computer, other than the first and second computers, and includes a third virtual LUN, which corresponds to a third LUN, different from the first LUN, identifying a third LU which is accessible by the third computer, the storage system is adapted to send the second frame including third information,
wherein third virtual LUN is 0, and the third information indicates that the third LU, related to the third virtual LUN, is installed in the storage system.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
10. A storage system, comprising:
a processor controlling to receive a first frame, which is used to inquire about the status of a logical unit (LU), and received from a port of one of a plurality of computers according to a fibre channel protocol, the first frame including a virtual logical unit number (LUN) for a LUN identifying the logical unit, and, in response to receiving the first frame, the processor controlling to send a second frame to the port of the one of the plurality of computers,
wherein the second frame includes a code of Qualifier, and
wherein the code of Qualifier differs based on whether or not the port of the one of the plurality of computers is permitted to access the LU related to the virtual LUN, and
wherein a first virtual LUN, for a first LUN identifying a first LU that is permitted to be accessed by a first port of one of the plurality of computers, is 0, and
wherein a second virtual LUN, for a second LUN that is different from the first LUN and identifies a second LU which is permitted to be accessed by a second port of one of the plurality of computers, is also 0.
View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 29)
20. A method of controlling a storage system, comprising:
a step for receiving a first frame, which is used to inquire about the status of a logical unit (LU), from a port of one of a plurality of computers according to a fibre channel protocol, the first frame including a logical unit number (LUN) corresponding to a logical unit identifier, the logical unit identifier identifying the LU in the storage system;
a step for sending a second frame to the port according to said fibre channel protocol in response to the first frame;
wherein a code of Qualifier included in the second frame differs based on whether or not the port of the one of the plurality of computers is permitted to access the LU related to the LUN, and
wherein a first LUN, corresponding to a first logical unit identifier identifying a first LU that is permitted to be accessed by a first port of one of the plurality of computers, is 0, and
wherein a second LUN, different from the first LUN and corresponding to a second logical unit identifier identifying a second LU that is permitted to be accessed by a second port of one of the plurality of computers, is also 0.
View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
30. A data object to be stored in a memory unit within a storage system, the data object comprising:
a code for receiving a first frame, which is used to inquire about the status of a logical unit (LU), from a port of one of a plurality of computers according to a fibre channel protocol, the first frame including a logical unit number (LUN), which corresponds to a logical unit identifier identifying the LU; and
a code for sending a second frame to the port according to said fibre channel protocol in response to the first frame;
wherein a Qualifier information in the second frame differs based on whether or not the port is permitted to access the logical unit related to the LUN, and
wherein a first LUN, corresponding to a first logical unit identifier identifying a first LU that is permitted to be accessed by a first port of one of the plurality of computers, is 0, and
wherein a second LUN, different from the first LUN and corresponding to a second logical unit identifier identifying a second LU that is permitted to be accessed by a second port of one of the plurality of computers, is also 0.
View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
Specification