VIRTUAL COMPUTER SYSTEM, ACCESS CONTROL METHOD AND COMMUNICATION DEVICE FOR THE SAME

US 20100313256A1
Filed: 06/04/2010
Published: 12/09/2010
Est. Priority Date: 06/05/2009
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

a plurality of physical computers;

at least one virtual computer operable to be executed on the physical computers; and

a determination unit operable to determine whether login to an external device from the virtual computer is acceptable or unacceptable,wherein the virtual computer is allocated an identifier for accessing the external device,wherein, upon receiving login inquiry to the external device from a certain virtual computer and referring to allocation information of the identifier allocated to the virtual computer, the determination unit compares the identifier allocated to the certain virtual computer with the identifier allocated to another virtual computer to be executed on a physical computer different from the physical computer on which the certain virtual computer is executed, andwherein the login is rejected when the identifier allocated to the certain virtual computer agrees with the identifier allocated to the another virtual computer, and the login is accepted when the identifier allocated to the certain virtual computer disagrees with the identifier allocated to the another virtual computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a plural computer system executing a virtual computer, an exterior storage volume may receive unjustly multiple access, and contents of the volume may be destroyed. Provided are: a switch coupling a virtual computer and I/O, a virtual computer managing unit coupled to a computer and the switch, and a determination unit determining a login acceptance/rejection of a virtual computer and I/O. The virtual computer possesses a virtual HBA, and upon receiving a login inquiry to the I/O from a certain virtual computer, a determination unit compares an identifier allocated to the certain virtual computer with an identifier allocated to another virtual computer to be executed on a physical computer different from the physical computer on which the certain virtual computer is executed, and determines login acceptance/rejection. Accordingly, an access control to the I/O is performed.

Citations

20 Claims

1. A computer system comprising:
- a plurality of physical computers;
  
  at least one virtual computer operable to be executed on the physical computers; and
  
  a determination unit operable to determine whether login to an external device from the virtual computer is acceptable or unacceptable,wherein the virtual computer is allocated an identifier for accessing the external device,wherein, upon receiving login inquiry to the external device from a certain virtual computer and referring to allocation information of the identifier allocated to the virtual computer, the determination unit compares the identifier allocated to the certain virtual computer with the identifier allocated to another virtual computer to be executed on a physical computer different from the physical computer on which the certain virtual computer is executed, andwherein the login is rejected when the identifier allocated to the certain virtual computer agrees with the identifier allocated to the another virtual computer, and the login is accepted when the identifier allocated to the certain virtual computer disagrees with the identifier allocated to the another virtual computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer system according to claim 1,wherein the physical computer and the external device are coupled with each other via a communication device.
  - 3. The computer system according to claim 2,wherein the external device is an I/O device and the identifier is a World Wide Name (WWN).
  - 4. The computer system according to claim 3,wherein the communication device is a Fibre Channel switch,wherein the physical computer includes a physical Host Bus Adapter (HBA) coupled to the Fibre Channel switch,wherein the virtual computer includes a virtual HBA to be executed under the control of a virtual machine monitor on the physical computer and utilizing the allocated identifier,wherein the virtual machine monitor instructs I/O operation to the physical HBA by emulating I/O operation to the virtual HBA for the virtual computer to access the I/O device, andwherein the determination unit possesses a function to answer refusal of connection to the physical HBA, when the determination unit refuses the login.
  - 5. The computer system according to claim 3, further comprising:
    - a managing unit coupled to the physical computer and the communication device and operable to manage control of the virtual computer,wherein the managing unit possesses allocation information of the identifier.
  - 6. The computer system according to claim 5,wherein the managing unit includes the determination unit, andwherein the login inquiry is transmitted from the communication device.
  - 7. The computer system according to claim 3,wherein the communication device includes a cache holding allocation information of the identifier.
  - 8. The computer system according to claim 7,wherein the physical HBA is coupled to the communication device via a port,wherein the port possesses a port ID allocated by a port-ID allocation unit included in the communication device, andwherein the determination unit is the port-ID allocation unit.
  - 9. The computer system according to claim 3,wherein the physical HBA is coupled to the communication device via a port,wherein the port possesses a port ID allocated by a port-ID allocation unit included in the communication device,wherein the port ID is held in connection information of the physical computer and the communication device, andwherein the managing unit possesses the connection information.
  - 10. The computer system according to claim 3,wherein the determination is performed after one of updating allocation information of the identifier when the virtual computer is activated after the virtual computer is moved onto another physical computer and updating the allocation information when the virtual computer is suspended to move onto a different physical computer.

11. An access control method in a virtual computer system including a plurality of physical computers, at least one virtual computer to be executed on the physical computers, and a determination unit for determining whether login to an external device by the virtual computer is acceptable or unacceptable, the access control method comprising the steps of:
- allocating to the virtual computer an identifier to access the external device;
  
  referring by the determination unit to allocation information of the identifier allocated to the virtual computer upon receiving login inquiry to the external device from a certain virtual computer;
  
  comparing by the determination unit the identifier allocated to the certain virtual computer with the identifier allocated to another virtual computer to be executed on a physical computer different from the physical computer on which the certain virtual computer is executed;
  
  rejecting the login when the identifier allocated to the certain virtual computer agrees with the identifier allocated to the another virtual computer; and
  
  accepting the login when the identifier allocated to the certain virtual computer disagrees with the identifier allocated to the another virtual computer.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The access control method according to claim 11,wherein the physical computer and the external device are coupled with each other via a communication device.
  - 13. The access control method according to claim 12,wherein the external device is an I/O device and the identifier is a World Wide Name (WWN).
  - 14. The access control method according to claim 13,wherein the communication device is a Fibre Channel switch,wherein the physical computer includes a physical Host Bus Adapter (HBA) coupled to the Fibre Channel switch,wherein the virtual computer includes a virtual HBA utilizing the allocated identifier,wherein a virtual machine monitor on the physical computer controls the virtual computer, and emulates, as I/O operation to the physical HBA, I/O operation to the virtual HBA for the virtual computer to access the I/O device, andwherein the determination unit answers refusal of connection to the physical HBA, when the determination unit refuses the login.
  - 15. The access control method according to claim 13, further comprising the step of:
    - managing control of the virtual computer by a managing unit coupled to the physical computer and the communication device,wherein the managing unit possesses allocation information of the identifier.
  - 16. The access control method according to claim 15,wherein the managing unit includes the determination unit, andwherein the communication device transmits the login inquiry.
  - 17. The access control method according to claim 13,wherein a cache included in the communication device and holding allocation information of the identifier is utilized.
  - 18. The access control method according to claim 17,wherein the physical HBA is coupled to the communication device via a port,wherein the communication device includes a port-ID allocation unit,wherein the port-ID allocation unit allocates a port ID to the port, andwherein the port-ID allocation unit performs the determination.

19. A communication device comprising:
- a port possessing a port number;
  
  a port-ID allocation unit, anda cache operable to acquire periodically summary information summarizing allocation information of an identifier allocated to a virtual computer on a physical computer, for use in accessing an external device, the cache being operable to hold the summary information,wherein the summary information possesses the port number and an accepted identifier which is an identifier allocated to a virtual computer accepted to login to the port,wherein, upon receiving login inquiry to the external device from a certain virtual computer, the port-ID allocation unit determines whether the combination of a port number included in the received login inquiry and an identifier to use the port and the combination of a port number possessed by the summary information and the accepted identifier are in agreement, andwherein, when the port-ID allocation unit determines that the combinations are in agreement, the login is accepted, and when the port-ID allocation unit determines that the combinations are in disagreement, the login is rejected.
- View Dependent Claims (20)
- - 20. The communication device according to claim 19,wherein the communication device is a Fibre Channel switch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
SEKIGUCHI, Tomoki, Inomata, Hirofumi

Granted Patent

US 8,510,815 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

H04L 63/102 Entity profiles

VIRTUAL COMPUTER SYSTEM, ACCESS CONTROL METHOD AND COMMUNICATION DEVICE FOR THE SAME

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

VIRTUAL COMPUTER SYSTEM, ACCESS CONTROL METHOD AND COMMUNICATION DEVICE FOR THE SAME

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links