Computer system controlling accesses to storage apparatus
Abstract
Because a computer's accesses to a storage apparatus are not controlled, the computer can be used illegally to steal or improperly change data stored in the storage apparatus. To solve this problem, an access-control mechanism external to the computer is constructed: access control is executed in the storage apparatus and a network apparatus for each program executed by the computer. To make this control easier to implement, it is executed without extending the communication protocols used among the computer, the network apparatus and the storage apparatus. With access control implemented in this way, a program other than the programs specified in advance cannot access data stored in the storage apparatus. Thus, even if the computer is used illegally, data stored in the storage apparatus can be prevented from being stolen or improperly changed.
4 Claims
1. A computer coupled to a storage apparatus via a network, comprising:
- an I/O processing unit which issues an I/O request to the storage apparatus;
- an I/O command issuing unit which is coupled to the network and which receives said I/O request from the I/O processing unit and transmits said I/O request to the storage apparatus via the network;

wherein;
- the I/O processing unit inputs a predetermined program identifier and a request address, generates, with a first function, one value to be used as a new address including said program identifier, and issues said I/O request using the new address,
- the I/O command issuing unit manages a table associating at least one said program identifier, at least one logical volume existing in said storage apparatus and at least one network address with each other,
- if said I/O request is an I/O request issued to one said logical volume existing in said storage apparatus that is prescribed to be a protected logical volume, a second function which receives as one input value said new request address and generates, in an operation inverse to that of said first function, said original request address and said program identifier as two output values,
- said table is searched for said at least one network address associated with said generated program identifier and said at least one logical volume indicated by said generated original request address, and
- a communication with said storage apparatus is carried out by using said at least one network address as an address of a transmission originator in order to issue an I/O command using said original request address.
2. In a computer system including a computer and a storage apparatus coupled to the computer, a method of issuing an I/O request to the storage apparatus via a network, comprising the steps of:
- setting, by the computer, a program identifier in advance in a first program executed on said computer;
- applying, by the computer, a first function to the program identifier as a first input value and a separate original request address obtained by said first program as a second input value to generate a new request address as an output value of the first function, wherein said new request address is different from said original request address, but of the same overall size;
- issuing, by the computer, said I/O request by said first program using said new request address in said I/O request;
- receiving, by the computer, said I/O request by a second program running on said computer;
- applying, by the computer, by said second program a second function to the new request address to derive said program identifier and said original request address; and
- forwarding, by the computer, the I/O request by said second program to said storage apparatus using said original request address for the I/O request, and using a network address associated with said program identifier as an originating address of said I/O request, when said program identifier indicates that said first program is authorized to access a target of said I/O request.
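A minimal sketch of the first function, its inverse, and the table lookup recited in claims 1 and 2, added here as an illustration and not taken from the patent. The 64-bit address layout, the table contents, all function and field names, and the choice to treat every volume as protected are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Assumed layout (not from the patent): one 64-bit address with
   bits 63..48 program identifier, 47..40 logical volume, 39..0 block. */
#define ID_SHIFT  48
#define VOL_SHIFT 40
#define ADDR_MASK ((UINT64_C(1) << ID_SHIFT) - 1)

struct route { uint16_t prog_id; uint8_t volume; const char *src_addr; };

/* Constructed table: program identifier + volume -> originator address. */
static const struct route table[] = {
    { 0x0A01, 3, "192.0.2.10" },
    { 0x0A02, 4, "192.0.2.11" },
};

/* First function: fold the identifier into an address of the same size. */
bool first_function(uint16_t prog_id, uint64_t orig, uint64_t *new_addr) {
    if (orig & ~ADDR_MASK) return false;   /* would overwrite the id field */
    *new_addr = ((uint64_t)prog_id << ID_SHIFT) | orig;
    return true;
}

/* Second function: inverse of the first, producing two output values. */
void second_function(uint64_t new_addr, uint16_t *prog_id, uint64_t *orig) {
    *prog_id = (uint16_t)(new_addr >> ID_SHIFT);
    *orig    = new_addr & ADDR_MASK;
}

/* I/O command issuing side: returns the originator address to send from,
   or NULL when no entry authorizes this program for the target volume. */
const char *select_originator(uint64_t new_addr, uint64_t *orig_out) {
    uint16_t id;
    uint64_t orig;
    second_function(new_addr, &id, &orig);
    uint8_t vol = (uint8_t)(orig >> VOL_SHIFT);
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (table[i].prog_id == id && table[i].volume == vol) {
            *orig_out = orig;              /* command uses the original address */
            return table[i].src_addr;
        }
    }
    return NULL;                           /* request is not forwarded */
}
```

A request whose address carries no identifier decodes to identifier 0, which has no table entry, so it is refused in the same way as a known program targeting a volume it is not associated with.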
Specification