Computer system controlling accesses to storage apparatus

US 7,464,188 B2
Filed: 01/20/2004
Issued: 12/09/2008
Est. Priority Date: 03/31/2003
Status: Active Grant

First Claim

Patent Images

1. A computer coupled to a storage apparatus via a network, comprising:

an I/O processing unit which issues an I/O request to the storage apparatus;

an I/O command issuing unit which is coupled to the network and which receives said I/O request from the I/O processing unit and transmits said I/O request to the storage apparatus via the network;

wherein;

the I/O processing unit inputs a predetermined program identifier and a request address, generates, with a first function, one value to be used as a new address including said program identifier, and issues said I/O request using the new address,the I/O command issuing unit manages a table associating at least one said program identifier, at least one logical volume existing in said storage apparatus and at least one network address with each other, if said I/O request is an I/O request issued to one said logical volume existing in said storage apparatus that is prescribed to be a protected logical volume, a second function which receives as one input value said new request address and generates, in an operation inverse to that of said first function, said original request address and said program identifier as two output values, said table is searched for said at least one network address associated with said generated program identifier and said at least one logical volume indicated by said generated original request address, and a communication with said storage apparatus is carried out by using said at least one network address as an address of a transmission originator in order to issue an I/O command using said original request address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Since no control of accesses made by a computer as accesses to a storage apparatus is executed, the computer can be used illegally to steal and improperly change data stored in the storage apparatus. Thus, an access-control mechanism external to the computer is constructed to solve this problem. That is to say, the control of accesses is executed in the storage apparatus and a network apparatus for each program executed by the computer. In order to enhance the implementability of such control of accesses, the control is executed without extending a variety of protocols of communications among the computer, the network apparatus and the storage apparatus. By implementing the control of accesses in this way, a program other than programs specified in advance is not capable of making an access to data stored in the storage apparatus. Thus, even if the computer is used illegally, data stored in the storage apparatus can be prevented from being stolen and changed improperly.

18 Citations

4 Claims

1. A computer coupled to a storage apparatus via a network, comprising:
- an I/O processing unit which issues an I/O request to the storage apparatus;
  
  an I/O command issuing unit which is coupled to the network and which receives said I/O request from the I/O processing unit and transmits said I/O request to the storage apparatus via the network;
  
  wherein;
  
  the I/O processing unit inputs a predetermined program identifier and a request address, generates, with a first function, one value to be used as a new address including said program identifier, and issues said I/O request using the new address,the I/O command issuing unit manages a table associating at least one said program identifier, at least one logical volume existing in said storage apparatus and at least one network address with each other, if said I/O request is an I/O request issued to one said logical volume existing in said storage apparatus that is prescribed to be a protected logical volume, a second function which receives as one input value said new request address and generates, in an operation inverse to that of said first function, said original request address and said program identifier as two output values, said table is searched for said at least one network address associated with said generated program identifier and said at least one logical volume indicated by said generated original request address, and a communication with said storage apparatus is carried out by using said at least one network address as an address of a transmission originator in order to issue an I/O command using said original request address.

2. In a computer system including a computer and a storage apparatus coupled to the computer, a method of issuing an I/O request to the storage apparatus via a network, comprising the steps of:
- setting, by the computer, a program identifier in advance in a first program executed on said computer;
  
  applying, by the computer, a first function to the program identifier as a first input value and a separate original request address obtained by said first program as a second input value to generate a new request address as an output value of the first function, wherein said new request address is different from said original request address, but of the same overall size;
  
  issuing, by the computer, said I/O request by said first program using said new request address in said I/O request;
  
  receiving, by the computer, said I/O request by a second program running on said computer;
  
  applying, by the computer, by said second program a second function to the new request address to derive said program identifier and said original request address; and
  
  forwarding, by the computer, the I/O request by said second program to said storage apparatus using said original request address for the I/O request, and using a network address associated with said program identifier as an originating address of said I/O request, when said program identifier indicates that said first program is authorized to access a target of said I/O request.
- View Dependent Claims (3, 4)
- - 3. A method according to claim 2, further including steps ofreceiving said I/O request by a network apparatus in said network, and determining by said network apparatus, on the basis of said network address associated with said program identifier used as the originating address of the I/O request, whether or not communication with the target of said I/O request in said storage apparatus is permitted.
  - 4. A method according to claim 2, further including steps ofreceiving said I/O request by said storage apparatus, anddetermining by said storage apparatus, on the basis of said network address associated with said program identifier used as the originating address of the I/O request, whether or not communication with the target of said I/O request in said storage apparatus is permitted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Shimizu, Akira, Fujiwara, Shinji
Primary Examiner(s)
Kindred; Alford W
Assistant Examiner(s)
FRANKLIN, RICHARD B

Application Number

US10/759,204
Publication Number

US 20040193739A1
Time in Patent Office

1,785 Days
Field of Search

710/3, 710/4, 710/36, 710/39, 711/163, 711/1, 711/6, 711/200, 711/202, 711/214, 711/220, 711/203, 726 11- 14, 726/17
US Class Current

710/3
CPC Class Codes

G06F 21/6245 Protecting personal data, e...

G06F 21/78 to assure secure storage of...

Computer system controlling accesses to storage apparatus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

4 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system controlling accesses to storage apparatus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

4 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links