Security method and system for storage subsystem

US 8,700,587 B2
Filed: 09/14/2009
Issued: 04/15/2014
Est. Priority Date: 01/14/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A storage system, comprising:

a memory storing WWN and S_ID conversion information, which includes a WWN and an S_ID, and a logical unit number (LUN) access management information which includes the WWN, a virtual LUN and a LUN;

a processor which, in response to receiving a first frame including a request, which is used to inquire about the status of a logical unit (LU), and being received from at least one computer of a plurality of computers according to a fibre channel protocol, is configured to;

obtain an S_ID from the first frame,search for a WWN by referring to the WWN and S_ID conversion information and using the S_ID, andsearch for a virtual LUN by referring to the LUN access management information and using the WWN,the processor being adapted to send a second frame to the at least one computer of the plurality of computers according to said fibre channel protocol in consideration of whether or not an entry of the virtual LUN is in the LUN access management information,wherein, if the first frame is received from a first computer and includes a first virtual LUN, which corresponds to a first LUN identifying a first LU which is accessible by the first computer, the storage system is adapted to send the second frame including first information, wherein the first virtual LUN is 0, and the first information indicates that the first LU, related to the first virtual LUN is installed in the storage system,wherein, if the first frame is received from a second computer of the plurality of computers, other than the first computer, and includes a second virtual LUN, which does not relate to any LU that is accessible by the second computer, the storage system is adapted to send the second frame including second information, the second information indicates that the second LU, related to the second virtual LUN, is not installed in the storage system,wherein, if the first frame is received from a third computer, other than the first and second computers, and includes a third virtual LUN, which corresponds to a third LUN, different from the first LUN, identifying a third LU which is accessible by the third computer, the storage system is adapted to send the second frame including third information, andwherein third virtual LUN is 0, and the third information indicates that the third LU, related to the third virtual LUN, is installed in the storage system.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to the present invention, techniques for performing security functions in computer storage subsystems in order to prevent illegal access by the host computers according to logical unit (LU) identity are provided. In representative embodiments management tables can be used to disclose the Logical Unit in the storage subsystem to the host computers in accordance with the users operational needs. In a specific embodiment, accessibility to a storage subsystem resource can be decided when an Inquiry Command is received, providing systems and apparatus wherein there is no further need to repeatedly determine accessibility for subsequent accesses to the Logical Unit. Many such embodiments can maintain relatively high performance, while providing robust security for each LU.

107 Citations

39 Claims

1. A storage system, comprising:
- a memory storing WWN and S_ID conversion information, which includes a WWN and an S_ID, and a logical unit number (LUN) access management information which includes the WWN, a virtual LUN and a LUN;
  
  a processor which, in response to receiving a first frame including a request, which is used to inquire about the status of a logical unit (LU), and being received from at least one computer of a plurality of computers according to a fibre channel protocol, is configured to;
  
  obtain an S_ID from the first frame,search for a WWN by referring to the WWN and S_ID conversion information and using the S_ID, andsearch for a virtual LUN by referring to the LUN access management information and using the WWN,the processor being adapted to send a second frame to the at least one computer of the plurality of computers according to said fibre channel protocol in consideration of whether or not an entry of the virtual LUN is in the LUN access management information,wherein, if the first frame is received from a first computer and includes a first virtual LUN, which corresponds to a first LUN identifying a first LU which is accessible by the first computer, the storage system is adapted to send the second frame including first information, wherein the first virtual LUN is 0, and the first information indicates that the first LU, related to the first virtual LUN is installed in the storage system,wherein, if the first frame is received from a second computer of the plurality of computers, other than the first computer, and includes a second virtual LUN, which does not relate to any LU that is accessible by the second computer, the storage system is adapted to send the second frame including second information, the second information indicates that the second LU, related to the second virtual LUN, is not installed in the storage system,wherein, if the first frame is received from a third computer, other than the first and second computers, and includes a third virtual LUN, which corresponds to a third LUN, different from the first LUN, identifying a third LU which is accessible by the third computer, the storage system is adapted to send the second frame including third information, andwherein third virtual LUN is 0, and the third information indicates that the third LU, related to the third virtual LUN, is installed in the storage system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A storage system according to claim 1, wherein,the first frame includes an S_ID of the first computer, the second computer or the third computer of the plurality of computers;
    - the second frame including first information is adapted to be sent based on data relating the first virtual LUN to a first S_ID of the first computer.
  - 3. A storage system according to claim 1,wherein the storage system is adapted to use the S_ID included in the first frame for obtaining the WWN, corresponding to the S_ID included in the first frame, and corresponding to the S_ID included in the first frame.
  - 4. A storage system according to claim 1, wherein:
    - the first information identifies that the first LU related to the first virtual LUN included in the first frame is accessible by an I/O command, andthe second information identifies that the first LU related to the first virtual LUN included in the first frame is not accessible by an I/O command.
  - 5. A storage system according to claim 1, wherein:
    - the storage system is adapted to continue to receive I/O requests to the first virtual LUN after sending the second frame.
  - 6. A storage system according to claim 1, wherein:
    - the storage system is adapted to continue to receive I/O requests to the first virtual LUN without checking the accessibility of the first LU after sending the second frame.
  - 7. A storage system according to claim 1, wherein:
    - the first frame includes a command that is supported in a SCSI command set.
  - 8. A storage system according to claim 1, wherein:
    - the first identifier addresses a port of the first computer.

9. A storage system, comprising:
- a memory storing WWN and S_ID conversion information, which includes a WWN and an S_ID, and a logical unit number (LUN) access management information which includes the WWN, a virtual LUN and a LUN; and
  
  a processor which, in response to receiving a first frame including a request, which is used to inquire about the status of a logical unit (LU), and being received from at least one computer of a plurality of computers according to a fibre channel protocol, is configured to;
  
  obtain an S_ID from the first frame,search for a WWN by referring to the WWN and S_ID conversion information and using the S_ID, andsearch for a virtual LUN by referring to the LUN access management information and using the WWN,the processor being adapted to send a second frame to the at least one computer of the plurality of computers according to said fibre channel protocol in consideration of whether or not an entry of the virtual LUN is in the LUN access management information,the processor controlling to;
  
  receive the first frame, which is used to inquire about the status of an (LU), and received from a port of one of a plurality of computers according to a fibre channel protocol, the first frame including a virtual LUN for a LUN identifying the logical unit, andin response to receiving the first frame, send the second frame including first information to the port of the one of the plurality of computers, wherein the first information indicate that the LU related to the LUN is installed in the storage system,wherein the second frame includes a code of Qualifier, and wherein the code of Qualifier differs based on whether or not the port of the one of the plurality of computers is permitted to access the LU related to the virtual LUN, andwherein a first virtual LUN, for a first LUN identifying a first LU that is permitted to be accessed by a first port of one of the plurality of computers, is 0, and wherein a second virtual LUN, for a second LUN that is different from the first LUN and identifies a second LU which is permitted to be accessed by a second port of one of the plurality of computers, is also 0.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 10. A storage system according to claim 9, further comprising:
    - the memory being adapted to store the first information, indicating whether or not the port of the one of the plurality of computers is permitted to access the LU related to the virtual LUN, before receiving the first frame.
  - 11. A storage system according to claim 9, wherein:
    - the processor controls to send, if the port of the one of the plurality of computers is permitted to access the LU related to the virtual LUN, the code of Qualifier identifying that the LU related to the virtual LUN is installed in the storage system, andthe processor controls to send, if the port of the one of the plurality of computers is not permitted to access the LU related to the virtual LUN, the code of Qualifier identifying that the LU related to the virtual LUN is not installed in the storage system.
  - 12. A storage system according to claim 11, wherein:
    - the first frame includes an S_ID of the port of the one of the plurality of computers.
  - 13. A storage system according to claim 12, wherein:
    - the processor controls to use the S_ID included in the first frame for obtaining the WWN corresponding to the S_ID included in the first frame; and
      
      the processor controls to use the obtained WWN and the virtual LUN included in the first frame for creating the code of Qualifier.
  - 14. A storage system according to claim 9, wherein:
    - the processor controls to send, if the port of the one of the plurality of computers is permitted to access the LU related to the virtual LUN, the code of Qualifier identifying that the virtual LUN included in the first frame is accessible by an I/O command.
  - 15. A storage system according to claim 14, wherein:
    - the processor controls to send, if the port of the one of the plurality of computers is not permitted to access the LU related to the virtual LUN, the code of Qualifier identifying that the virtual LUN included in the first frame is not accessible by an I/O command.
  - 16. A storage system according to claim 9, wherein:
    - the processor controls to continue to receive I/O requests to the virtual LUN after sending the second frame, if the code of Qualifier identifies that the virtual LUN included in the first frame is accessible by I/O requests.
  - 17. A storage system according to claim 9, wherein:
    - the processor controls to continue to receive I/O requests to the LUN without checking the accessibility of the LU related to the virtual LUN after sending the second frame, if the code of Qualifier identifies that the LU related to the virtual LUN is installed in the storage system.
  - 18. A storage system according to claim 9, wherein:
    - the first frame includes a command that is supported in a SCSI command set.
  - 19. A method of controlling a storage system according to claim 9, wherein:
    - the first frame includes a command that is supported in a SCSI command set.

20. A method of controlling a storage system having a memory storing WWN and S_ID conversion information, which includes a WWN and an S_ID, and a logical unit number (LUN) access management information which includes the WWN, a virtual LUN and a LUN and a processor which, in response to receiving a first frame including a request, which is used to inquire about the status of a logical unit (LU), and being received from at least one computer of a plurality of computers according to a fibre channel protocol, configured to:
- obtain an S_ID from the first frame,search for a WWN by referring to the WWN and S_ID conversion information and using the S_ID, andsearch for a virtual LUN by referring to the LUN access management information and using the WWN,the processor being adapted to send a second frame to the at least one computer of the plurality of computers according to said fibre channel protocol in consideration of whether or not an entry of the virtual LUN is in the LUN access management information,the method comprising;
  
  a step for receiving the first frame, which is used to inquire about the status of an LU, from a port of one of a plurality of computers according to a fibre channel protocol, the first frame including a LUN corresponding to a logical unit identifier, the logical unit identifier identifying the LU in the storage system; and
  
  a step for sending the second frame to the port according to said fibre channel protocol in response to the first frame;
  
  wherein a code of Qualifier included in the second frame differs based on whether or not the port of the one of the plurality of computers is permitted to access the LU related to the LUN, andwherein a first LUN, corresponding to a first logical unit identifier identifying a first LU that is permitted to be accessed by a first port of one of the plurality of computers, is 0, and wherein a second LUN, different from the first LUN and corresponding to a second logical unit identifier identifying a second LU that is permitted to be accessed by a second port of one of the plurality of computers, is also 0.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. A method of controlling a storage system according to claim 20, further comprising:
    - a step for storing a first information, indicating whether or not the port of the one of the plurality of computers is permitted to access the LU related the LUN, before receiving the first frame.
  - 22. A method of controlling a storage system according to claim 20, wherein:
    - if the port of the one of the plurality of computers is permitted to access the LU related to the LUN, the code of Qualifier identifies that the LU related to the LUN included in the first frame is installed in the storage system, andif the port of the one of the plurality of computers is not permitted to access the LU related to the LUN, the code of Qualifier identifies that the LU related to the LUN included in the first frame is not installed in the storage system.
  - 23. A method of controlling a storage system according to claim 22:
    - wherein the first frame includes an S_ID of the port of the one of the plurality of computers.
  - 24. A method of controlling a storage system according to claim 23, further comprising:
    - a step for using the S_ID included in the first frame,a step for obtaining the WWN corresponding to the S_ID included in the first frame; and
      
      a step for using the obtained WWN and the LUN included in the first frame for preparing the code of Qualifier.
  - 25. A method of controlling a storage system according to claim 20, wherein:
    - if the port of the one of the plurality of computers is permitted to access the LU related to the LUN, the code of Qualifier identifies that the LUN included in the first frame is accessible.
  - 26. A method of controlling a storage system according to claim 25, wherein:
    - if the port of the one of the plurality of computers is not permitted to access the LU related to the LUN, the code of the Qualifier identifies that the LUN included in the first frame is not accessible by an I/O command.
  - 27. A method of controlling a storage system according to claim 20, further comprising:
    - a step for continuing to receive I/O requests to the LUN after sending the second frame, if the code of the Qualifier identifies that the LUN included in the first frame is accessible by I/O requests.
  - 28. A method of controlling a storage system according to claim 20, further comprising:
    - a step for continuing to receive I/O requests to the LUN without checking the accessibility of the LU related to the LUN after sending the second frame, if the code of the Qualifier identifies that the LU related to the LUN is installed in the storage system.

29. A non-transitory computer readable storage medium in a storage system having a memory unit into which a data object is to be stored and a processing unit, the memory unit storing WWN and S_ID conversion information, which includes a WWN and an S_ID, and a logical unit number (LUN) access management information which includes the WWN, a virtual LUN and a LUN and the processing unit which, in response to receiving a first frame including a request, which is used to inquire about the status of a logical unit (LU), and being received from at least one computer of a plurality of computers according to a fibre channel protocol, is configured to:
- obtain an S_ID from the first frame,search for a WWN by referring to the WWN and S_ID conversion information and using the S_ID, andsearch for a virtual LUN by referring to the LUN access management information and using the WWN,the processor being adapted to send a second frame to the at least one computer of the plurality of computers according to said fibre channel protocol in consideration of whether or not an entry of the virtual LUN is in the LUN access management information,the non-transitory data computer readable storage medium comprising;
  
  a code for receiving the first frame, which is used to inquire about the status of an LU, from a port of one of a plurality of computers according to a fibre channel protocol, the first frame including an LUN, which corresponds to a logical unit identifier identifying the LU; and
  
  a code for sending the second frame including second information to the port according to said fibre channel protocol in response to the first frame;
  
  wherein a Qualifier information in the second frame differs based on whether or not the port is permitted to access the logical unit related to the LUN, andwherein a first LUN, corresponding to a first logical unit identifier identifying a first LU that is permitted to be accessed by a first port of one of the plurality of computers, is 0, and wherein a second LUN, different from the first LUN and corresponding to a second logical unit identifier identifying a second LU that is permitted to be accessed by a second port of one of the plurality of computers, is also 0.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 30. A non-transitory computer readable storage medium according to claim 29, further comprising:
    - a code for storing a first data linking an LUN, a logical unit identifier and a World Wide Name (WWN) of a port of one of the plurality of computers before receiving the first frame, the first data being used for preparing the second frame.
  - 31. A non-transitory computer readable storage medium according to claim 30:
    - wherein the first frame includes an S_ID of the port of one of the plurality of computers;
      
      the non-transitory data object further comprising;
      
      a code for storing a second data linking a first S_ID of the first port and the first WWN;
      
      a code for sending, if the first frame is received from the first port, the second frame including the first information based on the first data and the second data.
  - 32. A non-transitory computer readable storage medium according to claim 31, the non-transitory data object further comprising:
    - a code for searching the second data using the S_ID included in the first frame,a code for obtaining the WWN corresponding to the S_ID included in the first frame based on the second data; and
      
      a code for searching the first data using the obtained WWN and the first LUN included in the first frame.
  - 33. A non-transitory data computer readable storage medium according to claim 32, further comprising:
    - a code for making a judgment whether or not a LUN, corresponding to the obtained WWN and being in the first data, is the LUN included in the first frame in order to send the second frame.
  - 34. A non-transitory computer readable storage medium according to claim 29:
    - the non-transitory data object further comprising;
      
      a code for sending, if the first frame is received from the first port, the second frame including first information, the first information identifying that the first logical unit related to the first LUN included in the first frame is installed in the storage system,a code for sending, if the first frame is received from the second port, the second frame including a second information, the second information identifying that the second logical unit related to the second LUN included in the first frame is installed in the storage system, anda code for sending, if the first frame is received from a third port of one of the plurality of computers which is not permitted to access the first logical unit related to the first LUN, the second frame including a third information, the third information identifying that the first logical unit related to the first LUN included in the first frame is not installed in the storage system.
  - 35. A non-transitory computer readable storage medium according to claim 29:
    - the non-transitory data object further comprising;
      
      a code for sending, if the first frame is received from the first port, the second frame including a first information, the first information identifying that the first logical unit related to the first LUN included in the first frame is accessible, anda code for sending, if the first frame is received from the second port, the second frame including a second information, the second information identifying that the second logical unit related to the second LUN included in the first frame is accessible.
  - 36. A non-transitory data computer readable storage medium according to claim 35, further comprising:
    - a code for sending, if the first frame is received from a third port of one of the plurality of computers which is not permitted to access the first logical unit related to the first LUN, the second frame including a third information, the third information identifying that the first logical unit related to the first LUN included in the first frame is not accessible.
  - 37. A non-transitory computer readable storage medium according to claim 29, further comprising:
    - a code for continuing to receive I/O requests to the first LUN after sending the second frame including a first information, the first information identifying that the first logical unit related to the first LUN included in the first frame is accessible.
  - 38. A non-transitory computer readable storage medium according to claim 29, further comprising:
    - a code for continuing to receive I/O requests to the first LUN without checking the accessibility of the first logical unit after sending the second frame including a first information, the first information identifying that the first logical unit related to the first LUN included in the first frame is accessible.
  - 39. A non-transitory computer readable storage medium according to claim 29, wherein:
    - the first frame includes a command that is supported in a SCSI command set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Ito, Ryusuke, Okami, Yoshinori
Primary Examiner(s)
Btit, Jacob F
Assistant Examiner(s)
WILLIS, AMANDA LYNN

Application Number

US12/558,929
Publication Number

US 20100005101A1
Time in Patent Office

1,674 Days
Field of Search

707/706, 707/707, 707/705, 709/236, 726/3
US Class Current

707/705
CPC Class Codes

G06F 2003/0697   device management, e.g. han...

G06F 21/62   Protecting access to data v...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 3/0601   Interfaces specially adapte...

G06F 3/0622   in relation to access

G06F 3/0635   by changing the path, e.g. ...

G06F 3/0637   Permissions

G06F 3/0659   Command handling arrangemen...

G06F 3/067   Distributed or networked st...

H04L 61/103   across network layers, e.g....

H04L 67/1097   for distributed storage of ...

Y10S 707/954   Relational

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99939   Privileged access

Security method and system for storage subsystem

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

107 Citations

39 Claims

Specification

Use Cases

Quick Links

Others

Security method and system for storage subsystem

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

39 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others