1. Field of the Invention
This invention relates to a storage subsystem to be accessed from a computer. More particularly, this invention relates to an access to a logical unit inside a storage subsystem.
2. Description of the Related Art
Fiber Channel protocol has been standardized in recent years, and the SAN (Storage Area Network) environment using this protocol as its infrastructure has become complicated and diversified. As a result, the number of computers connected to the storage subsystem and their kinds, or the kinds of OS (Operating System), and the number of logical units required for the storage subsystem have drastically increased. Further, an environment in which various protocols other than the Fiber Channel, such as SCSI, ESCON, TCP/IP, iSCSI, etc., can be simultaneously used has been set up. Here, the term "computer" represents those electronic appliances having electronic circuits that can be connected to a network.
Such an environment means that various kinds of computers gain access to one storage subsystem. The term "computer" includes so-called large-scale host computers and compact personal computers. When these various computers gain access to the storage subsystem, the expression such as "host gains access" and "host gains access" is used herein appropriately.
Under such circumstances, the security function for the storage subsystem resources that relies on OS, middleware and application software on the host side according to the prior art technology is not sufficient in some cases, and the necessity for a higher LUN security function for preventing an illegal access to logical units (hereinafter abbreviated as "LU" from time to time) has increased rapidly. Incidentally, the term "LUN" represents the logical unit number inside the storage subsystem.
JP2000276406 is one of the references that describe means for accomplishing the security function to the storage subsystem resources (logical units). The method of this reference accomplishes the security function as to access approval/rejection to LUN inside the storage subsystem but cannot cope with diversified computers that gain access to a single port. In the practical operation, therefore, the method limits the kind of host computers that can be managed under the single port to only one kind. This limitation in the practical operation cannot follow drastic expansion of the SAN environment described above.
To provide the logical units inside the storage subsystem to computers with the LUN security function, it is necessary to define a greater number of logical units than before under the single port of the storage subsystem and to give the logical units to host computers having a plurality of OS, a plurality of computers having mutually different kinds of OS, and other computers.
Nonetheless, the LUN security function in the existing storage subsystems is not free from the limitation that the kind of OS must be the same even when a large number of computers that can be managed under the single port exist. Furthermore, such a function generally has another limitation that setting of connection interface for the host computers that can be set to the single port must be one. A method for solving these problems would be the one that simply defines a large number of logical units under the single port of the storage subsystem, and divides and gives the logical units as such to a plurality of kinds of OS that gain access to this port.
However, various OS of existing computers have a specification such that when access cannot be made to logical unit zero (LU0) of a storage subsystem, no inquiry is made thereafter for the subsequent LU of the same system, from LU1 next to LU0 onward. Incidentally, according to the SCSI-2 standard, one system includes 8 LU, and LU0 to LU7 belong to the same system.
Therefore, when the logical unit number (LUN) inside the storage subsystem is given as it is to the host computer, the computer cannot correctly recognize the logical unit as expected on the setting side of the logical units.
Various OS of existing computers mostly set the upper limit of logical unit numbers recognizable under the single port to 256. In other words, even when 257 or more logical unit numbers are provided, the computers cannot recognize the logical units, and this also poses a problem when the logical units inside the storage subsystem are given to the computer under the single port.
On the other hand, when a strong LUN security function is provided in storage subsystems, the most reliable method would be the one that serially checks access approval/rejection of the object LU whenever computers transmit commands. However, this creates the problem of performance because the processing time in the storage subsystem (overhead for security check) becomes greater.
It is therefore a first object of the invention to provide a storage subsystem that groups computers in accordance with OS or into an arbitrary kind without changing existing processing, limitation and other functions of the computers, limits logical units to which the computers so grouped can gain access, and makes it possible to set them on interface in the group unit and to provide a LUN security function under a single port of the storage subsystem.
It is a second object of the invention to provide the security function described above with high-speed access judgment logic of the storage subsystem.
A storage subsystem according to the invention includes a management table describing correspondence of information (WWN: WorldWide Name) for primarily identifying each computer (inclusive of host computers), information (GID: Group ID) for identifying a group to which the computer belongs and a logical unit number (LUN) inside the storage subsystem for which access from the computer is permitted; a nonvolatile memory for storing the management table; a management table describing correspondence of a management number (S_ID) dynamically allocated when the computer executes login to the storage subsystem and remaining effective until logout, information (WWN) for primarily identifying the computer and information (GID) for identifying the group to which this host computer belongs; a nonvolatile memory for storing the management table; at least one input terminal for setting these management tables; at least one storage device; a storage control unit for controlling write/read of data to and from the storage device; and logical units (LUN) corresponding to storage areas of the storage device.
In this storage subsystem, a user can make setting of accessible LUN and setting on a connection interface in an arbitrary group unit of computers under a single port without changing existing processing, limitation and other functions of the computers. Therefore, this storage subsystem can accomplish an access control function, that is, a LUN security function, for computer groups having a plurality of kinds of OS under a single port.
Since this storage subsystem uses GID as identification information on the basis of S_ID allocated at the time of login in place of host identification information WWN, the time required for judging accessible LUN is shorter than when WWN is used, and a high-speed judgment can be made.
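The following Python model of the two management tables is an added illustration, not code from the patent: the WWN is resolved to a GID once at login and bound to the S_ID, and each later command is judged by an S_ID lookup alone. The class and method names, the split of the first table into WWN-to-GID and GID-to-LUN maps, the default-deny behaviour for unregistered hosts, and all WWN, S_ID, GID and LUN values are assumptions constructed for the example.

```python
# Added model of the two management tables; every value below is constructed.
class LunSecurity:
    def __init__(self, wwn_to_gid, gid_to_luns):
        # Persistent table: WWN -> GID and GID -> permitted LUNs (set by the admin).
        self.wwn_to_gid = dict(wwn_to_gid)
        self.gid_to_luns = {g: frozenset(luns) for g, luns in gid_to_luns.items()}
        # Login-time table: S_ID -> (WWN, GID), valid only until logout.
        self.sessions = {}

    def login(self, s_id, wwn):
        """Resolve WWN to GID once and bind the result to the S_ID."""
        self.sessions.pop(s_id, None)        # never inherit a stale binding
        gid = self.wwn_to_gid.get(wwn)
        if gid is None:
            return False                     # unregistered host: no entry
        self.sessions[s_id] = (wwn, gid)
        return True

    def logout(self, s_id):
        self.sessions.pop(s_id, None)

    def permitted(self, s_id, lun):
        """Per-command check: S_ID -> GID -> LUN set, no WWN comparison."""
        entry = self.sessions.get(s_id)
        if entry is None:
            return False                     # default deny
        return lun in self.gid_to_luns.get(entry[1], frozenset())


def demo():
    unix_wwn, win_wwn = "10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:bb:00:02"
    sec = LunSecurity({unix_wwn: "GID_UNIX", win_wwn: "GID_WIN"},
                      {"GID_UNIX": {0, 1, 2}, "GID_WIN": {3, 4}})
    out = {}
    out["unix_login"] = sec.login(0x010100, unix_wwn)
    out["win_login"] = sec.login(0x010200, win_wwn)
    out["rogue_login"] = sec.login(0x010300, "10:00:00:00:c9:cc:00:03")
    out["unix_lun1"] = sec.permitted(0x010100, 1)     # same port, own group
    out["unix_lun3"] = sec.permitted(0x010100, 3)     # other group's LU
    out["rogue_lun0"] = sec.permitted(0x010300, 0)    # never logged in
    sec.logout(0x010100)
    out["after_logout"] = sec.permitted(0x010100, 1)
    sec.login(0x010100, win_wwn)                      # S_ID reused by another host
    out["reused_lun1"] = sec.permitted(0x010100, 1)
    out["reused_lun3"] = sec.permitted(0x010100, 3)
    return out


if __name__ == "__main__":
    print(demo())
```

The last three results show why the S_ID binding must end at logout: a reused S_ID takes the group of the host that logged in with it, not the group of its previous holder.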
Other objects, features and advantages of the invention will become apparent from the following description of the embodiments of the invention taken in conjunction with the accompanying drawings.