1. Filed of the Invention
This invention relates to a storage subsystem to be accessed from a computer. More particularly, this invention relates to an access to a logical unit inside a storage subsystem.
2. Description of the Related Art
Fiber Channel protocol has been standardized in recent years and SAN (Storage Area Network) environment using this protocol as the infrastructure has become complicated and diversified. As a result, the number of computers connected to the storage subsystem and their kinds, or a kind of OS (Operation System), and the number of logical units required for the storage subsystem have drastically increased. Further, an environment in which various protocols other than the Fiber Channel such as SCCI, ESCON, TCP/IP, iSCSI, etc, can be simultaneously used has been set up. Here, the term “computer” represents those electronic appliances having electronic circuits that can be connected to a network.
Such an environment means that various kinds of computers gain access to one storage subsystem. The term “computer” includes so-called large-scale host computers and compact personal computers. When these various computers gain access to the storage subsystem, the expression such as “host gains access” and “host gains access” is used herein appropriately.
Under such circumstances, the security function to the storage subsystem resources that relies on OS, middleware and application software on the host side according to the prior art technology is not sufficient in some cases, and the necessity for a higher LUN security function for preventing an illegal access to logical units (hereinafter abbreviated as “LU” from time to time) has increased rapidly. Incidentally, the term “LUN” represents the logical unit number inside the storage subsystem.
JP2000276406 is one of the references that describe means for accomplishing the security function to the storage subsystem resources (logical units). The method of this reference accomplishes the security function as to access approval/rejection to LUN inside the storage subsystem but cannot cope with diversified computers that gain access to a single port. In the practical operation, therefore, the method limits the kind of host computers that can be managed under the single port to only one kind. This limitation in the practical operation cannot follow drastic expansion of the SAN environment described above.
To provide the logical units inside the storage subsystem to computers with the LUN security function, it is necessary to define a greater number of logical units than before under the single port of the storage subsystem and to give the logical units to host computers having a plurality of OS, a plurality of computers having mutually different kinds of OS, and other computers.
Nonetheless, the LUN security function in the existing storage subsystems is not free from the limitation that the kind of OS must be the same even when a large number of computers that can be managed under the single port exist. Furthermore, such a function generally has another limitation that setting of connection interface for the host computers that can be set to the single port must be one. A method for solving these problems would be the one that simply defines a large number of logical units under the single port of the storage subsystem, and divides and gives the logical units as such to a plurality of kinds of OS that gain access to this port.
However, various OS of existing computers have a specification such that when access cannot be made to a logical unit zero (LU0) of a storage subsystem, inquiry is not at all made thereafter for subsequent LU of the same system after LU1 next to LU0. Incidentally, according to the SCSI-2 standard, one system includes 8 LU, and LU0 to LU7 belong to the same system.
Therefore, when the logical unit number (LUN) inside the storage subsystem is as such given to the host computer, the computer cannot correctly recognize the logical unit as expected on the setting side of the logical units.
Various OS of existing computers mostly set the upper limit of logical unit numbers recognizable under the single port to 256. In other words, even when 257 or more of logical unit number are disposed, the computers cannot recognize the logical units, and this also renders the problem when the logical units inside the storage subsystem are given to the computer under the single port.
On the other hand, when a strong LUN security function is provided in storage subsystems, the most reliable method would be the one that serially checks access approval/rejection of the object LU whenever computers transmit commands. However, this creates the problem of performance because the processing time in the storage subsystem (overhead for security check) becomes greater.
It is therefore a first object of the invention to provide a storage subsystem that groups computers in accordance with OS or into an arbitrary kind without changing existing processing, limitation and other functions of the computers, limits logical units to which the computers so grouped can gain access, and makes it possible to set them on interface in the group unit and to provide a LUN security function under a single port of the storage subsystem.
It is a second object of the invention to provide the security function described above with high-speed access judgment logic of the storage subsystem.