This invention relates generally to the field of information storage devices and more particularly to a method and apparatus for managing access to data stored in a backup storage device.
Computer systems generally include one or more host processors and a storage system for storing data accessed by the host processor. The storage system may include one or more storage devices (e.g., disk drives, tape drives) to service the storage needs of the host processor. The disk drives and tape drives include a recording media, such as a magnetic recording medium or an optical recording medium.
A computer system may also include a backup storage, separate from data storage, for storing backup copies of data that may be needed to restore lost or damaged programs and files. Because backup storage is used far less than the regular data storage, slower, but large (e.g.,  greater than 1 terabit), tape libraries are generally used, for example, as an archival storage.
Using a network (e.g., a Fibre channel network), multiple hosts are able to share access to a single storage system. One problem with coupling multiple hosts to a shared storage system is the management of data access at the storage system. Because multiple hosts have access to the common storage system, each host may physically be able to access information that may be proprietary to the other host processors. Various techniques have been implemented to manage access to data at the storage system. For example, certain portions or zones of memory at the storage system may be dedicated to one or more of the hosts. Each host is xe2x80x9ctrustedxe2x80x9d to access only those portions of memory for which it has privileges. However, such an approach is vulnerable to the individual actions of each of the hosts. As a result, such a data management method may not be sufficient to protect data from unprivileged accesses. The problem of data management extends as well to the backup storage. In particular, it may be desirable to limit access to certain portions of the backup storage to particular ones of the multiple hosts connected to the network.
The invention features a data storage configured to manage access between a backup storage system coupled to a network and hosts connected to the network.
In one aspect of the invention, the data storage includes a storage device partitioned into a number of volumes for storing data; a first database including first configuration data for identifying which of a number of hosts coupled to the data storage have authorized access to the volumes of the storage device; a backup system having a backup storage device for storing at least a portion of data stored on the storage device; and a second database including second configuration data for identifying which of the hosts have access to the backup storage device.
Among other advantages, the second database serves as a separate and independent database for identifying to the backup system those hosts that it is able to communicate with. Thus, access to the backup storage can be managed to prevent access by unauthorized host computers. In this way, security is increased and the risk of overwriting of the backup storage is virtually eliminated. Moreover, the primary data storage (i.e., non-backup storage) is managed separately using the first database without fear of corruption from the external backup storage. This feature is particularly advantageous in applications where the data storage is fully partitioned for use with the hosts and does not require modification to accommodate use with the external backup storage.
Embodiments of this aspect of the invention may include one or more of the following features.
The storage device, the first database, and the second database are part of an enterprise data storage system. Although the external backup storage is configured such that it plays no role in managing the primary data storage, the opposite is not true. By including the second database with the first database and its associated storage device, the data storage and backup storage are both centrally managed. Thus, a particular host computer (e.g., acting as a management console) has access to both the first and second databases. In this way, the particular host can be used to remotely establish the accessibility of the other hosts to both the data storage and backup storage.
In a particular embodiment, the data storage includes a first adapter, responsive to the first configuration data, which selectively forwards to the storage device, requests from the hosts, for access to the volumes. The data storage also includes a second adapter, responsive to the second configuration data, which similarly and selectively forwards to the backup system, requests from the hosts, for access to the backup storage device. The first and second adapters serve as bridges or directors for the various volumes (e.g., disk drives) in the storage device and the various backup storage devices (e.g., tape libraries) of the backup storage, respectively.
The first configuration data is stored in a configuration table including records, each of the records having an identifier and information indicating which of the volumes are available to a host associated with the corresponding identifier. The request includes a source identifier identifying the host that initiated the request and an address to one of the plurality of volumes in the storage system.
In one application, the hosts are coupled to the data storage by a Fibre Channel network with a request for access by one of the hosts being in a Fibre Channel protocol. On the other hand, the backup storage operates under a SCSI protocol. For example, the backup storage is a legacy device, such as a tape storage drive having a number of tape libraries. In this case, the second adapter serves as a translator to convert data passing between the backup tape storage (under SCSI protocol) and the data storage (under Fibre Channel protocol).
With this arrangement, tape storage units and other legacy devices of the type whose resources are fixed and cannot be dynamically configured can be coupled to a network supported by a different protocol, such as Fibre Channel. For example, in one network architecture, an enterprise data storage system includes a number of shared storage devices (e.g., disk drives) accessible by a number of different host computers through a Fibre Channel network. The second adapter allows the tape storage, as well as other legacy operating using a different older protocol (e.g., SCSI) to be connected to the Fibre Channel network.
Another aspect of the invention is directed to a method for managing access hosts and a backup system, which is part of a data storage including a data storage device partitioned into volumes and a first database. The first database is used by the hosts to determine which hosts have authorized access to the volumes. The method includes the following steps. A request from one of the hosts for accessing data stored on the backup system is received by the data storage. In response to configuration data, the host requesting access is authorized to access the portion of data stored on the backup system. Determining whether to service the request is performed in response to a portion of the configuration data associated with the source identifier and the address of the one of the backup storage devices.
In applications where the hosts, data storage, and backup system are coupled by a Fibre Channel network, the method further includes forwarding the request using a Fibre Channel protocol for access to a portion of data stored on the backup system over the Fibre Channel network.
Other advantages and features will become apparent from the following description and from the claims.