The present invention relates to a technique for guarding volumes in an information processing system in which plural storage systems are connected by a network.
In an information processing system including a host computer (hereinafter called a business host) and a storage system, it is important to realize the following two functions in order to guard data written into the storage system.
(1) Access from any host other than a permitted business host is denied.
(2) Erroneous operations by an administrator of the storage system are prevented, and an administrator of the storage system who has malicious intent is prohibited from rewriting data.
The above functions are collectively called a volume guard function.
One technique for realizing function (1) is the access guard technique. The access guard technique determines in advance the business host that may access each logical device (hereinafter called a logical volume) constructed from a physical disk arranged in the storage system, and denies access to that area from any host other than the determined business host.
The storage system holds, as information for managing each logical volume, the port ID of the business host that is given access permission to that logical volume. When the storage system receives an access request for a logical volume, it checks whether the port ID of the requesting business host matches the port ID of the business host given access permission. The storage system permits the access only when these port IDs match.
Here, plural business hosts may be classified into groups, and permission and denial of access to each logical volume may also be set for each group. Hereinafter, such a group is called a host group.
One technique for realizing function (2) is the volume property guard technique. In this specification, the volume property is a preset mode that prohibits or permits accesses such as read and write with respect to each logical volume. Concretely, the properties include Read/Write, which permits both read and write; Read Only, which permits only read; Protect, which prohibits both read and write; and so on.
The volume property guard technique controls access to a logical volume in accordance with the volume property set in advance for that logical volume. Concretely, the above volume property is set in advance for each logical volume. When a logical volume is accessed, control is performed such that the set property is checked and the read and/or the write is permitted or denied in accordance with this property (e.g., see JP-A-2000-112822, hereinafter called patent literature 1). In the method disclosed in patent literature 1, a disk controller is arranged that is connected to the business host and controls the input and output of data with respect to the logical volume. Information relating to the property of each logical volume is held in the disk controller. The business host accesses the storage system through the disk controller.
Here, in an information processing system including the business host and plural storage systems, one method for providing a logical volume of a storage system to the business host is a technique in which one storage system provides a volume of another storage system connected to it as a volume of its own (e.g., see JP-A-2004-220450, hereinafter called patent literature 2). A connection to another storage system made in order to provide the volume of that other storage system as a volume of the own storage system is hereinafter called external connection.
The connecting-source storage system, which is externally connected to another storage system, provides to the business host a logical volume, called a virtual logical volume, that corresponds to the logical volume within the other storage system. Hereinafter, the storage system externally connected to the storage system providing the virtual logical volume to the business host is called an external storage system. When an access request to the virtual logical volume is received from the business host, the storage system providing the virtual logical volume accesses the logical volume within the external storage system corresponding to this virtual logical volume, and returns the result to the business host.
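The access guard, the volume property guard and the external connection described above can be modelled together as follows. This is an added illustration, not code from the specification or the cited patent literature; all class, volume and port names are hypothetical, and it assumes that the external storage system applies its own guards to the port ID of the storage system that forwards the request.

```python
from dataclasses import dataclass, field
from enum import Enum

class Prop(Enum):  # volume properties named in the text
    READ_WRITE = frozenset({"read", "write"})
    READ_ONLY = frozenset({"read"})
    PROTECT = frozenset()

@dataclass
class Volume:
    prop: Prop
    port_ids: set = field(default_factory=set)     # individually permitted port IDs
    host_groups: set = field(default_factory=set)  # permitted host group names
    external: tuple = None  # (StorageSystem, volume id) for a virtual logical volume

@dataclass
class StorageSystem:
    port_id: str
    volumes: dict = field(default_factory=dict)
    host_groups: dict = field(default_factory=dict)  # group name -> set of port IDs

    def access(self, vol_id, requester_port, op):
        vol = self.volumes.get(vol_id)
        if vol is None:
            return "DENY:no-such-volume"
        # Access guard: the requester's port ID must be permitted for this volume,
        # either directly or through a host group.
        allowed = set(vol.port_ids)
        for group in vol.host_groups:
            allowed |= self.host_groups.get(group, set())
        if requester_port not in allowed:
            return "DENY:access-guard"
        # Volume property guard: the operation must be permitted by the property.
        if op not in vol.prop.value:
            return "DENY:volume-property"
        # External connection: forward to the external storage system, which
        # (assumption) checks this system's port ID against its own settings.
        if vol.external:
            ext_sys, ext_vol = vol.external
            return ext_sys.access(ext_vol, self.port_id, op)
        return "PERMIT"

def build_demo():
    """Constructed sample configuration: one front system, one external system."""
    ext = StorageSystem(port_id="port-front-to-ext")
    ext.volumes["E0"] = Volume(Prop.READ_ONLY, port_ids={"port-front"})
    front = StorageSystem(port_id="port-front",
                          host_groups={"db-hosts": {"port-a", "port-b"}})
    front.volumes["L0"] = Volume(Prop.READ_WRITE, host_groups={"db-hosts"})
    front.volumes["L1"] = Volume(Prop.PROTECT, port_ids={"port-a"})
    front.volumes["V0"] = Volume(Prop.READ_WRITE, host_groups={"db-hosts"},
                                 external=(ext, "E0"))
    return front
```

In this model a write to `V0` passes both guards on the front system and is then denied by the Read Only property held on the external storage system, because each system evaluates only the settings it holds itself.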