The present invention relates generally to data processing networks and data storage subsystems, and more particularly to a data processing network in which a large number of hosts can access volumes of data storage in a data storage subsystem.
Due to advances in computer technology, there has been an ever increasing need for data storage in data processing networks. In a typical data processing network, there has been an increase in the number of volumes of data storage and an increase in the number of hosts needing access to the volumes. This has been especially true for networks of workstations. Not only have a greater number of workstations been added to the typical network, but also the increase in data processing capabilities of a typical workstation has required more data storage per workstation for enhanced graphics and video applications.
The increased demand for data storage in a network is typically met by using more storage servers in the network or by using storage servers of increased storage capacity and data transmission bandwidth. From the standpoint of cost of storage, either of these solutions appears to be satisfactory. However, a greater number of storage servers in a network substantially increases the cost of managing the storage. This increased cost of management often appears some time after installation, when one of the servers reaches its capacity and some of its volumes must be reassigned to less heavily loaded servers. Network administrators aware of the cost of storage management realize that network storage should be consolidated to the minimum possible number of servers. The management problem is reduced by reducing the number of objects to be managed.
Due to the storage needs of present networks and the desire to consolidate servers, it is practical to provide a single storage subsystem with up to 20 terabytes (TB) storage, or approximately 4000 logical volumes. It may be possible for any host to have access to any volume in a data storage subsystem to which the host has access. However, it may be desirable to restrict the set of volumes that can be seen by any one host. Restricted access is desirable for security of private data. For example, private volumes should be assigned to each host for storage of private data, and other hosts should not be permitted to see or modify the private volumes of other hosts. Moreover, the "boot" process for a host is slowed down by searching for and reporting all the volumes to which the host has access. Certain operating systems are limited by the number of storage devices that they can manage at a given period of time, and for a host running such an operating system, it is not only desirable but also necessary to limit the number of volumes that the host can access.
It is possible to restrict access of a host to a limited set of logical volumes in the data storage subsystem by restricting the set of logical volumes accessible through a particular port adapter of the storage subsystem and linking the host to only that particular port adapter. For convenience, however, there should not be any restrictions on which logical storage volumes are accessible from each port adapter. Otherwise, during a reconfiguration of the data processing system, it may be necessary to physically switch the links that are connected to the network ports of the hosts or the port adapters, for example by manually disconnecting and reconnecting the links to the ports. Even in the case where the data network has a fabric for automatically establishing a link between any of the hosts and any of the port adapters, the physical possibility of any port adapter to access any logical storage volume provides alternative data paths that could be used in case of port adapter failure or port adapter congestion. For example, if a host sends a data access request to a port adapter and receives a busy response from the port adapter, then the host can send the data access request to another port adapter. Port adapter congestion is likely, for example, if the storage subsystem is a continuous media server, in which video data is often streamed through a single port adapter to a host for a relatively long period of time.
In open network systems, it is known to use authentication and authorization protocols in order to authenticate that a request for access to a specified file originates from a particular host, and once the request for access is authenticated, to check whether the host is authorized to access the specified file. For example, a network server authenticates the request by checking whether a password in the request matches the host's password stored in a client directory, and the network server authorizes the request by checking a file directory to determine whether the host is listed in the file directory as having access rights to the specified file. However, the use of high-level authentication and authorization procedures for discriminating among all access requests by the hosts to the logical storage volumes would unduly burden the host and the storage subsystem. What is desired is a method that may be transparent to any high-level file system procedures that may be used by the hosts for managing access to files stored in the logical volumes that a host is permitted to access. The method should restrict the logical storage volumes seen by the host during a boot operation, and seen by the operating system when the operating system determines what logical volumes are accessible to the host.
In accordance with one aspect of the invention, there is provided a method of operating a storage controller for controlling access to data storage. The storage controller has at least one data port for connecting the storage controller into a data network for data transmission between the data storage and host processors in the data network. The method includes storing in memory a respective specification for each host processor of a respective subset of the data storage to which access by the host processor is restricted, and storing associated information identifying each host processor in association with the respective specification for the host processor. The method further includes receiving at the data port a request for storage access from one of the host processors. The request from the host processor contains an identification of the host processor and a specification of a portion of the data storage to access. The storage controller responds to the request for storage access by: (i) decoding from the request for storage access the identification of the host processor contained in the request for storage access; (ii) searching the memory to find associated information identifying the host processor identified by the identification decoded from the request for storage access, and (iii) upon finding associated information identifying the host processor identified by the identification decoded from the request for storage access, accessing in the memory the respective specification which is associated with the associated information identifying the host processor identified by the identification decoded from the request for storage access, in order to determine whether or not the portion of the data storage specified by the request for storage access is contained in the respective subset of the data storage specified by the respective specification which is associated with the associated information identifying the host processor identified by the identification decoded from the request for storage access, and (iv) accessing the specified portion of the data storage upon finding that the portion of the data storage specified by the request for storage access is contained in the respective subset of the data storage specified by the respective specification which is associated with the associated information identifying the host processor identified by the identification decoded from the request for storage access.
In accordance with another aspect, the invention provides a method of operating a storage controller for controlling access to data storage. The storage controller has at least one data port for connecting the storage controller into a data network for data transmission between the data storage and host processors in the data network. The method includes storing in memory a respective specification for each host processor of a respective subset of the data storage to which access by the host processor is restricted, and storing associated information identifying the host processor in association with the respective specification for the host processor. The data network assigns temporary addresses to each host processor, and each host processor also has a relatively permanent identifier. The identification of the host processor stored in memory includes the relatively permanent identifier and any temporary address currently assigned to the host processor. The method further includes receiving at the data port a request for storage access from one of the host processors. The request for storage access from one of the host processors contains the temporary address of the host processor and a specification of a portion of the data storage to access. The storage controller responds to the request for storage access by decoding from the request for storage access the temporary address of the host processor contained in the request for storage access, and using the temporary address decoded from the request for storage access in order to access the memory to determine whether or not the specified portion of the data storage to access is contained in the respective subset of the data storage to which access is permitted by the host processor having the temporary address decoded from the request for storage access. 
When the specified portion of the data storage to access is determined to be contained in the respective subset, the specified portion of the data storage is accessed.
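The per-request check described in the two aspects above, written out as an added C example (not code from the patent). The function names, table sizes and the `NO_ADDR` marker are hypothetical, and clearing a stale binding when a temporary address is reassigned is an assumption of this example rather than something the text states.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_HOSTS   8             /* hypothetical table size */
#define MAX_VOLUMES 4096          /* hypothetical limit on logical volumes */
#define NO_ADDR     0xFFFFFFFFu   /* hypothetical marker: no temporary address */

struct host_entry {
    uint64_t permanent_id;              /* relatively permanent host identifier */
    uint32_t temp_addr;                 /* address currently assigned by the network */
    uint8_t  volumes[MAX_VOLUMES / 8];  /* bitmap: subset the host may access */
    bool     in_use;
};

static struct host_entry table[MAX_HOSTS];

/* Store the specification (volume subset) for one host, keyed by permanent id. */
int acl_add_host(uint64_t permanent_id, const uint16_t *vols, size_t n)
{
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (table[i].in_use) continue;
        table[i] = (struct host_entry){ .permanent_id = permanent_id,
                                        .temp_addr = NO_ADDR, .in_use = true };
        for (size_t k = 0; k < n; k++)
            if (vols[k] < MAX_VOLUMES)
                table[i].volumes[vols[k] / 8] |= (uint8_t)(1u << (vols[k] % 8));
        return 0;
    }
    return -1;  /* table full */
}

/* Record the temporary address now assigned to a known host. Assumption of
 * this example: any older binding of the same address is cleared first, so a
 * reassigned address cannot inherit the previous holder's volumes. */
int acl_bind(uint64_t permanent_id, uint32_t temp_addr)
{
    int found = -1;
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (!table[i].in_use) continue;
        if (table[i].temp_addr == temp_addr) table[i].temp_addr = NO_ADDR;
        if (table[i].permanent_id == permanent_id) found = i;
    }
    if (found < 0) return -1;  /* unknown host: no binding, hence no access */
    table[found].temp_addr = temp_addr;
    return 0;
}

/* Per-request check: temporary address from the request -> table entry ->
 * membership of the requested volume. Anything not found is denied. */
bool acl_check(uint32_t temp_addr, uint16_t volume)
{
    if (temp_addr == NO_ADDR || volume >= MAX_VOLUMES) return false;
    for (int i = 0; i < MAX_HOSTS; i++)
        if (table[i].in_use && table[i].temp_addr == temp_addr)
            return (table[i].volumes[volume / 8] >> (volume % 8)) & 1u;
    return false;
}
```

The same `acl_check` call can filter the volume list reported to a host during its boot scan, so that the host only sees the volumes in its subset.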
In accordance with yet another aspect, the invention provides a data storage subsystem including data storage; and a storage controller coupled to the data storage for controlling access to the data storage. The storage controller has a memory and at least one data port for connecting the storage controller into a data network for data transmission between the data storage and host processors in the data network. The storage controller is programmed for storing in memory a respective specification for each host processor of a respective subset of the data storage to which access by the host processor is restricted, and storing associated information identifying each host processor in association with the respective specification for the host processor. The storage controller is further programmed for receiving at the data port a request for storage access from one of the host processors. The request from the host processor contains an identification of the host processor and a specification of a portion of the data storage to access. 
The storage controller is programmed for responding to the request for storage access by: (i) decoding from the request for storage access the identification of the host processor contained in the request for storage access; (ii) searching the memory to find associated information identifying the host processor identified by the identification decoded from the request for storage access, and (iii) upon finding associated information identifying the host processor identified by the identification decoded from the request for storage access, accessing in the memory the respective specification which is associated with the associated information identifying the host processor identified by the identification decoded from the request for storage access, in order to determine whether or not the portion of the data storage specified by the request for storage access is contained in the respective subset of the data storage specified by the respective specification which is associated with the associated information identifying the host processor identified by the identification decoded from the request for storage access, and (iv) accessing the specified portion of the data storage upon finding that the portion of the data storage specified by the request for storage access is contained in the respective subset of the data storage specified by the respective specification which is associated with the associated information identifying the host processor identified by the identification decoded from the request for storage access.
In accordance with another aspect, the invention provides a data storage subsystem including data storage; and a storage controller coupled to the data storage for controlling access to the data storage. The storage controller has a memory and at least one data port for connecting the storage controller into a data network for data transmission between the data storage and host processors in the data network. The storage controller is programmed for storing in memory a respective specification for each host processor of a respective subset of the data storage to which access by the host processor is restricted, and storing associated information identifying the host processor in association with the respective specification for the host processor. The data network assigns temporary addresses to each host processor, and each host processor also has a relatively permanent identifier. The identification of the host processor stored in memory includes the relatively permanent identifier and any temporary address currently assigned to the host processor. The storage controller is further programmed for receiving at the data port a request for storage access from one of the host processors. The request for storage access from the host processor contains the temporary address of the host processor and a specification of a portion of the data storage to access. The storage controller is programmed for responding to the request for storage access by decoding from the request for storage access the temporary address of the host processor contained in the request for storage access, and using the temporary address decoded from the request for storage access in order to access the memory to determine whether or not the specified portion of the data storage to access is contained in the respective subset of the data storage to which access is permitted by the host processor having the temporary address decoded from the request for storage access. 
When the specified portion of the data storage to access is determined to be contained in the respective subset, the specified portion of the data storage is accessed.
In accordance with still another aspect, the invention provides a machine readable program storage device for execution by a storage controller to control access to data storage. The storage controller has a memory and at least one data port for connecting the storage controller into a data network for data transmission between the data storage and host processors in the data network. The program is executable by the storage controller for storing in memory a respective specification for each host processor of a respective subset of the data storage to which access by the host processor is restricted, and for storing associated information identifying each host processor in association with the respective specification for the host processor. The program is further executable by the storage controller for receiving at the data port a request for storage access from one of the host processors. The request from the host processor contains an identification of the host processor and a specification of a portion of the data storage to access.
The program is executable by the storage controller for responding to the request for storage access by: (i) decoding from the request for storage access the identification of the host processor contained in the request for storage access; (ii) searching the memory to find associated information identifying the host processor identified by the identification decoded from the request for storage access, and (iii) upon finding associated information identifying the host processor identified by the identification decoded from the request for storage access, accessing in the memory the respective specification which is associated with the associated information identifying the host processor identified by the identification decoded from the request for storage access, in order to determine whether or not the portion of the data storage specified by the request for storage access is contained in the respective subset of the data storage specified by the respective specification which is associated with the associated information identifying the host processor identified by the identification decoded from the request for storage access, and (iv) accessing the specified portion of the data storage upon finding that the portion of the data storage specified by the request for storage access is contained in the respective subset of the data storage specified by the respective specification which is associated with the associated information identifying the host processor identified by the identification decoded from the request for storage access.
In accordance with a final aspect, the invention provides a machine readable program storage device for execution by a storage controller to control access to data storage. The storage controller has a memory and at least one data port for connecting the storage controller into a data network for data transmission between the data storage and host processors in the data network. The program is executable by the storage controller for storing in memory a respective specification for each host processor of a respective subset of the data storage to which access by the host processor is restricted, and storing associated information identifying the host processor in association with the respective specification for the host processor. The data network assigns temporary addresses to each host processor, and each host processor also has a relatively permanent identifier. The identification of the host processor stored in memory includes the relatively permanent identifier and any temporary address currently assigned to the host processor. The program is further executable by the storage controller for receiving at the data port a request for storage access from one of the host processors. The request for storage access from the host processor contains the temporary address of the host processor and a specification of a portion of the data storage to access. The program is executable by the storage controller for responding to the request for storage access by decoding from the request for storage access the temporary address of the host processor contained in the request for storage access, and using the temporary address decoded from the request for storage access in order to access the memory to determine whether or not the specified portion of the data storage to access is contained in the respective subset of the data storage to which access is permitted by the host processor having the temporary address decoded from the request for storage access. 
When the specified portion of the data storage to access is determined to be contained in the respective subset, the specified portion of the data storage is accessed.