Storage systems organize data in terms of logical volumes that are presented to external hosts as logical units within a logical storage space. Logical units are identified by a logical unit number (LUN). While a storage system can be connected to many hosts, it is often desirable to restrict the access of hosts to the logical storage space according to different criteria, such as specific LUNs.
Indeed, the problems of access control to storage resources have been recognized in the past and various systems and methods have been developed to provide a solution. References considered to be relevant as background to the presently disclosed subject matter are listed below. Acknowledgement of the references herein is not to be inferred as meaning that these are in any way relevant to the patentability of the presently disclosed subject matter.
U.S. Pat. No. 5,860,137 (Raz et al.) discloses a method of operating a data storage system that includes a plurality of host connections for connecting host processors to the data storage system. The data storage system includes digital storage that is partitioned into a plurality of volumes. The method includes the steps of mapping the plurality of volumes to the plurality of host connections so that each of the host connections has associated therewith a corresponding subset of the volumes, and wherein a host processor connected to any given one of the host connections is able to access only the volumes that are mapped to that host connection. The data storage system supports connect and disconnect commands. The connect command enables a host processor to map a designated one of the volumes to a designated one of the host connections; the disconnect command enables a host processor to unmap a designated one of the volumes from a designated one of the host connections.
U.S. Pat. No. 7,051,147 (Hoese et al.) discloses a storage router and storage network providing virtual local storage on remote storage devices to Fiber Channel devices. A plurality of Fiber Channel devices is connected to a Fiber Channel transport medium, and a plurality of storage devices is connected to a second Fiber Channel transport medium. The storage router interfaces between the Fiber Channel transport media. The storage router maps between the workstations and the storage devices and implements access controls for storage space on the storage devices. The storage router then allows access from the workstations to the storage devices using a native low-level block protocol in accordance with the mapping and the access controls.
U.S. Pat. No. 7,130,900 (Shiga et al.) discloses a storage management method in a computer system having a storage device, switches and hosts respectively connected by a network, operating in accordance with an ID of a logical volume of the storage device and an IP address of a host. Access control configuration of the logical volume is performed relative to the storage device, the IP address of the host is converted into a MAC address, the MAC address of the host is converted into a port ID of the switch connected to the host, and the port is added to a virtual local area network (VLAN) on that switch. Logical unit number (LUN) masking and VLAN configuration, both essential security countermeasures for an IP-SAN (Internet protocol storage area network), can thus be managed collectively by a system administrator so that the running cost of the IP-SAN can be lowered.
U.S. Pat. No. 7,350,022 (Mizuno et al.) discloses a storage management method in a computer system which includes a storage device and a disk control device that controls data transfer between the storage device and a host computer. To enhance the security of the storage media making up the storage device, the storage system is provided with a password management table that manages a password for the entire storage device, for each storage medium or for each logical device, and also with a function for setting and unlocking the password for the entire storage device, for each storage medium or for each logical device.
U.S. Pat. No. 7,353,542 (Shiga et al.) discloses a storage management method in a computer system in which one or more computers, on which one or more initiators operate, and a storage device, on which one or more targets operate, are connected with each other through a network. An authentication table for authenticating the validity of a user of a computer is associated with an authorization table for authorizing access of an initiator to a certain target, in order to limit such accesses.
U.S. Pat. No. 7,523,201 (Lee et al.) discloses a system and method for optimizing LUN masking of a storage appliance. Upon login, an initiator data structure containing a LUN map is created and associated with each initiator connected to the storage system. When an initiator sends a message directed to a LUN associated with the storage system, the storage system maps the LUN sent by the initiator to a physical LUN associated with the storage system using the LUN map. If the LUN map contains an appropriate entry, then the LUN has been successfully exported and/or masked to the given initiator.
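The per-initiator LUN map described above, as an added illustration that is not code from the patent or from any cited reference: an initiator entry is built at login from an export policy, each incoming command's host-visible LUN is resolved through that map to a physical LUN, and a LUN with no entry is treated as masked. Initiator names and LUN values are constructed for the example; the `unexport` step is an assumption added to show that a cached map must be revoked live, not only at the next login.

```python
# Added example: minimal model of per-initiator LUN masking (not the patent's own code).
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class InitiatorEntry:
    """Initiator data structure created at login; holds host LUN -> physical LUN."""
    initiator_id: str
    lun_map: Dict[int, int] = field(default_factory=dict)


class StorageSystem:
    def __init__(self) -> None:
        self.initiators: Dict[str, InitiatorEntry] = {}          # logged-in initiators
        self.export_policy: Dict[str, Dict[int, int]] = {}       # initiator -> {host LUN: phys LUN}

    def export(self, initiator_id: str, host_lun: int, physical_lun: int) -> None:
        """Administrative step: make physical_lun visible to initiator_id as host_lun."""
        self.export_policy.setdefault(initiator_id, {})[host_lun] = physical_lun

    def unexport(self, initiator_id: str, host_lun: int) -> None:
        """Revoke in the policy AND in the live map, so a logged-in initiator loses access now."""
        self.export_policy.get(initiator_id, {}).pop(host_lun, None)
        entry = self.initiators.get(initiator_id)
        if entry is not None:
            entry.lun_map.pop(host_lun, None)

    def login(self, initiator_id: str) -> InitiatorEntry:
        """On login, build the initiator's LUN map from the policy (a private copy)."""
        entry = InitiatorEntry(initiator_id, dict(self.export_policy.get(initiator_id, {})))
        self.initiators[initiator_id] = entry
        return entry

    def resolve(self, initiator_id: str, host_lun: int) -> Optional[int]:
        """Map a command's LUN to a physical LUN; None means masked or not logged in."""
        entry = self.initiators.get(initiator_id)
        if entry is None:
            return None                      # unknown initiator sees nothing
        return entry.lun_map.get(host_lun)   # missing entry == not exported to this initiator

    def handle_command(self, initiator_id: str, host_lun: int, op: str) -> str:
        phys = self.resolve(initiator_id, host_lun)
        if phys is None:
            return f"REJECT {initiator_id} lun={host_lun}: not exported"
        return f"OK {initiator_id} lun={host_lun} -> physical={phys} op={op}"


if __name__ == "__main__":
    s = StorageSystem()
    s.export("iqn.example:host-a", 0, 17)    # constructed identifiers and LUNs
    s.export("iqn.example:host-a", 1, 42)
    s.login("iqn.example:host-a")
    print(s.handle_command("iqn.example:host-a", 0, "READ"))
    print(s.handle_command("iqn.example:host-a", 5, "READ"))
```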
U.S. Pat. No. 7,763,455 (Hall) discloses a computer system having at least two processing nodes and a shared data storage system comprising a number of storage units. Each storage unit has a logical unit number (LUN). A first of the processing nodes stores a maximum LUN value in non-volatile storage, and is arranged to perform, on boot-up, a device discovery procedure in which it scans the shared data storage system to find storage units with LUNs not greater than the maximum LUN value. A second of the processing nodes stores a start LUN value in non-volatile storage, and is arranged to perform, on boot-up, a device discovery procedure in which it scans the shared data storage system to find storage units with LUNs not less than the start LUN value. This allows LUN masking to be achieved relatively inexpensively with only minimal modification to the operating systems of the processing nodes, using existing device discovery features of the operating system.
US Patent Application 2008022120 (Factor et al.) discloses a method for accessing a storage device. The method includes: receiving, by the storage device, a block based storage access command and cryptographically secured access control information, wherein the block based storage access command and the cryptographically secured access control information are associated with at least one fixed size block of data and with a client; processing at least a portion of the cryptographically secured access control information by using a secret key accessible to the storage device and to a security entity; and selectively executing the block based storage access command in response to a result of the processing.