Managing resource groups

You can divide a provisioned storage system into resource groups that allow you to manage the storage system as multiple virtual private storage systems. Configuring resource groups involves creating resource groups, moving storage system resources into the resource groups, and assigning resource groups to user groups.

For information on creating user groups and adding users, see Managing users and user groups.

About resource groups

A storage system can connect to multiple hosts and be shared by multiple divisions in a company or by multiple companies. Many storage administrators from different organizations can access the storage system. Managing the entire storage system can become complex and difficult. Potential problems are that private data might be accessed by other users, or a volume in one organization might be accidentally destroyed by a storage administrator in another organization.

To avoid such problems, use Hitachi Resource Partition Manager software to set up resource groups that allow you to manage one storage system as multiple virtual private storage systems. The storage administrator in each resource group can access only their assigned resources. Resource groups prevent the risk of data leakage or data destruction by another storage administrator in another resource group.

The following resources can be assigned to resource groups.

  • LDEV IDs
  • Parity groups
  • External volumes
  • Ports

Note: Before you create LDEVs, you can reserve the desired number of LDEV IDs and assign them to a resource group for future use.

meta_resource

The meta_resource group is the resource group consisting of the resources that exist on the storage system (other than external volumes) before Resource Partition Manager is installed. By default, all existing resources initially belong to the meta_resource group to ensure compatibility with older software when a system is upgraded to include Resource Partition Manager.

Resource lock

When a task is being processed on a resource, all of the resource groups assigned to the logged-on user are locked for exclusive access. When a resource is locked, a status indicator appears on the Device Manager - Storage Navigator status bar. To view information about the locked resource, click Resource Locked.

Note: Opening a Device Manager - Storage Navigator secondary window (such as Basic Information Display) or performing an operation from the service processor (SVP) locks all of the resource groups in the storage system.

Examples

The following examples illustrate how you can configure resource groups on your storage system.

Resource groups sharing a port

If you have a limited number of ports, you can still operate a storage system effectively by sharing ports using resource groups.

The following example shows the system configuration of an in-house system division providing a virtual private storage system for two divisions. Divisions A and B each use their own assigned parity group, but share a port between the two divisions. The shared port is managed by the system division.

The Security Administrator in the system division creates resource groups for each division in the storage system and assigns them to the respective divisions. The Storage Administrator in Division A can manage the resource groups for Division A but cannot access the resource groups for Division B. In the same manner, the Storage Administrator in Division B can manage the resource groups for Division B but cannot access the resource groups for Division A.

The Security Administrator creates a resource group for managing the common resources, and the Storage Administrator in the system division manages the port that is shared between Divisions A and B. The Storage Administrators in Divisions A and B cannot manage the shared port belonging to the resource group for common resources management.

Configuration workflow for resource groups sharing a port
  1. The system division plans the creation of the resource groups and the assignment of the resources.
  2. The Security Administrator creates the resource groups.
  3. The Security Administrator creates the user groups.
  4. The Security Administrator assigns the resource groups to the user groups.
  5. The Storage Administrator in the system division sets a port.
  6. The Security Administrator assigns resources to the resource groups.
  7. The Security Administrator assigns the Storage Administrators to the appropriate user groups.

After the above procedures, the Storage Administrators in Divisions A and B can manage the resource groups assigned to their own division.

Resource groups not sharing ports

If you assign ports to each resource group without sharing, performance on the other ports can be maintained even if the bulk of the I/O is issued on one port.

The following example shows the system configuration of an in-house system division providing a virtual private storage system for two divisions. Divisions A and B each use individually assigned ports and parity groups. In this example, they do not share a port.

The Security Administrator in the system division creates resource groups for each division in the storage system and assigns them to the respective divisions. The Storage Administrator in Division A can manage the resource groups for Division A but cannot access the resource groups for Division B. In the same manner, the Storage Administrator in Division B can manage the resource groups for Division B but cannot access the resource groups for Division A.

Configuration workflow for resource groups not sharing a port
  1. The system division plans the creation of the resource groups and the assignment of resources to the groups.
  2. The Security Administrator creates the resource groups.
  3. The Security Administrator creates the user groups.
  4. The Security Administrator assigns the resource groups to user groups.
  5. The Storage Administrator in the system division sets ports.
  6. The Security Administrator assigns resources to the resource groups.
  7. The Security Administrator assigns each Storage Administrator to each user group.

After the above procedures, the Storage Administrators in Divisions A and B can access the resource groups allocated to their own division.

Resource group assignments

All resource groups are normally assigned to the Security Administrator and the Audit Log Administrator.

Each resource group has a designated Storage Administrator who can access only their assigned resources and cannot access other resources.

All resource groups to which all resources in the storage system belong can be assigned to a user group. Configure this in Device Manager - Storage Navigator by setting All Resource Groups Assigned to Yes.

A user who has All Resource Groups Assigned set to Yes can access all resources in the storage system. For example, if a user is a Security Administrator (with View & Modify privileges) and a Storage Administrator (with View and Modify privileges) and All Resource Groups Assigned is Yes on that user account, the user can edit the storage for all the resources.

If allowing this access becomes a problem with security on the storage system, then register the following two user accounts and use these different accounts for different purposes.

  • A user account for a Security Administrator where All Resource Groups Assigned is set to Yes.
  • A user account for a Storage Administrator who does not have all resource groups assigned and has only some of the resource groups assigned.
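
The account split recommended above can be checked against a list of user-group memberships. The following Python check is an added example, not Hitachi code: the record layout and the user and group names are constructed, and it assumes a user's effective roles are the union of the roles of all user groups the user belongs to.

```python
from dataclasses import dataclass

# Role names as written on this page.
SECURITY_ADMIN = "Security Administrator (View & Modify)"
STORAGE_ADMIN = "Storage Administrator (View & Modify)"


@dataclass(frozen=True)
class UserGroup:
    roles: frozenset
    all_resource_groups: bool              # "All Resource Groups Assigned" = Yes
    resource_groups: frozenset = frozenset()


# Constructed sample data (hypothetical names, not from a real system).
GROUPS = {
    "SecAdmins": UserGroup(frozenset({SECURITY_ADMIN}), True),
    "DivA-Storage": UserGroup(frozenset({STORAGE_ADMIN}), False,
                              frozenset({"RSG-DivA"})),
}
MEMBERSHIPS = {
    "alice": ["SecAdmins"],                  # security account only
    "bob": ["DivA-Storage"],                 # scoped storage account only
    "carol": ["SecAdmins", "DivA-Storage"],  # both roles on one account
}


def effective_access(user_groups):
    """Union of roles and resource groups across a user's user groups (assumption)."""
    roles, rgs, all_rgs = set(), set(), False
    for g in user_groups:
        roles |= g.roles
        rgs |= g.resource_groups
        all_rgs = all_rgs or g.all_resource_groups
    return roles, rgs, all_rgs


def audit(memberships, groups):
    """Return {user: finding} for accounts that can edit storage on every resource."""
    findings = {}
    for user, names in memberships.items():
        roles, _, all_rgs = effective_access(groups[n] for n in names)
        if all_rgs and {SECURITY_ADMIN, STORAGE_ADMIN} <= roles:
            findings[user] = "use separate security and scoped storage accounts"
    return findings
```
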

Resource group rules, restrictions, and guidelines

Rules
  • The maximum number of resource groups that can be created on a storage system is 1023.

If you are providing a virtual private storage system to different companies, you should not share parity groups, external volumes, or pools if you want to limit the capacity that can be used by each user. When parity groups, external volumes, or pools are shared between multiple users, and if one user uses too much capacity of the shared resource, the other users might not be able to create an LDEV.

Creating resource groups

When you create a resource group, you enter a name and assign the desired resources (parity groups, LDEVs, ports, host groups, and iSCSI targets) to the new group. You can create more than one resource group at a time.

Before you begin

You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Explorer pane, expand the Storage Systems tree, click the Administration tab, and then select Resource Groups.

  2. Click Create Resource Groups.

  3. In the Create Resource Groups window, enter the name for the new group, select the desired resources for the new group, and click Add to add the new group to the list of resource groups to be added.

    Naming guidelines:

    • A resource group name can use alphanumeric characters, spaces, and the following symbols: ! # $ % & ' ( ) + - . = @ [ ] ^ _ ` { } ~
    • The characters in a resource group name are case-sensitive.
    • Duplicate occurrences of the same name are not allowed.
    • You cannot use the following names: meta_resource

  4. Repeat the previous step for each new resource group to be added. If you need to remove a group from the list of resource groups to be added, select the group, and click Remove.

    Note: The maximum number of resource groups that can be created on a storage system is 1023.

  5. When you are finished configuring new resource groups in the Create Resource Groups window, click Next.

  6. Enter a task name or accept the default, and then click Submit.

    If you select View task status, the Tasks & Alerts tab opens.
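
A planned list of group names can be checked against the naming guidelines in step 3 before it is entered in the window. This Python check is an added example, not part of the product: it assumes "alphanumeric" means ASCII letters and digits, that the reserved name is matched exactly (names are case-sensitive), and that the 1023 limit applies to the names passed in, since the page does not say whether meta_resource counts toward it.

```python
import re

# Alphanumerics, space, and the symbols listed in the naming guidelines.
ALLOWED = re.compile(r"[A-Za-z0-9 !#$%&'()+\-.=@\[\]^_`{}~]+")
RESERVED = {"meta_resource"}
MAX_RESOURCE_GROUPS = 1023


def check_new_names(new_names, existing_names):
    """Return a list of (name, reason) for names the guidelines reject."""
    problems = []
    seen = set(existing_names)          # exact match: names are case-sensitive
    for name in new_names:
        if not ALLOWED.fullmatch(name):
            problems.append((name, "empty or uses a character outside the allowed set"))
        elif name in RESERVED:
            problems.append((name, "reserved name"))
        elif name in seen:
            problems.append((name, "duplicate name"))
        else:
            seen.add(name)
    if len(seen) > MAX_RESOURCE_GROUPS:
        problems.append(("*", f"plan exceeds {MAX_RESOURCE_GROUPS} resource groups"))
    return problems
```
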

Adding resources to a resource group

You can add resources to, remove resources from, and rename existing resource groups.

Note the following restrictions for editing resource groups:

  • Only resources allocated to meta_resource can be added to resource groups.
  • Resources removed from a resource group are returned to meta_resource.
  • No resource can be added to or removed from meta_resource.
  • The name of the meta_resource group cannot be changed or used for any resource group other than the meta_resource group.
  • The system does not allow duplicate names.
  • LDEVs with the same pool ID or journal ID cannot be added to multiple resource groups or partially removed from a resource group. For example, if two LDEVs belong to the same pool, you must allocate both to the same resource group. You cannot allocate them separately.

    You cannot partially remove LDEVs with the same pool ID or journal ID from a resource group. If LDEV1 and LDEV2 belong to the same pool, you cannot remove LDEV1 and leave only LDEV2 in the resource group.

    Use the sort function to sort the LDEVs by pool ID or journal ID. Then select the IDs and add or remove them all at once.

  • Host groups that belong to the initiator port cannot be added to a resource group.
  • To add or delete DP pool volumes, you must first add or delete DP pools.
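
The meta_resource and pool ID/journal ID restrictions above can be applied to a planned selection before it is submitted. This Python check is an added example, not part of the product: the inventory layout, LDEV IDs and group names are constructed for illustration.

```python
from collections import defaultdict

META = "meta_resource"

# Constructed sample inventory: LDEV ID -> current group and pool/journal ID.
LDEVS = {
    "00:10": {"group": META, "pool_id": 1},
    "00:11": {"group": META, "pool_id": 1},
    "00:20": {"group": META},
    "00:30": {"group": "RSG-DivB", "journal_id": 0},
    "00:31": {"group": "RSG-DivB", "journal_id": 0},
}


def siblings(ldevs):
    """Map each LDEV ID to the set of LDEVs sharing its pool ID or journal ID."""
    by_key = defaultdict(set)
    for ldev_id, info in ldevs.items():
        for kind in ("pool_id", "journal_id"):
            if info.get(kind) is not None:
                by_key[(kind, info[kind])].add(ldev_id)
    out = defaultdict(set)
    for members in by_key.values():
        for ldev_id in members:
            out[ldev_id] |= members
    return out


def check_change(ldevs, action, group, selection):
    """Validate an 'add' or 'remove' of LDEVs against the restrictions above."""
    if group == META:
        return ["no resource can be added to or removed from meta_resource"]
    errors = []
    # Additions must come from meta_resource; removals from the group itself.
    required_source = META if action == "add" else group
    sib = siblings(ldevs)
    for ldev_id in sorted(selection):
        if ldevs[ldev_id]["group"] != required_source:
            errors.append(f"{ldev_id}: not in {required_source}")
        missing = sorted(sib[ldev_id] - set(selection))
        if missing:
            errors.append(f"{ldev_id}: must move together with {', '.join(missing)}")
    return errors
```
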

Before you begin

You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Explorer pane, click the Administration tab, and then select Resource Groups.

  2. Select the desired resource group (check the box next to the name of the resource group) to display the resource information for the resource group.

    • To change the name of the selected resource group, click Edit Resource Group, and enter the new name.
    • To add resources to the selected resource group, select the Parity Groups, LDEVs, Ports, or Host Groups / iSCSI Targets tab, click Add Resources, and follow the instructions on the Add Resources window.
    • To remove resources from the selected resource group, select the Parity Groups, LDEVs, Ports, or Host Groups / iSCSI Targets tab, select the resources to be removed, and then click Remove Resources.
  3. Enter a task name or accept the default, and then click Submit.

    If you select View task status, the Tasks & Alerts tab opens.

Deleting resource groups

You can delete a resource group only when the resource group does not contain any resources and is not assigned to any user groups.

The following resource groups cannot be deleted:

  • meta_resource
  • A resource group that is assigned to a user group
  • A resource group that has resources assigned to it
  • Resource groups included in different resource groups cannot be removed at the same time.

Before you begin

The Security Administrator (View & Modify) role is required to perform this task.

Procedure

  1. In the Explorer pane, expand the Storage Systems tree, click the Administration tab, and then select Resource Groups.

  2. Click the check box of a Resource Group Name.

  3. Click Delete Resource Groups.

  4. Enter a task name or accept the default, and then click Submit.

    If you select View task status, the Tasks & Alerts tab opens.