Access Control Records


The ‘access control records’ page allows you to configure access control records, which are containers of initiator parameters that, when mapped to a volume, specify which initiators are able to access that volume.  When an initiator attempts to connect to a volume, your appliance checks the access control records assigned to that volume to see if the initiator’s parameters match one of the entries contained within an access control record mapped to that volume. 

This page can be accessed by navigating to Configure → Security Settings → Access Control Records. The access control record configuration page is shown below. 

AccessControlRecords1S.png


The page lists, in a tabular view, the name of each access control record, the CHAP user associated with it, and the iSCSI Qualified Name (IQN) of the initiator that is permitted to access the volume. The operations available for access control records are discussed in the following sections.
Creating an Access Control Record

Each access control record can contain CHAP credentials and an IQN.  Perform the following steps to create a new access control record.

AccessControlRecords1S.png

  1. Click the ‘Add New Record’ button found at the bottom of the table as shown above. The tabular view will change to edit mode.
  2. Supply a name for the record. Access control record names should be unique.
  3. When you have finished configuring the record name, select a CHAP user from the drop-down list. If you do not wish to use CHAP, select the ‘Any User’ entry from the drop-down.
  4. Supply an initiator name. This is a mandatory field and cannot be left blank. If you do not supply an IQN and attempt to save the record, you will receive the following error:

AccessControlRecords3S.png

  5. Once you have the access control record defined and configured, click the check icon Green_Check_20X18.png to save the access control record, or click the ‘delete’ icon Red_Cross_20X20.png to discard it.


AccessControlRecords2S.png

Note that every configured value of an access control record must be satisfied before the initiator is allowed to access the volume. For instance, if you specify both a CHAP user and an IQN, both must match before the initiator is allowed to access the volume.

Note: If there is more than one network path to the server, the ACRs should cover all of the paths. For details, refer to the KB article regarding IQN-based Configuration of Access Control Records.

Note: An initiator can only be a member of a single access control record (ACR). If a server is referenced by its IQN in one ACR, that IQN cannot be referenced in another ACR. It is therefore recommended that each ACR represent a unique server in scenarios where there may be overlap.

Editing an Access Control Record

Clicking the ‘edit’ icon Edit_Pencil_20X19.png allows you to change the configuration of the access control record.

Deleting an Access Control Record

A configured access control record can be deleted by clicking the ‘delete’ icon Red_Cross_20X20.png found near the left end of its row.

ACRs for Dynamic Cluster Scenario

For a dynamic cluster scenario (where nodes can be added or removed without prior knowledge of their IQNs), follow the guidelines below to create ACRs.

  • Configure two CHAP users, one for the cluster and another for the non-clustered servers.
    • For example, create CHAP User 1 - NonCluster.
    • Create CHAP User 2 - Cluster.
    • Assign the respective passwords to the above CHAP users.
  • Configure ACRs based on the CHAP configurations.
    • Create the first ACR: Name 1 = ClusterACR, CHAP = Cluster, IQN Name = Wildcard (*)
    • Create the second ACR: Name 2 = NonClusterACR, CHAP = NonCluster, IQN Name = IQN name of Initiator 1
    • Create a third ACR: Name 3 = NonClusterACR, CHAP = NonCluster, IQN Name = IQN name of Initiator 2
    • Keep creating ACRs based on the number of initiators. A maximum of 512 initiators is supported.
  • All clustered nodes should log in with the CHAP User 2 - Cluster credentials, and the non-clustered nodes should log in with the CHAP User 1 - NonCluster credentials.

The above approach can be extended to multiple-cluster environments by using a separate CHAP user for each cluster.
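The following is an added example, not part of the original guide or the appliance's own code: a small Python model of the matching rule described earlier (every configured value of an ACR must be satisfied, ‘Any User’ waives the CHAP check, and the wildcard IQN matches any initiator) together with the validation rules this page states (unique names, a mandatory IQN, an IQN in at most one ACR), applied to the dynamic-cluster layout above. The IQNs and the distinct names NonClusterACR1/NonClusterACR2 are constructed sample values, and the wildcard-plus-Any-User check is an extra caution that the guide itself does not state.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

ANY_USER = "Any User"   # the drop-down entry meaning "no CHAP user required"
WILDCARD_IQN = "*"      # the wildcard IQN used by the ClusterACR

@dataclass(frozen=True)
class AccessControlRecord:
    name: str
    chap_user: str   # a configured CHAP user name, or ANY_USER
    iqn: str         # the initiator's IQN, or WILDCARD_IQN

def record_matches(acr: AccessControlRecord, chap_user: str, iqn: str) -> bool:
    """Every configured value of the record must be satisfied by the initiator."""
    chap_ok = acr.chap_user == ANY_USER or acr.chap_user == chap_user
    iqn_ok = acr.iqn == WILDCARD_IQN or acr.iqn == iqn   # exact string match assumed
    return chap_ok and iqn_ok

def access_allowed(mapped_acrs: Iterable[AccessControlRecord], chap_user: str, iqn: str) -> Optional[str]:
    """Name of the first ACR mapped to the volume that admits the initiator, or None."""
    for acr in mapped_acrs:
        if record_matches(acr, chap_user, iqn):
            return acr.name
    return None

def validate_records(acrs: Iterable[AccessControlRecord]) -> List[str]:
    """Check the guide's rules: unique names, a non-blank IQN, an IQN in at most one ACR."""
    errors, seen_names, seen_iqns = [], set(), set()
    for acr in acrs:
        if not acr.name or acr.name in seen_names:
            errors.append(f"ACR name missing or duplicated: {acr.name!r}")
        seen_names.add(acr.name)
        if not acr.iqn:
            errors.append(f"{acr.name}: initiator name is mandatory")
        elif acr.iqn != WILDCARD_IQN:
            if acr.iqn in seen_iqns:
                errors.append(f"{acr.name}: IQN {acr.iqn} is already in another ACR")
            seen_iqns.add(acr.iqn)
        elif acr.chap_user == ANY_USER:   # extra check, not a rule stated in the guide
            errors.append(f"{acr.name}: wildcard IQN with 'Any User' admits every initiator")
    return errors

# Constructed sample following the dynamic-cluster layout (IQNs are made up).
CLUSTER_ACRS = [
    AccessControlRecord("ClusterACR", "Cluster", WILDCARD_IQN),
    AccessControlRecord("NonClusterACR1", "NonCluster", "iqn.1991-05.com.example:server1"),
    AccessControlRecord("NonClusterACR2", "NonCluster", "iqn.1991-05.com.example:server2"),
]
```

Passing an empty string as the CHAP user models an initiator that logs in without CHAP; it is admitted only by records configured with ‘Any User’.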
