Managing access control lists
An access control list (ACL) limits access to chosen LUNs for specific initiators. Initiators not on the list have access to all LUNs in iSCSI target groups.
Prerequisites
- A target group is created, as described in Creating target groups.
To add an initiator to a target group’s ACL
Admin panel
- Open Storage services > Block storage > Target groups, and then click the desired target group in the list (anywhere except the group’s name).
- On the group right pane, open the Access control tab, and then click the pencil icon.
- In the Access control window, select ACL, and then click Add.
- In the Add ACL window, specify the initiator’s IQN, enter an alias, select the LUNs that it will be able to access, and then click Add. The initiator will appear in the ACL.
- Having populated the ACL with initiators, click Save.
Command-line interface
- Add an initiator to the ACL of the target group:
vinfra service block-storage target-group acl add [--alias <alias>] [--lun <lun>] <target-group> <wwn>
--alias <alias>
- Initiator name
--lun <lun>
- LUN ID
<target-group>
- Target group name or ID
<wwn>
- World wide name (WWN) of the target, that is, IQN
For example, to add the initiator initiator1 to the ACL of the target group tg1, run:
# vinfra service block-storage target-group acl add --lun 0 --alias initiator1 tg1 iqn.2014-06.com.vstorage:target1
- Enable ACL for the target group:
vinfra service block-storage target-group set --enable-acl <target-group>
--enable-acl
- Enable ACL
<target-group>
- Target group name or ID
For example, to enable ACL for the target group tg1, run:
# vinfra service block-storage target-group set --enable-acl tg1
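The two CLI steps above can be prepared for several initiators at once and reviewed before anything is changed. The following script is an added example, not part of the product or its documentation: it validates each entry of a plan and prints the vinfra commands without running them. The function names, the "alias iqn lun" plan format, the example.com IQNs in the usage comment, and the conservative IQN character set are assumptions of this example; the last argument of acl add is taken to be the initiator's IQN, as in the admin panel step.

```shell
#!/bin/sh
# Added example: print (never execute) the vinfra commands for an ACL plan.
# Usage: plan_acl tg1 <<'EOF'
#   initiator1 iqn.1994-05.com.example:host1 0     (constructed sample values)
#   EOF

# Accept only iqn.YYYY-MM.<reversed-domain>[:<identifier>] with a conservative
# character set, so that a mistyped or hostile value never reaches a command line.
is_valid_iqn() {
    printf '%s\n' "$1" | grep -Eq \
        '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:[a-z0-9._:-]+)?$'
}

# plan_acl <target-group>: reads "alias iqn lun" lines from stdin.
# All-or-nothing: on the first bad entry it prints nothing and returns 1.
plan_acl() {
    tg=$1
    cmds=""
    n=0
    while read -r alias iqn lun; do
        case $alias in ''|'#'*) continue ;; esac          # skip blanks and comments
        case $alias in *[!A-Za-z0-9_-]*)
            echo "rejected: bad alias '$alias'" >&2; return 1 ;;
        esac
        if ! is_valid_iqn "$iqn"; then
            echo "rejected: bad IQN '$iqn' for $alias" >&2; return 1
        fi
        case $lun in ''|*[!0-9]*)
            echo "rejected: bad LUN ID '$lun' for $alias" >&2; return 1 ;;
        esac
        cmds="${cmds}vinfra service block-storage target-group acl add --lun $lun --alias $alias $tg $iqn
"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "rejected: nothing to add" >&2; return 1; }
    printf '%s' "$cmds"
    # The ACL is enabled last, after every initiator has been added,
    # in the same order as the procedure above.
    printf 'vinfra service block-storage target-group set --enable-acl %s\n' "$tg"
}
```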
To edit an initiator in the ACL
Admin panel
- On the target group right pane, open the Access control tab, and then click the pencil icon.
- In the Access control window, click the pencil icon of the desired initiator, and then click Edit.
- Having changed the ACL, click Save.
Command-line interface
Use the following command:
vinfra service block-storage target-group acl set (--lun <lun> | --no-luns) <target-group> <wwn>
--lun <lun>
- LUN ID
--no-luns
- No LUNs
<target-group>
- Target group name or ID
<wwn>
- World wide name (WWN) of the target, that is, IQN
For example, to change the LUN ID to 1 for the ACL of the target group tg1, run:
# vinfra service block-storage target-group acl set --lun 1 tg1 iqn.2014-06.com.vstorage:target1
To disable the ACL for a target group
Admin panel
Command-line interface
Use the following command:
vinfra service block-storage target-group set --disable-acl <target-group>
--disable-acl
- Disable ACL
<target-group>
- Target group name or ID
For example, to disable the ACL for the target group tg1, run:
# vinfra service block-storage target-group set --disable-acl tg1
To delete an initiator from the ACL
Admin panel
- On the target group right pane, open the Access control tab, and then click the pencil icon in the ACL section.
- In the Access control window, click the pencil icon of the desired initiator, and then click Delete.
- Click Save to apply the changes.
Command-line interface
Use the following command:
vinfra service block-storage target-group acl delete <target-group> <wwn>
<target-group>
- Target group name or ID
<wwn>
- World wide name (WWN) of the target, that is, IQN
For example, to remove the initiator from the ACL of the target group tg1, run:
# vinfra service block-storage target-group acl delete tg1 iqn.2014-06.com.vstorage:target1