Managing access control lists

An access control list (ACL) limits access to chosen LUNs for specific initiators. Initiators not on the list have access to all LUNs in iSCSI target groups.

Prerequisites

To add an initiator to a target group’s ACL

Admin panel

  1. Open Storage services > Block storage > Target groups, and then click the desired target group in the list (anywhere except the group’s name).
  2. On the group right pane, open the Access control tab, and then click the pencil icon.

  3. In the Access control window, select ACL, and then click Add.

  4. In the Add ACL window, specify the initiator’s IQN, enter an alias, select the LUNs that it will be able to access, and then click Add. The initiator will appear in the ACL.

  5. Having populated the ACL with initiators, click Save.

Command-line interface

  1. Add an initiator to the ACL of the target group:

    vinfra service block-storage target-group acl add [--alias <alias>] [--lun <lun>] <target-group> <wwn>

    --alias <alias>
        Initiator name
    --lun <lun>
        LUN ID
    <target-group>
        Target group name or ID
    <wwn>
        World wide name (WWN) of the target, that is, IQN

    For example, to add the initiator initiator1 to the ACL of the target group tg1, run:

    # vinfra service block-storage target-group acl add --lun 0 --alias initiator1 tg1 iqn.2014-06.com.vstorage:target1

  2. Enable ACL for the target group:

    vinfra service block-storage target-group set --enable-acl <target-group>

    --enable-acl
        Enable ACL
    <target-group>
        Target group name or ID

    For example, to enable ACL for the target group tg1, run:

    # vinfra service block-storage target-group set --enable-acl tg1
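
The two CLI steps above, combined for several initiators at once. This is an added example, not part of the product documentation. It validates each entry and prints the vinfra commands for review instead of running them. The input format (one "<iqn> <alias> <lun>" line per initiator), the function names, the allowed characters for aliases and target group names, and the second sample initiator are assumptions made for the example.

```shell
#!/bin/sh
# Added example: print a reviewable vinfra command plan for one target group.
# stdin, one initiator per line (constructed format): <iqn> <alias> <lun>

# IQN shape per RFC 3720: iqn.YYYY-MM.<reversed domain>[:<identifier>]
is_iqn() {
    printf '%s\n' "$1" | grep -Eq \
        '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:[a-z0-9._:-]+)?$'
}

acl_plan() {
    tg=$1 seen=" " plan=""
    # Assumption: target group names and aliases use only these characters.
    case $tg in ''|*[!A-Za-z0-9_.-]*) echo "bad target group: $tg" >&2; return 1;; esac
    while read -r iqn alias lun || [ -n "$iqn" ]; do
        case $iqn in ''|'#'*) continue;; esac
        is_iqn "$iqn" || { echo "bad IQN: $iqn" >&2; return 1; }
        case $alias in ''|*[!A-Za-z0-9_-]*) echo "bad alias for $iqn" >&2; return 1;; esac
        case $lun in ''|*[!0-9]*) echo "bad LUN for $iqn" >&2; return 1;; esac
        case $seen in *" $iqn "*) echo "duplicate IQN: $iqn" >&2; return 1;; esac
        seen="$seen$iqn "
        plan="${plan}vinfra service block-storage target-group acl add --lun $lun --alias $alias $tg $iqn
"
    done
    [ -n "$plan" ] || { echo "no initiators given" >&2; return 1; }
    # Nothing is printed unless every line validated; ACL is enabled last.
    printf '%s' "$plan"
    echo "vinfra service block-storage target-group set --enable-acl $tg"
}

# Constructed sample input; the second IQN and alias are made up.
sample='iqn.2014-06.com.vstorage:target1 initiator1 0
iqn.2020-01.com.example:host2 initiator2 1'
printf '%s\n' "$sample" | acl_plan tg1
```

A malformed IQN, alias, or LUN, or a repeated IQN, stops the function with a non-zero status before any command is printed, so a partial plan is never produced.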

To edit an initiator in the ACL

Admin panel

  1. On the target group right pane, open the Access control tab, and then click the pencil icon.
  2. In the Access control window, click the pencil icon of the desired initiator, and then click Edit.
  3. Having changed the ACL, click Save.

Command-line interface

Use the following command:

vinfra service block-storage target-group acl set (--lun <lun> | --no-luns) <target-group> <wwn>

--lun <lun>
    LUN ID
--no-luns
    No LUNs
<target-group>
    Target group name or ID
<wwn>
    World wide name (WWN) of the target, that is, IQN

For example, to change the LUN ID to 1 for the ACL of the target group tg1, run:

# vinfra service block-storage target-group acl set --lun 1 tg1 iqn.2014-06.com.vstorage:target1

To disable the ACL for a target group

Admin panel

  1. On the target group right pane, open the Access control tab, and then click the pencil icon in the ACL section.
  2. In the Access control window, clear ACL, and then click Save.

Command-line interface

Use the following command:

vinfra service block-storage target-group set --disable-acl <target-group>

--disable-acl
    Disable ACL
<target-group>
    Target group name or ID

For example, to disable the ACL for the target group tg1, run:

# vinfra service block-storage target-group set --disable-acl tg1

To delete an initiator from the ACL

Admin panel

  1. On the target group right pane, open the Access control tab, and then click the pencil icon in the ACL section.
  2. In the Access control window, click the pencil icon of the desired initiator, and then click Delete.
  3. Click Save to apply the changes.

Command-line interface

Use the following command:

vinfra service block-storage target-group acl delete <target-group> <wwn>

<target-group>
    Target group name or ID
<wwn>
    World wide name (WWN) of the target, that is, IQN

For example, to remove the initiator from the ACL of the target group tg1, run:

# vinfra service block-storage target-group acl delete tg1 iqn.2014-06.com.vstorage:target1