SANRAD V-Switch Switch User Manual


 
Chapter 7: Volume Exposure and Security 119
Changing the Default Identity
If you are working in a V-Switch cluster, the default access rights must be disabled on both V-Switches. In the event of a failover, if the default access rights are not modified on both V-Switches, all volumes attached to the target will be read-write accessible to all iSCSI initiators.
When a target is created, a default access control identity is automatically
assigned to its position 0. The default identity allows all hosts read-write
access to the target and its underlying volume(s).
If you want to specify other access rights, you must change the general
read-write access. Use the CLI command acl set to modify a target’s
access rights and identity position.
If you add or modify identities on a target after its volumes have been
exposed, the access rights will take effect only at the next login for each
iSCSI initiator. Therefore, it is recommended to modify the default access
rights for a target before creating new identities, to ensure that the target
is not inadvertently exposed to all iSCSI initiators at the outset.
acl set
You need to define four parameters to modify an identity:
SWITCH  PARAMETER  DEFINITION                          STATUS     EXAMPLE
-ta     TARGET     ALIAS OF TARGET TO CONNECT WITH     MANDATORY  finance
                   ACL IDENTITY
-id     IDENTITY   ACL IDENTITY                        MANDATORY  DEF_ALL
-acc    ACCESS     ACCESS RIGHTS TO TARGET:            OPTIONAL   na
                   DEFAULT = RW
                   RW = READ-WRITE
                   RO = READ-ONLY
                   NA = NOT ACCESSIBLE
-pos    POSITION   IDENTITY RANK IN ACCESS RIGHT       OPTIONAL   0
                   EVALUATION SCAN
                   DEFAULT = NEXT HIGHEST AVAILABLE
                   NUMBER
Example
The default access rights for the target finance are changed to not accessible,
meaning a non-specific host is not allowed access to the target finance.
acl set -ta finance -id def_all -acc na
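The following check is an added example, not part of the SANRAD manual or its CLI: it audits a constructed inventory of both cluster members for default identities that still grant access, and builds the matching acl set commands in the syntax shown above. The inventory layout, switch names, the payroll target and host_fin1 are assumptions made for illustration.

```python
# Constructed inventory (not V-Switch CLI output): per cluster member, each
# target alias maps to (position, identity, access) entries. Switch names,
# "payroll" and "host_fin1" are hypothetical.
CLUSTER_ACLS = {
    "vswitch-a": {"finance": [(0, "def_all", "na"), (1, "host_fin1", "rw")],
                  "payroll": [(0, "def_all", "rw")]},
    "vswitch-b": {"finance": [(0, "def_all", "rw"), (1, "host_fin1", "rw")],
                  "payroll": [(0, "def_all", "ro")]},
}
DEFAULT_IDENTITY = "def_all"


def default_access(cluster):
    """Yield (switch, target, access) for every default identity entry."""
    for switch, targets in cluster.items():
        for target, identities in targets.items():
            for _pos, identity, access in identities:
                if identity.lower() == DEFAULT_IDENTITY:
                    yield switch, target, access.lower()


def remediation(cluster):
    """Per switch, the acl set commands (syntax as in the manual's example)
    for targets whose default identity still grants rw or ro to any host."""
    plan = {}
    for switch, target, access in sorted(default_access(cluster)):
        if access != "na":
            plan.setdefault(switch, []).append(
                f"acl set -ta {target} -id {DEFAULT_IDENTITY} -acc na")
    return plan


def cluster_mismatches(cluster):
    """Targets whose default access differs between cluster members: the
    case where a failover changes what non-specific hosts can reach."""
    seen = {}
    for _switch, target, access in default_access(cluster):
        seen.setdefault(target, set()).add(access)
    return sorted(t for t, accs in seen.items() if len(accs) > 1)


if __name__ == "__main__":
    for switch, cmds in remediation(CLUSTER_ACLS).items():
        print(switch, *cmds, sep="\n  ")
    print("default access differs on:", cluster_mismatches(CLUSTER_ACLS))
```

Because changed rights apply only at each initiator's next login, the generated commands belong before any new identities are created and before volumes are exposed.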