We have four access permissions: Full Access, Virtual
Write, Read-Only and Refuse.
Full Access: The client has both read and write rights and
treats the target as a local disk.
Virtual Write: Allows writing to read-only disks, but
the results of the writes take effect only for that user.
Read-Only: The client has only the read right; it cannot
write any data to the disk.
Refuse: Logging on to the target is forbidden.
There are four authorization modes: Anonymous, CHAP, IP Filter and
Mixed.
Anonymous: All initiators get full access permission
without any authorization required.
CHAP: All initiators need to specify a CHAP user and
secret to connect to the target. KernSafe iSCSI SAN has a built-in user called
“Guest”, which is used for initiators that do not specify a CHAP secret.
IP Filter: All initiators are authorized by their incoming IP
address, as defined by the IP Filter roles.
Mixed: Security policy is determined by both CHAP and IP
Filters.
If you check "Inherit security roles from global settings",
all client security roles are taken from the global settings; otherwise, each client
has its own permissions.
Notes:
• In Anonymous mode, initiators have full access permission.
• A client has the Guest user's permission when it logs on anonymously
to a target with CHAP authorization mode; if the Guest user is deleted, the client will be refused logon.
• The Guest user has the Virtual Write permission on a target that has
enabled the Virtual Write feature by default; otherwise, it has the Read-Only permission.
• When the Guest user belongs to a group, it has the same permission as the
group.
• When we add any address to IP Filter, all initiators will
gain the same permission as we set.
• Access permission is upgradable: if an initiator meets more than
one role, its access permission is upgraded to the highest one. Permission
order: Refused < Read-only < Virtual-Write < Full-Access.
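
The upgrade rule above means a restrictive role does not override a permissive one that also matches. The following Python model of the notes is an added example, not KernSafe code; the function names, the CIDR-style IP Filter matching and the sample addresses are assumptions made for illustration.

```python
from enum import IntEnum
from ipaddress import ip_address, ip_network

class Perm(IntEnum):
    # Order stated on the page: Refused < Read-only < Virtual-Write < Full-Access
    REFUSED = 0
    READ_ONLY = 1
    VIRTUAL_WRITE = 2
    FULL_ACCESS = 3

def guest_permission(guest_exists, virtual_write_enabled, group_perm=None):
    """Permission of the built-in Guest user, following the notes above."""
    if not guest_exists:
        return Perm.REFUSED            # deleted Guest: logon is refused
    if group_perm is not None:
        return group_perm              # Guest takes its group's permission
    return Perm.VIRTUAL_WRITE if virtual_write_enabled else Perm.READ_ONLY

def resolve(initiator_ip, chap_perm, ip_roles):
    """Mixed mode: return (effective permission, names of outranked roles).

    chap_perm -- permission of the CHAP user (or Guest) used for the logon
    ip_roles  -- list of (cidr, Perm); CIDR matching is an assumption here
    """
    matched = [("CHAP user", chap_perm)]
    addr = ip_address(initiator_ip)
    matched += [(f"IP {cidr}", p) for cidr, p in ip_roles
                if addr in ip_network(cidr)]
    effective = max(p for _, p in matched)       # "upgraded to the highest one"
    outranked = [name for name, p in matched if p < effective]
    return effective, outranked

# Constructed sample policy (documentation address ranges, not from the page)
IP_ROLES = [
    ("192.0.2.0/24", Perm.FULL_ACCESS),
    ("192.0.2.50/32", Perm.REFUSED),   # meant as a block, but it is outranked
]

if __name__ == "__main__":
    guest = guest_permission(guest_exists=True, virtual_write_enabled=False)
    for ip in ("192.0.2.50", "198.51.100.7"):
        perm, outranked = resolve(ip, guest, IP_ROLES)
        print(ip, perm.name, "outranked roles:", outranked)
```

When reviewing a target's roles, any Refuse or Read-Only entry that appears in the outranked list is not restricting that initiator and should be checked against the broader role that wins.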