This document shows you how to configure iSCSI Advanced ACL (access control list) on QNAP Turbo NAS and verify the settings. All x86-based Turbo NAS models (TS-x39, TS-x59, TS-509, and TS-809) support this feature.
In a clustered network environment, multiple iSCSI initiators may be allowed to access the same iSCSI LUN (Logical Unit Number) because a cluster-aware file system or a SCSI fencing mechanism coordinates the hosts. The cluster-aware file system provides the locking needed to avoid file system corruption.
If you are not running a cluster-aware file system and more than one initiator connects to the same iSCSI target, you must prevent the initiators from accessing an iSCSI LUN at the same time, since two ordinary hosts writing to one NTFS volume will corrupt it. QNAP iSCSI Advanced ACL (Access Control List) gives you a safe way to set this up: you create LUN masking policies that define the permission each iSCSI initiator has on the LUNs mapped to the iSCSI targets on the NAS. Bear in mind that a policy matches on the initiator IQN, which is a name the initiator reports about itself and can be changed on the host; LUN masking therefore protects against accidental concurrent access by well-behaved hosts, not against a hostile client. If the initiators are not trusted, also enable CHAP authentication on the target and keep the iSCSI traffic on a dedicated network.
LUN masking defines the LUN access rights for a connected iSCSI initiator. If an initiator is not assigned to any LUN masking policy, the default policy is applied (see Figure 1). You can set one of the following access rights per LUN for each connected initiator:
- Read-only: The connected initiator can only read the data from the LUNs.
- Read/Write: The connected initiator has Read and Write permission to the LUNs.
- Deny Access: The LUN is invisible to the connected initiator.
This how-to demonstrates how to configure Advanced ACL on a QNAP Turbo NAS. The test environment is listed in Table 1. Host 1 and Host 2 connect to the same iSCSI target, which has three LUNs formatted as NTFS. The default policy denies access from all initiators, and the LUN permissions for the two initiators are listed in Table 2.
Note: If iSCSI initiators are already connected to the target while you modify the ACL settings, the changes take effect for those initiators only after they disconnect and reconnect to the target. In particular, revoking an initiator's access in the ACL does not end a session that is already established, so disconnect the initiator (or restart its iSCSI service) to enforce the new policy.
Figure 1: Flowchart of Advanced ACL
| Device | Configuration |
|---|---|
| Host 1 | OS: Windows 2008; initiator IQN: iqn.1991-05.com.microsoft:host1 |
| Host 2 | OS: Windows 2008; initiator IQN: iqn.1991-05.com.microsoft:host2 |
| Turbo NAS | iSCSI target IQN: iqn.2004-04.com.qnap:ts-439proii:iscsi.test.be23e6 |
| Turbo NAS | LUN 1 name: lun-1, size: 10 GB |
| Turbo NAS | LUN 2 name: lun-2, size: 20 GB |
| Turbo NAS | LUN 3 name: lun-3, size: 30 GB |
Table 1: Test Environment
| LUN | Host 1 | Host 2 |
|---|---|---|
| LUN 1 (10 GB) | Deny | Read Only |
| LUN 2 (20 GB) | Read Only | Read/Write |
| LUN 3 (30 GB) | Read/Write | Deny |
Table 2: LUN Masking Settings (the LUN 3 row is restored from the verification results below: it is writable on Host 1 and not visible on Host 2)
iSCSI configuration on QNAP NAS
Default Policy Settings
Log in to the web administration interface of the NAS as an administrator. Go to "Disk Management" > "iSCSI" > "ADVANCED ACL". Click to edit the default policy.
Figure 2: Default Policy
Select "Deny Access" so that an initiator without a matching policy cannot see any LUN, then click "APPLY". Setting the default to deny first means a newly connected or misspelled initiator gets no access rather than full access.
Figure 3: Default Policy Configuration
Configure LUN masking for Host 1:
- Click "Add a Policy".
- Enter "host1-policy" in the "Policy Name".
- Enter "iqn.1991-05.com.microsoft:host1" in the "Initiator IQN".
- Set the LUN permission according to Table 2: LUN Masking Settings.
- Click "APPLY".
Repeat the above steps to configure the LUN permission for Host 2.
Figure 4: Add a New Policy
Figure 5: Configure New Policy for Host 1
Figure 6: Configure New Policy for Host 2
Hint: How do I find the initiator IQN?
On Host 1 and Host 2, start the Microsoft iSCSI Initiator and click the "General" tab. The initiator node name shown there is the IQN; copy it exactly, because the policy only matches on an identical string.
Verify the settings
To verify the configuration, connect to the iSCSI target from Host 1 and from Host 2 and check which disks appear and whether they are writable.
Verification on Host 1:
- Connect to the iSCSI target (refer to "Connect to iSCSI targets by Microsoft iSCSI initiator on Windows" for details).
- On the Windows Start menu, right-click "Computer" > "Manage". In the "Server Manager" window, click "Disk Management".
Host 1 has no access to LUN 1 (10 GB), so only two disks are listed: Disk 1 (20 GB, LUN 2) is read only and Disk 2 (30 GB, LUN 3) is writable.
Verification on Host 2:
Repeat the same steps on Host 2. Two disks are listed in "Server Manager": Disk 1 (10 GB, LUN 1) is read only and Disk 2 (20 GB, LUN 2) is writable. LUN 3 (30 GB) is denied for Host 2 and is therefore not listed at all.
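The IQN lookup in the hint above and the verification steps for both hosts can be scripted instead of clicked through. The following is an added example and not part of the QNAP how-to; it uses the Windows iSCSI PowerShell module (Windows Server 2012 and later; the Windows 2008 hosts in Table 1 would use the iSCSI Initiator GUI or iscsicli.exe instead). The NAS address 192.168.1.10 is an assumption, since the page does not give one, and the expected permissions are taken from Table 2 for host1-policy.

```powershell
# Added example (not from the QNAP how-to): verify iSCSI LUN masking from a
# Windows host. Assumes the iSCSI PowerShell module (Server 2012+) and a NAS
# reachable at $NasAddress; the address below is a placeholder.
param(
    [string]$NasAddress = "192.168.1.10",   # assumed NAS IP, not given on the page
    [string]$TargetIqn  = "iqn.2004-04.com.qnap:ts-439proii:iscsi.test.be23e6"
)

# Step 1: the IQN this host presents. LUN masking keys on this exact string,
# so it must match the "Initiator IQN" typed into the policy character for character.
$initiatorIqn = (Get-InitiatorPort | Where-Object { $_.ConnectionType -eq 'iSCSI' }).NodeAddress
"This host's initiator IQN: $initiatorIqn"

# Step 2: ACL changes only apply to new sessions, so drop any existing session
# to the target before checking what it exposes.
$target = Get-IscsiTarget -NodeAddress $TargetIqn -ErrorAction SilentlyContinue
if ($target -and $target.IsConnected) {
    Disconnect-IscsiTarget -NodeAddress $TargetIqn -Confirm:$false
}

# Step 3: register the portal and log in to the target.
New-IscsiTargetPortal -TargetPortalAddress $NasAddress | Out-Null
Connect-IscsiTarget -NodeAddress $TargetIqn | Out-Null

# Step 4: list the iSCSI disks the target exposed. A denied LUN never shows up;
# a read-only LUN is the disk that Disk Management marks as read only.
$iscsiDisks = Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' }
$iscsiDisks |
    Select-Object Number,
                  @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) } },
                  IsReadOnly, OperationalStatus |
    Format-Table -AutoSize

# Step 5: compare against the intended policy. The LUN number is not visible to
# the initiator, so the LUNs are matched by their size from Table 1.
# These values are host1-policy from Table 2; swap in Host 2's row on Host 2.
$expected = @{ 10 = 'Deny'; 20 = 'ReadOnly'; 30 = 'ReadWrite' }
foreach ($sizeGb in ($expected.Keys | Sort-Object)) {
    $disk = $iscsiDisks | Where-Object { [math]::Round($_.Size / 1GB) -eq $sizeGb }
    $actual  = if (-not $disk) { 'Deny' } elseif ($disk.IsReadOnly) { 'ReadOnly' } else { 'ReadWrite' }
    $verdict = if ($actual -eq $expected[$sizeGb]) { 'OK' } else { 'MISMATCH' }
    "{0,3} GB LUN: expected {1,-9} actual {2,-9} {3}" -f $sizeGb, $expected[$sizeGb], $actual, $verdict
}
```

Run it from an elevated PowerShell on each host after applying the policies on the NAS. Any MISMATCH line means either the policy was entered against the wrong IQN or the host still holds a session that predates the ACL change; disconnecting and reconnecting, as the note above describes, resolves the latter.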