Namespace security

Provisioning Guide for VSP One Block

Version
10.2.x
Part Number
MK-23VSP1B012-00

To use namespace security functions, you must enable the namespace security setting on the NVM subsystem. You do not need to configure the LUN security setting for a Fibre Channel port and an iSCSI port.

When namespace security is enabled, the logical volumes that a host can access are determined by the host NQN settings for the NVM subsystem and the namespace. The host can access only a logical volume assigned to the NVM subsystem and the namespace for which the host NQN is set.

The following table lists the differences between LUN security and namespace security in user operations and access from the host.

Compared: LUN security (FC-SCSI, iSCSI) and namespace security (NVMe-oF, NVMe/TCP)

What is the security set for?
  • LUN security: Each port
  • Namespace security: Each NVM subsystem

Default setting
  • LUN security: Disabled
  • Namespace security: Enabled*

Host access control for logical volumes
  • LUN security, FC-SCSI: Set a host bus adapter (HBA) WWN for a host group.
  • LUN security, iSCSI: Set a host iSCSI name for an iSCSI port.
  • Namespace security: Set a host NQN defined by the host system for the NVM subsystem. In addition, set an access path (host-namespace path) between the namespace and the host NQN.

Security operations
  • LUN security, FC-SCSI:
    • When the LUN security is disabled, any host can connect (log in) to the Fibre Channel port. The host can only recognize and access a logical volume of the LU for which the path is defined in the default host group (host group 0) belonging to the port.
    • When the LUN security is enabled, the host can only recognize and access a logical volume of the LU defined in a host group with a WWN set.
  • LUN security, iSCSI:
    • When the LUN security is disabled, any host can connect (log in) to the iSCSI port.
    • When the LUN security is enabled, only the host with a host iSCSI name set for the iSCSI port can recognize and access a logical volume of the LU defined for the iSCSI port.
  • Namespace security:
    • When the namespace security is disabled, any host can establish the NVMe connection (connect) to the NVM subsystem. The host can recognize and access the logical volumes of all namespaces defined on the NVM subsystem.
    • When the namespace security for the NVM subsystem is enabled, the host can only recognize and access the namespace for which the host-namespace path is set between the namespace and the host NQN.
    • When the namespace security for the NVM subsystem is enabled, the host can only recognize the NVM subsystem for which the host NQN is set.

* Namespace security is enabled by default if the namespace security setting is not specified when the NVM subsystem is created.

For example, the following figure shows the logical volumes that the host can access when namespace security is set. Namespace security is enabled on NVM subsystem ID 101 and NVM subsystem ID 102. Host server 1 can access NVM subsystem 101, but not NVM subsystem 102. In addition, namespace ID (NSID) 1 and NSID 2 in NVM subsystem 101 can be recognized, and therefore the logical volumes assigned to those namespaces can be accessed. The logical volume assigned to NSID 3 in NVM subsystem 101 cannot be recognized. The namespace in NVM subsystem 102 cannot be recognized, because the NVMe connection (connect) cannot be established to NVM subsystem ID 102.


Namespace security example
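The access rules above can be checked against an intended configuration with a small model. The following Python sketch is an added example, not part of the product or its tooling; it reproduces the scenario in the text, and the class, function names, NQN strings, second host, and the NSID on subsystem 102 are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class NvmSubsystem:
    """Simplified model of one NVM subsystem's namespace security settings."""
    subsystem_id: int
    namespaces: set                                # NSIDs defined on the subsystem
    host_nqns: set = field(default_factory=set)    # host NQNs set for the subsystem
    paths: set = field(default_factory=set)        # (host NQN, NSID) host-namespace paths
    security_enabled: bool = True                  # enabled by default, per the table

def can_connect(sub, host_nqn):
    """Security disabled: any host connects. Enabled: the host NQN must be set."""
    return not sub.security_enabled or host_nqn in sub.host_nqns

def visible_namespaces(sub, host_nqn):
    """Return the NSIDs the host can recognize on this subsystem."""
    if not sub.security_enabled:
        return set(sub.namespaces)                 # every namespace is exposed
    if host_nqn not in sub.host_nqns:
        return set()                               # connect is refused
    return {nsid for nqn, nsid in sub.paths
            if nqn == host_nqn and nsid in sub.namespaces}

def exposure_report(subsystems, host_nqns):
    """Map (subsystem ID, host NQN) to sorted visible NSIDs, for review against intent."""
    return {(s.subsystem_id, h): sorted(visible_namespaces(s, h))
            for s in subsystems for h in host_nqns}

# Constructed sample data mirroring the example in the text. The NQN strings,
# HOST2, and the NSID used on subsystem 102 are assumptions.
HOST1 = "nqn.2014-08.com.example:host-server-1"
HOST2 = "nqn.2014-08.com.example:host-server-2"
SUB101 = NvmSubsystem(101, {1, 2, 3}, {HOST1}, {(HOST1, 1), (HOST1, 2)})
SUB102 = NvmSubsystem(102, {1}, {HOST2}, {(HOST2, 1)})

if __name__ == "__main__":
    for key, nsids in exposure_report([SUB101, SUB102], [HOST1, HOST2]).items():
        print(key, nsids)
```

Constructing a subsystem with `security_enabled=False` shows the disabled case from the table: every host then sees every namespace, regardless of the NQN and path settings.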