To use namespace security functions, you must enable the namespace security setting on the NVM subsystem. You do not need to configure the LUN security setting for a Fibre Channel port and an iSCSI port.
When namespace security is enabled, the logical volumes that a host can access are determined by the host NQN settings for the NVM subsystem and the namespace. The host can access only a logical volume assigned to an NVM subsystem and a namespace for which the host NQN is set.
The following table lists the differences between LUN security and namespace security in user operations and access from the host.
Item | LUN security (FC-SCSI, iSCSI) | Namespace security (NVMe-oF, NVMe/TCP) |
---|---|---|
What is the security set for? | Each port | Each NVM subsystem |
Default setting | Disabled | Enabled* |
Host access control for logical volumes | | Set a host NQN defined by the host system for the NVM subsystem. In addition, set an access path (host-namespace path) between the namespace and the host NQN. |
Security operations | | |

* Namespace security is enabled by default if the namespace security setting is not specified when the NVM subsystem is created.

For example, the following figure shows logical volumes that the host can access when namespace security is set. Security is enabled on NVM subsystem IDs 101 and 102. Host server 1 can access NVM subsystem 101, but not NVM subsystem 102. In addition, namespace ID (NSID) 1 and NSID 2 in NVM subsystem 101 can be recognized, and therefore the logical volumes assigned to those namespaces can be accessed. The logical volume assigned to NSID 3 in NVM subsystem 101 cannot be recognized. The namespace in NVM subsystem 102 cannot be recognized, because the NVMe connection (connect) cannot be established to NVM subsystem ID 102.
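
The access rules in this example can be expressed as a small model, added here as an illustration; it is not the storage system's API or CLI. The host NQNs, logical volume labels, host server 2, and the contents of NVM subsystem 102 are constructed assumptions, and the `audit` checks are hypothetical review rules, not product behavior.

```python
from dataclasses import dataclass, field

@dataclass
class NvmSubsystem:
    """Simplified model of one NVM subsystem (not the storage system's API)."""
    subsystem_id: int
    security_enabled: bool = True                    # enabled by default per the table
    host_nqns: set = field(default_factory=set)      # host NQNs set for the subsystem
    namespaces: dict = field(default_factory=dict)   # NSID -> logical volume label
    paths: set = field(default_factory=set)          # (host NQN, NSID) host-namespace paths

def can_connect(sub, host_nqn):
    """Connect succeeds only if the host NQN is set for the subsystem."""
    if not sub.security_enabled:
        raise ValueError("model covers only subsystems with namespace security enabled")
    return host_nqn in sub.host_nqns

def visible_nsids(sub, host_nqn):
    """NSIDs the host recognizes: connect must succeed and a path must exist."""
    if not can_connect(sub, host_nqn):
        return []
    return sorted(n for n in sub.namespaces if (host_nqn, n) in sub.paths)

def audit(sub):
    """Report a disabled security setting and inconsistent NQN/path settings."""
    findings = []
    if not sub.security_enabled:
        findings.append("namespace security disabled")
    for nqn, nsid in sorted(sub.paths):
        if nqn not in sub.host_nqns:
            findings.append(f"path for host NQN not set on subsystem: {nqn} -> NSID {nsid}")
        if nsid not in sub.namespaces:
            findings.append(f"path to undefined NSID {nsid}")
    for nqn in sorted(sub.host_nqns - {p[0] for p in sub.paths}):
        findings.append(f"host NQN with no host-namespace path: {nqn}")
    return findings

# Constructed sample data mirroring the scenario in the text.
HOST1 = "nqn.2014-08.com.example:host-server-1"
HOST2 = "nqn.2014-08.com.example:host-server-2"   # assumed second host
SUB101 = NvmSubsystem(101, True, {HOST1}, {1: "LDEV-A", 2: "LDEV-B", 3: "LDEV-C"},
                      {(HOST1, 1), (HOST1, 2)})
SUB102 = NvmSubsystem(102, True, {HOST2}, {1: "LDEV-D"}, {(HOST2, 1)})

if __name__ == "__main__":
    for sub in (SUB101, SUB102):
        print(sub.subsystem_id, can_connect(sub, HOST1), visible_nsids(sub, HOST1), audit(sub))
```

In this model, host server 1 recognizes NSID 1 and NSID 2 on NVM subsystem 101, does not recognize NSID 3 because no host-namespace path exists, and cannot connect to NVM subsystem 102.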