Access Control
You can use the GUI (DeviceManager) or the CLI to access the OceanStor Dorado V6 series storage system and to control access to its management and service resources, thereby protecting both the storage system itself and the service data it holds.
Management Resource Access Control
- Accessible IP addresses
When security restrictions are enabled, only clients whose IP addresses are in the accessible IP address list can log in to the storage system; connections from any other address are rejected before authentication.
- User permission control
To prevent misoperations from compromising storage system stability or service data security, user permissions are controlled through roles: each user is assigned a role, and the role defines which operations the user may perform.
The storage system provides both built-in and user-defined roles.
- Built-in roles are preset in the storage system, each with a fixed set of permissions, as shown in Table 3-1.
- User-defined roles allow you to configure the scope of permissions as required. For details, see the administrator guide.
Table 3-1 Built-in roles

| Built-in Role | Permissions Owned by the Role |
|---|---|
| Super administrator | All permissions |
| Administrator | All permissions except user management, security configuration, batch configuration, and high-risk maintenance operations |
| Security administrator | System security configuration permissions, including management of security rules, certificates, KMC, and data destruction |
| SAN resource administrator | SAN resource management permissions, including management of storage pools, LUNs, mapping views, hosts, ports, and background configuration tasks |
| Data protection administrator | Data protection management permissions, including management of LUNs, local data protection, remote data protection, HyperMetro, and background configuration tasks |
| Remote device administrator | Cross-device data protection management permissions, including management of remote replication, HyperMetro, 3DC, LUNs, and mapping views. This role is used for remote authentication in cross-device data protection scenarios. |
| Monitor | Routine O&M permissions, such as information collection, performance collection, and inspection. This role cannot manage SAN resources, data protection, or security configuration. |
| Non-privileged administrator | Basic system permissions, including querying information about the system, users, and roles. This role can be queried or used only on the CLI, where it is displayed as Empty role. |
The super administrator can lock other user accounts and force their sessions offline, and in some conditions can manually restrict the access activities of specific accounts. Table 3-2 lists the user management operations that the super administrator can perform.

Table 3-2 Management operations of the super administrator

| Management Operation | Description |
|---|---|
| Creating | Adds a user and sets its information, including the permission, user name, password, and role. Local users, LDAP users, and LDAP user groups can be added. |
| Modifying | Modifies information about a permission-assigned user, such as the user role, password, and description. |
| Deleting | Deletes a user that no longer needs operation permission, ensuring system security and stability. |
| Getting a user account offline | Forcibly logs users off during a device upgrade or troubleshooting to prevent interference from these users. Available to the super administrator only. |
| Locking | Locks a user account to freeze its operation permissions. Available to the super administrator only. |
| Unlocking | Unlocks a locked user account to restore its operation permissions. Available to the super administrator only. |
| Initializing password | When a non–super administrator forgets the password or the password has been maliciously tampered with, the super administrator can reset it. The new initial password must be used at the next login. |
| Changing the password upon the next login | If a non–super administrator account shows suspected security issues, the super administrator can force the account user to change the password at the next login. Until the password is changed, the account cannot log in to the storage system. |
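The management-plane controls described in this section (accessible IP address list, account lock and offline state, forced password change, role permissions, and the operations reserved for the super administrator) can be read as one deny-by-default decision evaluated in a fixed order. The following is an added illustration written for this page, not Huawei's own code or the product's internal permission table. The role and operation names follow Tables 3-1 and 3-2, but the mapping of operations to roles in `ROLE_PERMISSIONS` is an assumption made for the example.

```python
"""Added example: a model of the management access checks, not product code.
Order matters: client IP and account state are rejected before any role
logic runs, and lock/unlock/get-offline are reserved for the super
administrator regardless of what other permissions a role holds."""
import ipaddress
from dataclasses import dataclass, field

# Per Table 3-2, these operations are available to the super administrator only.
SUPER_ADMIN_ONLY = {"lock_user", "unlock_user", "get_user_offline"}

# ASSUMPTION for illustration: which roles may perform which operations.
# Names echo Table 3-1; the product's real permission table is not on this page.
ROLE_PERMISSIONS = {
    "super_administrator": {"*"},
    "administrator": {"manage_lun", "manage_pool", "manage_replication", "collect_info"},
    "security_administrator": {"manage_security_rule", "manage_certificate", "manage_kmc", "collect_info"},
    "san_resource_administrator": {"manage_pool", "manage_lun", "manage_mapping", "collect_info"},
    "data_protection_administrator": {"manage_lun", "manage_replication", "manage_hypermetro", "collect_info"},
    "monitor": {"collect_info", "collect_performance", "inspect"},
    "non_privileged_administrator": {"query_system", "query_user", "query_role"},
}


@dataclass
class Account:
    name: str
    role: str
    locked: bool = False                # set by "Locking" in Table 3-2
    must_change_password: bool = False  # set by "Changing the password upon the next login"


@dataclass
class Policy:
    security_restrictions_enabled: bool
    accessible_ips: list = field(default_factory=list)  # addresses or CIDR segments

    def ip_allowed(self, client_ip: str) -> bool:
        """Accessible IP address list is enforced only when security restrictions are on."""
        if not self.security_restrictions_enabled:
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(net, strict=False) for net in self.accessible_ips)


def authorize(policy: Policy, account: Account, client_ip: str, operation: str):
    """Return (allowed, reason). Everything not explicitly permitted is denied."""
    if not policy.ip_allowed(client_ip):
        return False, "client IP not in accessible IP address list"
    if account.locked:
        return False, "account locked by super administrator"
    if account.must_change_password and operation != "change_password":
        return False, "password change required before any other operation"
    if operation in SUPER_ADMIN_ONLY and account.role != "super_administrator":
        return False, "operation reserved for super administrator"
    perms = ROLE_PERMISSIONS.get(account.role, set())
    if "*" in perms or operation in perms or operation == "change_password":
        return True, "ok"
    return False, f"role {account.role} lacks {operation}"


if __name__ == "__main__":
    policy = Policy(security_restrictions_enabled=True, accessible_ips=["192.168.10.0/24"])
    print(authorize(policy, Account("ops", "administrator"), "192.168.10.5", "lock_user"))
    print(authorize(policy, Account("root", "super_administrator"), "192.168.10.5", "lock_user"))
```

The IP check runs first so that a client outside the list learns nothing about account names or roles, and the account-state checks run before the role check so that a locked administrator cannot exercise any permission at all, which is what "freezes its operation permissions" in Table 3-2 means in practice.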
Service Resource Access Control
- Block service access control
DeviceManager provides simple and flexible methods for creating the following mappings, which define which hosts are allowed to access which LUNs:
- Mapping between LUNs and a host
You can directly map one or more LUNs to a host in a simple application scenario or when no LUN groups are required.
- Mapping between a LUN group and a host
If an application requires multiple LUNs, you can use a LUN group to manage these LUNs. In this case, create a mapping between the LUN group and the host.
- Mapping between a LUN group and a host group
If an application has its data stored on multiple LUNs and is deployed on a cluster consisting of multiple hosts, you can use a LUN group to manage the LUNs and a host group to manage the hosts. In this case, create a mapping between the LUN group and the host group.
- File service access control
- For file services that use CIFS shares, the storage system combines authentication with an access control list (ACL). It first checks the validity of the user (authentication) to decide whether the user may access the share at all, then evaluates the ACL to determine which operations that user may perform, so different users receive different access permissions on the same share.
- For file services that use NFS shares, the storage system controls access by client IP address or IP address segment: only clients in a configured IP address or IP address segment have the rights to access the NFS share. Because the decision is made on the client address rather than on an authenticated user, every local user of an allowed host inherits that access, so the allowed segments should be kept as narrow as the hosts that actually need the share.
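The two file service controls above work differently and it helps to see both decisions side by side. The following is an added example written for this page, not the storage system's code: for CIFS it authenticates the user and then evaluates a share ACL in which explicit Deny entries override Allow entries (the usual Windows ACL semantics); for NFS it matches the client IP against exported address segments and lets the most specific entry win. The user store, ACL entries and export list are constructed sample data, and the plaintext password comparison is a simplification for the example only.

```python
"""Added example (not product code): CIFS authentication-then-ACL and
NFS address-segment access decisions, with constructed sample data."""
import ipaddress
from hmac import compare_digest

# Constructed sample users. A real system stores password hashes, not plaintext.
USERS = {
    "alice": {"password": "s3cret", "groups": {"finance", "staff"}},
    "bob": {"password": "hunter2", "groups": {"staff"}},
}

# Constructed share ACL: (principal, kind, type, rights).
# kind is "user" or "group"; type is "allow" or "deny".
CIFS_ACL = [
    ("finance", "group", "allow", {"read", "write"}),
    ("staff", "group", "allow", {"read"}),
    ("bob", "user", "deny", {"read", "write"}),   # explicit deny for one staff member
]

# Constructed NFS export list: (address or segment, access mode).
NFS_EXPORTS = [
    ("192.168.10.0/24", "ro"),
    ("192.168.10.50", "rw"),      # one host in the segment gets read-write
    ("10.0.0.0/8", "none"),       # explicitly excluded segment
]


def authenticate(user: str, password: str) -> bool:
    """Step 1 for CIFS: is this a valid user?"""
    rec = USERS.get(user)
    return rec is not None and compare_digest(rec["password"], password)


def cifs_rights(user: str) -> set:
    """Step 2 for CIFS: union of matching Allow entries minus any matching Deny."""
    groups = USERS[user]["groups"]
    allowed, denied = set(), set()
    for principal, kind, ace_type, rights in CIFS_ACL:
        matches = (kind == "user" and principal == user) or (kind == "group" and principal in groups)
        if not matches:
            continue
        (allowed if ace_type == "allow" else denied).update(rights)
    return allowed - denied


def cifs_access(user: str, password: str, wanted: str):
    """Return (allowed, detail). Unauthenticated users never reach the ACL."""
    if not authenticate(user, password):
        return False, "authentication failed"
    rights = cifs_rights(user)
    return wanted in rights, f"rights={sorted(rights)}"


def nfs_access(client_ip: str) -> str:
    """Most specific (longest prefix) export entry wins; unmatched clients get 'none'."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, mode in NFS_EXPORTS:
        network = ipaddress.ip_network(net, strict=False)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, mode)
    return best[1] if best else "none"


if __name__ == "__main__":
    print(cifs_access("alice", "s3cret", "write"))   # allowed via the finance group
    print(cifs_access("bob", "hunter2", "read"))     # denied: explicit deny beats group allow
    print(nfs_access("192.168.10.50"), nfs_access("192.168.10.7"), nfs_access("10.1.2.3"))
```

The CIFS path returns nothing about the ACL to a caller that fails authentication, and the NFS path defaults to `none` for any address that matches no export, which is the behaviour a practitioner should expect from address-based control: membership in a segment, not user identity, is what grants access.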