4 Replies Latest reply: Sep 20, 2013 12:15 PM by Amirul Islam RSS

    Default iGroup security setting

    Mike Sparkes Newbie

      G'Morning,

       

      Just getting into Nimble - coming NetApp background, playing with a base C220.

       

      Is it possible to set the default iGroup security setting?

       

      Example - out of the box, a NetApp filer when a new Volume is provisioned it automatically exports this via NFS. (our PS will always turn this off..)

       

      I've been testing the Nimble integration tools etc, the datastore I had provisioned via the vCenter Plugin was unrestricted - which was a shock when I came round to testing with a 2008R2 VM and the Datastore was available. Following that any other volume I created manually all we unrestricted - I've got into the habbit of setting this now, but it's a concern I have rolling this out to customers.

       

      Our SE said this wasn't possible, but I was curious if anyone knew of any magic or real world solutions.

       

      Thanks

       

      Sparkles

        • Re: Default iGroup security setting
          Phil Davies Adventurer

          Mike,

           

          RFE is open to change current options, these will be confirmed later but would encourage anyone who thinks "Unrestricted Access" is undesirable as the first fallback option in both GUI/CLI, please add to this thread with your comments.

          Unrestricted access is seen as a desirable troubleshooting option, perhaps it should only be avaialble as an advanced or hidden feature?

          Should default access be "none" or should we force an Initiator Group to be created.  Is forcing an IG always possible if you don't yet know the iqn of a new server etc....  Would a default built in "null" IG Group help here? 


          All comments/suggestions welcome.


          Phil


            • Re: Default iGroup security setting
              Justin Rich Adventurer

              I can see both sides of it... once you know its open and unrestricted then you know to deal with it.. and i guess from a troubleshooting aspect its helpful. but clearly its dangerous

               

              Maybe just slap some big red text that says its open to all?

              • Re: Default iGroup security setting
                John Wagner Wayfarer

                My two cents, I like Justins idea of putting a warning stating that unrestricted is open to all, but i'd also have it default to none.

                • Re: Default iGroup security setting
                  Amirul Islam Adventurer

                  I've seen a few customers who have provisioned via the vCenter plugin also (which sets the volume to unrestricted access) and inadvertently left it as such as they haven't realised or gone into the volume access settings to check.

                   

                  Further to your comments, I think it would be a good idea to provide an option to pick from a list of initiator groups on the system or allow you to create a new one (bearing in mind the points you make regarding knowing the IQN, etc) so in that case even an empty group would be good, which the administrator can populated with the actual IQN later. I think setting the volume to unrestricted access by default is potentially dangerous, therefore better to set the volume with No Access in that instance. I don't believe there is any reason to hide the Unrestricted Access option as it is invaluable for quick troubleshooting.