Access control

To provide data access security, ABS offers an allowlist mechanism for iSCSI targets. You can specify the IP addresses and IQNs permitted to access each iSCSI target. When handling access requests, the access layer verifies client permissions and rejects requests that do not match the rules in the allowlist.

An IQN allowlist can be set individually for each iSCSI target and for each LUN under it to isolate client access and prevent unauthorized clients from tampering with the data. For volumes intended for use by a single compute end, a single access point control mode is also provided, which prevents data conflicts or errors caused by multiple write points in scenarios such as HA failover of the compute virtual machine.

The iSCSI service supports using CHAP (Challenge-Handshake Authentication Protocol) for access control, with support for both one-way and mutual authentication. One-way authentication allows the iSCSI target to authenticate the username and password provided by the initiator. Built on one-way authentication, mutual authentication also requires the initiator to authenticate the iSCSI target.
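
The one-way and mutual CHAP exchanges described above, sketched as an added example that is not ABS code. It uses the MD5 response calculation from RFC 1994; the `Target` class, the `login` function, and the user names and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 with MD5: hash of identifier octet || shared secret || challenge
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Target:
    # Hypothetical stand-in for the iSCSI target side of the login exchange
    def __init__(self, users: dict, target_secret: bytes):
        self.users = users                  # CHAP username -> initiator secret
        self.target_secret = target_secret  # used only for mutual CHAP
        self.ident, self.challenge = 0, b""

    def new_challenge(self):
        # Fresh random challenge per login so a captured response cannot be replayed
        self.ident, self.challenge = os.urandom(1)[0], os.urandom(16)
        return self.ident, self.challenge

    def check_initiator(self, username: str, response: bytes) -> bool:
        secret = self.users.get(username)
        if secret is None:
            return False
        expected = chap_response(self.ident, secret, self.challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

    def answer_initiator(self, ident: int, challenge: bytes) -> bytes:
        # iSCSI (RFC 7143) requires the responder to reject its own challenge
        # being reused for the other direction of a bidirectional exchange.
        if challenge == self.challenge:
            raise ValueError("reflected CHAP challenge")
        return chap_response(ident, self.target_secret, challenge)

def login(target, username, secret, target_secret=None) -> bool:
    """One-way CHAP when target_secret is None, mutual CHAP otherwise."""
    ident, challenge = target.new_challenge()
    answer = chap_response(ident, secret, challenge)
    if not target.check_initiator(username, answer):
        return False                        # target rejects the initiator
    if target_secret is None:
        return True                         # one-way: target is not verified
    my_ident, my_challenge = os.urandom(1)[0], os.urandom(16)
    reply = target.answer_initiator(my_ident, my_challenge)
    expected = chap_response(my_ident, target_secret, my_challenge)
    return hmac.compare_digest(expected, reply)  # initiator verifies target
```

With one-way CHAP the initiator has no proof that it reached the intended target; the mutual branch fails the login when the target cannot answer with the expected secret.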