Here is the relevant paragraph from Appendix D of RFC 3270:

   A system that contains targets MUST support discovery sessions on
   each of its iSCSI IP address-port pairs, and MUST support the
   SendTargets command on the discovery session. In a discovery
   session, a target MUST return all path information (target name and
   IP address-port pairs and portal group tags) for the targets on the
   target network entity which the requesting initiator is authorized to
   access.

As Mike says, the COMSTAR model is that all initiators are implicitly
"authorized to access" all targets. TPGs can be used to restrict which
IP portals each target is accessible over, but do not restrict which
initiator nodes can connect via those IP portals. COMSTAR Views are
used to restrict and define which LUNs are visible to which initiators
via each target node, but once again do not restrict which initiators
can connect to the target node itself.

There has been a request that COMSTAR add the ability to do
initiator-based access control. This request is being tracked in the
following RFE:
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6878539 .

Peter

Mike La Spina wrote:

Hi Steffen,

I understand now. What you are experiencing is the correct behavior based on
RFC3270. The iSCSI text cmd SendTargets=All is required to send all targets
that are defined on the serving host regardless of the Target Portal Group IP
list. Target Portals do not control access, they define what interfaces will
participate in the I_T nexus session on the target side.

The only thing I can suggest is that you use a static mapping instead of a
dynamic discovery for establishing an I_T session.

Regards,
Mike
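
The following is an added example, not part of either message above and not COMSTAR code: a small Python audit that parses a SendTargets=All text response (null-separated key=value pairs, with TargetAddress given as host[:port][,portal-group-tag]) and lists the targets disclosed to an initiator beyond the ones it is meant to use. The target names, addresses and the expected-target allowlist are constructed for illustration.

```python
# Added example: audit what a SendTargets=All discovery response discloses.
# SAMPLE and EXPECTED are constructed values, not taken from the thread.

DEFAULT_ISCSI_PORT = 3260

def parse_target_address(value):
    """Split 'host[:port][,tpgt]' into (host, port, tpgt); IPv6 hosts are bracketed."""
    addr, _, tag = value.partition(",")
    if addr.startswith("["):                      # e.g. [2001:db8::10]:3260
        host, _, rest = addr[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, _, port = addr.partition(":")
    return host, int(port) if port else DEFAULT_ISCSI_PORT, int(tag) if tag else None

def parse_sendtargets(data):
    """Return {target_name: [(host, port, tpgt), ...]} from a text response."""
    targets, current = {}, None
    for item in data.split(b"\x00"):
        if not item:
            continue
        key, sep, value = item.decode("utf-8").partition("=")
        if not sep:
            raise ValueError(f"malformed key=value pair: {item!r}")
        if key == "TargetName":
            current = targets.setdefault(value, [])
        elif key == "TargetAddress":
            if current is None:
                raise ValueError("TargetAddress before any TargetName")
            current.append(parse_target_address(value))
    return targets

def unexpected_targets(data, expected):
    """Targets disclosed to this initiator that it is not meant to use."""
    return sorted(set(parse_sendtargets(data)) - set(expected))

# Constructed discovery response: two targets, three portals.
SAMPLE = (b"TargetName=iqn.2010-01.example.com:vol-a\x00"
          b"TargetAddress=192.0.2.10:3260,1\x00"
          b"TargetName=iqn.2010-01.example.com:vol-b\x00"
          b"TargetAddress=[2001:db8::10]:3260,2\x00"
          b"TargetAddress=192.0.2.11,2\x00")
EXPECTED = {"iqn.2010-01.example.com:vol-a"}      # hypothetical allowlist

if __name__ == "__main__":
    for name in unexpected_targets(SAMPLE, EXPECTED):
        print("disclosed but not expected:", name, parse_sendtargets(SAMPLE)[name])
```

Because the thread states that TPGs and Views do not limit which initiators can connect to a target node, every name this audit reports is a target the initiator can also open a session to, not only see.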