Hello,

I see there is an existing RFE to control which targets an iscsi initiator gets to see. I have decided to write code to resolve the issue at least in our environment. The code is an iscsi portal which answers to initiators' SendTargets=All command and responds only with those targets the initiator should see. The iscsi portal is not involved in the actual iscsi data traffic.

I understand it would have probably made more sense to modify the kernel code, however at this stage, I don't understand all the details of the solaris kernel to make such changes. However, having said that, I would think someone who is working on the RFE could use the algorithm of this code as a starting point.

Have a look at the following URL: https://www3.amherst.edu/~swplotner/comstar/

There is a README document explaining the details. Configure etc/config.pm with the listen port of the portal and target port and IP of comstar's iscsi target. Launch the itportal.plx via the command line switches below.

    ./itportal.plx [-h] [-v] [-d] -i iqn | -f | -b | -k

    -h        help
    no command line options queries 127.0.0.1:860 SendTargets=All
    -i        initiator target query (computes the effective SendTargets=All for initiator)
    -b        run the iscsi portal in the background (daemon)
    -f        run the iscsi portal in the foreground
    -k        kill background daemon
    -v        verbose
    -d        debug PDUs
If you have questions/ideas, feel free to let me know.

Steffen

_______________________________________________________________________________________________
Steffen Plotner                            Amherst College           Tel (413) 542-2348
Systems/Network Administrator/Programmer   PO BOX 5000               Fax (413) 542-2626
Systems & Networking                       Amherst, MA 01002-5000
swplot...@amherst.edu

________________________________
From: storage-discuss-boun...@opensolaris.org on behalf of Peter Cudhea
Sent: Sun 11/29/2009 8:57 AM
To: Mike La Spina
Cc: storage-discuss@opensolaris.org
Subject: Re: [storage-discuss] comstar iscsi sendtargets vlans

As Mike says, the COMSTAR model is that all initiators are implicitly "authorized to access" all targets. TPGs can be used to restrict which IP portals each target is accessible over, but do not restrict which initiator nodes can connect via those IP portals. COMSTAR Views are used to restrict and define which LUNs are visible to which initiators via each target node, but once again do not restrict which initiators can connect to the target node itself.

There has been a request that COMSTAR add the ability to do initiator-based access control. This request is being tracked in the following RFE: http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6878539 .

Peter
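One way to express the filtering step the message describes, as an added Python example (not code from itportal.plx): it parses the NUL-separated key=value text of a SendTargets=All response and keeps only the targets listed for the requesting initiator. The ACL layout, function names, IQNs and addresses are assumptions constructed for illustration.

```python
# Added example; not taken from itportal.plx. ACL, IQNs and addresses are constructed.

def parse_text_keys(segment):
    """Split an iSCSI text data segment into ordered (key, value) pairs.
    Text keys are NUL-terminated "key=value" strings."""
    pairs = []
    for item in segment.split(b"\x00"):
        if not item:
            continue  # trailing NUL or padding
        key, sep, value = item.decode("utf-8").partition("=")
        if not sep:
            raise ValueError("malformed text key: %r" % item)
        pairs.append((key, value))
    return pairs

def group_targets(pairs):
    """Group a SendTargets response into (target_name, [addresses]) records."""
    records = []
    for key, value in pairs:
        if key == "TargetName":
            records.append((value, []))
        elif key == "TargetAddress":
            if not records:
                raise ValueError("TargetAddress before any TargetName")
            records[-1][1].append(value)
    return records

def filter_send_targets(upstream, initiator, acl):
    """Rebuild the response with only the targets the ACL grants this initiator.
    An initiator missing from the ACL gets an empty list (default deny)."""
    allowed = acl.get(initiator.lower(), set())
    out = bytearray()
    for name, addrs in group_targets(parse_text_keys(upstream)):
        if name in allowed:
            out += ("TargetName=%s" % name).encode() + b"\x00"
            for addr in addrs:
                out += ("TargetAddress=%s" % addr).encode() + b"\x00"
    return bytes(out)

# Constructed upstream SendTargets=All response and per-initiator ACL.
UPSTREAM = (b"TargetName=iqn.2009-11.example:tgt-a\x00"
            b"TargetAddress=192.0.2.10:3260,1\x00"
            b"TargetName=iqn.2009-11.example:tgt-b\x00"
            b"TargetAddress=192.0.2.10:3260,1\x00")
ACL = {"iqn.2009-11.example:host1": {"iqn.2009-11.example:tgt-b"}}
```

Because the portal only shapes discovery and sits outside the data path, this hides target names rather than enforcing access: as the quoted reply notes, COMSTAR itself does not restrict which initiators can connect to a target.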