LUN Mapping & Proxies

["John Hufferd/San Jose/IBM" <hufferd@us.ibm.com>]

iSCSI Team, (a fairly long note follows)

In one of Jim Hafner's Notes he talked about the LUN Masking & Mapping
along with Access Controls, and Proxies. He also said that the Access
Controls proposal t10/99-245r9, has now been standardized by T10, and is
approprate to all Transports.  I would recommend that document to the whole
iSCSI Team.

Because I do not believe that you will all read it, I have extracted key
points, so that we do not have to keep trying to invent this stuff.  (If
you do not what to read even these extracts, you may jump to the bottom of
this note, after the extracts,  for my conclutions.)

We know that currently a Target SCSI device has the ability to put forth
various different LUN views to various different Initiators.
The Access Controls Standard extends that process by the following:

[Extracts from t10/99-245r9]

... A client application (what we call the Partition Access Manager or PAM)
has knowledge of all the initiators and target devices on the SAN. PAM may
instruct a given target device to restrict access to some or all of its
logical units by all initiators except those from some small set.  Such a
set might be a single host. Within the set, data integrity, locking, etc.,
is coordinated by existing protocols
(like reservations) via a separate application client operating within the
scope of this group. One might say that such a set is a "shared access
group". Hosts outside this group are denied (most) access to the device. In
particular, these hosts may not preempt a reservation, issue read/write
commands and the like. ....

....There are two new commands with different service actions... There is a
Data-In command typically used to query various status information of the
target with respect to access control functions and a Data-Out command
typically used [by PAM] to configure different kinds of access controls.
... However, use of configuration commands are limited with respect to
application clients or initiators. Initiators with access to a device have
the right to issue proxy rights to other third party initiators without
PAM's direct intervention....

....Hosts (or OS-images) may be identified by a new AccessID ...[which] is
transport independent... The intent of the AccessID is to assign a
permanent identifier to a given host machine (actually OS-image) without
regard to the number of ports/HBAs on that host or any actions that change
the hardware configuration of the machine.  ... [This] implies requirements
on the part of target to maintain associations between the AccessID and a
given host's initiator port or ports....

... LUN Mapping. This has two features. First, it "hides" logical units
that are not accessible to a given initiator. So, to such an initiator
INQUIRY to some logical units will report "no device present" and REPORT
LUNS will only show a set of LUN values representing a subset of the
complete set of logical units on the target device. The second feature of
LUN Mapping is that the LUN values reported in REPORT LUNs are
initiator-specific. That is, for each initiator a given LUN will only be a
pointer to an specific logical unit and that pointer is a function of the
initiator. Thus, the same (shared) logical unit may be addressed by one
initiator at LUN1 and by another initiator at LUN2. A consequence is that
LUN values are no longer global addresses for specific logical units within
a target. ...

... PAM tells the target device to grant access to a particular logical
unit to a given initiator under a specific LUN value (in other words, PAM
instructs the target to create a LUN Map entry of a particular type for the
specified initiator). ...

... An initiator may be identified to the target by either a TransportID
(available at connection time, say, FC-login) or by AccessID (available
only after an enrollment action by the initiator)....

... The Proxy ...[is created by] the result of a single action by the
initiator (ASSIGN PROXY LUN service action); ... An initiator, ... requests
a proxy token from the target for a specific logical unit, passes the token
to the third party, and that third party uses the token to request a LUN
value for that logical unit. ...

... proxy tokens may be forwarded from one third party to another; ...
changes to the EXTENDED COPY target descriptors to include Proxy Tokens as
handles or references to logical units [has been proposed]. ...

... the third party initiator specifies a preferred LUN value when
requesting the access to the logical unit (that is, the initiator asks "may
I have LUN=x for Proxy Token=t?"). ...

[End of Extracts]  (The document is still worth reading.)

As of this date, I am unaware of any implementations of PAM, and but I
would expect some to happen soon.  In any event, since the Proxy Granting
can be done independent of PAM, you may see the implementation of Proxying
even if no PAM is available.  Especially if the Storage Controller vendor
wants to support third party commands.

With this information, you can see how an installation can have a central
location where administration can be done for various Storage Controllers.
(And with iSCSI, almost independent of where they are located.) You can
also see how the Proxy functions work for 3rd party commands.   We can now
bypass all sorts of hallucinations on how this might be done.

.
.
.
John L. Hufferd
Senior Technical Staff Member (STSM)
IBM/SSG San Jose Ca
(408) 256-0403, Tie: 276-0403
Internet address: hufferd@us.ibm.com