Re: ISCSI: User authentication vs. Machine Authentication for iSCSI

> I believe this is the "iSCSI Name" (formerly WWUI).

I guess I was unclear. I consider the iSCSI name to BE the `user
name' in this discussion.

I was not suggesting that we introduce any additional identities. I
was only suggesting it might be a mistake to slavishly equate identity
with OS instance. I don't THINK we're in any risk of doing that.
Somebody please shout if they think we are, or if they think we should
be.

If a user process wants to initiate its own iSCSI connection to a
target, there are two options:

1) the host OS gives the process ITS identity (& credentials)

2) the user process uses its own unique identity (obtained through
some mechanism we're not describing or discussing, e.g. from the
storage domain administrator).

1) would be the case if you were using SCSI passthru to an iSCSI
driver. In this situation, it's still really the OS that's doing the
interaction as a proxy for the user. The OS can ensure (or not) that
its identity isn't being abused. The OS could also give its identity
to a user-mode iSCSI sockets client through a securable interface.
The OS should never completely freely give away its identity (e.g. to
an untrusted user process), unless it doesn't care how it's used.

2) would be the case if jane helpful-programmer (or joe script-kiddy)
wrote a user-mode iSCSI initiator using sockets for whatever purpose.

Perhaps I'm covering old ground that was already worked out at the
interim meeting. If so, I apologize.

Steph