iSCSI MIB - comments on iscsiAccessList

I have some questions/suggestions regarding iscsiAccessList in draft-ietf-ips-iscsi-mib-03.txt.

> 6.9. iscsiAccessList
>
> The iscsiAccessListAttributesTable contains an entry for each
> initiator that is allowed to access the target under which it
> appears. If a target allows access to any initiator, an
> AccessListAttributesEntry with the initiator's iSCSI name should be
> used.

I think the last sentence is a) confusing (do you mean "any initiator"?) and b) may not always be true - with a wildcard mechanism ("iscsi" in the next paragraph), an initiator's name does not have to be in the table, right?

> This table does not cover all possible access control schemes that a
> vendor could implement. If access to an initiator cannot be
> determined just by its iSCSI name, an implementation may either
> include a single entry per target with the initiator name "iscsi", or
> may choose to place no entries in this table.

Does no entries in the table allow any initiator access, or does it deny access to all initiators?

> iscsiAccessListAttributesTable OBJECT-TYPE
>     SYNTAX SEQUENCE OF IscsiAccessListAttributesEntry
>     MAX-ACCESS not-accessible
>     STATUS current
>     DESCRIPTION
>         "A list of iSCSI initiators which will be granted access
>         to iSCSI resources through targets within the iSCSI
>         instance."

Can you say explicitly:

- what does no entries in the table mean, and
- how does the wildcard entry (an entry with name="iscsi") work.

> ...
>
> iscsiALInitiatorName OBJECT-TYPE
>     SYNTAX SnmpAdminString
>     MAX-ACCESS read-only
>     STATUS current
>     DESCRIPTION
>         "An octet string that defines an initiator identified
>         by the <InitiatorName> key of the Login Command which will
>         be granted access. If this string has the value of 'iscsi',
>         then any initiator may access this target."
> ::= { iscsiAccessListAttributesEntry 2 }

If you intend that an entry of "iscsi" means that "any initiator name is allowed", then I think it's a little strange that a special meaning applies to a name that an administrator might just happen to use without realising it.

Here are three alternatives which I think are better:

1. have a column in the iscsiTargetAttributesTable which enables/disables the use of the access-list. (Then, disabling has the same function as "iscsi" entry.)

2. have the zero-length name allow access to any name; (this is a special case of #3 below.)

3. have an additional column, iscsiALInitiatorMatchType, which is an INTEGER { exact(1), prefix(2) } where 'exact' is the type you currently have, and 'prefix' says that longer initiator names will match if they can be truncated to the value of iscsiALInitiatorName.

Keith.
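An added example, not part of the original message or of the draft: a small evaluator for the three alternatives proposed above, next to the draft-03 rule in which the name "iscsi" acts as a wildcard. The class and function names, the `empty_table_allows` parameter and the initiator names are assumptions made for illustration; only `iscsiALInitiatorMatchType` and its `exact(1)`/`prefix(2)` values come from the message.

```python
from dataclasses import dataclass
from enum import IntEnum


class MatchType(IntEnum):
    """Values of the iscsiALInitiatorMatchType column proposed in alternative 3."""
    EXACT = 1
    PREFIX = 2


@dataclass(frozen=True)
class AccessListEntry:
    initiator_name: str                      # iscsiALInitiatorName
    match_type: MatchType = MatchType.EXACT  # proposed column, not in draft-03


def entry_matches(entry: AccessListEntry, initiator: str) -> bool:
    if entry.match_type == MatchType.PREFIX:
        # A zero-length prefix matches every name, which is alternative 2.
        return initiator.startswith(entry.initiator_name)
    return initiator == entry.initiator_name


def access_allowed(entries, initiator, access_list_enabled=True,
                   empty_table_allows=False):
    """Decide access under the alternatives from the message.

    access_list_enabled models the per-target switch of alternative 1.
    empty_table_allows is an assumption: the draft does not say what an
    empty table means, so the caller must choose; the default here is deny.
    """
    if not access_list_enabled:
        return True
    if not entries:
        return empty_table_allows
    return any(entry_matches(e, initiator) for e in entries)


def draft03_allowed(names, initiator):
    """draft-03 text as quoted: an entry named 'iscsi' admits any initiator."""
    return "iscsi" in names or initiator in names


# Constructed initiator names, for illustration only.
HOST1 = "iqn.2001-04.com.example:host1"
OTHER = "iqn.2001-04.org.other:host9"
```

With an explicit match type, an entry named "iscsi" is an ordinary exact match, so an administrator who happens to pick that name does not open the target to every initiator.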
Last updated: Thu Nov 01 14:17:33 2001