iSCSI: Authorization Model for the iSCSI MIB

One of the open items for the iSCSI MIB was to be able to display and configure information about the various authorization schemes available in the iSCSI protocol. An iSCSI target can allow access to an iSCSI initiator based on several things:

- iSCSI initiator name
- iSCSI initiator address
- SRP or CHAP username
- Kerberos
- Public key certificates

The iSCSI MIB team has developed a UML model of the additions to the iSCSI MIB that will support these things. This model defines a "user" (meaning a host, cluster, application, whatever counts as the "user" of iSCSI) identity, which is composed of initiator names, address ranges, credentials (user names), and accepted certificates. The model allows the user identity to consist of a reasonable set of these attributes, without getting too complicated and dragging us into the policy swamp.

Instead of including initiator names in the current access list entries, we would add a RowPointer attribute that would point to the user identity that the target would accept. This way, user identities do not live under targets, and can be used by more than one target.

This model is best understood by way of examples, which are included. Page 1 of the drawing is the current iSCSI MIB. Page 2 includes the iscsiInstance and iscsiTarget objects from the iSCSI MIB, with the remainder of the objects added for this authorization model. As usual, the last page includes a key for those who have not been exposed to the slightly simplified version of UML that we are using.

The best way to look at this model (on page 2) is:

1. Read the use case on the lower left.
2. Look at the UML.
3. Read the solution to the use case on the lower right.
4. Look at the UML again.

Note that specific attributes to handle SRP, public keys, and Kerberos have not yet been fully defined; we wanted to make sure the model was structurally sound first.

This model will serve in place of an internet-draft with the MIB changes for the interim meeting, since at this point, the discussion of the model is more important than the discussion of the individual MIB attributes.

The model (pdf) is available at:
ftp://ftpeng.cisco.com/mbakke/ips/iscsi-mib/Visio-ietf-iscsi-uml-model-03-access.pdf

The next steps are to look at whether the same model, or a generalization thereof, can or should be used to configure an iSCSI initiator, and how far to take this model in terms of allowing configuration via SNMP.

Enjoy,

--
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054
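The structure the post describes (a table of user identities made of initiator names, address ranges, credential user names and accepted certificates, with each target's access-list rows pointing at an identity instead of embedding initiator names) can be sketched as a small authorization check. The code below is an added illustration and is not the MIB, the UML drawing, or Mark Bakke's work: every class, field and function name is invented, the identity table and two targets are constructed sample data, and the matching rule (every attribute set an identity populates must be satisfied, any member of a set suffices, an empty identity matches nobody) is an assumption the post does not state. The example also shows the reuse point from the post, one identity referenced by two targets, and the failure mode of a dangling RowPointer, which it treats as granting nothing.

```python
"""Toy model of a target access list that points at shared user identities.

Names, sample values and the matching rule are assumptions for illustration;
nothing here is taken from the iSCSI MIB itself.
"""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class UserIdentity:
    """A 'user' (host, cluster, application) that a target may accept."""
    ident: int                                              # row index; RowPointer destination
    initiator_names: set = field(default_factory=set)       # accepted iSCSI initiator names
    address_ranges: list = field(default_factory=list)      # ipaddress networks
    usernames: set = field(default_factory=set)             # CHAP/SRP user names
    cert_fingerprints: set = field(default_factory=set)     # accepted certificate fingerprints


@dataclass
class AccessEntry:
    """One access-list row under a target; refers to an identity by index."""
    identity_ref: int   # RowPointer analogue: key into the identity table


@dataclass
class Target:
    name: str
    access_list: list = field(default_factory=list)


@dataclass
class LoginAttempt:
    """What the target learns about an initiator during login (constructed)."""
    initiator_name: str
    address: str
    username: Optional[str] = None
    cert_fingerprint: Optional[str] = None


def identity_matches(identity: UserIdentity, attempt: LoginAttempt) -> bool:
    """Assumed rule: each populated attribute set must be satisfied (AND across
    sets, OR within a set). An identity with no attributes matches nobody."""
    checks = []
    if identity.initiator_names:
        checks.append(attempt.initiator_name in identity.initiator_names)
    if identity.address_ranges:
        addr = ipaddress.ip_address(attempt.address)
        checks.append(any(addr in net for net in identity.address_ranges))
    if identity.usernames:
        checks.append(attempt.username in identity.usernames)
    if identity.cert_fingerprints:
        checks.append(attempt.cert_fingerprint in identity.cert_fingerprints)
    return bool(checks) and all(checks)


def authorize(target: Target, identities: dict, attempt: LoginAttempt) -> Optional[int]:
    """Return the index of the first referenced identity that grants access, else None.
    A RowPointer to a missing identity row is skipped, so it grants nothing."""
    for entry in target.access_list:
        identity = identities.get(entry.identity_ref)
        if identity is None:
            continue
        if identity_matches(identity, attempt):
            return identity.ident
    return None


def build_sample():
    """Constructed identity table and two targets; identity 1 is shared by both."""
    identities = {
        1: UserIdentity(1,
                        initiator_names={"iqn.2002-01.com.example:db1",
                                         "iqn.2002-01.com.example:db2"},
                        address_ranges=[ipaddress.ip_network("10.1.2.0/24")],
                        usernames={"dbcluster"}),
        2: UserIdentity(2,
                        address_ranges=[ipaddress.ip_network("10.9.0.0/16")],
                        cert_fingerprints={"sha256:constructed-fingerprint"}),
        3: UserIdentity(3),   # empty identity: never matches
    }
    targets = {
        "iqn.2002-01.com.example:storage0": Target(
            "iqn.2002-01.com.example:storage0", [AccessEntry(1)]),
        "iqn.2002-01.com.example:storage1": Target(
            "iqn.2002-01.com.example:storage1",
            [AccessEntry(99), AccessEntry(3), AccessEntry(1), AccessEntry(2)]),  # 99 dangles
    }
    return targets, identities


if __name__ == "__main__":
    targets, identities = build_sample()
    attempt = LoginAttempt("iqn.2002-01.com.example:db1", "10.1.2.7", username="dbcluster")
    for name, target in targets.items():
        print(name, "->", authorize(target, identities, attempt))
```

The check is deliberately fail-closed: an identity row with nothing filled in, or an access-list row whose pointer no longer resolves, grants no access rather than matching everyone.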