Date: Wed, 22 Oct 2014 12:58:04 +0200 From: Edward Tomasz =?utf-8?Q?Napiera=C5=82a?= <trasz@FreeBSD.org> To: Harald Schmalzbauer <h.schmalzbauer@omnilan.de> Cc: FreeBSD Stable <freebsd-stable@freebsd.org> Subject: Re: ctld(8), multiple 'portal-group' on same socket (individual 'discovery-auth-group' restrictions) Message-ID: <20141022105804.GB5415@brick.home> In-Reply-To: <5446988B.5020509@omnilan.de> References: <5444C94C.4050705@omnilan.de> <20141021104308.GA5990@brick.home> <54464405.4090207@omnilan.de> <20141021134516.GA89872@brick.home> <5446988B.5020509@omnilan.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On 1021T1931, Harald Schmalzbauer wrote: > Bezüglich Edward Tomasz Napierała's Nachricht vom 21.10.2014 15:45 > (localtime): > > … > >> In my "real world" case, I dispense backup disks to win7 clients via iSCSI. > >> I liked the possibility to limit target-discovery-results, because > >> curious people, garnated such extra resources, weren't able to see who > >> else was granted this extra resource (by definition, there's no private > >> data on the clients which use that backup-strategy, so no need for > >> qualified identity checks or encryption needed). Even with any security > >> mechanisms active, two consumers (some dozen in my case) of the same > >> portal know about the other. That's one example where this feature was > >> useful for me. > > So basically, each target has a different user/password pair, and > > during discovery the target only returns those targets that can actually > > be accessed using that user/password? > > In general, yes, that's what I did with istgt. But I omitted chap > authentication, intead I'm just checking initiator-name/adress. > So speaking in ctl.conf, I would love to see an extension in the target > Context, which influences discovering results, maybe like > > target iqn.2012-06.com.example:target0 { > SendTarget on-discover | access-granted # access-granted only has > effect on assigned portal-group(s), which have 'target-filter' enabled. > … } > > I guess that would need quiet a lot of extra checks added to existing > discovery-response functions, so maybe it would make sense to > selectively enable/disbale this extra check at portal-group Context in > the first place, maybe like > > portal-group lan0 { > target-filter on | off > … } I think I like the second one better. Except I'm not sure about "target-filter" name. "authorized-targets-only" perhaps? > I just had a look at rfc3721, to find a suitable name for the > 'SendTarget' config option I suggested here > (http://www.ietf.org/rfc/rfc3721.txt, Page 12, 3.b). > > Quote of the first sentence in chapter 3, describing the iSCSI discovery: > »The goal of iSCSI discovery is to allow an initiator to find the > targets to which it has access, …« > > “… to which it has access” sounds to me like the filtered SendTarget > behaviuor should be default, but I haven't read the complete docuemtn > nor am I native english speaker... Thought about this as default too. Question is, wouldn't it confuse users? On the other hand, _not_ doing it by default could be confusing too, just in another way. I kind of have a prototype for this. Could you test patches against 11-CURRENT, when I have them ready? > >> Another one actually is (since not implemented in ctld, yet?) with > >> virtual DVDs. If you provide 50 DVDs at one portal, it's confusing if > >> any initiator needs to select from the complete list. > > In this case do the returned targets depend on authentication, or something > > else, eg. a static list defined in config? > > The returned targets are still access restricted, by authentication or > any initiator-match rule (name, address, both). Ok. > >> I'd like to point to two options I'm missing: > >> option RPM > >> option FormFactor > >> And another one I don't know/understand: > >> option scsiname > >> > >> Missing resp. wrong reported option RPM leads to identification as SSD > >> with ESXi initiators. I don't remember what defines a SSD vs. HDD, I > >> think it was a threshold of something about 400? Or was it 0? I think I > >> read the former… Don't have docs handy. > >> The FormFactor was more cosmetic, but in bigger environments I guess it > >> can be useful if you have multiple targets available, choosing the > >> better fitting backend-pool e.g. > > Hm, ok. > > Thanks for your attention again! > > > >> If someone could point me to the meaning of option iscsiname? > > That's an istgt option, right? > > Sorry, haven't made clear: ctl.conf(5) references ctladm(8) for possible > "name value" pairs for the "option" option in the target Context. > In ctladm's OPTIONS section, I can find most options I ever used (and in > my case mandatory options like "product") besides to above mentioned two > (RPM and FormFactor), and also some additional I haven't used. > There's "scsiname" listed. I don't even understand the meaning of that :-( Ah. AFAIK it's just a "device name", at SCSI level. Basically, there are several kinds of identifiers a SCSI device (accessed over iSCSI or some other transport) can return when asked. There is NAA, EUI, and just text, which I believe is the "scsiname". > Hope you don't mind if I add another question: > > In ctl.conf(5), section "portal-group Context", under the description > for 'discovery-auth-group', one can read: > »By default, portal groups that do not specify their own auth > settings, using clauses such as chap or initiator-name, are assigned > predefined auth-group "default",…« > I tried to define 'initiator-name' under portal-group Context, but that > didn't work. I think I got an error message and config-reload was rejected. Hm, yeah, it's a documentation error. You can only use discovery-auth-group. > The reason I tried to not use a predefined auth-froup was, that I get a > warning it I define a auth-group and don't assign it to any target, > instead using it as 'discovery-auth-group' only. Not really a problem, > prpbably not even worth a PR/bugzilla report, but wanted to mention it > here :-) _Every_ problem is worth reporting. I've just fixed the spurious warning, btw. ;-) > And, not enough yet, I'd like to suggest a extension to the examples > section of ctl.conf(5): > > --- /tmp/ctl.conf.sample.orig 2014-10-21 19:11:46.000000000 +0200 > +++ /tmp/ctl.conf.sample 2014-10-21 19:25:28.000000000 +0200 > @@ -1,5 +1,16 @@ > pidfile /var/run/ctld.pid > > + # buitlin special > + #auth-group default { auth-type deny } > + #auth-group no-authentication { auth-type none} What is the above for? > + > + auth-group example1 { > + auth-type none > + initiator-name "iqn.2012-06.com.example:initiatorhost1" > + initiator-name "iqn.2012-06.com.example:initiatorhost2" > + initiator-portal 192.0.2.0/24 > + } This is to show ohw "auth-type none" should be used, right? I like it. > + > auth-group example2 { > chap-mutual "user" "secret" "mutualuser" "mutualsecret" > chap-mutual "user2" "secret2" "mutualuser" "mutualsecret" > @@ -41,3 +52,13 @@ > option foo bar > } > } > + > + target iqn.2012-06.com.example:target1 { > + auth-type none > + initiator-name "iqn.2012-06.com.example:initiatorhostname0" > + initiator-portal [2001:DB8::de:ef] > + portal-group example2 > + lun 0 { > + path /dev/zvol/example_1 > + } > + } This one, however, looks a little redundant.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20141022105804.GB5415>