iSCSI: Authorization Model for the iSCSI MIB

To: IPS <ips@ece.cmu.edu>
Subject: iSCSI: Authorization Model for the iSCSI MIB
From: Mark Bakke <mbakke@cisco.com>
Date: Tue, 22 Jan 2002 15:20:21 -0600
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: owner-ips@ece.cmu.edu


One of the open items for the iSCSI MIB was to be
able to display and configure information about the
various authorization schemes available in the iSCSI
protocol.

An iSCSI target can allow access to an iSCSI initiator
based on several things:

- iSCSI initiator name
- iSCSI initiator address
- SRP or CHAP username
- Kerberos
- Public key certificates

The iSCSI MIB team has developed a UML model of the additions
to the iSCSI MIB that will support these things.

This model defines a "user" (meaning a host, cluster, application,
whatever counts as the "user" of iSCSI) identity, which is
composed of initiator names, address ranges, credentials (user
names), and accepted certificates.  The model allows the user
identity to consist of a reasonable set of these attributes,
without getting too complicated and dragging us into the
policy swamp.

Instead of including initiator names in the current access list
entries, we would add a RowPointer attribute that would point
to the user identity that the target would accept.  This way,
user identities do not live under targets, and can be used
by more than one target.

This model is best understood by way of examples, which are
included.  Page 1 of the drawing is the current iSCSI
MIB.  Page 2 includes the iscsiInstance and iscsiTarget objects
from the iSCSI MIB, with the remainder of the objects added
for this authorization model.  As usual, the last page includes
a key for those who have not been exposed to the slightly
simplified version of UML that we are using.

The best way to look at this model (on page 2) is:

1. Read the use case on the lower left.

2. Look at the UML.

3. Read the solution to the use case on the lower right.

4. Look at the UML again.

Note that specific attributes to handle SRP, public keys, and
Kerberos have not yet been fully defined; we wanted to make
sure the model was structurally sound first.

This model will serve in place of an internet-draft with the
MIB changes for the interim meeting, since at this point, the
discussion of the model is more important than the discussion
of the individual MIB attributes.

The model (pdf) is available at:

ftp://ftpeng.cisco.com/mbakke/ips/iscsi-mib/Visio-ietf-iscsi-uml-model-03-access.pdf

The next steps are to look at whether the same model, or a
generalization thereof, can or should be used to configure
an iSCSI initiator, and how far to take this model in terms
of allowing configuration via SNMP.

Enjoy,

-- 
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054

Prev by Date: Submission of draft-ietf-ips-fcmgmt-mib-00.txt
Next by Date: Multiple listings now on Internet Draft Announcements
Prev by thread: Submission of draft-ietf-ips-fcmgmt-mib-00.txt
Next by thread: Multiple listings now on Internet Draft Announcements
Index(es):
- Date
- Thread

Home

Last updated: Tue Jan 22 17:17:57 2002
8431 messages in chronological order