Re: IPS: iSCSI MIB last call
>>>>> "Mark" == Mark Bakke <mbakke@cisco.com> writes:
Mark> Since I haven't seen any other last call comments on the iSCSI
Mark> MIB yet, I have one (technical) comment:
Mark> The iscsiTgtAuthAttributesTable is used to match up iSCSI
Mark> targets with lists of identities in the Auth MIB to which the
Mark> target will allow access. Currently, any identity in the list
Mark> for a target will be authorized to have presumably full access
Mark> to the iSCSI target, other than anything that may be enforced
Mark> at higher layers (SCSI). One thing we might want to consider
Mark> is to allow these entries to specify whether the identity will
Mark> be given read-only or read-write access to the target, perhaps
Mark> something like:
Mark>   iscsiTgtAuthReadWrite OBJECT-TYPE
Mark>       SYNTAX        TruthValue
Mark>       MAX-ACCESS    read-write
Mark>       STATUS        current
Mark>       DESCRIPTION
Mark>           "A truth value that specifies whether the referenced
Mark>           AuthIdentity will be allowed write access to the target.
Mark>           False (=No) indicates that only read operations may be
Mark>           performed. True (=Yes) indicates that all access is
Mark>           allowed."
Mark>       DEFVAL        { true }
Mark>   ::= { iscsiNodeAttributesEntry 13 }
Mark> Thoughts?
I brought this up around here a while ago, and the reaction was that
this isn't all that useful. The argument is that per-initiator access
control is for controlling shared access to a target. As a rule,
operating systems support multiple readers, or (in things like
clusters) multiple initiators with full access, but not a mix of
readers and writers.
paul
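
The proposal and the objection in this thread, as an added example that is not part of the original messages or of the iSCSI MIB: a Python model of per-identity authorization rows carrying the proposed read-write flag, an enforcement check, and an audit that flags targets mixing read-only and read-write identities. Only `iscsiTgtAuthReadWrite` and its default of true come from the thread; the row layout, the target and identity names, and enforcing read-only access through a SCSI opcode allow-list are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a read-only identity is limited to an allow-list of
# non-mutating SCSI opcodes, so unknown opcodes fail closed.
READ_ONLY_OPCODES = frozenset({
    0x00,  # TEST UNIT READY
    0x03,  # REQUEST SENSE
    0x08, 0x28, 0xA8, 0x88,  # READ(6), READ(10), READ(12), READ(16)
    0x12,  # INQUIRY
    0x1A,  # MODE SENSE(6)
    0x25,  # READ CAPACITY(10)
    0xA0,  # REPORT LUNS
})

@dataclass(frozen=True)
class AuthRow:
    """One hypothetical row tying a target to an authorized identity."""
    target: str
    identity: str
    read_write: bool = True  # mirrors DEFVAL { true } in the proposal

def is_allowed(rows, target, identity, opcode):
    """Deny unlisted identities; restrict read-only ones to the allow-list."""
    for row in rows:
        if row.target == target and row.identity == identity:
            return row.read_write or opcode in READ_ONLY_OPCODES
    return False

def mixed_access_targets(rows):
    """Return targets that list both read-only and read-write identities."""
    modes = defaultdict(set)
    for row in rows:
        modes[row.target].add(row.read_write)
    return sorted(t for t, seen in modes.items() if len(seen) == 2)

# Constructed sample table (names are placeholders, not from the thread).
ROWS = [
    AuthRow("iqn.2002-10.example:disk0", "host-a"),
    AuthRow("iqn.2002-10.example:disk0", "host-b", read_write=False),
    AuthRow("iqn.2002-10.example:disk1", "host-a"),
    AuthRow("iqn.2002-10.example:disk1", "host-c"),
]

if __name__ == "__main__":
    print(is_allowed(ROWS, "iqn.2002-10.example:disk0", "host-b", 0x2A))
    print(mixed_access_targets(ROWS))
```
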
Last updated: Wed Oct 23 13:19:04 2002