Target & LUN Access Control Investigation
With iSCSI you can access storage over an IP-based network.
The exported storage entity is the target and the importing entity is the initiator. There are different modules available to set up the target:
- The SCSI Target Framework (STGT/TGT) was the standard before Linux 2.6.38.
- The iSCSI Enterprise Target (IET) is an old implementation; the SCSI Target Subsystem (SCST) is the successor of IET and was a candidate for kernel inclusion before the decision was made in favour of LIO.
- The current standard is the LIO target.
SCST
SCST Architecture
- SCST core processes SCSI commands and routes these between target drivers and storage drivers.
- Target drivers implement a SCSI protocol and communicate with the initiator system.
- Storage drivers present local storage to the SCST core as a SCSI device. This can be a SCSI device, block device, file, or RAID controller.
- The scst_user driver allows a SCSI storage device to be implemented in a user-space process.
SCST supports two modes of access control:
Target-oriented. In this mode you define, for each target, a default set of LUNs that is accessible to all initiators connected to that target. This is the regular access control mode that people usually have in mind when they think about access control in general. In IET, for instance, this is the only supported mode.
Initiator-oriented. In this mode you define which LUNs are accessible to each initiator. For each set of one or more initiators that should access the same set of devices with the same LUNs, you create a separate security group, then add the devices and the names of the allowed initiator(s) to it.
iSCSI SCST target driver for access control
ISCSI-SCST is a deeply reworked fork of the iSCSI Enterprise Target (IET) (http://iscsitarget.sourceforge.net). The reasons for the fork were:
- To be able to use the full power of the SCST core.
- To fix all the problems, corner-case issues and iSCSI standard violations that IET has.
ISCSI-SCST allows you to optionally control the visibility and accessibility of your target and its portals (IP addresses) to remote initiators. This control covers both SendTargets discovery of the target's portals and regular LUN access.
This facility supersedes the obsolete initiators.[allow,deny] method, which is going to be removed in a future version.
This facility is available only in the sysfs build of iSCSI-SCST.
LIO
Create a Backstore
First, create the underlying backstore device, here my_disk on the physical SCSI disk device /dev/vdd.
You can also create a second block backstore:
/backstores/block create my_disk2 /dev/vde
Create a target
Running /iscsi create creates a target.
You can also specify the target name (IQN) yourself.
targetcli creates the TPG, automatically assigns the next default TPG tag '1', and creates a default portal listening on all IPs (0.0.0.0), port 3260.
You can assign an IP address (IPv4) to the TPG to make it accessible to iSCSI initiators.
Define Access Control
Configure access control. Typically, this involves setting up ACLs with individual login information for each initiator. For a simple demo setup, allow access to all initiators without any authentication:
Create a second TPG in the same target
Create a LUN for the new tpg2
Define Access Control for tpg2
Here, enable secure sessions for the initiator with the IQN. After setting the portals:
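As an added example (not from the page or the LIO project), the targetcli command sequence for the "allow all initiators" demo setup above beside a hardened per-initiator version for tpg2; the target IQN, initiator IQN, portal address and CHAP credentials are assumed values.

```shell
#!/bin/sh
# Added example, not from the page: targetcli command scripts for the page's
# tpg2, first in the "allow everyone" demo mode, then with a per-initiator ACL,
# CHAP and a portal bound to one address. All names below are constructed.
TARGET="iqn.2003-01.org.linux-iscsi.example:sn.demo"  # assumed target IQN
INITIATOR="iqn.1994-05.com.example:client1"          # assumed initiator IQN
PORTAL_IP="192.0.2.10"                                # assumed portal address

# Demo mode as described on the page: any initiator may log in, no CHAP, and
# with demo_mode_write_protect=0 every dynamic session also gets write access.
demo_mode_cmds() {
    cat <<EOF
/iscsi/$TARGET/tpg2 set attribute authentication=0 generate_node_acls=1 cache_dynamic_acls=1 demo_mode_write_protect=0
EOF
}

# Hardened form: explicit ACL for one IQN, CHAP required, no dynamic ACLs,
# and the wildcard 0.0.0.0 portal replaced by a single address.
hardened_cmds() {
    chap_user="$1"
    chap_pass="$2"
    cat <<EOF
/iscsi/$TARGET/tpg2/portals delete 0.0.0.0 3260
/iscsi/$TARGET/tpg2/portals create $PORTAL_IP 3260
/iscsi/$TARGET/tpg2 set attribute authentication=1 generate_node_acls=0 demo_mode_write_protect=1
/iscsi/$TARGET/tpg2/acls create $INITIATOR
/iscsi/$TARGET/tpg2/acls/$INITIATOR set auth userid=$chap_user password=$chap_pass
saveconfig
EOF
}

# Audit helper: reads a command script on stdin and succeeds (exit 0) when it
# leaves the TPG open to unlisted initiators, i.e. enables dynamic ACLs or
# turns authentication off.
is_demo_mode() {
    grep -Eq 'generate_node_acls=1|authentication=0'
}

# Feed a script to targetcli when it is installed; otherwise just show it.
apply_cmds() {
    if command -v targetcli >/dev/null 2>&1; then
        targetcli
    else
        cat
    fi
}

# Usage: hardened_cmds chapuser 'long-random-secret' | apply_cmds
```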