iSCSI Target & LUN Access Control Investigation

With iSCSI you can access storage over an IP-based network.
The exported storage entity is the target and the importing entity is the initiator. There are different modules available to set up the target:

  • The SCSI Target Framework (STGT/TGT) was the standard before Linux 2.6.38.
  • The iSCSI Enterprise Target (IET) is an old implementation; the SCSI Target Subsystem (SCST) is the successor of IET and was a possible candidate for kernel inclusion before the decision was made in favor of LIO.
  • The current standard is the LIO target.

SCST

SCST Architecture


  • The SCST core processes SCSI commands and routes them between target drivers and storage drivers.
  • Target drivers implement a SCSI transport protocol and communicate with the initiator system.
  • Storage drivers present local storage to the SCST core as a SCSI device. This can be a SCSI device, a block device, a file, or a RAID controller.
  • The scst_user driver allows a SCSI storage device to be implemented in a user-space process.

SCST supports two modes of access control:

  1. Target-oriented. In this mode you define, for each target, a default set of LUNs that is accessible to all initiators connected to that target. This is the regular access control mode that people usually mean when they think about access control in general. For instance, in IET this is the only supported mode.

  2. Initiator-oriented. In this mode you define which LUNs are accessible to each initiator. For each set of one or more initiators that should access the same set of devices under the same LUNs, you create a separate security group, then add to it the devices and the names of the allowed initiator(s).

iSCSI SCST target driver for access control

iSCSI-SCST is a deeply reworked fork of the iSCSI Enterprise Target (IET, http://iscsitarget.sourceforge.net). The reasons for the fork were:

  • To be able to use the full power of the SCST core.
  • To fix all the problems, corner-case issues and iSCSI standard violations that IET has.

iSCSI-SCST optionally lets you control the visibility and accessibility of your target and its portals (IP addresses) to remote initiators. This control covers both SendTargets discovery of the target's portals and regular LUN access.

This facility supersedes the obsolete initiators.allow / initiators.deny method, which is going to be removed in one of the future versions.

This facility is available only in the sysfs build of iSCSI-SCST.

LIO


Create a Backstore

First, create the underlying backstore device, here my_disk on the physical SCSI disk device /dev/vdd.

You can also create a second block backstore:
/backstores/block create my_disk2 /dev/vde


Create a target


Run /iscsi create; it creates a target with an automatically generated IQN.
You can also specify the target name (IQN) yourself.

targetcli creates the TPG, automatically assigns the next default TPG tag '1', and creates a default portal listening on all IPs (0.0.0.0), port 3260.
You can assign an IPv4 address to the TPG's portal to make it accessible to iSCSI initiators.

Define Access Control

Configure access control. Typically, this involves setting up ACLs with individual login information for each initiator. For a simple demo setup, allow access to all initiators without any authentication.

Create a second TPG in the same target

Create a LUN for the new tpg2


Define Access Control for tpg2


Here, enable secure sessions (CHAP login credentials) for the initiator identified by its IQN. After that, set the portals.
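The SCST section above describes target-oriented versus initiator-oriented access control, and the LIO walkthrough builds one TPG of each kind (tpg1 open to every initiator without authentication, tpg2 with a per-initiator ACL and CHAP). As an added example that is not part of the original post, the following Python script audits a saveconfig.json-style description of those two TPGs and computes which initiator can see which backstore. A TPG with generate_node_acls=1 behaves like SCST's target-oriented mode (one default LUN set visible to every initiator that logs in), while explicit node ACLs with mapped LUNs correspond to the initiator-oriented mode. The JSON key names are an assumption about the format rtslib/targetcli write to /etc/target/saveconfig.json; every IQN, device path and credential in the sample is constructed for this example.

```python
import json
from dataclasses import dataclass, field

# Constructed sample configuration. The layout follows what rtslib/targetcli write to
# /etc/target/saveconfig.json (key names are an assumption about that format; all IQNs,
# devices and the CHAP secret are made up for this example).
SAMPLE_SAVECONFIG = json.dumps({
    "storage_objects": [
        {"name": "my_disk", "plugin": "block", "dev": "/dev/vdd"},
        {"name": "my_disk2", "plugin": "block", "dev": "/dev/vde"},
    ],
    "targets": [{
        "fabric": "iscsi",
        "wwn": "iqn.2018-01.com.example:storage.target1",
        "tpgs": [
            {   # tpg1: the "simple demo setup" (no ACLs, no authentication)
                "tag": 1, "enable": True,
                "attributes": {"authentication": 0, "generate_node_acls": 1,
                               "demo_mode_write_protect": 0},
                "luns": [{"index": 0, "storage_object": "/backstores/block/my_disk"}],
                "node_acls": [],
                "portals": [{"ip_address": "0.0.0.0", "port": 3260}],
            },
            {   # tpg2: one ACL per initiator, CHAP required, explicit LUN mapping
                "tag": 2, "enable": True,
                "attributes": {"authentication": 1, "generate_node_acls": 0,
                               "demo_mode_write_protect": 1},
                "luns": [{"index": 0, "storage_object": "/backstores/block/my_disk2"}],
                "node_acls": [{
                    "node_wwn": "iqn.2018-01.com.example:client1",
                    "chap_userid": "client1", "chap_password": "example-secret",
                    "mapped_luns": [{"index": 0, "tpg_lun": 0, "write_protect": False}],
                }],
                "portals": [{"ip_address": "192.168.1.10", "port": 3260}],
            },
        ],
    }],
})

ANY_INITIATOR = "*"   # marker for "every initiator that manages to log in"


@dataclass
class TpgReport:
    target: str
    tag: int
    mode: str                                        # "target-oriented" or "initiator-oriented"
    visibility: dict = field(default_factory=dict)   # initiator IQN -> sorted list of visible backstores
    findings: list = field(default_factory=list)     # human-readable weak-setting notes


def audit_tpg(target_wwn: str, tpg: dict) -> TpgReport:
    """Work out who can see which LUN on one TPG and flag settings that widen access."""
    attrs = tpg.get("attributes", {})
    demo_mode = int(attrs.get("generate_node_acls", 0)) == 1
    luns = {lun["index"]: lun["storage_object"] for lun in tpg.get("luns", [])}
    report = TpgReport(target_wwn, int(tpg["tag"]),
                       "target-oriented" if demo_mode else "initiator-oriented")
    if demo_mode:
        # generate_node_acls=1: LIO synthesises an ACL for whoever logs in, exposing every TPG LUN.
        report.visibility[ANY_INITIATOR] = sorted(luns.values())
        report.findings.append("generate_node_acls=1: any initiator that logs in sees every LUN")
        if int(attrs.get("authentication", 0)) == 0:
            report.findings.append("authentication=0: logins are accepted without CHAP")
        if int(attrs.get("demo_mode_write_protect", 1)) == 0:
            report.findings.append("demo_mode_write_protect=0: dynamically admitted initiators get write access")
        if any(p.get("ip_address") in ("0.0.0.0", "::") for p in tpg.get("portals", [])):
            report.findings.append("portal bound to all interfaces: demo-mode LUNs reachable from every network")
    else:
        # generate_node_acls=0: only initiators with an explicit ACL may log in,
        # and each one sees only the LUNs mapped into its ACL.
        for acl in tpg.get("node_acls", []):
            mapped = [luns[m["tpg_lun"]] for m in acl.get("mapped_luns", []) if m["tpg_lun"] in luns]
            report.visibility[acl["node_wwn"]] = sorted(mapped)
            if int(attrs.get("authentication", 0)) == 1 and not (acl.get("chap_userid") and acl.get("chap_password")):
                report.findings.append(f"{acl['node_wwn']}: authentication=1 but no CHAP credentials, login will fail")
        if not tpg.get("node_acls"):
            report.findings.append("no ACLs with generate_node_acls=0: no initiator can log in")
    return report


def audit_saveconfig(text: str) -> list:
    """Audit every TPG of every target in a saveconfig.json document."""
    cfg = json.loads(text)
    return [audit_tpg(t["wwn"], tpg) for t in cfg.get("targets", []) for tpg in t.get("tpgs", [])]


def who_can_see(reports: list, storage_object: str) -> list:
    """Invert the per-TPG view: which initiators ('*' = anyone) can reach a given backstore."""
    return sorted({iqn for r in reports for iqn, objs in r.visibility.items() if storage_object in objs})


if __name__ == "__main__":
    reports = audit_saveconfig(SAMPLE_SAVECONFIG)
    for r in reports:
        print(f"{r.target} tpg{r.tag} [{r.mode}]")
        for iqn, objs in r.visibility.items():
            print(f"  {iqn}: {', '.join(objs)}")
        for note in r.findings:
            print(f"  ! {note}")
    print("my_disk reachable by:", who_can_see(reports, "/backstores/block/my_disk"))
```

On a real target the script would read /etc/target/saveconfig.json instead of the embedded sample; the useful output is the inverted view from who_can_see, which answers the question the SCST section raises for each mode: for a given backstore, exactly which initiators (or everyone, in demo mode) can reach it.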

Initiator

Discovery


Node


lsscsi



Reposted from blog.csdn.net/csnd_pan/article/details/79016430