On Sat, 2013-09-14 at 10:54 +0200, Thomas Glanzmann wrote: > Hello Nab, > > > So while when discovery authentication is disabled, any initiator can > > obtain the list of targets through sendtargets discovery, but default, > > they are *not* allowed to login to any target endpoint without an > > explicit NodeACL, nor without per NodeACL CHAP authentication > > credentials. > > I have the same problem as Ben. I don't want to enable discovery > authentication but at the same time I want that only targets are > discovered that are either in demo mode or have at least one LUN with a > node acl presented. Are you willing to add such a feature to the code, > if so would you prefer to write a patch by yourself or should I do a > proposal? > I'm open to accepting a patch for this.. However, I'd prefer to keep the default action of being able to perform sendtargets discovery of all TargetNames, regardless of these changes. So that said, I'm thinking the patch should include a new TPG attribute that allows the endpoint to be hidden from sendtargets discovery unless a valid NodeACL exists for the connected InitiatorName. This TPG attribute will be disabled by default, and can be enabled by admin on a endpoint by endpoint basis. If enabled + generate_node_acls=0 (eg: demo mode dislabed), the discovery logic should walk through the list of NodeACLs for a given TargetName+TargetPortalGroupTag endpoint, looking for match. If a match is found then TargetName + Portals will be returned. FYI, iscsit_build_sendtargets_response() is already a bit convoluted as is, so I'll expect a patch to add this type of functionality to pretty up the existing code as well. --nab -- To unsubscribe from this list: send the line "unsubscribe target-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
