Access Controls -- "Grant All" and "default LUN Map"

hafner at almaden.ibm.com
Mon Apr 17 15:11:40 PDT 2000


* From the T10 Reflector (t10 at t10.org), posted by:
* hafner at almaden.ibm.com
*


Folks,

Some questions arose at the last teleconf (4/12) which I initially
thought would be easy to deal with but have caused me some
consternation when trying to make the revisions.  Here's the first one.

"Grant All" and "default LUN Map":

I had originally anticipated that PAM could grant an initiator access to
ALL logical units with a default LUN Map with a simple "Grant All" page
in the MANAGE ACL and PAM could get a report on this (in REPORT ACL)
with "Granted All" page format. Both of these page formats only require
an initiator identifier, as the presumed LUN Map would be pre-determined.
The "ALL logical units" and "default LUN Map" were meant to be all
configured logical units as would be seen by every initiator in the absence
of access controls (i.e., if the target was unconstrained by access
controls).

Then Charles Binford suggested that this might be too generous.
Namely, there might be logical units which aren't accessible even in
the absence of access controls.  So, I said that we could change the
wording from "Grant All" to "Grant Default" or some such.   Now comes
the rub:
    How does PAM determine what logical units would be accessible
    in this "grant all" or "no-access controls state", short of
    a) disabling access controls
    b) doing logical unit discovery
    c) reestablishing the access controls?

One solution is to make the Grant All page for MANAGE ACL optional.
Then it need only be supported if in fact ALL logical units can be seen
in the unconstrained state.

An alternative is to add a field to the Logical Unit Descriptor format
(table 12 of 99-245r7) of the REPORT LU DESCRIPTORS which would indicate
that the particular logical unit described would appear in the
unconstrained state (and so also in a Grant Default for some initiator).

Anybody have any thoughts?

Jim Hafner

