Exemplo n.º 1
0
/*
 * Find the portal for a given portal group
 */
static isns_object_t *
__isns_pg_find_portal(isns_db_t *db, isns_object_t *pg,
                      const isns_object_list_t *extra_objs)
{
    isns_attr_list_t key_attrs = ISNS_ATTR_LIST_INIT;
    isns_object_t	*obj = NULL;

    /* FIXME: ISNS_TAG_PG_PORTAL_IP_ADDR -> ...ADDRESS */
    if (!__isns_object_translate_attr(pg,
                                      ISNS_TAG_PG_PORTAL_IP_ADDR,
                                      ISNS_TAG_PORTAL_IP_ADDRESS,
                                      &key_attrs))
        goto out;
    if (!__isns_object_translate_attr(pg,
                                      ISNS_TAG_PG_PORTAL_TCP_UDP_PORT,
                                      ISNS_TAG_PORTAL_TCP_UDP_PORT,
                                      &key_attrs))
        goto out;

    obj = isns_db_lookup(db, &isns_portal_template, &key_attrs);
    if (!obj && extra_objs)
        obj = isns_object_list_lookup(extra_objs,
                                      &isns_portal_template, &key_attrs);

out:
    isns_attr_list_destroy(&key_attrs);
    return obj;
}
Exemplo n.º 2
0
/*
 * Get the next object identified by the operating attrs.
 */
static int
isns_deregistration_get_next_object(isns_db_t *db,
				struct isns_attr_list_scanner *st,
				isns_object_list_t *result)
{
	isns_object_t	*current;
	int		status;

	status = isns_attr_list_scanner_next(st);
	if (status)
		return status;

	/*
	 * 5.6.5.4.
	 * Valid Operating Attributes for DevDereg
	 * ---------------------------------------
	 *    Entity Identifier
	 *    Portal IP-Address & Portal TCP/UDP Port
	 *    Portal Index
	 *    iSCSI Name
	 *    iSCSI Index
	 *    FC Port Name WWPN
	 *    FC Node Name WWNN
	 *
	 * In other words, deregistration is restricted to Entity,
	 * portal, and node
	 */
	if (st->tmpl != &isns_entity_template
	 && st->tmpl != &isns_iscsi_node_template
	 && st->tmpl != &isns_portal_template)
		return ISNS_INVALID_DEREGISTRATION;

	/* Only key attrs allowed */
	if (st->attrs.ial_count) {
		/* MS Initiators send the Entity protocol along
		 * with the Entity Identifier. */
		isns_debug_protocol("Client included invalid operating attrs "
				"with %s:\n", st->tmpl->iot_name);
		isns_attr_list_print(&st->attrs, isns_debug_protocol);
		/* return ISNS_INVALID_DEREGISTRATION; */
	}

	/*
	 * 5.6.5.4
	 * Attempted deregistration of non-existing entries SHALL not
	 * be considered an isns_error.
	 */
	current = isns_db_lookup(db, st->tmpl, &st->keys);
	if (current != NULL) {
		isns_object_list_append(result, current);
		isns_object_release(current);
	}

	return ISNS_SUCCESS;
}
Exemplo n.º 3
0
/*
 * Look up the policy object given its SPI
 */
isns_object_t *
__isns_db_keystore_lookup(isns_db_keystore_t *store,
		const char *name, size_t namelen)
{
	isns_attr_list_t keys = ISNS_ATTR_LIST_INIT;
	char		namebuf[256];

	if (namelen >= sizeof(namebuf))
		return NULL;
	memcpy(namebuf, name, namelen);
	namebuf[namelen] = '\0';

	isns_attr_list_append_string(&keys,
			OPENISNS_TAG_POLICY_SPI,
			namebuf);
	return isns_db_lookup(store->sd_db, NULL, &keys);
}
Exemplo n.º 4
0
/*
 * Find the node for a given portal group
 */
static isns_object_t *
__isns_pg_find_node(isns_db_t *db, isns_object_t *pg,
                    const isns_object_list_t *extra_objs)
{
    isns_attr_list_t key_attrs = ISNS_ATTR_LIST_INIT;
    isns_object_t	*obj = NULL;

    if (!__isns_object_translate_attr(pg,
                                      ISNS_TAG_PG_ISCSI_NAME,
                                      ISNS_TAG_ISCSI_NAME,
                                      &key_attrs))
        goto out;

    obj = isns_db_lookup(db, &isns_iscsi_node_template, &key_attrs);
    if (!obj && extra_objs)
        obj = isns_object_list_lookup(extra_objs,
                                      &isns_iscsi_node_template, &key_attrs);

out:
    isns_attr_list_destroy(&key_attrs);
    return obj;
}
Exemplo n.º 5
0
static int
isns_registration_get_next_object(isns_db_t *db,
				struct isns_attr_list_scanner *st,
				isns_object_list_t *result)
{
	isns_object_t	*current;
	int		status, esi = 0;

	status = isns_attr_list_scanner_next(st);
	/* We get here if the registration has a trailing PGT */
	if (status == ISNS_NO_SUCH_ENTRY)
		return ISNS_SUCCESS;
	if (status)
		return status;

	/*
	 * Validate the attrlist.
	 * This makes sure the client does not include
	 * duplicate attributes, readonly attributes
	 * such as Registration Timestamp, Index and Next Index,
	 * or privileged data (such as marking a storage node as
	 * control node).
	 */
	status = isns_attr_list_validate(&st->attrs,
			st->policy,
			ISNS_DEVICE_ATTRIBUTE_REGISTER);
	if (status) {
		isns_debug_protocol("invalid attr in message\n");
		return status;
	}

	/*
	 * 6.3.4.  Entity Status Inquiry Interval
	 *
	 * If the iSNS server is unable to support ESI messages
	 * or the ESI Interval requested, it SHALL [...] reject
	 * the ESI request by returning an "ESI Not Available"
	 * Status Code [...]
	 *
	 * Implementer's note: In section 5.7.5.1, the RFC talks
	 * about modifying the requested ESI interval; so it seems
	 * it's okay to be liberal about the ESI intervals we accept,
	 * and update them quietly.
	 */
	if (isns_attr_list_contains(&st->attrs, ISNS_TAG_ESI_PORT)) {
		if (!isns_esi_enabled) {
			isns_debug_esi("Refusing to accept portal "
					"registration with ESI port\n");
			return ISNS_ESI_NOT_AVAILABLE;
		}
		esi = 1;
	}

	/*
	 * Override any registration period specified by the client.
	 */
	if (isns_attr_list_contains(&st->attrs, ISNS_TAG_REGISTRATION_PERIOD)) {
		isns_value_t value = ISNS_VALUE_INIT(uint32,
					isns_config.ic_registration_period);

		isns_attr_list_update_value(&st->attrs,
				ISNS_TAG_REGISTRATION_PERIOD, NULL,
				&value);
	}

	if (st->tmpl == &isns_entity_template) {
		/*
		 * 5.6.5.1.
		 * A maximum of one Network Entity object can be
		 * created or updated with a single DevAttrReg
		 * message.  Consequently, the Operating Attributes
		 * MUST NOT contain more than one Network Entity
		 * object.
		 */
		if (st->entities++) {
			isns_debug_protocol("More than one entity in DevAttrReg msg\n");
			return ISNS_INVALID_REGISTRATION;
		}

		/* This should be the key object.
		 * The EID specified by by the client may be
		 * empty, so don't overwrite the value we
		 * assigned with something else.
		 */
		if (!isns_object_match(st->key_obj, &st->keys)) {
			isns_debug_protocol("Entity mismatch in message vs. operating attrs\n");
			return ISNS_INVALID_REGISTRATION;
		}
		current = isns_object_get(st->key_obj);
	} else
	if (st->tmpl == &isns_dd_template || st->tmpl == &isns_ddset_template) {
		isns_debug_protocol("DevAttrReg of type %s not allowed\n",
				st->tmpl->iot_name);
		return ISNS_INVALID_REGISTRATION;
	} else {
		/* This will also catch objects in limbo. */
		current = isns_db_lookup(db, st->tmpl, &st->keys);
	}

	if (current != NULL) {
		/* 
		 * If the replace bit is not set, then the message updates
		 * the attributes of the object identified by the Message Key
		 * and its subordinate objects.  Existing object containment
		 * relationships MUST NOT be changed.  For existing objects,
		 * key attributes MUST NOT be modified, but new subordinate
		 * objects MAY be added.
		 */

		/*
		 * [...]
		 * If the Node identified by the Source Attribute is
		 * not a Control Node, then the objects in the operating
		 * attributes MUST be members of the same Network Entity
		 * as the Source Node.
		 */
		if (!isns_policy_validate_object_update(st->policy,
					st->source, current, &st->attrs,
					ISNS_DEVICE_ATTRIBUTE_REGISTER)) {
			isns_object_release(current);
			return ISNS_SOURCE_UNAUTHORIZED;
		}

		/* We shouldn't allow messages affecting one Entity
		 * to modify objects owned by a different Entity.
		 *
		 * However, there may be orphan objects (created
		 * while populating discovery domains). These will
		 * not be associated with any Network Entity, so
		 * they're up for grabs.
		 */
		if (st->key_obj == current
		 || st->key_obj == current->ie_container) {
			/* All is well. The current object is the
			 * key object itself, or a direct descendant of the
			 * key object. */
			/* FIXME: with FC we can get deeper nesting;
			 * this needs work. */
		} else
		if (!isns_object_is_valid_container(st->key_obj, st->tmpl)) {
			isns_error("Client attempts to add %s object to a %s - tsk tsk.\n",
					st->tmpl->iot_name,
					st->key_obj->ie_template->iot_name);
			goto invalid_registration;
		} else if (current->ie_container) {
			/* We shouldn't get here in authenticated mode,
			 * but in insecure mode we still may. */
			isns_error("Client attempts to move %s %u to a different %s\n",
					current->ie_template->iot_name,
					current->ie_index,
					st->key_obj->ie_template->iot_name);
			goto invalid_registration;
		}
	} else {
		if (!isns_object_is_valid_container(st->key_obj, st->tmpl)) {
			isns_error("Client attempts to add %s object to a %s - tsk tsk.\n",
					st->tmpl->iot_name,
					st->key_obj->ie_template->iot_name);
			goto invalid_registration;
		}

		if (!isns_policy_validate_object_creation(st->policy,
					st->source, st->tmpl,
					&st->keys, &st->attrs,
					ISNS_DEVICE_ATTRIBUTE_REGISTER)) {
			return ISNS_SOURCE_UNAUTHORIZED;
		}
		current = isns_create_object(st->tmpl, &st->keys,
				isns_object_get_entity(st->key_obj));

		/* We do not insert the new object into the database yet.
		 * That happens after we're done with parsing *all*
		 * objects. */
	}

	if (!isns_object_set_attrlist(current, &st->attrs)) {
		isns_debug_state("Error updating object's attrlist\n");
		isns_object_release(current);
		return ISNS_INTERNAL_ERROR;
	}

	/* If the client specifies an ESI port, make sure the
	 * ESI interval is set and within bounds. */
	if (esi) {
		uint32_t	esi_interval;

		if (!isns_object_get_uint32(current,
					ISNS_TAG_ESI_INTERVAL, &esi_interval)) {
			esi_interval = isns_config.ic_esi_min_interval;
		} else
		if (esi_interval < isns_config.ic_esi_min_interval) {
			esi_interval = isns_config.ic_esi_min_interval;
		} else
		if (esi_interval > isns_config.ic_esi_max_interval) {
			esi_interval = isns_config.ic_esi_max_interval;
		} else {
			esi_interval = 0;
		}

		if (esi_interval)
			isns_object_set_uint32(current,
					ISNS_TAG_ESI_INTERVAL, esi_interval);
	}

	/* Append it to the result list.
	 * We do not return the key object, otherwise
	 * we end up putting it into the response twice.
	 */
	if (current != st->key_obj)
		isns_object_list_append(result, current);

	/*
	 * When a Portal is registered, the Portal attributes MAY immediately be
	 * followed by a PGT attribute. 
	 * [...]
	 * When an iSCSI Storage Node is registered, the Storage Node attributes
	 * MAY immediately be followed by a PGT attribute.
	 */
	if (st->tmpl == &isns_portal_template
	 || st->tmpl == &isns_iscsi_node_template) {
		st->pgt_next_attr = ISNS_TAG_PG_TAG;
		st->pgt_base_object = current;
	} else if (st->tmpl != &isns_iscsi_pg_template) {
		st->pgt_next_attr = 0;
		st->pgt_base_object = NULL;
	}

	isns_object_release(current);
	return ISNS_SUCCESS;

invalid_registration:
	if (current)
		isns_object_release(current);
	return ISNS_INVALID_REGISTRATION;
}
Exemplo n.º 6
0
/*
 * Get the key object given in this message
 *
 * It doesn't say anywhere explicitly in the RFC, but
 * the message key can contain both key and non-key
 * attributes. For instance, you can search by
 * Portal Group Index (section 3.4).
 */
static int
isns_registration_get_key(isns_simple_t *reg, isns_db_t *db, isns_object_t **key_obj)
{
	isns_attr_list_t *keys = &reg->is_message_attrs;
	isns_attr_list_t dummy_keys = ISNS_ATTR_LIST_INIT;
	isns_attr_t	*attr;
	isns_object_t	*obj = NULL;
	const char	*eid = NULL;
	char		eidbuf[128];
	int		status = ISNS_SUCCESS;
	int		obj_must_exist = 0;

	/*
	 * 5.6.5.1
	 * If the Message Key is not present, then the DevAttrReg message
	 * implicitly registers a new Network Entity.  In this case,
	 * the replace bit SHALL be ignored; a new Network Entity SHALL
	 * be created.
	 *
	 * Note that some clients seem to leave the message key
	 * empty, but hide the entity identifier in the operating
	 * attrs.
	 */
	if (keys->ial_count != 0) {
		attr = keys->ial_data[0];

		/*
		 * 5.6.5.1
		 * If the Message Key does not contain an EID, and no
		 * pre-existing objects match the Message Key, then the
		 * DevAttrReg message SHALL be rejected with a status
		 * code of 3 (Invalid Registration).
		 */
		if (keys->ial_count != 1
		 || attr->ia_tag_id != ISNS_TAG_ENTITY_IDENTIFIER)
			obj_must_exist = 1;
	} else {
		/* Empty message key. But the client may have hidden
		 * the EID in the operating attrs :-/
		 */
		if (reg->is_operating_attrs.ial_count == 0)
			goto create_entity;

		attr = reg->is_operating_attrs.ial_data[0];
		if (attr->ia_tag_id != ISNS_TAG_ENTITY_IDENTIFIER)
			goto create_entity;

		isns_attr_list_append_attr(&dummy_keys, attr);
		keys = &dummy_keys;
	}

	/* If the caller specifies an EID, extract it while
	 * we know what we're doing :-) */
	if (attr->ia_tag_id == ISNS_TAG_ENTITY_IDENTIFIER
	 && ISNS_ATTR_IS_STRING(attr))
		eid = attr->ia_value.iv_string;

	/* Look up the object identified by the keys.
	 * We do not scope the lookup, as the client
	 * may want to add nodes to an entity that's
	 * currently empty - and hence not visible to
	 * any DD. */
	if (!ISNS_ATTR_IS_NIL(attr))
		obj = isns_db_lookup(db, NULL, keys);

	if (obj == NULL && obj_must_exist)
		goto err_invalid;

	if (obj != NULL) {
		/*
		 * Policy: verify that the client is permitted
		 * to access this object.
		 *
		 * This includes
		 *  -	the client node must be the object owner,
		 *	or a control node.
		 *  -	the policy must allow modification of
		 *	this object type.
		 */
		if (!isns_policy_validate_object_access(reg->is_policy,
					reg->is_source,
					obj, reg->is_function))
			goto err_unauthorized;

found_object:
		if (reg->is_replace) {
			isns_object_t *container = NULL;

			if (!ISNS_IS_ENTITY(obj)) {
				container = isns_object_get_entity(obj);
				if (container == NULL) {
					isns_error("Trying to replace %s (id %u) "
						   "which has no container\n",
						obj->ie_template->iot_name,
						obj->ie_index);
					goto err_invalid;
				}
			}

			isns_debug_state("Replacing %s (id %u)\n",
				obj->ie_template->iot_name,
				obj->ie_index);
			isns_db_remove(db, obj);
			isns_object_release(obj);

			/* Purge the deleted objects from the database now */
			isns_db_purge(db);

			/* We need to flush pending SCNs because the
			 * objects may be resurrected from limbo,
			 * and we might be looking at stale data. */
			isns_scn_transmit_all();

			/* It's an entity. Nuke it and create
			 * a new one. */
			if (container == NULL) {
				isns_source_set_entity(reg->is_source, NULL);
				goto create_entity;
			}

			obj = isns_object_get(container);
		}

		goto out;
	}

	/*
	 * If the Message Key contains an EID and no pre-existing objects
	 * match the Message Key, then the DevAttrReg message SHALL create a
	 * new Entity with the specified EID and any new object(s) specified
	 * by the Operating Attributes.  The replace bit SHALL be ignored.
	 *
	 * Implementer's note: the EID attribute may be empty, in which case
	 * we also create a new entity.
	 */

create_entity:
	if (!isns_policy_validate_object_creation(reg->is_policy,
				reg->is_source,
				&isns_entity_template, keys, NULL,
				reg->is_function))
		goto err_unauthorized;

	/*
	 * 5.6.5.1
	 * A registration message that creates a new Network Entity object
	 * MUST contain at least one Portal or one Storage Node.  If the
	 * message does not, then it SHALL be considered invalid and result
	 * in a response with Status Code of 3 (Invalid Registration).
	 */
	/* FIXME: Implement this check */

	/* We try to play nice with lazy clients and attempt to
	 * look up the network entity given the source name.
	 * But we don't do this if a non-NULL EID was given,
	 * because the client may explicitly want to specify more
	 * than one Network Entity.
	 */
	if (eid == NULL) {
		obj = reg->is_source->is_entity;
		if (obj != NULL) {
			isns_object_get(obj);
			goto found_object;
		}

		/* The policy may define a default entity name.
		 * If that is the case, use it.
		 */
		eid = isns_policy_default_entity(reg->is_policy);
		if (eid) {
			obj = isns_db_vlookup(db, &isns_entity_template,
					ISNS_TAG_ENTITY_IDENTIFIER, eid,
					0);
			if (obj) {
				reg->is_source->is_entity = isns_object_get(obj);
				goto found_object;
			}
		}
	}

	/*
	 * 5.6.5.1
	 * If the Message Key and Operating Attributes do not contain
	 * an EID attribute, or if the EID attribute has a length of 0,
	 * then a new Network Entity object SHALL be created and the iSNS
	 * server SHALL supply a unique EID value for it.
	 */
	if (eid == NULL)
		eid = isns_db_generate_eid(db, eidbuf, sizeof(eidbuf));

	/*
	 * 6.2.2.  Entity Protocol
	 *
	 * This attribute is required during initial registration of
	 * the Network Entity.
	 *
	 * Implementer's note: we don't rely on this. Instead, the
	 * Entity Protocol is selected based on the source type.
	 * If the client specifies the protocol, the auto-selected
	 * value is overwritten.
	 */
	obj = isns_create_entity_for_source(reg->is_source, eid);
	if (obj == NULL)
		goto err_invalid;

	isns_source_set_entity(reg->is_source, obj);

	/*
	 * 6.2.6
	 * If a Registration Period is not requested by the iSNS
	 * client and Entity Status Inquiry (ESI) messages are not
	 * enabled for that client, then the Registration Period
	 * SHALL be set to a non-zero value by the iSNS server.
	 * This implementation-specific value for the Registration
	 * Period SHALL be returned in the registration response to the
	 * iSNS client.  The Registration Period may be set to zero,
	 * indicating its non-use, only if ESI messages are enabled for
	 * that Network Entity.
	 *
	 * Implementer's note: we diverge from this in two ways:
	 *  -	the admin may choose to disable registration timeout,
	 *	by setting RegistrationPeriod=0 in the config file
	 *
	 *  -	When a new entity is created, we always set the
	 *	registration interval because we cannot know yet
	 *	whether the client will subsequently enable ESI or
	 *	not.
	 *
	 *  -	The control entity (holding policy objects) will
	 *	not expire.
	 */
	if (isns_config.ic_registration_period
	 && strcasecmp(eid, ISNS_ENTITY_CONTROL)) {
		isns_object_set_uint32(obj,
				ISNS_TAG_REGISTRATION_PERIOD,
				isns_config.ic_registration_period);
		isns_object_set_uint64(obj,
				ISNS_TAG_TIMESTAMP,
				time(NULL));
	}

	/* Insert into database, and set the object's owner */
	isns_db_insert(db, obj);

	reg->is_replace = 0;

out:
	*key_obj = obj;
	isns_attr_list_destroy(&dummy_keys);
	return ISNS_SUCCESS;

error:
	if (obj)
		isns_object_release(obj);
	isns_attr_list_destroy(&dummy_keys);
	return status;

err_unauthorized:
	status = ISNS_SOURCE_UNAUTHORIZED;
	goto error;

err_invalid:
	status = ISNS_INVALID_REGISTRATION;
	goto error;
}
Exemplo n.º 7
0
/*
 * Process a SCNDereg message
 */
int
isns_process_scn_deregistration(isns_server_t *srv, isns_simple_t *call, isns_simple_t **result)
{
	isns_attr_list_t *keys = &call->is_message_attrs;
	isns_db_t	*db = srv->is_db;
	isns_attr_t	*attr;
	isns_object_t	*node = NULL;
	int		status = ISNS_SUCCESS;

	/*
	 * 5.6.5.6
	 * The SCNDereg request message PDU Payload contains a Source Attribute
	 * and Message Key Attribute(s).  Valid Message Key Attributes for a
	 * SCNDereg are shown below:
	 *
	 *	  Valid Message Key Attributes for SCNDereg
	 *	  -----------------------------------------
	 *	   iSCSI Name
	 *	   FC Port Name WWPN
	 *
	 * There are no Operating Attributes in the SCNDereg message.
	 */

	if (keys->ial_count != 1)
		return ISNS_SCN_REGISTRATION_REJECTED;

	attr = keys->ial_data[0];
	if (attr->ia_tag_id != ISNS_TAG_ISCSI_NAME &&
	    attr->ia_tag_id != ISNS_TAG_FC_PORT_NAME_WWPN)
		return ISNS_SCN_REGISTRATION_REJECTED;

	/* Look up the storage node for this source. If it does
	 * not exist, reject the message. */
	node = isns_db_lookup(db, NULL, keys);
	if (node == NULL)
		return ISNS_SUCCESS;

	/*
	 * Policy: verify that the client is permitted
	 * to access this entity.
	 *
	 * This includes
	 *  -	the client node must be the object owner,
	 *	or a control node.
	 *  -	the policy must allow monitoring of
	 *	this object type.
	 */
	if (!isns_policy_validate_object_access(call->is_policy,
				call->is_source,
				node, call->is_function))
		goto unauthorized;

	isns_object_set_scn_mask(node, 0);
	isns_scn_delete_scn(node);

	*result = isns_simple_create(ISNS_SCN_DEREGISTER, srv->is_source, NULL);
	status = ISNS_SUCCESS;

out:
	if (node)
		isns_object_release(node);

	return status;

unauthorized:
	status = ISNS_SOURCE_UNAUTHORIZED;
	goto out;
}
Exemplo n.º 8
0
/*
 * Process a SCN registration
 */
int
isns_process_scn_register(isns_server_t *srv, isns_simple_t *call, isns_simple_t **result)
{
	isns_attr_list_t *keys = &call->is_message_attrs;
	isns_attr_list_t *attrs = &call->is_operating_attrs;
	isns_db_t	*db = srv->is_db;
	isns_attr_t	*attr;
	isns_object_t	*node = NULL;
	uint32_t	scn_bitmap;
	isns_scn_t	*scn;
	int		status = ISNS_SUCCESS;

	/*
	 * 5.6.5.5
	 * The SCNReg request PDU Payload contains a Source Attribute, a Message
	 * Key Attribute, and an Operating Attribute.  Valid Message Key
	 * Attributes for a SCNReg are shown below:
	 *
	 * Valid Message Key Attributes for SCNReg
	 * ---------------------------------------
	 *  iSCSI Name
	 *  FC Port Name WWPN
	 */
	if (keys->ial_count != 1 || attrs->ial_count != 1)
		return ISNS_SCN_REGISTRATION_REJECTED;

	attr = keys->ial_data[0];
	if (attr->ia_tag_id != ISNS_TAG_ISCSI_NAME &&
	    attr->ia_tag_id != ISNS_TAG_FC_PORT_NAME_WWPN)
		return ISNS_SCN_REGISTRATION_REJECTED;

	/* Look up the storage node for this source. If it does
	 * not exist, reject the message. */
	node = isns_db_lookup(db, NULL, keys);
	if (node == NULL)
		return ISNS_SOURCE_UNKNOWN;

	/*
	 * Policy: verify that the client is permitted
	 * to access this entity.
	 *
	 * This includes
	 *  -	the client node must be the object owner,
	 *	or a control node.
	 *  -	the policy must allow monitoring of
	 *	this object type.
	 */
	if (!isns_policy_validate_object_access(call->is_policy,
				call->is_source,
				node, call->is_function))
		goto unauthorized;

	/*
	 * 5.6.5.5
	 * The SCN Bitmap is the only operating attribute of this message
	 * [...]
	 * Control Nodes MAY conduct registrations for management SCNs;
	 * iSNS clients that are not supporting Control Nodes MUST NOT
	 * conduct registrations for management SCNs.
	 *
	 * Implementer's note: for iFCP sources, we should check for
	 * ISNS_TAG_IFCP_SCN_BITMAP.
	 */
	attr = attrs->ial_data[0];
	if (attr->ia_tag_id != ISNS_TAG_ISCSI_SCN_BITMAP
	 || !ISNS_ATTR_IS_UINT32(attr))
		goto rejected;

	scn_bitmap = attr->ia_value.iv_uint32;
	if (!isns_policy_validate_scn_bitmap(call->is_policy, scn_bitmap))
		goto unauthorized;

	/*
	 * 5.6.5.5
	 * If no SCN Port fields of any Portals of the Storage Node are
	 * registered to receive SCN messages, then the SCNReg message SHALL
	 * be rejected with Status Code 17 (SCN Registration Rejected).
	 */
	if (!(scn = isns_scn_create_scn(node, scn_bitmap, db)))
		goto rejected;

	*result = isns_simple_create(ISNS_SCN_REGISTER, srv->is_source, NULL);
	status = ISNS_SUCCESS;

out:
	if (node)
		isns_object_release(node);

	return status;

rejected:
	status = ISNS_SCN_REGISTRATION_REJECTED;
	goto out;

unauthorized:
	status = ISNS_SOURCE_UNAUTHORIZED;
	goto out;
}