[libvirt] [PATCH 06/11] storage: Support "chap" authentication for iscsi pool
John Ferlan
jferlan at redhat.com
Thu Jun 6 16:31:01 UTC 2013
On 05/28/2013 02:39 AM, Osier Yang wrote:
> Though the XML for "chap" authentication with plain "password"
> was introduced long ago, the function was never implemented.
> This patch completes it.
>
> There are two types of CHAP configurations supported for iSCSI
> authentication:
> * Initiator Authentication
> Forward, one-way; The initiator is authenticated by the target.
>
> * Target Authentication
> Reverse, Bi-directional, mutual, two-way; The target is authenticated
> by the initiator; This method also requires Initiator Authentication
>
> This only supports the "Initiator Authentication". (I don't have any
> enterprise iSCSI env for testing, only have a iSCSI target setup with
> tgtd, which doesn't support "Target Authentication").
>
> "Discovery authentication" is not supported by tgt yet too. So this only
> setup the session authentication by executing 3 iscsiadm commands, E.g:
>
> % iscsiadm -m node --target "iqn.2013-05.test:iscsi.foo" --name \
> "node.session.auth.authmethod" -v "CHAP" --op update
>
> % iscsiadm -m node --target "iqn.2013-05.test:iscsi.foo" --name \
> "node.session.auth.username" -v "Jim" --op update
>
> % iscsiadm -m node --target "iqn.2013-05.test:iscsi.foo" --name \
> "node.session.auth.password" -v "Jimsecret" --op update
> ---
> src/storage/storage_backend_iscsi.c | 68 +++++++++++++++++++++++++++++++++++++
> 1 file changed, 68 insertions(+)
>
> diff --git a/src/storage/storage_backend_iscsi.c b/src/storage/storage_backend_iscsi.c
> index ad38ab2..6a17b5a 100644
> --- a/src/storage/storage_backend_iscsi.c
> +++ b/src/storage/storage_backend_iscsi.c
> @@ -713,6 +713,68 @@ virStorageBackendISCSICheckPool(virConnectPtr conn ATTRIBUTE_UNUSED,
> return ret;
> }
>
> +static int
> +virStorageBackendISCSINodeUpdate(const char *portal,
> + const char *target,
> + const char *name,
> + const char *value)
> +{
> + virCommandPtr cmd = NULL;
> + int status;
> + int ret = -1;
> +
> + cmd = virCommandNewArgList(ISCSIADM,
> + "--mode", "node",
> + "--portal", portal,
> + "--target", target,
> + "--op", "update",
> + "--name", name,
> + "--value", value,
> + NULL);
> +
> + if (virCommandRun(cmd, &status) < 0) {
> + virReportError(VIR_ERR_INTERNAL_ERROR,
> + _("Failed to update '%s' of node mode for target '%s'"),
> + name, target);
> + goto cleanup;
> + }
> +
> + ret = 0;
> +cleanup:
> + virCommandFree(cmd);
> + return ret;
> +}
> +
> +static int
> +virStorageBackendISCSISetAuth(virStoragePoolDefPtr def,
> + const char *portal,
[1] Any reason to not pass portal first like other API's? Not that matters..
> + const char *target)
> +{
> + if (def->source.authType == VIR_STORAGE_POOL_AUTH_NONE)
> + return 0;
> +
> + if (def->source.authType != VIR_STORAGE_POOL_AUTH_CHAP) {
> + virReportError(VIR_ERR_XML_ERROR, "%s",
> + _("iscsi pool only supports 'chap' auth type"));
> + return -1;
> + }
> +
> + if (virStorageBackendISCSINodeUpdate(portal,
> + target,
> + "node.session.auth.authmethod",
> + "CHAP") < 0 ||
> + virStorageBackendISCSINodeUpdate(portal,
> + target,
> + "node.session.auth.username",
> + def->source.auth.chap.login) < 0 ||
> + virStorageBackendISCSINodeUpdate(portal,
> + target,
> + "node.session.auth.password",
> + def->source.auth.chap.u.passwd) < 0)
In 04/11, you added def->source.auth.type setting/checking which I don't
see here... Or is there some magic happening where auth.u.secret can
take the place of passwd...
> + return -1;
> +
> + return 0;
> +}
>
> static int
> virStorageBackendISCSIStartPool(virConnectPtr conn ATTRIBUTE_UNUSED,
> @@ -745,6 +807,7 @@ virStorageBackendISCSIStartPool(virConnectPtr conn ATTRIBUTE_UNUSED,
> if ((session = virStorageBackendISCSISession(pool, 1)) == NULL) {
> if ((portal = virStorageBackendISCSIPortal(&pool->def->source)) == NULL)
> goto cleanup;
> +
> /*
> * iscsiadm doesn't let you login to a target, unless you've
> * first issued a 'sendtargets' command to the portal :-(
> @@ -754,6 +817,11 @@ virStorageBackendISCSIStartPool(virConnectPtr conn ATTRIBUTE_UNUSED,
> NULL, NULL) < 0)
> goto cleanup;
>
> + if (virStorageBackendISCSISetAuth(pool->def,
> + portal,
[1] Why not follow other code which passes portal first... Also why pass
pool->def and pool->def->source.devices[0].path - it's not like you
couldn't grab "source.devices[0].path" from the passed pool->def
John
> + pool->def->source.devices[0].path) < 0)
> + goto cleanup;
> +
> if (virStorageBackendISCSIConnection(portal,
> pool->def->source.initiator.iqn,
> pool->def->source.devices[0].path,
>
More information about the libvir-list
mailing list