iscsi&scrpts/rpc: Require to specify CHAP secret file explicitly to load it
Previous patches enabled users to configure CHAP secrets dynamically by RPCs. Subsequent patches will enable users to load CHAP secrets from JSON config file. Loading CHAP secret file is done by default and this will conflict to JSON config file. Hence the path to CHAP secret file is required to specify in the config file or JSON RPC set_iscsi_options explicitly after this patch. Users who have used CHAP secret file are expected to specify it explicitly and this will be no harm for them. Besides, CHAP secret file is not oly for discovery sessions but also for login to iSCSI targets. However there were wrong description to make user misunderstand. Hence remove these wrong description in this patch too. Change-Id: Ic4093cabc0c14b87e26baef4bba6b0d292e40c06 Signed-off-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com> Reviewed-on: https://review.gerrithub.io/421467 Tested-by: SPDK CI Jenkins <sys_sgci@intel.com> Chandler-Test-Pool: SPDK Automated Test System <sys_sgsw@intel.com> Reviewed-by: Jim Harris <james.r.harris@intel.com> Reviewed-by: Ben Walker <benjamin.walker@intel.com>
This commit is contained in:
Shuhei Matsumoto
Ben Walker
parent
aca4ba4dd1
commit
ad323b8064
10
CHANGELOG.md
10
CHANGELOG.md
@ -33,10 +33,12 @@ but will be removed in future release.
|
||||
been added to set CHAP authentication for discovery sessions and existing
|
||||
target nodes, respectively.
|
||||
|
||||
CHAP shared secret file is now loaded only once at startup. During run time
|
||||
CHAP shared secrets can be configured by new JSON RPCs `add_iscsi_auth_group`,
|
||||
`delete_iscsi_auth_group`, `add_secret_to_iscsi_auth_group`, and
|
||||
`delete_secret_from_iscsi_auth_group` instead.
|
||||
The SPDK iSCSI target supports an AuthFile which can be used to load CHAP
|
||||
shared secrets when the iSCSI target starts. SPDK previously provided a
|
||||
default location for this file (`/usr/local/etc/spdk/auth.conf`) if none was
|
||||
specified. This default has been removed. Users must now explicitly specify
|
||||
the location of this file to load CHAP shared secrets from a file, or use
|
||||
the related iSCSI RPC methods to add them at runtime.
|
||||
|
||||
## v18.07:
|
||||
|
||||
|
||||
@ -1771,7 +1771,7 @@ This RPC may only be called before SPDK subsystems have been initialized. This R
|
||||
|
||||
Name | Type | Description
|
||||
--------------------------- | --------| -----------
|
||||
auth_file | string | Path to CHAP shared secret file for discovery session (default: "/usr/local/etc/spdk/auth.conf")
|
||||
auth_file | string | Path to CHAP shared secret file (default: "")
|
||||
node_base | string | Prefix of the name of iSCSI target node (default: "iqn.2016-06.io.spdk")
|
||||
nop_timeout | number | Timeout in seconds to nop-in request to the initiator (default: 60)
|
||||
nop_in_interval | number | Time interval in secs between nop-in requests by the target (default: 30)
|
||||
@ -1790,6 +1790,8 @@ error_recovery_level | number | Session specific parameter, ErrorRecover
|
||||
allow_duplicated_isid | boolean | Allow duplicated initiator session ID (default: `false`)
|
||||
min_connections_per_core | number | Allocation unit of connections per core (default: 4)
|
||||
|
||||
To load CHAP shared secret file, its path is required to specify explicitly in the parameter `auth_file`.
|
||||
|
||||
Parameters `disable_chap` and `require_chap` are mutually exclusive. Parameters `no_discovery_auth`, `req_discovery_auth`, `req_discovery_auth_mutual`, and `discovery_auth_group` are still available instead of `disable_chap`, `require_chap`, `mutual_chap`, and `chap_group`, respectivey but will be removed in future releases.
|
||||
|
||||
### Example
|
||||
|
||||
@ -50,7 +50,6 @@
|
||||
|
||||
#define SPDK_ISCSI_BUILD_ETC "/usr/local/etc/spdk"
|
||||
#define SPDK_ISCSI_DEFAULT_CONFIG SPDK_ISCSI_BUILD_ETC "/iscsi.conf"
|
||||
#define SPDK_ISCSI_DEFAULT_AUTHFILE SPDK_ISCSI_BUILD_ETC "/auth.conf"
|
||||
#define SPDK_ISCSI_DEFAULT_NODEBASE "iqn.2016-06.io.spdk"
|
||||
|
||||
#define DEFAULT_MAXR2T 4
|
||||
|
||||
@ -62,7 +62,7 @@ static void *g_fini_cb_arg;
|
||||
" NodeBase \"%s\"\n" \
|
||||
"\n" \
|
||||
" # files\n" \
|
||||
" AuthFile %s\n" \
|
||||
" %s %s\n" \
|
||||
"\n" \
|
||||
" # socket I/O timeout sec. (polling is infinity)\n" \
|
||||
" Timeout %d\n" \
|
||||
@ -109,7 +109,9 @@ spdk_iscsi_globals_config_text(FILE *fp)
|
||||
}
|
||||
|
||||
fprintf(fp, ISCSI_CONFIG_TMPL,
|
||||
g_spdk_iscsi.nodebase, g_spdk_iscsi.authfile,
|
||||
g_spdk_iscsi.nodebase,
|
||||
g_spdk_iscsi.authfile ? "AuthFile" : "",
|
||||
g_spdk_iscsi.authfile ? g_spdk_iscsi.authfile : "",
|
||||
g_spdk_iscsi.timeout, authmethod, authgroup,
|
||||
g_spdk_iscsi.MaxSessions, g_spdk_iscsi.MaxConnectionsPerSession,
|
||||
g_spdk_iscsi.MaxConnections,
|
||||
@ -334,7 +336,8 @@ struct spdk_iscsi_pdu *spdk_get_pdu(void)
|
||||
static void
|
||||
spdk_iscsi_log_globals(void)
|
||||
{
|
||||
SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "AuthFile %s\n", g_spdk_iscsi.authfile);
|
||||
SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "AuthFile %s\n",
|
||||
g_spdk_iscsi.authfile ? g_spdk_iscsi.authfile : "(none)");
|
||||
SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "NodeBase %s\n", g_spdk_iscsi.nodebase);
|
||||
SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "MaxSessions %d\n", g_spdk_iscsi.MaxSessions);
|
||||
SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "MaxConnectionsPerSession %d\n",
|
||||
@ -622,14 +625,6 @@ spdk_iscsi_read_config_file_params(struct spdk_conf_section *sp,
|
||||
static int
|
||||
spdk_iscsi_opts_verify(struct spdk_iscsi_opts *opts)
|
||||
{
|
||||
if (!opts->authfile) {
|
||||
opts->authfile = strdup(SPDK_ISCSI_DEFAULT_AUTHFILE);
|
||||
if (opts->authfile == NULL) {
|
||||
SPDK_ERRLOG("strdup() failed for default authfile\n");
|
||||
return -ENOMEM;
|
||||
}
|
||||
}
|
||||
|
||||
if (!opts->nodebase) {
|
||||
opts->nodebase = strdup(SPDK_ISCSI_DEFAULT_NODEBASE);
|
||||
if (opts->nodebase == NULL) {
|
||||
@ -746,10 +741,12 @@ spdk_iscsi_set_global_params(struct spdk_iscsi_opts *opts)
|
||||
return rc;
|
||||
}
|
||||
|
||||
g_spdk_iscsi.authfile = strdup(opts->authfile);
|
||||
if (!g_spdk_iscsi.authfile) {
|
||||
SPDK_ERRLOG("failed to strdup for auth file %s\n", opts->authfile);
|
||||
return -ENOMEM;
|
||||
if (opts->authfile != NULL) {
|
||||
g_spdk_iscsi.authfile = strdup(opts->authfile);
|
||||
if (!g_spdk_iscsi.authfile) {
|
||||
SPDK_ERRLOG("failed to strdup for auth file %s\n", opts->authfile);
|
||||
return -ENOMEM;
|
||||
}
|
||||
}
|
||||
|
||||
g_spdk_iscsi.nodebase = strdup(opts->nodebase);
|
||||
@ -1260,14 +1257,16 @@ spdk_iscsi_parse_configuration(void *ctx)
|
||||
SPDK_ERRLOG("spdk_iscsi_parse_tgt_nodes() failed\n");
|
||||
}
|
||||
|
||||
if (access(g_spdk_iscsi.authfile, R_OK) == 0) {
|
||||
rc = spdk_iscsi_parse_auth_info();
|
||||
if (rc < 0) {
|
||||
SPDK_ERRLOG("spdk_iscsi_parse_auth_info() failed\n");
|
||||
if (g_spdk_iscsi.authfile != NULL) {
|
||||
if (access(g_spdk_iscsi.authfile, R_OK) == 0) {
|
||||
rc = spdk_iscsi_parse_auth_info();
|
||||
if (rc < 0) {
|
||||
SPDK_ERRLOG("spdk_iscsi_parse_auth_info() failed\n");
|
||||
}
|
||||
} else {
|
||||
SPDK_INFOLOG(SPDK_LOG_ISCSI, "CHAP secret file is not found in the path %s\n",
|
||||
g_spdk_iscsi.authfile);
|
||||
}
|
||||
} else {
|
||||
SPDK_INFOLOG(SPDK_LOG_ISCSI, "CHAP secret file is not found in the path %s\n",
|
||||
g_spdk_iscsi.authfile);
|
||||
}
|
||||
|
||||
end:
|
||||
@ -1389,7 +1388,9 @@ spdk_iscsi_opts_info_json(struct spdk_json_write_ctx *w)
|
||||
{
|
||||
spdk_json_write_object_begin(w);
|
||||
|
||||
spdk_json_write_named_string(w, "auth_file", g_spdk_iscsi.authfile);
|
||||
if (g_spdk_iscsi.authfile != NULL) {
|
||||
spdk_json_write_named_string(w, "auth_file", g_spdk_iscsi.authfile);
|
||||
}
|
||||
spdk_json_write_named_string(w, "node_base", g_spdk_iscsi.nodebase);
|
||||
|
||||
spdk_json_write_named_uint32(w, "max_sessions", g_spdk_iscsi.MaxSessions);
|
||||
|
||||
@ -509,7 +509,7 @@ if __name__ == "__main__":
|
||||
min_connections_per_core=args.min_connections_per_core)
|
||||
|
||||
p = subparsers.add_parser('set_iscsi_options', help="""Set options of iSCSI subsystem""")
|
||||
p.add_argument('-f', '--auth-file', help='Path to CHAP shared secret file for discovery session')
|
||||
p.add_argument('-f', '--auth-file', help='Path to CHAP shared secret file')
|
||||
p.add_argument('-b', '--node-base', help='Prefix of the name of iSCSI target node')
|
||||
p.add_argument('-o', '--nop-timeout', help='Timeout in seconds to nop-in request to the initiator', type=int)
|
||||
p.add_argument('-n', '--nop-in-interval', help='Time interval in secs between nop-in requests by the target', type=int)
|
||||
|
||||
@ -23,7 +23,7 @@ def set_iscsi_options(
|
||||
"""Set iSCSI target options.
|
||||
|
||||
Args:
|
||||
auth_file: Path to CHAP shared secret file for discovery session (optional)
|
||||
auth_file: Path to CHAP shared secret file (optional)
|
||||
node_base: Prefix of the name of iSCSI target node (optional)
|
||||
nop_timeout: Timeout in seconds to nop-in request to the initiator (optional)
|
||||
nop_in_interval: Time interval in secs between nop-in requests by the target (optional)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user