iscsi: Replace "ALL" by "ANY" for access control

In the access control of the iSCSI target, "ALL" is used to allow
ANY IP address-port pair or iSCSI name of initiators. However, iSCSI
targets cannot know ALL initiators beforehand.

Hence "ANY" will be better than "ALL" and will avoid misunderstanding.

Comments and iscsi_tgt test code are also changed and UT code is added.

Change-Id: Id004d819df6e9ee89f6c1db2e4b4c149be062733
Signed-off-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Reviewed-on: https://review.gerrithub.io/385168
Tested-by: SPDK Automated Test System <sys_sgsw@intel.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: Daniel Verkamp <daniel.verkamp@intel.com>
Shuhei Matsumoto 2017-11-29 14:51:23 +09:00 committed by Jim Harris
parent 42e0a6531f
commit eee268fea8
18 changed files with 109 additions and 20 deletions


@ -76,7 +76,7 @@
# Netmask 192.168.1.20 <== single IP address # Netmask 192.168.1.20 <== single IP address
# Netmask 192.168.1.0/24 <== IP range 192.168.1.* # Netmask 192.168.1.0/24 <== IP range 192.168.1.*
[InitiatorGroup1] [InitiatorGroup1]
InitiatorName ALL InitiatorName ANY
Netmask 192.168.2.0/24 Netmask 192.168.2.0/24
# NVMe configuration options # NVMe configuration options


@ -84,6 +84,7 @@ static int
spdk_iscsi_init_grp_add_initiator(struct spdk_iscsi_init_grp *ig, char *name) spdk_iscsi_init_grp_add_initiator(struct spdk_iscsi_init_grp *ig, char *name)
{ {
struct spdk_iscsi_initiator_name *iname; struct spdk_iscsi_initiator_name *iname;
char *p;
if (ig->ninitiators >= MAX_INITIATOR) { if (ig->ninitiators >= MAX_INITIATOR) {
SPDK_ERRLOG("> MAX_INITIATOR(=%d) is not allowed\n", MAX_INITIATOR); SPDK_ERRLOG("> MAX_INITIATOR(=%d) is not allowed\n", MAX_INITIATOR);
@ -106,6 +107,14 @@ spdk_iscsi_init_grp_add_initiator(struct spdk_iscsi_init_grp *ig, char *name)
return -ENOMEM; return -ENOMEM;
} }
/* Replace "ALL" by "ANY" if set */
p = strstr(iname->name, "ALL");
if (p != NULL) {
SPDK_WARNLOG("Please use \"%s\" instead of \"%s\"\n", "ANY", "ALL");
SPDK_WARNLOG("Converting \"%s\" to \"%s\" automatically\n", "ALL", "ANY");
strncpy(p, "ANY", 3);
}
TAILQ_INSERT_TAIL(&ig->initiator_head, iname, tailq); TAILQ_INSERT_TAIL(&ig->initiator_head, iname, tailq);
ig->ninitiators++; ig->ninitiators++;
@ -181,6 +190,7 @@ static int
spdk_iscsi_init_grp_add_netmask(struct spdk_iscsi_init_grp *ig, char *mask) spdk_iscsi_init_grp_add_netmask(struct spdk_iscsi_init_grp *ig, char *mask)
{ {
struct spdk_iscsi_initiator_netmask *imask; struct spdk_iscsi_initiator_netmask *imask;
char *p;
if (ig->nnetmasks >= MAX_NETMASK) { if (ig->nnetmasks >= MAX_NETMASK) {
SPDK_ERRLOG("> MAX_NETMASK(=%d) is not allowed\n", MAX_NETMASK); SPDK_ERRLOG("> MAX_NETMASK(=%d) is not allowed\n", MAX_NETMASK);
@ -203,6 +213,14 @@ spdk_iscsi_init_grp_add_netmask(struct spdk_iscsi_init_grp *ig, char *mask)
return -ENOMEM; return -ENOMEM;
} }
/* Replace "ALL" by "ANY" if set */
p = strstr(imask->mask, "ALL");
if (p != NULL) {
SPDK_WARNLOG("Please use \"%s\" instead of \"%s\"\n", "ANY", "ALL");
SPDK_WARNLOG("Converting \"%s\" to \"%s\" automatically\n", "ALL", "ANY");
strncpy(p, "ANY", 3);
}
TAILQ_INSERT_TAIL(&ig->netmask_head, imask, tailq); TAILQ_INSERT_TAIL(&ig->netmask_head, imask, tailq);
ig->nnetmasks++; ig->nnetmasks++;
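Review bot: The `strstr(iname->name, "ALL")` conversion in spdk_iscsi_init_grp_add_initiator rewrites the first "ALL" found anywhere in the entry, so an initiator name that merely contains those letters is stored as a different name from the one the administrator configured, and the access list then neither allows nor denies the intended initiator. The same pattern is repeated on `imask->mask` in spdk_iscsi_init_grp_add_netmask. Compare the whole token instead, skipping an optional leading `!`: `p = iname->name + (iname->name[0] == '!');`, `if (strcasecmp(p, "ALL") == 0) {`, and use `memcpy(p, "ANY", 3);` in place of `strncpy`, whose deliberately unterminated three-byte copy reads like a bug. Whether netmask entries accept a `!` prefix is not visible here, so the netmask variant may only need `strcasecmp(imask->mask, "ALL") == 0`. Both function bodies start and end outside the hunks shown.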


@ -198,12 +198,12 @@ spdk_iscsi_tgt_node_access(struct spdk_iscsi_conn *conn,
TAILQ_FOREACH(iname, &igp->initiator_head, tailq) { TAILQ_FOREACH(iname, &igp->initiator_head, tailq) {
/* denied if iqn is matched */ /* denied if iqn is matched */
if ((iname->name[0] == '!') if ((iname->name[0] == '!')
&& (strcasecmp(&iname->name[1], "ALL") == 0 && (strcasecmp(&iname->name[1], "ANY") == 0
|| strcasecmp(&iname->name[1], iqn) == 0)) { || strcasecmp(&iname->name[1], iqn) == 0)) {
goto denied; goto denied;
} }
/* allowed if iqn is matched */ /* allowed if iqn is matched */
if (strcasecmp(iname->name, "ALL") == 0 if (strcasecmp(iname->name, "ANY") == 0
|| strcasecmp(iname->name, iqn) == 0) { || strcasecmp(iname->name, iqn) == 0) {
/* iqn is allowed, then check netmask */ /* iqn is allowed, then check netmask */
TAILQ_FOREACH(imask, &igp->netmask_head, tailq) { TAILQ_FOREACH(imask, &igp->netmask_head, tailq) {
@ -240,11 +240,11 @@ spdk_iscsi_tgt_node_visible(struct spdk_iscsi_tgt_node *target, const char *iqn)
igp = target->map[i].ig; igp = target->map[i].ig;
TAILQ_FOREACH(iname, &igp->initiator_head, tailq) { TAILQ_FOREACH(iname, &igp->initiator_head, tailq) {
if ((iname->name[0] == '!') if ((iname->name[0] == '!')
&& (strcasecmp(&iname->name[1], "ALL") == 0 && (strcasecmp(&iname->name[1], "ANY") == 0
|| strcasecmp(&iname->name[1], iqn) == 0)) { || strcasecmp(&iname->name[1], iqn) == 0)) {
return false; return false;
} }
if (strcasecmp(iname->name, "ALL") == 0 if (strcasecmp(iname->name, "ANY") == 0
|| strcasecmp(iname->name, iqn) == 0) { || strcasecmp(iname->name, iqn) == 0) {
return true; return true;
} }
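Review bot: Dropping "ALL" from these `strcasecmp` tests changes the meaning of entries that were never converted: the add-time rewrite shown for this commit uses a case-sensitive `strstr(..., "ALL")`, so an entry stored as `all` or `!all`, which the old case-insensitive comparison treated as the wildcard, is now matched only as a literal name. For `!all` that means the deny rule in spdk_iscsi_tgt_node_access and spdk_iscsi_tgt_node_visible stops firing, and a later allow entry may then admit the initiator. Either make the conversion case-insensitive or keep the legacy spelling accepted here for a deprecation period, e.g. `strcasecmp(&iname->name[1], "ANY") == 0 || strcasecmp(&iname->name[1], "ALL") == 0`. Both functions begin and end outside the hunks shown.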


@ -447,7 +447,7 @@ def add_initiator_group(args):
p = subparsers.add_parser('add_initiator_group', help='Add an initiator group') p = subparsers.add_parser('add_initiator_group', help='Add an initiator group')
p.add_argument('tag', help='Initiator group tag (unique, integer > 0)', type=int) p.add_argument('tag', help='Initiator group tag (unique, integer > 0)', type=int)
p.add_argument('initiator_list', help="""Whitespace-separated list of initiator hostnames or IP addresses, p.add_argument('initiator_list', help="""Whitespace-separated list of initiator hostnames or IP addresses,
enclosed in quotes. Example: 'ALL' or '127.0.0.1 192.168.200.100'""") enclosed in quotes. Example: 'ANY' or '127.0.0.1 192.168.200.100'""")
p.add_argument('netmask_list', help="""Whitespace-separated list of initiator netmasks enclosed in quotes. p.add_argument('netmask_list', help="""Whitespace-separated list of initiator netmasks enclosed in quotes.
Example: '255.255.0.0 255.248.0.0' etc""") Example: '255.255.0.0 255.248.0.0' etc""")
p.set_defaults(func=add_initiator_group) p.set_defaults(func=add_initiator_group)


@ -14,7 +14,7 @@ timing_enter calsoft
# iSCSI target configuration # iSCSI target configuration
PORT=3260 PORT=3260
INITIATOR_TAG=2 INITIATOR_TAG=2
INITIATOR_NAME=ALL INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32 NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=64 MALLOC_BDEV_SIZE=64
MALLOC_BLOCK_SIZE=512 MALLOC_BLOCK_SIZE=512


@ -17,7 +17,7 @@ $rootdir/scripts/gen_nvme.sh >> $testdir/iscsi.conf
# iSCSI target configuration # iSCSI target configuration
PORT=3260 PORT=3260
INITIATOR_TAG=2 INITIATOR_TAG=2
INITIATOR_NAME=ALL INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32 NETMASK=$INITIATOR_IP/32
rpc_py="python $rootdir/scripts/rpc.py" rpc_py="python $rootdir/scripts/rpc.py"


@ -10,7 +10,7 @@ timing_enter filesystem
# iSCSI target configuration # iSCSI target configuration
PORT=3260 PORT=3260
INITIATOR_TAG=2 INITIATOR_TAG=2
INITIATOR_NAME=ALL INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32 NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=256 MALLOC_BDEV_SIZE=256
MALLOC_BLOCK_SIZE=512 MALLOC_BLOCK_SIZE=512


@ -49,7 +49,7 @@ cp $testdir/iscsi.conf.in $testdir/iscsi.conf
# iSCSI target configuration # iSCSI target configuration
PORT=3260 PORT=3260
INITIATOR_TAG=2 INITIATOR_TAG=2
INITIATOR_NAME=ALL INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32 NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=64 MALLOC_BDEV_SIZE=64
MALLOC_BLOCK_SIZE=4096 MALLOC_BLOCK_SIZE=4096


@ -5,7 +5,7 @@ rootdir=$(readlink -f $(dirname $0))/../../..
rpc_py=$rootdir/scripts/rpc.py rpc_py=$rootdir/scripts/rpc.py
"$rpc_py" add_initiator_group 1 "ALL" "127.0.0.1/32" "$rpc_py" add_initiator_group 1 "ANY" "127.0.0.1/32"
"$rpc_py" add_portal_group 1 '127.0.0.1:3260' "$rpc_py" add_portal_group 1 '127.0.0.1:3260'
for i in $(seq 0 15); do for i in $(seq 0 15); do


@ -23,7 +23,7 @@ function kill_all_iscsi_target() {
function rpc_config() { function rpc_config() {
# $1 = RPC server address # $1 = RPC server address
# $2 = Netmask # $2 = Netmask
$rpc_py -s $1 add_initiator_group 1 ALL $2 $rpc_py -s $1 add_initiator_group 1 ANY $2
$rpc_py -s $1 construct_malloc_bdev 64 512 $rpc_py -s $1 construct_malloc_bdev 64 512
} }
function rpc_add_ip() { function rpc_add_ip() {


@ -13,7 +13,7 @@ timing_enter iscsi_lvol
# iSCSI target configuration # iSCSI target configuration
PORT=3260 PORT=3260
INITIATOR_TAG=2 INITIATOR_TAG=2
INITIATOR_NAME=ALL INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32 NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=128 MALLOC_BDEV_SIZE=128
MALLOC_BLOCK_SIZE=512 MALLOC_BLOCK_SIZE=512


@ -55,7 +55,7 @@ timing_exit start_iscsi_tgt
echo "Creating an iSCSI target node." echo "Creating an iSCSI target node."
$rpc_py -s "$iscsi_rpc_addr" add_portal_group 1 $TARGET_IP:$ISCSI_PORT $rpc_py -s "$iscsi_rpc_addr" add_portal_group 1 $TARGET_IP:$ISCSI_PORT
$rpc_py -s "$iscsi_rpc_addr" add_initiator_group 1 ALL $INITIATOR_IP/32 $rpc_py -s "$iscsi_rpc_addr" add_initiator_group 1 ANY $INITIATOR_IP/32
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
$rpc_py -s "$iscsi_rpc_addr" construct_nvme_bdev -b "Nvme0" -t "rdma" -f "ipv4" -a $NVMF_FIRST_TARGET_IP -s $NVMF_PORT -n nqn.2016-06.io.spdk:cnode1 $rpc_py -s "$iscsi_rpc_addr" construct_nvme_bdev -b "Nvme0" -t "rdma" -f "ipv4" -a $NVMF_FIRST_TARGET_IP -s $NVMF_PORT -n nqn.2016-06.io.spdk:cnode1
fi fi


@ -14,7 +14,7 @@ RUNTIME=$2
PMEM_BDEVS="" PMEM_BDEVS=""
PORT=3260 PORT=3260
INITIATOR_TAG=2 INITIATOR_TAG=2
INITIATOR_NAME=ALL INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32 NETMASK=$INITIATOR_IP/32
PMEM_SIZE=128 PMEM_SIZE=128
PMEM_BLOCK_SIZE=512 PMEM_BLOCK_SIZE=512


@ -15,7 +15,7 @@ timing_enter rbd
# iSCSI target configuration # iSCSI target configuration
PORT=3260 PORT=3260
INITIATOR_TAG=2 INITIATOR_TAG=2
INITIATOR_NAME=ALL INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32 NETMASK=$INITIATOR_IP/32
rpc_py="python $rootdir/scripts/rpc.py" rpc_py="python $rootdir/scripts/rpc.py"


@ -12,7 +12,7 @@ timing_enter reset
# iSCSI target configuration # iSCSI target configuration
PORT=3260 PORT=3260
INITIATOR_TAG=2 INITIATOR_TAG=2
INITIATOR_NAME=ALL INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32 NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=64 MALLOC_BDEV_SIZE=64
MALLOC_BLOCK_SIZE=512 MALLOC_BLOCK_SIZE=512


@ -14,7 +14,7 @@ netmask = ('127.0.0.1', '127.0.0.0')
rpc_param = { rpc_param = {
'target_ip': '127.0.0.1', 'target_ip': '127.0.0.1',
'port': 3260, 'port': 3260,
'initiator_name': 'ALL', 'initiator_name': 'ANY',
'netmask': netmask, 'netmask': netmask,
'lun_total': 3, 'lun_total': 3,
'malloc_bdev_size': 64, 'malloc_bdev_size': 64,


@ -10,7 +10,7 @@ timing_enter rpc_config
# iSCSI target configuration # iSCSI target configuration
PORT=3260 PORT=3260
INITIATOR_TAG=2 INITIATOR_TAG=2
INITIATOR_NAME=ALL INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32 NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=64 MALLOC_BDEV_SIZE=64


@ -377,6 +377,74 @@ delete_all_netmasks_success_case(void)
spdk_iscsi_init_grp_destroy(ig); spdk_iscsi_init_grp_destroy(ig);
} }
static void
initiator_name_overwrite_all_to_any_case(void)
{
int rc;
struct spdk_iscsi_init_grp *ig;
struct spdk_iscsi_initiator_name *iname;
char *all = "ALL";
char *any = "ANY";
char *all_not = "!ALL";
char *any_not = "!ANY";
ig = spdk_iscsi_init_grp_create(1);
CU_ASSERT(ig != NULL);
rc = spdk_iscsi_init_grp_add_initiator(ig, all);
CU_ASSERT(rc == 0);
iname = spdk_iscsi_init_grp_find_initiator(ig, all);
CU_ASSERT(iname == NULL);
iname = spdk_iscsi_init_grp_find_initiator(ig, any);
CU_ASSERT(iname != NULL);
rc = spdk_iscsi_init_grp_delete_initiator(ig, any);
CU_ASSERT(rc == 0);
rc = spdk_iscsi_init_grp_add_initiator(ig, all_not);
CU_ASSERT(rc == 0);
iname = spdk_iscsi_init_grp_find_initiator(ig, all_not);
CU_ASSERT(iname == NULL);
iname = spdk_iscsi_init_grp_find_initiator(ig, any_not);
CU_ASSERT(iname != NULL);
rc = spdk_iscsi_init_grp_delete_initiator(ig, any_not);
CU_ASSERT(rc == 0);
spdk_iscsi_init_grp_destroy(ig);
}
static void
netmask_overwrite_all_to_any_case(void)
{
int rc;
struct spdk_iscsi_init_grp *ig;
struct spdk_iscsi_initiator_netmask *imask;
char *all = "ALL";
char *any = "ANY";
ig = spdk_iscsi_init_grp_create(1);
CU_ASSERT(ig != NULL);
rc = spdk_iscsi_init_grp_add_netmask(ig, all);
CU_ASSERT(rc == 0);
imask = spdk_iscsi_init_grp_find_netmask(ig, all);
CU_ASSERT(imask == NULL);
imask = spdk_iscsi_init_grp_find_netmask(ig, any);
CU_ASSERT(imask != NULL);
rc = spdk_iscsi_init_grp_delete_netmask(ig, any);
CU_ASSERT(rc == 0);
spdk_iscsi_init_grp_destroy(ig);
}
int int
main(int argc, char **argv) main(int argc, char **argv)
{ {
@ -421,7 +489,10 @@ main(int argc, char **argv)
add_netmask_fail_case) == NULL add_netmask_fail_case) == NULL
|| CU_add_test(suite, "delete all initiator netmasks success case", || CU_add_test(suite, "delete all initiator netmasks success case",
delete_all_netmasks_success_case) == NULL delete_all_netmasks_success_case) == NULL
|| CU_add_test(suite, "overwrite all to any for name case",
initiator_name_overwrite_all_to_any_case) == NULL
|| CU_add_test(suite, "overwrite all to any for netmask case",
netmask_overwrite_all_to_any_case) == NULL
) { ) {
CU_cleanup_registry(); CU_cleanup_registry();
return CU_get_error(); return CU_get_error();
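Review bot: The two new cases only feed the exact strings "ALL" and "!ALL", so they pass regardless of how the conversion treats names that merely contain those letters or use a different case. Add a negative case to initiator_name_overwrite_all_to_any_case that registers an ordinary name containing "ALL" (constructed sample: `iqn.2017-11.example:WALL`) and asserts that `spdk_iscsi_init_grp_find_initiator()` still finds it under the original spelling, plus one for lowercase `all`. `CU_ASSERT(ig != NULL)` should also be `CU_ASSERT_FATAL(ig != NULL)` in both new functions, since the following calls pass `ig` on even when creation failed.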