iscsi: Replace "ALL" by "ANY" for access control

In the access control of an iSCSI target, "ALL" is used to allow
ANY IP address-port pair or iSCSI name of an initiator. However, iSCSI
targets cannot know ALL initiators beforehand.

Hence "ANY" will be better than "ALL" and will avoid misunderstanding.

Comments and iscsi_tgt test code are also changed and UT code is added.

Change-Id: Id004d819df6e9ee89f6c1db2e4b4c149be062733
Signed-off-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Reviewed-on: https://review.gerrithub.io/385168
Tested-by: SPDK Automated Test System <sys_sgsw@intel.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: Daniel Verkamp <daniel.verkamp@intel.com>
Shuhei Matsumoto 2017-11-29 14:51:23 +09:00 committed by Jim Harris
parent 42e0a6531f
commit eee268fea8
18 changed files with 109 additions and 20 deletions


@ -76,7 +76,7 @@
# Netmask 192.168.1.20 <== single IP address
# Netmask 192.168.1.0/24 <== IP range 192.168.1.*
[InitiatorGroup1]
InitiatorName ALL
InitiatorName ANY
Netmask 192.168.2.0/24
# NVMe configuration options


@ -84,6 +84,7 @@ static int
spdk_iscsi_init_grp_add_initiator(struct spdk_iscsi_init_grp *ig, char *name)
{
struct spdk_iscsi_initiator_name *iname;
char *p;
if (ig->ninitiators >= MAX_INITIATOR) {
SPDK_ERRLOG("> MAX_INITIATOR(=%d) is not allowed\n", MAX_INITIATOR);
@ -106,6 +107,14 @@ spdk_iscsi_init_grp_add_initiator(struct spdk_iscsi_init_grp *ig, char *name)
return -ENOMEM;
}
/* Replace "ALL" by "ANY" if set */
p = strstr(iname->name, "ALL");
if (p != NULL) {
SPDK_WARNLOG("Please use \"%s\" instead of \"%s\"\n", "ANY", "ALL");
SPDK_WARNLOG("Converting \"%s\" to \"%s\" automatically\n", "ALL", "ANY");
strncpy(p, "ANY", 3);
}
TAILQ_INSERT_TAIL(&ig->initiator_head, iname, tailq);
ig->ninitiators++;
@ -181,6 +190,7 @@ static int
spdk_iscsi_init_grp_add_netmask(struct spdk_iscsi_init_grp *ig, char *mask)
{
struct spdk_iscsi_initiator_netmask *imask;
char *p;
if (ig->nnetmasks >= MAX_NETMASK) {
SPDK_ERRLOG("> MAX_NETMASK(=%d) is not allowed\n", MAX_NETMASK);
@ -203,6 +213,14 @@ spdk_iscsi_init_grp_add_netmask(struct spdk_iscsi_init_grp *ig, char *mask)
return -ENOMEM;
}
/* Replace "ALL" by "ANY" if set */
p = strstr(imask->mask, "ALL");
if (p != NULL) {
SPDK_WARNLOG("Please use \"%s\" instead of \"%s\"\n", "ANY", "ALL");
SPDK_WARNLOG("Converting \"%s\" to \"%s\" automatically\n", "ALL", "ANY");
strncpy(p, "ANY", 3);
}
TAILQ_INSERT_TAIL(&ig->netmask_head, imask, tailq);
ig->nnetmasks++;
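Review bot: The `strstr(iname->name, "ALL")` test in spdk_iscsi_init_grp_add_initiator matches those three letters anywhere in the name, so an initiator name that merely contains "ALL" has those bytes overwritten and the access-control entry is stored under a different name than the one configured. The rewrite should apply only when the whole name, after an optional leading `!`, is the legacy keyword: `p = (iname->name[0] == '!') ? &iname->name[1] : iname->name;` followed by `if (strcasecmp(p, "ALL") == 0) {`. The same substring match is used on `imask->mask` in spdk_iscsi_init_grp_add_netmask, where `strcasecmp(imask->mask, "ALL") == 0` would do. `memcpy(p, "ANY", 3)` would also state the intent more plainly than `strncpy`, which here relies on not writing a terminator. Both function bodies start and end outside the hunks shown.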


@ -198,12 +198,12 @@ spdk_iscsi_tgt_node_access(struct spdk_iscsi_conn *conn,
TAILQ_FOREACH(iname, &igp->initiator_head, tailq) {
/* denied if iqn is matched */
if ((iname->name[0] == '!')
&& (strcasecmp(&iname->name[1], "ALL") == 0
&& (strcasecmp(&iname->name[1], "ANY") == 0
|| strcasecmp(&iname->name[1], iqn) == 0)) {
goto denied;
}
/* allowed if iqn is matched */
if (strcasecmp(iname->name, "ALL") == 0
if (strcasecmp(iname->name, "ANY") == 0
|| strcasecmp(iname->name, iqn) == 0) {
/* iqn is allowed, then check netmask */
TAILQ_FOREACH(imask, &igp->netmask_head, tailq) {
@ -240,11 +240,11 @@ spdk_iscsi_tgt_node_visible(struct spdk_iscsi_tgt_node *target, const char *iqn)
igp = target->map[i].ig;
TAILQ_FOREACH(iname, &igp->initiator_head, tailq) {
if ((iname->name[0] == '!')
&& (strcasecmp(&iname->name[1], "ALL") == 0
&& (strcasecmp(&iname->name[1], "ANY") == 0
|| strcasecmp(&iname->name[1], iqn) == 0)) {
return false;
}
if (strcasecmp(iname->name, "ALL") == 0
if (strcasecmp(iname->name, "ANY") == 0
|| strcasecmp(iname->name, iqn) == 0) {
return true;
}
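Review bot: The comparisons in spdk_iscsi_tgt_node_access and spdk_iscsi_tgt_node_visible now accept only "ANY" (case-insensitively), while the conversion this commit adds in spdk_iscsi_init_grp_add_initiator looks for upper-case "ALL" with a case-sensitive `strstr`. A configuration that wrote the keyword as `all` or `All` matched before through `strcasecmp`, but unless another path normalizes the case it is now neither converted nor matched, so that group would reject every initiator with no warning logged. Either make the conversion case-insensitive or keep accepting the old keyword here for a deprecation period, e.g. `if (strcasecmp(iname->name, "ANY") == 0 || strcasecmp(iname->name, "ALL") == 0`. Both loops sit inside functions whose start and end are outside the hunks.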


@ -447,7 +447,7 @@ def add_initiator_group(args):
p = subparsers.add_parser('add_initiator_group', help='Add an initiator group')
p.add_argument('tag', help='Initiator group tag (unique, integer > 0)', type=int)
p.add_argument('initiator_list', help="""Whitespace-separated list of initiator hostnames or IP addresses,
enclosed in quotes. Example: 'ALL' or '127.0.0.1 192.168.200.100'""")
enclosed in quotes. Example: 'ANY' or '127.0.0.1 192.168.200.100'""")
p.add_argument('netmask_list', help="""Whitespace-separated list of initiator netmasks enclosed in quotes.
Example: '255.255.0.0 255.248.0.0' etc""")
p.set_defaults(func=add_initiator_group)


@ -14,7 +14,7 @@ timing_enter calsoft
# iSCSI target configuration
PORT=3260
INITIATOR_TAG=2
INITIATOR_NAME=ALL
INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=64
MALLOC_BLOCK_SIZE=512


@ -17,7 +17,7 @@ $rootdir/scripts/gen_nvme.sh >> $testdir/iscsi.conf
# iSCSI target configuration
PORT=3260
INITIATOR_TAG=2
INITIATOR_NAME=ALL
INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32
rpc_py="python $rootdir/scripts/rpc.py"


@ -10,7 +10,7 @@ timing_enter filesystem
# iSCSI target configuration
PORT=3260
INITIATOR_TAG=2
INITIATOR_NAME=ALL
INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=256
MALLOC_BLOCK_SIZE=512


@ -49,7 +49,7 @@ cp $testdir/iscsi.conf.in $testdir/iscsi.conf
# iSCSI target configuration
PORT=3260
INITIATOR_TAG=2
INITIATOR_NAME=ALL
INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=64
MALLOC_BLOCK_SIZE=4096


@ -5,7 +5,7 @@ rootdir=$(readlink -f $(dirname $0))/../../..
rpc_py=$rootdir/scripts/rpc.py
"$rpc_py" add_initiator_group 1 "ALL" "127.0.0.1/32"
"$rpc_py" add_initiator_group 1 "ANY" "127.0.0.1/32"
"$rpc_py" add_portal_group 1 '127.0.0.1:3260'
for i in $(seq 0 15); do


@ -23,7 +23,7 @@ function kill_all_iscsi_target() {
function rpc_config() {
# $1 = RPC server address
# $2 = Netmask
$rpc_py -s $1 add_initiator_group 1 ALL $2
$rpc_py -s $1 add_initiator_group 1 ANY $2
$rpc_py -s $1 construct_malloc_bdev 64 512
}
function rpc_add_ip() {


@ -13,7 +13,7 @@ timing_enter iscsi_lvol
# iSCSI target configuration
PORT=3260
INITIATOR_TAG=2
INITIATOR_NAME=ALL
INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=128
MALLOC_BLOCK_SIZE=512


@ -55,7 +55,7 @@ timing_exit start_iscsi_tgt
echo "Creating an iSCSI target node."
$rpc_py -s "$iscsi_rpc_addr" add_portal_group 1 $TARGET_IP:$ISCSI_PORT
$rpc_py -s "$iscsi_rpc_addr" add_initiator_group 1 ALL $INITIATOR_IP/32
$rpc_py -s "$iscsi_rpc_addr" add_initiator_group 1 ANY $INITIATOR_IP/32
if [ $1 -eq 0 ]; then
$rpc_py -s "$iscsi_rpc_addr" construct_nvme_bdev -b "Nvme0" -t "rdma" -f "ipv4" -a $NVMF_FIRST_TARGET_IP -s $NVMF_PORT -n nqn.2016-06.io.spdk:cnode1
fi


@ -14,7 +14,7 @@ RUNTIME=$2
PMEM_BDEVS=""
PORT=3260
INITIATOR_TAG=2
INITIATOR_NAME=ALL
INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32
PMEM_SIZE=128
PMEM_BLOCK_SIZE=512


@ -15,7 +15,7 @@ timing_enter rbd
# iSCSI target configuration
PORT=3260
INITIATOR_TAG=2
INITIATOR_NAME=ALL
INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32
rpc_py="python $rootdir/scripts/rpc.py"


@ -12,7 +12,7 @@ timing_enter reset
# iSCSI target configuration
PORT=3260
INITIATOR_TAG=2
INITIATOR_NAME=ALL
INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=64
MALLOC_BLOCK_SIZE=512


@ -14,7 +14,7 @@ netmask = ('127.0.0.1', '127.0.0.0')
rpc_param = {
'target_ip': '127.0.0.1',
'port': 3260,
'initiator_name': 'ALL',
'initiator_name': 'ANY',
'netmask': netmask,
'lun_total': 3,
'malloc_bdev_size': 64,


@ -10,7 +10,7 @@ timing_enter rpc_config
# iSCSI target configuration
PORT=3260
INITIATOR_TAG=2
INITIATOR_NAME=ALL
INITIATOR_NAME=ANY
NETMASK=$INITIATOR_IP/32
MALLOC_BDEV_SIZE=64


@ -377,6 +377,74 @@ delete_all_netmasks_success_case(void)
spdk_iscsi_init_grp_destroy(ig);
}
static void
initiator_name_overwrite_all_to_any_case(void)
{
int rc;
struct spdk_iscsi_init_grp *ig;
struct spdk_iscsi_initiator_name *iname;
char *all = "ALL";
char *any = "ANY";
char *all_not = "!ALL";
char *any_not = "!ANY";
ig = spdk_iscsi_init_grp_create(1);
CU_ASSERT(ig != NULL);
rc = spdk_iscsi_init_grp_add_initiator(ig, all);
CU_ASSERT(rc == 0);
iname = spdk_iscsi_init_grp_find_initiator(ig, all);
CU_ASSERT(iname == NULL);
iname = spdk_iscsi_init_grp_find_initiator(ig, any);
CU_ASSERT(iname != NULL);
rc = spdk_iscsi_init_grp_delete_initiator(ig, any);
CU_ASSERT(rc == 0);
rc = spdk_iscsi_init_grp_add_initiator(ig, all_not);
CU_ASSERT(rc == 0);
iname = spdk_iscsi_init_grp_find_initiator(ig, all_not);
CU_ASSERT(iname == NULL);
iname = spdk_iscsi_init_grp_find_initiator(ig, any_not);
CU_ASSERT(iname != NULL);
rc = spdk_iscsi_init_grp_delete_initiator(ig, any_not);
CU_ASSERT(rc == 0);
spdk_iscsi_init_grp_destroy(ig);
}
static void
netmask_overwrite_all_to_any_case(void)
{
int rc;
struct spdk_iscsi_init_grp *ig;
struct spdk_iscsi_initiator_netmask *imask;
char *all = "ALL";
char *any = "ANY";
ig = spdk_iscsi_init_grp_create(1);
CU_ASSERT(ig != NULL);
rc = spdk_iscsi_init_grp_add_netmask(ig, all);
CU_ASSERT(rc == 0);
imask = spdk_iscsi_init_grp_find_netmask(ig, all);
CU_ASSERT(imask == NULL);
imask = spdk_iscsi_init_grp_find_netmask(ig, any);
CU_ASSERT(imask != NULL);
rc = spdk_iscsi_init_grp_delete_netmask(ig, any);
CU_ASSERT(rc == 0);
spdk_iscsi_init_grp_destroy(ig);
}
int
main(int argc, char **argv)
{
@ -421,7 +489,10 @@ main(int argc, char **argv)
add_netmask_fail_case) == NULL
|| CU_add_test(suite, "delete all initiator netmasks success case",
delete_all_netmasks_success_case) == NULL
|| CU_add_test(suite, "overwrite all to any for name case",
initiator_name_overwrite_all_to_any_case) == NULL
|| CU_add_test(suite, "overwrite all to any for netmask case",
netmask_overwrite_all_to_any_case) == NULL
) {
CU_cleanup_registry();
return CU_get_error();
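Review bot: In both new test cases `CU_ASSERT(ig != NULL)` does not stop the test, so a failed spdk_iscsi_init_grp_create() is followed by calls that receive a NULL group; `CU_ASSERT_FATAL(ig != NULL);` would end the case at that point. The cases also cover only the exact strings "ALL" and "!ALL"; adding a name that merely contains those letters, and a lower-case `all`, and asserting what ends up stored would pin down how far the automatic conversion reaches. main() continues outside the second hunk.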