Commit ad323b80 authored by Shuhei Matsumoto's avatar Shuhei Matsumoto Committed by Ben Walker

iscsi&scrpts/rpc: Require to specify CHAP secret file explicitly to load it



Previous patches enabled users to configure CHAP secrets dynamically
by RPCs. Subsequent patches will enable users to load CHAP secrets
from JSON config file.

Loading CHAP secret file is done by default and this will conflict to
JSON config file.

Hence the path to CHAP secret file is required to specify in the config
file or JSON RPC set_iscsi_options explicitly after this patch.

Users who have used CHAP secret file are expected to specify it explicitly
and this will be no harm for them.

Besides, the CHAP secret file is used not only for discovery sessions but also
for login to iSCSI targets. However, some descriptions stated otherwise and
could mislead users. Hence remove these wrong descriptions in this patch too.

Change-Id: Ic4093cabc0c14b87e26baef4bba6b0d292e40c06
Signed-off-by: default avatarShuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Reviewed-on: https://review.gerrithub.io/421467


Tested-by: default avatarSPDK CI Jenkins <sys_sgci@intel.com>
Chandler-Test-Pool: SPDK Automated Test System <sys_sgsw@intel.com>
Reviewed-by: default avatarJim Harris <james.r.harris@intel.com>
Reviewed-by: default avatarBen Walker <benjamin.walker@intel.com>
parent aca4ba4d
+6 −4
@@ -33,10 +33,12 @@ but will be removed in future release.
been added to set CHAP authentication for discovery sessions and existing
target nodes, respectively.

CHAP shared secret file is now loaded only once at startup. During run time
CHAP shared secrets can be configured by new JSON RPCs `add_iscsi_auth_group`,
`delete_iscsi_auth_group`, `add_secret_to_iscsi_auth_group`, and
`delete_secret_from_iscsi_auth_group` instead.
The SPDK iSCSI target supports an AuthFile which can be used to load CHAP
shared secrets when the iSCSI target starts. SPDK previously provided a
default location for this file (`/usr/local/etc/spdk/auth.conf`) if none was
specified. This default has been removed. Users must now explicitly specify
the location of this file to load CHAP shared secrets from a file, or use
the related iSCSI RPC methods to add them at runtime.

## v18.07:

+3 −1
@@ -1771,7 +1771,7 @@ This RPC may only be called before SPDK subsystems have been initialized. This R

Name                        | Type    | Description
--------------------------- | --------| -----------
auth_file                   | string  | Path to CHAP shared secret file for discovery session (default: "/usr/local/etc/spdk/auth.conf")
auth_file                   | string  | Path to CHAP shared secret file (default: "")
node_base                   | string  | Prefix of the name of iSCSI target node (default: "iqn.2016-06.io.spdk")
nop_timeout                 | number  | Timeout in seconds to nop-in request to the initiator (default: 60)
nop_in_interval             | number  | Time interval in secs between nop-in requests by the target (default: 30)
@@ -1790,6 +1790,8 @@ error_recovery_level | number | Session specific parameter, ErrorRecover
allow_duplicated_isid       | boolean | Allow duplicated initiator session ID (default: `false`)
min_connections_per_core    | number  | Allocation unit of connections per core (default: 4)

To load CHAP shared secret file, its path is required to specify explicitly in the parameter `auth_file`.

Parameters `disable_chap` and `require_chap` are mutually exclusive. Parameters `no_discovery_auth`, `req_discovery_auth`, `req_discovery_auth_mutual`, and `discovery_auth_group` are still available instead of `disable_chap`, `require_chap`, `mutual_chap`, and `chap_group`, respectivey but will be removed in future releases.

### Example
+0 −1
@@ -50,7 +50,6 @@

#define SPDK_ISCSI_BUILD_ETC "/usr/local/etc/spdk"
#define SPDK_ISCSI_DEFAULT_CONFIG SPDK_ISCSI_BUILD_ETC "/iscsi.conf"
#define SPDK_ISCSI_DEFAULT_AUTHFILE SPDK_ISCSI_BUILD_ETC "/auth.conf"
#define SPDK_ISCSI_DEFAULT_NODEBASE "iqn.2016-06.io.spdk"

#define DEFAULT_MAXR2T 4
+24 −23
@@ -62,7 +62,7 @@ static void *g_fini_cb_arg;
"  NodeBase \"%s\"\n" \
"\n" \
"  # files\n" \
"  AuthFile %s\n" \
"  %s %s\n" \
"\n" \
"  # socket I/O timeout sec. (polling is infinity)\n" \
"  Timeout %d\n" \
@@ -109,7 +109,9 @@ spdk_iscsi_globals_config_text(FILE *fp)
	}

	fprintf(fp, ISCSI_CONFIG_TMPL,
		g_spdk_iscsi.nodebase, g_spdk_iscsi.authfile,
		g_spdk_iscsi.nodebase,
		g_spdk_iscsi.authfile ? "AuthFile" : "",
		g_spdk_iscsi.authfile ? g_spdk_iscsi.authfile : "",
		g_spdk_iscsi.timeout, authmethod, authgroup,
		g_spdk_iscsi.MaxSessions, g_spdk_iscsi.MaxConnectionsPerSession,
		g_spdk_iscsi.MaxConnections,
@@ -334,7 +336,8 @@ struct spdk_iscsi_pdu *spdk_get_pdu(void)
static void
spdk_iscsi_log_globals(void)
{
	SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "AuthFile %s\n", g_spdk_iscsi.authfile);
	SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "AuthFile %s\n",
		      g_spdk_iscsi.authfile ? g_spdk_iscsi.authfile : "(none)");
	SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "NodeBase %s\n", g_spdk_iscsi.nodebase);
	SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "MaxSessions %d\n", g_spdk_iscsi.MaxSessions);
	SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "MaxConnectionsPerSession %d\n",
@@ -622,14 +625,6 @@ spdk_iscsi_read_config_file_params(struct spdk_conf_section *sp,
static int
spdk_iscsi_opts_verify(struct spdk_iscsi_opts *opts)
{
	if (!opts->authfile) {
		opts->authfile = strdup(SPDK_ISCSI_DEFAULT_AUTHFILE);
		if (opts->authfile == NULL) {
			SPDK_ERRLOG("strdup() failed for default authfile\n");
			return -ENOMEM;
		}
	}

	if (!opts->nodebase) {
		opts->nodebase = strdup(SPDK_ISCSI_DEFAULT_NODEBASE);
		if (opts->nodebase == NULL) {
@@ -746,11 +741,13 @@ spdk_iscsi_set_global_params(struct spdk_iscsi_opts *opts)
		return rc;
	}

	if (opts->authfile != NULL) {
		g_spdk_iscsi.authfile = strdup(opts->authfile);
		if (!g_spdk_iscsi.authfile) {
			SPDK_ERRLOG("failed to strdup for auth file %s\n", opts->authfile);
			return -ENOMEM;
		}
	}

	g_spdk_iscsi.nodebase = strdup(opts->nodebase);
	if (!g_spdk_iscsi.nodebase) {
@@ -1260,6 +1257,7 @@ spdk_iscsi_parse_configuration(void *ctx)
		SPDK_ERRLOG("spdk_iscsi_parse_tgt_nodes() failed\n");
	}

	if (g_spdk_iscsi.authfile != NULL) {
		if (access(g_spdk_iscsi.authfile, R_OK) == 0) {
			rc = spdk_iscsi_parse_auth_info();
			if (rc < 0) {
@@ -1269,6 +1267,7 @@ spdk_iscsi_parse_configuration(void *ctx)
			SPDK_INFOLOG(SPDK_LOG_ISCSI, "CHAP secret file is not found in the path %s\n",
				     g_spdk_iscsi.authfile);
		}
	}

end:
	spdk_iscsi_init_complete(rc);
@@ -1389,7 +1388,9 @@ spdk_iscsi_opts_info_json(struct spdk_json_write_ctx *w)
{
	spdk_json_write_object_begin(w);

	if (g_spdk_iscsi.authfile != NULL) {
		spdk_json_write_named_string(w, "auth_file", g_spdk_iscsi.authfile);
	}
	spdk_json_write_named_string(w, "node_base", g_spdk_iscsi.nodebase);

	spdk_json_write_named_uint32(w, "max_sessions", g_spdk_iscsi.MaxSessions);
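Review bot: In `spdk_iscsi_parse_configuration`, an `auth_file` that fails the `access(..., R_OK)` check is still reported only through `SPDK_INFOLOG`, and initialization appears to continue without any secrets from that file. That was reasonable while the path could be the implicit default, but after this change the path is always one the operator supplied, so a typo or a permissions problem can leave the target running without the CHAP secrets the operator expected; the message also says "not found" even when the failure is a permission error. I would raise it to `SPDK_ERRLOG("CHAP secret file %s is not readable\n", g_spdk_iscsi.authfile);` with the errno text included, and consider setting `rc` so that init fails instead of continuing. Whether logins then fail open or closed depends on the CHAP requirement settings, which are not visible in this hunk, and the function body starts and ends outside it.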
+1 −1
@@ -509,7 +509,7 @@ if __name__ == "__main__":
            min_connections_per_core=args.min_connections_per_core)

    p = subparsers.add_parser('set_iscsi_options', help="""Set options of iSCSI subsystem""")
    p.add_argument('-f', '--auth-file', help='Path to CHAP shared secret file for discovery session')
    p.add_argument('-f', '--auth-file', help='Path to CHAP shared secret file')
    p.add_argument('-b', '--node-base', help='Prefix of the name of iSCSI target node')
    p.add_argument('-o', '--nop-timeout', help='Timeout in seconds to nop-in request to the initiator', type=int)
    p.add_argument('-n', '--nop-in-interval', help='Time interval in secs between nop-in requests by the target', type=int)