xenbits.xensource.com Git - people/liuw/libxenctrl-split/libvirt.git/commit

author	John Ferlan <jferlan@redhat.com>
	Mon, 15 Jul 2013 17:23:45 +0000 (13:23 -0400)
committer	John Ferlan <jferlan@redhat.com>
	Tue, 23 Jul 2013 14:49:02 +0000 (10:49 -0400)
commit	249409e765ed25f82f0a135c7ac750596b2f89b4
tree	065e4e30712b2d8438263fdaa32ee6dc19f2e7bd	tree
parent	200ed39d0d26a8883ab8c08e823c0a7c0a04fd6d	commit \| diff

storage: Support "chap" authentication for iscsi pool

Although the XML for CHAP authentication with plain "password"
was introduced long ago, the function was never implemented. This
patch replaces the login/password mechanism by following the
'ceph' (or RBD) model of using a 'username' with a 'secret' which
has the authentication information.

This patch performs the authentication during startPool() processing
of pools with an authType of VIR_STORAGE_POOL_AUTH_CHAP specified
for iSCSI pools.

There are two types of CHAP configurations supported for iSCSI
authentication:

  * Initiator Authentication
      Forward, one-way; The initiator is authenticated by the target.

  * Target Authentication
      Reverse, Bi-directional, mutual, two-way; The target is authenticated
      by the initiator; This method also requires Initiator Authentication

This only supports the "Initiator Authentication". (I don't have any
enterprise iSCSI env for testing, only have a iSCSI target setup with
tgtd, which doesn't support "Target Authentication").

"Discovery authentication" is not supported by tgt yet too. So this only
setup the session authentication by executing 3 iscsiadm commands, E.g:

% iscsiadm -m node --target "iqn.2013-05.test:iscsi.foo" --name \
  "node.session.auth.authmethod" -v "CHAP" --op update

% iscsiadm -m node --target "iqn.2013-05.test:iscsi.foo" --name \
  "node.session.auth.username" -v "Jim" --op update

% iscsiadm -m node --target "iqn.2013-05.test:iscsi.foo" --name \
  "node.session.auth.password" -v "Jimsecret" --op update