[v3,0/3] target: iscsi: control authentication per ACL

Message ID 20211019071843.14890-1-d.bogdanov@yadro.com (mailing list archive)

Message

Dmitry Bogdanov Oct. 19, 2021, 7:18 a.m. UTC
Add acls/{ACL}/attrib/authentication attribute that controls authentication
for the particular ACL. By default, this attribute inherits a value of
authentication attribute of the target port group to keep a backward
compatibility.

authentication attribute has 3 states:
"0" - authentication is turned off for this ACL
"1" - authentication is required for this ACL
"-1" - authentication is inherited from TPG

This patchset is intended for scsi-queue.

v3:
 fix warning: no previous prototype for function 'iscsi_conn_auth_required'

v2:
 show effective value (-1) for inherited mode

Dmitry Bogdanov (3):
  scsi: target: iscsi: Add upcast helpers
  scsi: target: iscsi: extract auth functions
  target: iscsi: control authentication per ACL

 drivers/target/iscsi/iscsi_target_configfs.c  | 116 +++++++-------
 drivers/target/iscsi/iscsi_target_nego.c      | 148 ++++++++++++------
 .../target/iscsi/iscsi_target_nodeattrib.c    |   1 +
 drivers/target/iscsi/iscsi_target_tpg.c       |   3 +-
 include/target/iscsi/iscsi_target_core.h      |  14 ++
 5 files changed, 176 insertions(+), 106 deletions(-)

Comments

Mike Christie Oct. 22, 2021, 5:59 a.m. UTC | #1
On 10/19/21 2:18 AM, Dmitry Bogdanov wrote:
> Add acls/{ACL}/attrib/authentication attribute that controls authentication
> for the particular ACL. By default, this attribute inherits a value of
> authentication attribute of the target port group to keep a backward
> compatibility.
> 
> authentication attribute has 3 states:
> "0" - authentication is turned off for this ACL
> "1" - authentication is required for this ACL
> "-1" - authentication is inherited from TPG
> 
> This patchset is intended for scsi-queue.
> 
> v3:
>  fix warning: no previous prototype for function 'iscsi_conn_auth_required'
> 
> v2:
>  show effective value (-1) for inherited mode
> 

I can't seem to get the patches working with the targetcli config file
below. It worked ok before the patches.

I get this error:

Oct 22 00:56:25 ol4 kernel: CHAP user or password not set for Initiator ACL
Oct 22 00:56:25 ol4 kernel: Security negotiation failed.
Oct 22 00:56:25 ol4 kernel: iSCSI Login negotiation failed.


{
  "fabric_modules": [], 
  "storage_objects": [
    {
      "alua_tpgs": [
        {
          "alua_access_state": 0, 
          "alua_access_status": 0, 
          "alua_access_type": 3, 
          "alua_support_active_nonoptimized": 1, 
          "alua_support_active_optimized": 1, 
          "alua_support_offline": 1, 
          "alua_support_standby": 1, 
          "alua_support_transitioning": 1, 
          "alua_support_unavailable": 1, 
          "alua_write_metadata": 0, 
          "implicit_trans_secs": 0, 
          "name": "default_tg_pt_gp", 
          "nonop_delay_msecs": 100, 
          "preferred": 0, 
          "tg_pt_gp_id": 0, 
          "trans_delay_msecs": 0
        }
      ], 
      "attributes": {
        "block_size": 512, 
        "emulate_3pc": 1, 
        "emulate_caw": 1, 
        "emulate_dpo": 1, 
        "emulate_fua_read": 1, 
        "emulate_fua_write": 1, 
        "emulate_model_alias": 1, 
        "emulate_pr": 1, 
        "emulate_rest_reord": 0, 
        "emulate_tas": 1, 
        "emulate_tpu": 0, 
        "emulate_tpws": 0, 
        "emulate_ua_intlck_ctrl": 0, 
        "emulate_write_cache": 0, 
        "enforce_pr_isids": 1, 
        "force_pr_aptpl": 0, 
        "is_nonrot": 1, 
        "max_unmap_block_desc_count": 0, 
        "max_unmap_lba_count": 0, 
        "max_write_same_len": 0, 
        "optimal_sectors": 4294967288, 
        "pi_prot_format": 0, 
        "pi_prot_type": 0, 
        "pi_prot_verify": 0, 
        "queue_depth": 128, 
        "unmap_granularity": 0, 
        "unmap_granularity_alignment": 0, 
        "unmap_zeroes_data": 0
      }, 
      "name": "ram0", 
      "nullio": true, 
      "plugin": "ramdisk", 
      "size": 8589934592, 
      "wwn": "9ea6da68-aec0-4560-baa8-834383f1cc6d"
    }
  ], 
  "targets": [
    {
      "fabric": "iscsi", 
      "tpgs": [
        {
          "attributes": {
            "authentication": 1, 
            "cache_dynamic_acls": 1, 
            "default_cmdsn_depth": 64, 
            "default_erl": 0, 
            "demo_mode_discovery": 1, 
            "demo_mode_write_protect": 0, 
            "fabric_prot_type": 0, 
            "generate_node_acls": 1, 
            "login_keys_workaround": 1, 
            "login_timeout": 15, 
            "netif_timeout": 2, 
            "prod_mode_write_protect": 0, 
            "t10_pi": 0, 
            "tpg_enabled_sendtargets": 1
          }, 
          "enable": true, 
          "luns": [
            {
              "alias": "edb6aa7bf4", 
              "alua_tg_pt_gp_name": "default_tg_pt_gp", 
              "index": 0, 
              "storage_object": "/backstores/ramdisk/ram0"
            }
          ], 
          "node_acls": [
            {
              "attributes": {
                "dataout_timeout": 3, 
                "dataout_timeout_retries": 5, 
                "default_erl": 0, 
                "nopin_response_timeout": 30, 
                "nopin_timeout": 15, 
                "random_datain_pdu_offsets": 0, 
                "random_datain_seq_offsets": 0, 
                "random_r2t_offsets": 0
              }, 
              "chap_password": "myiscsipassword", 
              "chap_userid": "myiscsiname", 
              "mapped_luns": [
                {
                  "alias": "76dc7c92d0", 
                  "index": 0, 
                  "tpg_lun": 0, 
                  "write_protect": false
                }
              ], 
              "node_wwn": "iqn.1988-12.com.oracle:ol"
            }
          ], 
          "parameters": {
            "AuthMethod": "CHAP", 
            "DataDigest": "CRC32C,None", 
            "DataPDUInOrder": "Yes", 
            "DataSequenceInOrder": "Yes", 
            "DefaultTime2Retain": "20", 
            "DefaultTime2Wait": "2", 
            "ErrorRecoveryLevel": "0", 
            "FirstBurstLength": "65536", 
            "HeaderDigest": "CRC32C,None", 
            "IFMarkInt": "Reject", 
            "IFMarker": "No", 
            "ImmediateData": "Yes", 
            "InitialR2T": "Yes", 
            "MaxBurstLength": "262144", 
            "MaxConnections": "1", 
            "MaxOutstandingR2T": "1", 
            "MaxRecvDataSegmentLength": "8192", 
            "MaxXmitDataSegmentLength": "262144", 
            "OFMarkInt": "Reject", 
            "OFMarker": "No", 
            "TargetAlias": "LIO Target"
          }, 
          "portals": [
            {
              "ip_address": "20.15.0.204", 
              "iser": false, 
              "offload": false, 
              "port": 3260
            }
          ], 
          "tag": 1
        }
      ], 
      "wwn": "iqn.1988-12.com.oracle:tgt1"
    }
  ]
}

Dmitry Bogdanov Oct. 22, 2021, 7:48 a.m. UTC | #2
Hi Mike,

> I can't seem to get the patches working with the targetcli config file below. It worked ok before the patches.
>
> I get this error:
>
> Oct 22 00:56:25 ol4 kernel: CHAP user or password not set for Initiator ACL
> Oct 22 00:56:25 ol4 kernel: Security negotiation failed.
> Oct 22 00:56:25 ol4 kernel: iSCSI Login negotiation failed.

This kind of error is reported for the unknown (dynamic) ACL since the config file does not have
userid/password configured for TPG. Your config file looks strange - it has generate_dyn_acls=1
but has no credentials for dynamic acls.

Login from the configured ACL in this config file works well for me.

Could you, please, describe more details of your use case?

BR,
 Dmitry
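
An added example, not part of the patchset or of any message in this thread: a Python sketch of how the three states from the cover letter resolve to an effective setting, used to audit a targetcli-style saved config for ACLs that end up unauthenticated or that require CHAP without credentials (the dynamic-ACL case discussed above). The per-ACL `authentication` key in the saved config, the TPG-level `chap_userid`/`chap_password` keys, and the sample IQNs are assumptions.

```python
INHERIT = -1  # cover letter: "-1" means authentication is inherited from the TPG

def auth_required(tpg_attr, acl_attr=INHERIT):
    """Resolve the tri-state ACL attribute against the TPG attribute."""
    acl_attr = int(acl_attr)
    if acl_attr not in (-1, 0, 1):
        raise ValueError(f"invalid authentication value: {acl_attr}")
    return bool(int(tpg_attr)) if acl_attr == INHERIT else acl_attr == 1

def has_chap(node):
    return bool(node.get("chap_userid") and node.get("chap_password"))

def check(tpg_attr, acl_attr, creds_node):
    """Return a finding string, or None when the entry is consistent."""
    if not auth_required(tpg_attr, acl_attr):
        return "authentication off"
    if not has_chap(creds_node):
        return "authentication required but no CHAP credentials"
    return None

def audit(config):
    """Return (target, tpg tag, initiator, finding) tuples for a saved config."""
    out = []
    for tgt in config.get("targets", []):
        for tpg in tgt.get("tpgs", []):
            attrs = tpg.get("attributes", {})
            tpg_auth = attrs.get("authentication", 0)
            rows = [(acl["node_wwn"],
                     acl.get("attributes", {}).get("authentication", INHERIT),
                     acl) for acl in tpg.get("node_acls", [])]
            if int(attrs.get("generate_node_acls", 0)):
                # Assumption: dynamic ACLs inherit and use TPG-level credentials.
                rows.append(("<dynamic>", INHERIT, tpg))
            for name, acl_auth, creds in rows:
                finding = check(tpg_auth, acl_auth, creds)
                if finding:
                    out.append((tgt.get("wwn"), tpg.get("tag"), name, finding))
    return out

# Constructed sample, shaped like the config posted in this thread.
SAMPLE = {"targets": [{"wwn": "iqn.2003-01.org.example:tgt1", "tpgs": [{
    "tag": 1,
    "attributes": {"authentication": 1, "generate_node_acls": 1},
    "node_acls": [
        {"node_wwn": "iqn.2003-01.org.example:a", "attributes": {},
         "chap_userid": "user-a", "chap_password": "constructed-secret"},
        {"node_wwn": "iqn.2003-01.org.example:b", "attributes": {"authentication": 0}},
    ]}]}]}

print(*audit(SAMPLE), sep="\n")
```
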

Dmitry Bogdanov May 4, 2022, 6:02 p.m. UTC | #3
Hi Mike,

I've just tried one more time to reproduce your error and I failed again.
With your config file the behavior is absolutely the same for both cases with my patchset and without my patchset:
* for dynamic ACLs - target fails the login and shows the below logs.
* for the registered ACL - target succeeds the login.

Could you, please, re-check the patchset?

BR,
 Dmitry

Mike Christie May 10, 2022, 7:38 p.m. UTC | #4
On 5/4/22 1:02 PM, Dmitriy Bogdanov wrote:
> Hi Mike,
> 
> I've just tried one more time to reproduce your error and I failed again.
> With your config file the behavior is absolutely the same for both cases with my patchset and without my patchset:
> * for dynamic ACLs - target fails the login and shows the below logs.
> * for the registered ACL - target succeeds the login.
> 
> Could you, please, re-check the patchset?

Sorry I missed your reply at the bottom and sorry I messed up
somewhere while testing the patches. I can't replicate the issue
I thought I hit and yeah I agree the config file I attached in
the last mail didn't make sense.

The patches look ok, but you need to rebase them.

