
florian.haas at linbit
Jun 23, 2009, 6:01 AM
[PATCH 2 of 3] iSCSITarget: add support for restricting target access based on
# HG changeset patch
# User Florian Haas <florian.haas[at]linbit.com>
# Date 1245761392 -7200
# Node ID d58da65e24b9f8717b86e18b2189d3f4b3d8550f
# Parent 1d94c4de42ede9bfd120d3ca096421db8bee8cc2
iSCSITarget: add support for restricting target access based on initiator IP address. This patch adds support for restricting access to specific targets based on initiator IP address, hostname, or subnet. It retains the default behavior of allowing access from all initiators.
diff -r 1d94c4de42ed -r d58da65e24b9 resources/OCF/iSCSITarget
--- a/resources/OCF/iSCSITarget Tue Jun 23 14:49:51 2009 +0200
+++ b/resources/OCF/iSCSITarget Tue Jun 23 14:49:52 2009 +0200
@@ -95,6 +95,18 @@
 <content type="string" />
 </parameter>
+<parameter name="initiators" required="0" unique="0">
+<longdesc lang="en">
+Allowed initiators. A space-separated list of initiators allowed to
+connect to this target. Initiators may be listed in any syntax
+the target implementation allows. If this parameter is empty or
+not set, access to this target will be allowed from any initiator.
+</longdesc>
+<shortdesc lang="en">List of iSCSI initiators allowed to connect
+to this target</shortdesc>
+<content type="string" default="${OCF_RESKEY_initiators_default}"/>
+</parameter>
+
 </parameters>
 <actions>
@@ -152,6 +164,7 @@
 local param
 local name
 local value
+ local initiator
 case $OCF_RESKEY_implementation in
 iet)
@@ -165,6 +178,14 @@
 --tid=${OCF_RESKEY_tid} \
 --params ${name}=${value} || return $OCF_ERR_GENERIC
 done
+ # For iet, access to new targets is allowed by default. To
+ # specifically enable access based on initiator address,
+ # we must first deny access to the target globally, then
+ # re-enable by specific initiator.
+ if [ -n ${OCF_RESKEY_initiators} ]; then
+ echo "${OCF_RESKEY_name} ALL" >> /etc/initiators.deny
+ echo "${OCF_RESKEY_name} ${OCF_RESKEY_initiators// /,}" >> /etc/initiators.allow
+ fi
 return $OCF_SUCCESS
 ;;
 tgt)
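Review bot: The `default="${OCF_RESKEY_initiators_default}"` attribute on the new `initiators` parameter refers to a variable that this patch never defines, so unless it is set elsewhere in the agent (outside this diff) the emitted metadata advertises an empty default string. The longdesc and the two implementation branches also disagree about what the unrestricted default means in practice — the literal keyword `ALL` for tgt, no ACL entries at all for iet. Either define `OCF_RESKEY_initiators_default` alongside the agent's other defaults, if it has such variables, or write the literal `default=""` and note in the longdesc that how "any initiator" is expressed depends on the implementation.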
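Review bot: `if [ -n ${OCF_RESKEY_initiators} ]; then` leaves the expansion unquoted, so the test does not implement the comment above it: with the parameter unset or empty it becomes `[ -n ]`, which is true, and the agent appends `<name> ALL` to /etc/initiators.deny plus an allow line listing no initiators, locking every initiator out of a target whose metadata promises open access; with two or more initiators it becomes `[ -n a b ]`, which is a test syntax error and evaluates false, so the deny/allow entries are silently skipped and the target remains reachable from anywhere while the operator believes it is restricted. Quote it: `if [ -n "${OCF_RESKEY_initiators}" ]; then`. The same unquoted test appears in the iet stop branch (hunk `@@ -209,7 +236,16 @@`), where the multi-initiator case skips the cleanup and leaves stale entries behind. The two `echo ... >>` appends are also unchecked and accumulate duplicate lines whenever a previous stop did not clean up; at minimum `|| return $OCF_ERR_GENERIC` on each keeps a failed write from being reported as a successful start. The enclosing start function begins and ends outside the hunk.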
@@ -178,9 +199,15 @@
 --tid=${OCF_RESKEY_tid} \
 --name=${name} --value=${value} || return $OCF_ERR_GENERIC
 done
- do_cmd tgtadm --lld iscsi --op bind --mode target \ --tid=${OCF_RESKEY_tid} \ --initiator-address=ALL && return $OCF_SUCCESS
+ # For tgt, we always have to add access per initiator;
+ # access to targets is denied by default. If "initiators"
+ # is unset, we must use the special keyword ALL.
+ for initiator in ${OCF_RESKEY_initiators=ALL}; do
+ do_cmd tgtadm --lld iscsi --op bind --mode target \ --tid=${OCF_RESKEY_tid} \ --initiator-address=${initiator} || return $OCF_ERR_GENERIC
+ done
+ return $OCF_SUCCESS
 ;;
 esac
 return $OCF_ERR_GENERIC
@@ -209,7 +236,16 @@
 shift 2
 done
 do_cmd ietadm --op delete \
- --tid=${OCF_RESKEY_tid} && return $OCF_SUCCESS
+ --tid=${OCF_RESKEY_tid} || return $OCF_ERR_GENERIC
+ if [ -n ${OCF_RESKEY_initiators} ]; then
+ # Avoid stale /etc/initiators.{allow,deny} entries
+ # for this target
+ do_cmd sed -e "/^${OCF_RESKEY_name}[[:space:]]/d" \ -i /etc/initiators.deny
+ do_cmd sed -e "/^${OCF_RESKEY_name}[[:space:]]/d" \ -i /etc/initiators.allow
+ fi
+ return $OCF_SUCCESS
 ;;
 tgt) # Close existing connections. There is no other way to
@@ -231,6 +267,9 @@
 --tid=${OCF_RESKEY_tid} $2 $1
 shift 2
 done
+ # In tgt, we don't have to worry about our ACL
+ # entries. They are automatically removed upon target
+ # deletion.
 do_cmd tgtadm --lld iscsi --op delete --mode target \
 --tid=${OCF_RESKEY_tid} && return $OCF_SUCCESS
 ;;
_______________________________________________________
Linux-HA-Dev: Linux-HA-Dev[at]lists.linux-ha.org
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/
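Review bot: `for initiator in ${OCF_RESKEY_initiators=ALL}; do` only substitutes `ALL` when the variable is unset, so when an operator sets `initiators=""` — which the new metadata documents as "allowed from any initiator" — the loop body runs zero times, no `bind` is issued, and the target comes up with no ACL at all, unreachable by everyone, while start still returns $OCF_SUCCESS. Use `for initiator in ${OCF_RESKEY_initiators:-ALL}; do`, which covers both unset and empty and also drops the side effect of assigning to the variable. That brings the tgt branch in line with the iet branch's `-n` test, where empty and unset are meant to behave the same. The enclosing start function begins and ends outside the hunk.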
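Review bot: The two `do_cmd sed -e "/^${OCF_RESKEY_name}[[:space:]]/d" -i ...` cleanups in the iet stop branch ignore their exit status, unlike the `ietadm --op delete` immediately above, which this hunk now makes return $OCF_ERR_GENERIC on failure; an unwritable /etc/initiators.deny leaves the `<name> ALL` entry in place while stop reports success, and the next start appends a second copy. Decide deliberately: either append `|| return $OCF_ERR_GENERIC` to each sed call or add a one-line comment stating that the cleanup is best-effort and why that is acceptable. The target name is also interpolated into the sed address unescaped, so every `.` in an IQN matches any character; the `[[:space:]]` anchor keeps the practical overlap small, but escaping the name would make the match exact. The enclosing stop function begins and ends outside the hunk.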