
florian.haas at linbit
Jul 1, 2009, 1:49 AM
[PATCH 1 of 4] RA: iSCSITarget: add support for CHAP authentication
# HG changeset patch
# User Florian Haas <florian.haas[at]linbit.com>
# Date 1246437815 -7200
# Node ID c1348677a740ff49129062e95496bdc93fd48693
# Parent 731f8f7b54500f54049eb06e1f3a2c52f3de53f1
RA: iSCSITarget: add support for CHAP authentication. This patch adds support for incoming user authentication using CHAP. It retains the default behavior of allowing unauthenticated access if no username is specified.
diff -r 731f8f7b5450 -r c1348677a740 resources/OCF/iSCSITarget
--- a/resources/OCF/iSCSITarget Tue Jun 30 12:02:16 2009 +0200
+++ b/resources/OCF/iSCSITarget Wed Jul 01 10:43:35 2009 +0200
@@ -107,6 +107,23 @@
 <content type="string" default="${OCF_RESKEY_initiators_default}"/>
 </parameter>
 
+<parameter name="username" required="0" unique="0">
+<longdesc lang="en">
+A username used for initiator authentication. If unspecified,
+allowed initiators will be able to log in without authentication.
+</longdesc>
+<shortdesc lang="en">Incoming account username</shortdesc>
+<content type="string"/>
+</parameter>
+
+<parameter name="password" required="0" unique="0">
+<longdesc lang="en">
+A password used for initiator authentication.
+</longdesc>
+<shortdesc lang="en">Incoming account password</shortdesc>
+<content type="string"/>
+</parameter>
+
 </parameters>
 
 <actions>
@@ -186,6 +203,14 @@
 echo "${OCF_RESKEY_name} ALL" >> /etc/initiators.deny
 echo "${OCF_RESKEY_name} ${OCF_RESKEY_initiators// /,}" >> /etc/initiators.allow
 fi
+ # In iet, adding a new user and assigning it to a target
+ # is one operation.
+ if [ -n "${OCF_RESKEY_username}" ]; then
+ do_cmd ietadm --op new --user \
+ --tid=${OCF_RESKEY_tid} \
+ --params=IncomingUser=${OCF_RESKEY_username},Password=${OCF_RESKEY_password} \
+ || return $OCF_ERR_GENERIC
+ fi
 return $OCF_SUCCESS
 ;;
 tgt)
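Review bot: The `password` longdesc in the metadata hunk does not say that a password is required whenever `username` is set, and it gives the administrator no hint about how the secret is handled. I would extend it to something like `A password used for initiator authentication. Required if username is set. The value is stored as an ordinary resource parameter in the cluster configuration.` CHAP secrets are also subject to length limits that initiators and target implementations commonly enforce; the exact limits for iet and tgt should be checked and stated here rather than discovered at start time.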
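Review bot: The CHAP secret is handed to `ietadm` as a command-line argument in the added `--params=IncomingUser=...,Password=...` line, so it is readable in the process list while the command runs, and it will also reach the logs if `do_cmd` (defined outside this hunk) logs the commands it wraps. Both expansions are unquoted as well, so a password containing whitespace or glob characters is split or expanded before `ietadm` sees it, and a comma presumably ends the value inside `--params`. At minimum quote the argument, `--params="IncomingUser=${OCF_RESKEY_username},Password=${OCF_RESKEY_password}"`, and reject an empty `OCF_RESKEY_password` when a username is given. The `tgtadm --mode account --op new` call in the next hunk passes `--password=${OCF_RESKEY_password}` the same way.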
@@ -207,6 +232,16 @@
 --tid=${OCF_RESKEY_tid} \
 --initiator-address=${initiator} || return $OCF_ERR_GENERIC
 done
+ # In tgt, we must first create a user account, then assign
+ # it to a target using the "bind" operation.
+ if [ -n "${OCF_RESKEY_username}" ]; then
+ do_cmd tgtadm --lld iscsi --mode account --op new \
+ --user=${OCF_RESKEY_username} \
+ --password=${OCF_RESKEY_password} || return $OCF_ERR_GENERIC
+ do_cmd tgtadm --lld iscsi --mode account --op bind \
+ --tid=${OCF_RESKEY_tid} \
+ --user=${OCF_RESKEY_username} || return $OCF_ERR_GENERIC
+ fi
 return $OCF_SUCCESS
 ;;
 esac
@@ -235,6 +270,14 @@
 --tid=${OCF_RESKEY_tid} $2 $1
 shift 2
 done
+ # In iet, unassigning a user from a target and
+ # deleting the user account is one operation.
+ if [ -n "${OCF_RESKEY_username}" ]; then
+ do_cmd ietadm --op delete --user \
+ --tid=${OCF_RESKEY_tid} \
+ --params=IncomingUser=${OCF_RESKEY_username} \
+ || return $OCF_ERR_GENERIC
+ fi
 do_cmd ietadm --op delete \
 --tid=${OCF_RESKEY_tid} || return $OCF_ERR_GENERIC
 if [ -n ${OCF_RESKEY_initiators} ]; then
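Review bot: A failure in the added tgt account block returns `$OCF_ERR_GENERIC` after the initiator addresses have already been bound in the loop above, so the target stays reachable for the allowed initiators without CHAP configured. Because tgt accounts are created separately from the target, `--op new` is also likely to fail when the account already exists, for instance after an incomplete stop or when a second target uses the same username (the parameter is declared `unique="0"`); this should be confirmed against tgtadm. Consider creating and binding the account before the initiator addresses are bound, and add a comment stating what state the target is left in when this block fails. The start of the enclosing function is outside the hunk.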
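Review bot: The added iet user-delete step makes stop return `$OCF_ERR_GENERIC` before the target itself is deleted whenever the user is already gone, for example when the preceding start failed before the user was added. A failed stop is costly for a cluster resource, so the removal should be best-effort: replace `|| return $OCF_ERR_GENERIC` with something like `|| ocf_log warn "could not remove user ${OCF_RESKEY_username}"` (assuming the OCF shell functions are sourced, which this page does not show). Whether deleting the target already drops its users in iet should be checked; if it does, the block can shrink to a comment. The tgt stop branch in the last hunk has the same pattern for `unbind` and `delete`.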
@@ -267,11 +310,20 @@
 --tid=${OCF_RESKEY_tid} $2 $1
 shift 2
 done
+ # In tgt, we must first unbind the user account from
+ # the target, then remove the account itself.
+ if [ -n "${OCF_RESKEY_username}" ]; then
+ do_cmd tgtadm --lld iscsi --mode account --op unbind \
+ --tid=${OCF_RESKEY_tid} \
+ --user=${OCF_RESKEY_username} || return $OCF_ERR_GENERIC
+ do_cmd tgtadm --lld iscsi --mode account --op delete \
+ --user=${OCF_RESKEY_username} || return $OCF_ERR_GENERIC
+ fi
+ do_cmd tgtadm --lld iscsi --op delete --mode target \
+ --tid=${OCF_RESKEY_tid} && return $OCF_SUCCESS
 # In tgt, we don't have to worry about our ACL
 # entries. They are automatically removed upon target
 # deletion.
- do_cmd tgtadm --lld iscsi --op delete --mode target \
- --tid=${OCF_RESKEY_tid} && return $OCF_SUCCESS
 ;;
 esac
 else
_______________________________________________________ Linux-HA-Dev: Linux-HA-Dev[at]lists.linux-ha.org http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev Home Page: http://linux-ha.org/
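Review bot: After the move, the existing comment about ACL entries sits below the `do_cmd tgtadm --lld iscsi --op delete --mode target ... && return $OCF_SUCCESS` lines it used to introduce, so it now reads as a remark on the fall-through to `;;` rather than on the deletion. Keep the comment directly above the target delete and put the new unbind/delete-account block before both. The fall-through taken when the delete fails is undocumented too; the code that handles it lies outside this hunk, so a one-line comment such as `# on failure, fall through to the error handling below` would help if that is indeed what follows.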