-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable initiator name based ACL support #44
Conversation
This just adds support for initiator name based ACL support. It is enabled by default and turned off if CHAP is setup.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Bah, I just remembered why we didn't't do this. It assumes the user is going to do all initiator ACLs or all CHAP auth. You can't mix and match as one method disables the other. Going to close this for now and think about if it is possible to modify the kernel to allow a mix and match under the same tpg. We could just create multiple TPGs, but that gets messy when we have to replicate and manage that. |
Could add a “auth chap | nochap” action right under the target to globally enable / disable CHAP and the have a “chap [password]” action under the initiators if chap is enabled. |
We can do what you propose at the gui/gwcli level. The problem is that the kernel will only allow you to have all chap or all non chap for all entries under a target's tpg. So we can't do something like this:
If we did
We would need to add something like this to the kernel:
|
Oh yeah, that means all initiators under the target tpg would use the same username/password. |
@mikechristie Yeah, I was thinking all or none on the full target as a starting point to cover cases where folks don't want to set up CHAP vs cases where they do (it's not like iSCSI is a secure protocol anyway). |
I messed up and can't seem to reopen this one. How about this one I did not add any new gui parts for the target level. It just enables ACLs by default. We then have the chap action under the initiator and if that the user sets up chap then they have to use it for all clients. If they disable chap for all the clients and/or delete the clients with chap then we fall back to the default of ACL based. I did not do the target level addition because it does not seem like a common case where someone sets up chap and then wants to remove it. Probably will just be a common case when you are playing around and you would probably just have a couple initiators and can just modify them individually. Also it seems like a waste if we ever add support to support a mix. |
This just adds support for initiator name based ACL support.
It is enabled by default and turned off if CHAP is setup.