diff --git a/CHANGELOG.md b/CHANGELOG.md index 125d3103a..0ed302fe9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,10 +33,12 @@ but will be removed in future release. been added to set CHAP authentication for discovery sessions and existing target nodes, respectively. -CHAP shared secret file is now loaded only once at startup. During run time -CHAP shared secrets can be configured by new JSON RPCs `add_iscsi_auth_group`, -`delete_iscsi_auth_group`, `add_secret_to_iscsi_auth_group`, and -`delete_secret_from_iscsi_auth_group` instead. +The SPDK iSCSI target supports an AuthFile which can be used to load CHAP +shared secrets when the iSCSI target starts. SPDK previously provided a +default location for this file (`/usr/local/etc/spdk/auth.conf`) if none was +specified. This default has been removed. Users must now explicitly specify +the location of this file to load CHAP shared secrets from a file, or use +the related iSCSI RPC methods to add them at runtime. ## v18.07: diff --git a/doc/jsonrpc.md b/doc/jsonrpc.md index deaaf2e67..7892f502e 100644 --- a/doc/jsonrpc.md +++ b/doc/jsonrpc.md @@ -1771,7 +1771,7 @@ This RPC may only be called before SPDK subsystems have been initialized. This R Name | Type | Description --------------------------- | --------| ----------- -auth_file | string | Path to CHAP shared secret file for discovery session (default: "/usr/local/etc/spdk/auth.conf") +auth_file | string | Path to CHAP shared secret file (default: "") node_base | string | Prefix of the name of iSCSI target node (default: "iqn.2016-06.io.spdk") nop_timeout | number | Timeout in seconds to nop-in request to the initiator (default: 60) nop_in_interval | number | Time interval in secs between nop-in requests by the target (default: 30) 
@@ -1790,6 +1790,8 @@ error_recovery_level | number | Session specific parameter, ErrorRecover allow_duplicated_isid | boolean | Allow duplicated initiator session ID (default: `false`) min_connections_per_core | number | Allocation unit of connections per core (default: 4) +To load CHAP shared secret file, its path is required to specify explicitly in the parameter `auth_file`. + Parameters `disable_chap` and `require_chap` are mutually exclusive. Parameters `no_discovery_auth`, `req_discovery_auth`, `req_discovery_auth_mutual`, and `discovery_auth_group` are still available instead of `disable_chap`, `require_chap`, `mutual_chap`, and `chap_group`, respectivey but will be removed in future releases. ### Example diff --git a/lib/iscsi/iscsi.h b/lib/iscsi/iscsi.h index 169da79fe..e987a4406 100644 --- a/lib/iscsi/iscsi.h +++ b/lib/iscsi/iscsi.h @@ -50,7 +50,6 @@ #define SPDK_ISCSI_BUILD_ETC "/usr/local/etc/spdk" #define SPDK_ISCSI_DEFAULT_CONFIG SPDK_ISCSI_BUILD_ETC "/iscsi.conf" -#define SPDK_ISCSI_DEFAULT_AUTHFILE SPDK_ISCSI_BUILD_ETC "/auth.conf" #define SPDK_ISCSI_DEFAULT_NODEBASE "iqn.2016-06.io.spdk" #define DEFAULT_MAXR2T 4 diff --git a/lib/iscsi/iscsi_subsystem.c b/lib/iscsi/iscsi_subsystem.c index e4ca017c3..f63fc32e8 100644 --- a/lib/iscsi/iscsi_subsystem.c +++ b/lib/iscsi/iscsi_subsystem.c @@ -62,7 +62,7 @@ static void *g_fini_cb_arg; " NodeBase \"%s\"\n" \ "\n" \ " # files\n" \ -" AuthFile %s\n" \ +" %s %s\n" \ "\n" \ " # socket I/O timeout sec. (polling is infinity)\n" \ " Timeout %d\n" \ @@ -109,7 +109,9 @@ spdk_iscsi_globals_config_text(FILE *fp) } fprintf(fp, ISCSI_CONFIG_TMPL, - g_spdk_iscsi.nodebase, g_spdk_iscsi.authfile, + g_spdk_iscsi.nodebase, + g_spdk_iscsi.authfile ? "AuthFile" : "", + g_spdk_iscsi.authfile ? g_spdk_iscsi.authfile : "", g_spdk_iscsi.timeout, authmethod, authgroup, g_spdk_iscsi.MaxSessions, g_spdk_iscsi.MaxConnectionsPerSession, g_spdk_iscsi.MaxConnections, 
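Review bot: When `g_spdk_iscsi.authfile` is NULL, the `" %s %s\n"` line of ISCSI_CONFIG_TMPL (changed in the preceding hunk) prints as whitespace only under `# files`, so a dumped configuration no longer shows that the option exists. Emitting a commented placeholder would keep the dump self-describing, for example `g_spdk_iscsi.authfile ? "AuthFile" : "# AuthFile",` with `"<path>"` as the fallback value. Separately, the path is written unquoted while NodeBase is quoted; if the config reader splits values on whitespace, a path containing a space would not read back intact, which is worth confirming against the parser. The body of spdk_iscsi_globals_config_text continues outside the hunk.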
@@ -334,7 +336,8 @@ struct spdk_iscsi_pdu *spdk_get_pdu(void) static void spdk_iscsi_log_globals(void) { - SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "AuthFile %s\n", g_spdk_iscsi.authfile); + SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "AuthFile %s\n", + g_spdk_iscsi.authfile ? g_spdk_iscsi.authfile : "(none)"); SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "NodeBase %s\n", g_spdk_iscsi.nodebase); SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "MaxSessions %d\n", g_spdk_iscsi.MaxSessions); SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "MaxConnectionsPerSession %d\n", @@ -622,14 +625,6 @@ spdk_iscsi_read_config_file_params(struct spdk_conf_section *sp, static int spdk_iscsi_opts_verify(struct spdk_iscsi_opts *opts) { - if (!opts->authfile) { - opts->authfile = strdup(SPDK_ISCSI_DEFAULT_AUTHFILE); - if (opts->authfile == NULL) { - SPDK_ERRLOG("strdup() failed for default authfile\n"); - return -ENOMEM; - } - } - if (!opts->nodebase) { opts->nodebase = strdup(SPDK_ISCSI_DEFAULT_NODEBASE); if (opts->nodebase == NULL) { @@ -746,10 +741,12 @@ spdk_iscsi_set_global_params(struct spdk_iscsi_opts *opts) return rc; } - g_spdk_iscsi.authfile = strdup(opts->authfile); - if (!g_spdk_iscsi.authfile) { - SPDK_ERRLOG("failed to strdup for auth file %s\n", opts->authfile); - return -ENOMEM; + if (opts->authfile != NULL) { + g_spdk_iscsi.authfile = strdup(opts->authfile); + if (!g_spdk_iscsi.authfile) { + SPDK_ERRLOG("failed to strdup for auth file %s\n", opts->authfile); + return -ENOMEM; + } } g_spdk_iscsi.nodebase = strdup(opts->nodebase); 
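Review bot: The guard `if (opts->authfile != NULL)` in spdk_iscsi_set_global_params treats an empty string as a configured path, yet doc/jsonrpc.md in this same commit documents the default of `auth_file` as `""`. An empty value would be duplicated here and would later fail the `access()` check in spdk_iscsi_parse_configuration, with only an info-level log. Checking `opts->authfile != NULL && opts->authfile[0] != '\0'` would make both spellings of "unset" behave the same. From this commit on `g_spdk_iscsi.authfile` is nullable, so any reader outside the hunks shown needs a NULL check, and a comment on the field saying so would help. The function body starts and ends outside the hunk.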
@@ -1260,14 +1257,16 @@ spdk_iscsi_parse_configuration(void *ctx) SPDK_ERRLOG("spdk_iscsi_parse_tgt_nodes() failed\n"); } - if (access(g_spdk_iscsi.authfile, R_OK) == 0) { - rc = spdk_iscsi_parse_auth_info(); - if (rc < 0) { - SPDK_ERRLOG("spdk_iscsi_parse_auth_info() failed\n"); + if (g_spdk_iscsi.authfile != NULL) { + if (access(g_spdk_iscsi.authfile, R_OK) == 0) { + rc = spdk_iscsi_parse_auth_info(); + if (rc < 0) { + SPDK_ERRLOG("spdk_iscsi_parse_auth_info() failed\n"); + } + } else { + SPDK_INFOLOG(SPDK_LOG_ISCSI, "CHAP secret file is not found in the path %s\n", + g_spdk_iscsi.authfile); } - } else { - SPDK_INFOLOG(SPDK_LOG_ISCSI, "CHAP secret file is not found in the path %s\n", - g_spdk_iscsi.authfile); } end: @@ -1389,7 +1388,9 @@ spdk_iscsi_opts_info_json(struct spdk_json_write_ctx *w) { spdk_json_write_object_begin(w); - spdk_json_write_named_string(w, "auth_file", g_spdk_iscsi.authfile); + if (g_spdk_iscsi.authfile != NULL) { + spdk_json_write_named_string(w, "auth_file", g_spdk_iscsi.authfile); + } spdk_json_write_named_string(w, "node_base", g_spdk_iscsi.nodebase); spdk_json_write_named_uint32(w, "max_sessions", g_spdk_iscsi.MaxSessions); diff --git a/scripts/rpc.py b/scripts/rpc.py index 230a082f1..41d49eb75 100755 --- a/scripts/rpc.py +++ b/scripts/rpc.py @@ -509,7 +509,7 @@ if __name__ == "__main__": min_connections_per_core=args.min_connections_per_core) p = subparsers.add_parser('set_iscsi_options', help="""Set options of iSCSI subsystem""") - p.add_argument('-f', '--auth-file', help='Path to CHAP shared secret file for discovery session') + p.add_argument('-f', '--auth-file', help='Path to CHAP shared secret file') p.add_argument('-b', '--node-base', help='Prefix of the name of iSCSI target node') p.add_argument('-o', '--nop-timeout', help='Timeout in seconds to nop-in request to the initiator', type=int) p.add_argument('-n', '--nop-in-interval', help='Time interval in secs between nop-in requests by the target', type=int) 
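Review bot: An explicitly configured AuthFile that cannot be read is reported only through `SPDK_INFOLOG` in the new `else` branch of spdk_iscsi_parse_configuration, so the target starts without the CHAP secrets the operator asked for and nothing at error level records it. With the default path removed, a non-NULL `g_spdk_iscsi.authfile` is always an operator's choice, and the failure deserves `SPDK_ERRLOG("CHAP secret file %s is not readable\n", g_spdk_iscsi.authfile);`, possibly together with a non-zero `rc`. The `access()` call followed by spdk_iscsi_parse_auth_info(), which presumably opens the file again, is a check-then-use pair, and access() tests the real rather than the effective UID. Letting the parse call open the file and report its own error would remove that window. The function continues outside the hunk, so what happens to `rc` after `end:` is not visible here.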
diff --git a/scripts/rpc/iscsi.py b/scripts/rpc/iscsi.py index 1755129e0..341e746f1 100755 --- a/scripts/rpc/iscsi.py +++ b/scripts/rpc/iscsi.py @@ -23,7 +23,7 @@ def set_iscsi_options( """Set iSCSI target options. Args: - auth_file: Path to CHAP shared secret file for discovery session (optional) + auth_file: Path to CHAP shared secret file (optional) node_base: Prefix of the name of iSCSI target node (optional) nop_timeout: Timeout in seconds to nop-in request to the initiator (optional) nop_in_interval: Time interval in secs between nop-in requests by the target (optional)