[PATCH 0/2] target/iscsi-target: Add TPG context authentication context support

11 views
Skip to first unread message

Nicholas A. Bellinger

unread,
Jun 19, 2013, 11:03:46 PM6/19/13
to target-devel, Dax Kelson, Nicholas Bellinger
From: Nicholas Bellinger <n...@linux-iscsi.org>

Hi Dax & Co,

This series adds support for se_portal_group->tpg_auth_group context
that enables per TPG authentication attributes within individual
iscsi-target endpoints.

It allows optional CHAP authentication information to be configured
(for all connecting initiators) seperate from explict NodeACL initiator
behaviour, and appears in configfs under:

/sys/kernel/config/target/iscsi/$TARGETNAME/$TPGT/auth/

-r--r--r-- 1 root root 4096 Jun 19 19:37 authenticate_target
-rw-r--r-- 1 root root 4096 Jun 19 19:37 password
-rw-r--r-- 1 root root 4096 Jun 19 19:37 password_mutual
-rw-r--r-- 1 root root 4096 Jun 19 19:17 userid
-rw-r--r-- 1 root root 4096 Jun 19 19:37 userid_mutual

This takes precedence over any NodeACL authentication configuration
in iscsi_handle_authentication() when session se_node_acl->dynamic_node_acl
has been set during TPG generate_node_acls=1 operation.

Including into target-pending/queue now, please review.

Thanks!

--nab

Nicholas Bellinger (2):
target: Add se_portal_group->tpg_auth_group
iscsi-target: Add demo-mode TPG authentication context support

drivers/target/iscsi/iscsi_target_configfs.c | 126 ++++++++++++++++++++++++++
drivers/target/iscsi/iscsi_target_core.h | 1 +
drivers/target/iscsi/iscsi_target_nego.c | 13 +++-
drivers/target/target_core_fabric_configfs.c | 21 ++++-
include/target/target_core_base.h | 3 +-
include/target/target_core_configfs.h | 1 +
include/target/target_core_fabric_configfs.h | 11 +++
7 files changed, 172 insertions(+), 4 deletions(-)

--
1.7.2.5

Nicholas A. Bellinger

unread,
Jun 19, 2013, 11:03:47 PM6/19/13
to target-devel, Dax Kelson, Nicholas Bellinger
From: Nicholas Bellinger <n...@linux-iscsi.org>

This patch adds an optional /auth/ configfs group to TPG context that
can be used by fabrics like iscsi-target for TPG demo-mode
authentication.

Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>
---
drivers/target/target_core_fabric_configfs.c | 21 +++++++++++++++++++--
include/target/target_core_base.h | 3 ++-
include/target/target_core_configfs.h | 1 +
include/target/target_core_fabric_configfs.h | 11 +++++++++++
4 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/drivers/target/target_core_fabric_configfs.c b/drivers/target/target_core_fabric_configfs.c
index 04c775c..eb56eb1 100644
--- a/drivers/target/target_core_fabric_configfs.c
+++ b/drivers/target/target_core_fabric_configfs.c
@@ -965,6 +965,19 @@ TF_CIT_SETUP(tpg_attrib, &target_fabric_tpg_attrib_item_ops, NULL, NULL);

/* End of tfc_tpg_attrib_cit */

+/* Start of tfc_tpg_auth_cit */
+
+CONFIGFS_EATTR_OPS(target_fabric_tpg_auth, se_portal_group, tpg_auth_group);
+
+static struct configfs_item_operations target_fabric_tpg_auth_item_ops = {
+ .show_attribute = target_fabric_tpg_auth_attr_show,
+ .store_attribute = target_fabric_tpg_auth_attr_store,
+};
+
+TF_CIT_SETUP(tpg_auth, &target_fabric_tpg_auth_item_ops, NULL, NULL);
+
+/* End of tfc_tpg_attrib_cit */
+
/* Start of tfc_tpg_param_cit */

CONFIGFS_EATTR_OPS(target_fabric_tpg_param, se_portal_group, tpg_param_group);
@@ -1030,8 +1043,9 @@ static struct config_group *target_fabric_make_tpg(
se_tpg->tpg_group.default_groups[1] = &se_tpg->tpg_np_group;
se_tpg->tpg_group.default_groups[2] = &se_tpg->tpg_acl_group;
se_tpg->tpg_group.default_groups[3] = &se_tpg->tpg_attrib_group;
- se_tpg->tpg_group.default_groups[4] = &se_tpg->tpg_param_group;
- se_tpg->tpg_group.default_groups[5] = NULL;
+ se_tpg->tpg_group.default_groups[4] = &se_tpg->tpg_auth_group;
+ se_tpg->tpg_group.default_groups[5] = &se_tpg->tpg_param_group;
+ se_tpg->tpg_group.default_groups[6] = NULL;

config_group_init_type_name(&se_tpg->tpg_group, name,
&TF_CIT_TMPL(tf)->tfc_tpg_base_cit);
@@ -1043,6 +1057,8 @@ static struct config_group *target_fabric_make_tpg(
&TF_CIT_TMPL(tf)->tfc_tpg_nacl_cit);
config_group_init_type_name(&se_tpg->tpg_attrib_group, "attrib",
&TF_CIT_TMPL(tf)->tfc_tpg_attrib_cit);
+ config_group_init_type_name(&se_tpg->tpg_auth_group, "auth",
+ &TF_CIT_TMPL(tf)->tfc_tpg_auth_cit);
config_group_init_type_name(&se_tpg->tpg_param_group, "param",
&TF_CIT_TMPL(tf)->tfc_tpg_param_cit);

@@ -1202,6 +1218,7 @@ int target_fabric_setup_cits(struct target_fabric_configfs *tf)
target_fabric_setup_tpg_np_cit(tf);
target_fabric_setup_tpg_np_base_cit(tf);
target_fabric_setup_tpg_attrib_cit(tf);
+ target_fabric_setup_tpg_auth_cit(tf);
target_fabric_setup_tpg_param_cit(tf);
target_fabric_setup_tpg_nacl_cit(tf);
target_fabric_setup_tpg_nacl_base_cit(tf);
diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
index 9fd7a60..d92ec67 100644
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -795,11 +795,12 @@ struct se_portal_group {
struct target_core_fabric_ops *se_tpg_tfo;
struct se_wwn *se_tpg_wwn;
struct config_group tpg_group;
- struct config_group *tpg_default_groups[6];
+ struct config_group *tpg_default_groups[7];
struct config_group tpg_lun_group;
struct config_group tpg_np_group;
struct config_group tpg_acl_group;
struct config_group tpg_attrib_group;
+ struct config_group tpg_auth_group;
struct config_group tpg_param_group;
};

diff --git a/include/target/target_core_configfs.h b/include/target/target_core_configfs.h
index 6125095..713c500 100644
--- a/include/target/target_core_configfs.h
+++ b/include/target/target_core_configfs.h
@@ -23,6 +23,7 @@ struct target_fabric_configfs_template {
struct config_item_type tfc_tpg_np_cit;
struct config_item_type tfc_tpg_np_base_cit;
struct config_item_type tfc_tpg_attrib_cit;
+ struct config_item_type tfc_tpg_auth_cit;
struct config_item_type tfc_tpg_param_cit;
struct config_item_type tfc_tpg_nacl_cit;
struct config_item_type tfc_tpg_nacl_base_cit;
diff --git a/include/target/target_core_fabric_configfs.h b/include/target/target_core_fabric_configfs.h
index a26fb75..b32a149 100644
--- a/include/target/target_core_fabric_configfs.h
+++ b/include/target/target_core_fabric_configfs.h
@@ -62,6 +62,17 @@ static struct target_fabric_tpg_attrib_attribute _fabric##_tpg_attrib_##_name =
_fabric##_tpg_attrib_show_##_name, \
_fabric##_tpg_attrib_store_##_name);

+CONFIGFS_EATTR_STRUCT(target_fabric_tpg_auth, se_portal_group);
+#define TF_TPG_AUTH_ATTR(_fabric, _name, _mode) \
+static struct target_fabric_tpg_auth_attribute _fabric##_tpg_auth_##_name = \
+ __CONFIGFS_EATTR(_name, _mode, \
+ _fabric##_tpg_auth_show_##_name, \
+ _fabric##_tpg_auth_store_##_name);
+
+#define TF_TPG_AUTH_ATTR_RO(_fabric, _name) \
+static struct target_fabric_tpg_auth_attribute _fabric##_tpg_auth_##_name = \
+ __CONFIGFS_EATTR_RO(_name, \
+ _fabric##_tpg_auth_show_##_name);

CONFIGFS_EATTR_STRUCT(target_fabric_tpg_param, se_portal_group);
#define TF_TPG_PARAM_ATTR(_fabric, _name, _mode) \
--
1.7.2.5

Nicholas A. Bellinger

unread,
Jun 19, 2013, 11:03:48 PM6/19/13
to target-devel, Dax Kelson, Nicholas Bellinger
From: Nicholas Bellinger <n...@linux-iscsi.org>

This patch adds a auth configfs group context following existing
explict NodeACL and discovery auth within:

/sys/kernel/config/target/iscsi/$TARGETNAME/$TPGT/auth/

This patch allows these attributes to be used for CHAP authentication
an TPG is configured in demo-mode (generate_node_acl=1).

Note this authentication information takes precedence over NodeACL
authentication when struct se_node_acl->dynamic_node_acl is present.

Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>
---
drivers/target/iscsi/iscsi_target_configfs.c | 126 ++++++++++++++++++++++++++
drivers/target/iscsi/iscsi_target_core.h | 1 +
drivers/target/iscsi/iscsi_target_nego.c | 13 +++-
3 files changed, 139 insertions(+), 1 deletions(-)

diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c
index fe4a5a20..84ecc06 100644
--- a/drivers/target/iscsi/iscsi_target_configfs.c
+++ b/drivers/target/iscsi/iscsi_target_configfs.c
@@ -1055,6 +1055,131 @@ static struct configfs_attribute *lio_target_tpg_attrib_attrs[] = {

/* End items for lio_target_tpg_attrib_cit */

+/* Start items for lio_target_tpg_auth_cit */
+
+#define __DEF_TPG_AUTH_STR(prefix, name, flags) \
+static ssize_t __iscsi_##prefix##_show_##name( \
+ struct se_portal_group *se_tpg, \
+ char *page) \
+{ \
+ struct iscsi_portal_group *tpg = container_of(se_tpg, \
+ struct iscsi_portal_group, tpg_se_tpg); \
+ struct iscsi_node_auth *auth = &tpg->tpg_demo_auth; \
+ \
+ if (!capable(CAP_SYS_ADMIN)) \
+ return -EPERM; \
+ \
+ return snprintf(page, PAGE_SIZE, "%s\n", auth->name); \
+} \
+ \
+static ssize_t __iscsi_##prefix##_store_##name( \
+ struct se_portal_group *se_tpg, \
+ const char *page, \
+ size_t count) \
+{ \
+ struct iscsi_portal_group *tpg = container_of(se_tpg, \
+ struct iscsi_portal_group, tpg_se_tpg); \
+ struct iscsi_node_auth *auth = &tpg->tpg_demo_auth; \
+ \
+ if (!capable(CAP_SYS_ADMIN)) \
+ return -EPERM; \
+ \
+ snprintf(auth->name, PAGE_SIZE, "%s", page); \
+ if (!(strncmp("NULL", auth->name, 4))) \
+ auth->naf_flags &= ~flags; \
+ else \
+ auth->naf_flags |= flags; \
+ \
+ if ((auth->naf_flags & NAF_USERID_IN_SET) && \
+ (auth->naf_flags & NAF_PASSWORD_IN_SET)) \
+ auth->authenticate_target = 1; \
+ else \
+ auth->authenticate_target = 0; \
+ \
+ return count; \
+}
+
+#define __DEF_TPG_AUTH_INT(prefix, name) \
+static ssize_t __iscsi_##prefix##_show_##name( \
+ struct se_portal_group *se_tpg, \
+ char *page) \
+{ \
+ struct iscsi_portal_group *tpg = container_of(se_tpg, \
+ struct iscsi_portal_group, tpg_se_tpg); \
+ struct iscsi_node_auth *auth = &tpg->tpg_demo_auth; \
+ \
+ if (!capable(CAP_SYS_ADMIN)) \
+ return -EPERM; \
+ \
+ return snprintf(page, PAGE_SIZE, "%d\n", auth->name); \
+}
+
+#define DEF_TPG_AUTH_STR(name, flags) \
+ __DEF_TPG_AUTH_STR(tpg_auth, name, flags) \
+static ssize_t iscsi_tpg_auth_show_##name( \
+ struct se_portal_group *se_tpg, \
+ char *page) \
+{ \
+ return __iscsi_tpg_auth_show_##name(se_tpg, page); \
+} \
+ \
+static ssize_t iscsi_tpg_auth_store_##name( \
+ struct se_portal_group *se_tpg, \
+ const char *page, \
+ size_t count) \
+{ \
+ return __iscsi_tpg_auth_store_##name(se_tpg, page, count); \
+}
+
+#define DEF_TPG_AUTH_INT(name) \
+ __DEF_TPG_AUTH_INT(tpg_auth, name) \
+static ssize_t iscsi_tpg_auth_show_##name( \
+ struct se_portal_group *se_tpg, \
+ char *page) \
+{ \
+ return __iscsi_tpg_auth_show_##name(se_tpg, page); \
+}
+
+#define TPG_AUTH_ATTR(_name, _mode) TF_TPG_AUTH_ATTR(iscsi, _name, _mode);
+#define TPG_AUTH_ATTR_RO(_name) TF_TPG_AUTH_ATTR_RO(iscsi, _name);
+
+/*
+ * * One-way authentication userid
+ * */
+DEF_TPG_AUTH_STR(userid, NAF_USERID_SET);
+TPG_AUTH_ATTR(userid, S_IRUGO | S_IWUSR);
+/*
+ * * One-way authentication password
+ * */
+DEF_TPG_AUTH_STR(password, NAF_PASSWORD_SET);
+TPG_AUTH_ATTR(password, S_IRUGO | S_IWUSR);
+/*
+ * * Enforce mutual authentication
+ * */
+DEF_TPG_AUTH_INT(authenticate_target);
+TPG_AUTH_ATTR_RO(authenticate_target);
+/*
+ * * Mutual authentication userid
+ * */
+DEF_TPG_AUTH_STR(userid_mutual, NAF_USERID_IN_SET);
+TPG_AUTH_ATTR(userid_mutual, S_IRUGO | S_IWUSR);
+/*
+ * * Mutual authentication password
+ * */
+DEF_TPG_AUTH_STR(password_mutual, NAF_PASSWORD_IN_SET);
+TPG_AUTH_ATTR(password_mutual, S_IRUGO | S_IWUSR);
+
+static struct configfs_attribute *lio_target_tpg_auth_attrs[] = {
+ &iscsi_tpg_auth_userid.attr,
+ &iscsi_tpg_auth_password.attr,
+ &iscsi_tpg_auth_authenticate_target.attr,
+ &iscsi_tpg_auth_userid_mutual.attr,
+ &iscsi_tpg_auth_password_mutual.attr,
+ NULL,
+};
+
+/* End items for lio_target_tpg_auth_cit */
+
/* Start items for lio_target_tpg_param_cit */

#define DEF_TPG_PARAM(name) \
@@ -1868,6 +1993,7 @@ int iscsi_target_register_configfs(void)
TF_CIT_TMPL(fabric)->tfc_wwn_cit.ct_attrs = lio_target_wwn_attrs;
TF_CIT_TMPL(fabric)->tfc_tpg_base_cit.ct_attrs = lio_target_tpg_attrs;
TF_CIT_TMPL(fabric)->tfc_tpg_attrib_cit.ct_attrs = lio_target_tpg_attrib_attrs;
+ TF_CIT_TMPL(fabric)->tfc_tpg_auth_cit.ct_attrs = lio_target_tpg_auth_attrs;
TF_CIT_TMPL(fabric)->tfc_tpg_param_cit.ct_attrs = lio_target_tpg_param_attrs;
TF_CIT_TMPL(fabric)->tfc_tpg_np_base_cit.ct_attrs = lio_target_portal_attrs;
TF_CIT_TMPL(fabric)->tfc_tpg_nacl_base_cit.ct_attrs = lio_target_initiator_attrs;
diff --git a/drivers/target/iscsi/iscsi_target_core.h b/drivers/target/iscsi/iscsi_target_core.h
index 60ec4b9..0422927 100644
--- a/drivers/target/iscsi/iscsi_target_core.h
+++ b/drivers/target/iscsi/iscsi_target_core.h
@@ -809,6 +809,7 @@ struct iscsi_portal_group {
struct mutex tpg_access_lock;
struct mutex np_login_lock;
struct iscsi_tpg_attrib tpg_attrib;
+ struct iscsi_node_auth tpg_demo_auth;
/* Pointer to default list of iSCSI parameters for TPG */
struct iscsi_param_list *param_list;
struct iscsi_tiqn *tpg_tiqn;
diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
index 7ad9120..6b5fc27 100644
--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -112,6 +112,7 @@ static u32 iscsi_handle_authentication(
struct iscsi_session *sess = conn->sess;
struct iscsi_node_auth *auth;
struct iscsi_node_acl *iscsi_nacl;
+ struct iscsi_portal_group *iscsi_tpg;
struct se_node_acl *se_nacl;

if (!sess->sess_ops->SessionType) {
@@ -132,7 +133,17 @@ static u32 iscsi_handle_authentication(
return -1;
}

- auth = ISCSI_NODE_AUTH(iscsi_nacl);
+ if (se_nacl->dynamic_node_acl) {
+ iscsi_tpg = container_of(se_nacl->se_tpg,
+ struct iscsi_portal_group, tpg_se_tpg);
+
+ auth = &iscsi_tpg->tpg_demo_auth;
+ } else {
+ iscsi_nacl = container_of(se_nacl, struct iscsi_node_acl,
+ se_node_acl);
+
+ auth = ISCSI_NODE_AUTH(iscsi_nacl);
+ }
} else {
/*
* For SessionType=Discovery
--
1.7.2.5

Reply all
Reply to author
Forward
0 new messages