[Openstack-security] [Bug 1329214] Re: tgtadm iscsi chap does not work
OpenStack Infra
1329214 at bugs.launchpad.net
Wed Oct 15 10:38:20 UTC 2014
Reviewed: https://review.openstack.org/128507
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=be3d4604dc0566e0838959d998ff1d37755de6d3
Submitter: Jenkins
Branch: proposed/juno
commit be3d4604dc0566e0838959d998ff1d37755de6d3
Author: Tomoki Sekiyama <tomoki.sekiyama at hds.com>
Date: Tue Oct 14 19:09:44 2014 -0400
Fix LVM iSCSI driver tgtadm CHAP authentication
Currently CHAP Authentication in LVM iSCSI driver with tgtadm does not work.
This is because the tgtadm helper creates the target configuration file
with an 'IncomingUser' entry, which is ignored by tgtd.
This patch fixes it to 'incominguser'.
Change-Id: I14871985a2a916834122f849238f05b75726bc1a
Closes-Bug: #1329214
(cherry picked from commit e3563891545c801726d227f752cf99488ed5c7dd)
** Changed in: cinder
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1329214
Title:
tgtadm iscsi chap does not work
Status in Cinder:
Fix Released
Status in OpenStack Security Notes:
New
Bug description:
When using LVMISCSIDriver and iscsi_helper tgtadm, it should support CHAP unidirectional authentication, because the target configuration file and db.volume have a record of the chap user and chap passwd.
By testing, I found that tgtadm iscsi chap does not work.
Is it a security bug for iscsi_helper tgtadm?
My detailed test work is as follows.
1. Test details without modifying the source code:
1) Devstack all-in-one server A (10.250.10.190); another testing server B (10.250.10.191)
2) Create a VM VM-A and a cinder volume VOLUME-A, attach VOLUME-A to VM-A
3) Server B directly logs in to the iSCSI target that server A exports and gets VOLUME-A successfully.
    iscsiadm -m discovery -t sendtargets -p 10.250.10.190
    iscsiadm -m node -T iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e -p 10.250.10.190 -l --login
2. Test details with the source code modified:
1) Add code that creates the user/passwd and binds the user to the tid before leaving the function TgtAdm:create_iscsi_target.
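    # chap_auth holds three whitespace-separated fields: type, user, password
    type, name, passwd = chap_auth.split()
    # Create the CHAP account in tgtd
    self._execute('tgtadm', '--lld', 'iscsi', '--mode', 'account',
                  '--op', 'new', '--user', name, '--password', passwd)
    # Bind the account to the target id so logins to it must authenticate
    self._execute('tgtadm', '--lld', 'iscsi', '--mode', 'account',
                  '--op', 'bind', '--tid', tid, '--user', name)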
2) Try to log in to VOLUME-A following the steps in item 1; it reported an authorization error as follows.
root@devaio1:/etc/iscsi# iscsiadm -m node -T iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e -p 10.250.10.190 -l --login
Logging in to [iface: default, target: iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e, portal: 10.250.10.190,3260] (multiple)
iscsiadm: Could not login to [iface: default, target: iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e, portal: 10.250.10.190,3260].
iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
iscsiadm: Could not log into all portals
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1329214/+subscriptions
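
An added example, not part of the original message or of Cinder's code: a check for the condition the commit message describes, where a target block carries its CHAP line as 'IncomingUser' and tgtd ignores it. The function name, target names and credentials are constructed, and the `<target ...>` block layout of tgt configuration files is assumed.

```python
import re

# Constructed sample of tgt target definitions (not taken from a real host).
SAMPLE_CONF = """\
<target iqn.2010-10.org.openstack:volume-aaaa>
    backing-store /dev/stack-volumes/volume-aaaa
    IncomingUser exampleuser examplesecret
</target>
<target iqn.2010-10.org.openstack:volume-bbbb>
    backing-store /dev/stack-volumes/volume-bbbb
    incominguser exampleuser examplesecret
</target>
<target iqn.2010-10.org.openstack:volume-cccc>
    backing-store /dev/stack-volumes/volume-cccc
</target>
"""

TARGET_RE = re.compile(r"<target\s+(\S+)>(.*?)</target>", re.DOTALL)


def audit_chap(conf_text):
    """Return {target_name: status} for each <target> block.

    'ok'        an 'incominguser' line is present (the spelling the fix uses)
    'miscased'  a CHAP line exists only in another letter case, e.g.
                'IncomingUser', which the commit message says tgtd ignores
    'missing'   no incoming CHAP line at all
    """
    results = {}
    for name, body in TARGET_RE.findall(conf_text):
        status = "missing"
        for line in body.splitlines():
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue  # skip blank lines and comments
            if fields[0] == "incominguser":
                status = "ok"
                break
            if fields[0].lower() == "incominguser":
                status = "miscased"
        results[name] = status
    return results


if __name__ == "__main__":
    for target, status in audit_chap(SAMPLE_CONF).items():
        print(f"{status:9} {target}")
```

Any target reported as 'miscased' or 'missing' accepts logins without CHAP, which matches the unauthenticated login shown in test 1 of the bug description.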