tgtadm iscsi chap does not work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | Critical | Tomoki Sekiyama |
OpenStack Security Notes | Fix Released | Undecided | Michael McCune |
Bug Description
When using LVMISCSIDriver with iscsi_helper tgtadm, it should support CHAP unidirectional authentication, because the target configuration file and db.volume have a record of the CHAP user and CHAP password.
By testing, I found that tgtadm iSCSI CHAP does not work.
Is it a security bug for iscsi_helper tgtadm?
My detailed test steps are as follows.
1. Test details as follows, without modifying the source code:
1) Devstack all-in-one server A (10.250.10.190); another testing server B (10.250.10.191)
2) create a VM VM-A and a cinder volume VOLUME-A, attach VOLUME-A to VM-A
3) server B directly logs in to the iSCSI target that server A exports and gets VOLUME-A successfully.
iscsiadm -m discovery -t sendtargets -p 10.250.10.190
iscsiadm -m node -T iqn.2010-
2. Test details as follows, with the source code modified:
1) add code that creates the user/password and binds the user to the tid before leaving the function TgtAdm:
type, name, passwd = chap_auth.split()
2) try to log in to VOLUME-A following the steps in item 1; it reported an authorization error as follows.
root@devaio1:
Logging in to [iface: default, target: iqn.2010-
iscsiadm: Could not login to [iface: default, target: iqn.2010-
iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
iscsiadm: Could not log into all portals
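As an added example (not Cinder's code and not the reporter's patch), the following script shows the two places where the CHAP credential has to reach tgt for the login failure above to occur for an unauthorized initiator: the targets.conf stanza that tgt-admin reads, and the equivalent tgtadm account commands the reporter added before leaving TgtAdm. It also classifies a rendered stanza so a reviewer can tell "credential recorded but not enforced" (the symptom in the report) from "credential enforced". Assumptions, not taken from the page: tgt-admin recognises the lowercase keyword incominguser/outgoinguser inside a target block and does not honour the ietadm spelling IncomingUser; the tgtadm account syntax is the one in tgt's own documentation; the IQN, device path and credentials are constructed sample values.

```python
# Added example: not Cinder's code and not the reporter's patch. Renders the
# CHAP part of a tgt target definition two ways (targets.conf stanza and the
# equivalent tgtadm account commands) and checks a stanza for a usable CHAP
# line. Assumptions: tgt-admin keys on the lowercase keyword "incominguser" /
# "outgoinguser" (the ietadm spelling "IncomingUser" is assumed not to be
# honoured), and the tgtadm "account" mode syntax follows tgt's documentation.
import shlex

# Cinder-style CHAP type -> tgt targets.conf keyword (assumed tgt spelling).
CHAP_TYPES = {"IncomingUser": "incominguser", "OutgoingUser": "outgoinguser"}


def parse_chap_auth(chap_auth):
    """Split a Cinder-style "IncomingUser <user> <password>" string.

    Same split as the reporter's snippet, plus validation: a malformed string
    raises instead of silently producing an unauthenticated target.
    """
    parts = chap_auth.split()
    if len(parts) != 3:
        raise ValueError("chap_auth must be '<IncomingUser|OutgoingUser> <user> <password>'")
    auth_type, user, password = parts
    if auth_type not in CHAP_TYPES:
        raise ValueError("unknown CHAP type %r" % auth_type)
    return auth_type, user, password


def render_target_conf(iqn, backing_path, chap_auth=None):
    """Render a tgt targets.conf stanza; the CHAP line uses tgt's keyword."""
    lines = ["<target %s>" % iqn,
             "    backing-store %s" % backing_path,
             "    lld iscsi"]
    if chap_auth is not None:
        auth_type, user, password = parse_chap_auth(chap_auth)
        lines.append("    %s %s %s" % (CHAP_TYPES[auth_type], user, password))
    lines.append("</target>")
    return "\n".join(lines) + "\n"


def tgtadm_chap_commands(tid, chap_auth):
    """Return two argv lists: create the CHAP account, then bind it to tid.

    This is the runtime equivalent of the config line: the account must exist
    and be bound to the target, or the login succeeds without CHAP. Binding an
    outgoing (target->initiator) user adds --outgoing.
    """
    auth_type, user, password = parse_chap_auth(chap_auth)
    create = ["tgtadm", "--lld", "iscsi", "--op", "new", "--mode", "account",
              "--user", user, "--password", password]
    bind = ["tgtadm", "--lld", "iscsi", "--op", "bind", "--mode", "account",
            "--tid", str(tid), "--user", user]
    if auth_type == "OutgoingUser":
        bind.append("--outgoing")
    return [create, bind]


def chap_status(conf_text):
    """Classify a rendered stanza as 'enforced', 'misspelled' or 'absent'.

    'misspelled' flags a CHAP line written with a non-lowercase keyword such
    as the ietadm spelling IncomingUser: the credential is on disk, which
    matches the bug report's symptom (record present, no authentication
    enforced). That tgt-admin ignores such a line is an assumption here.
    """
    words = [line.strip().split(" ", 1)[0] for line in conf_text.splitlines()]
    if any(w in ("incominguser", "outgoinguser") for w in words):
        return "enforced"
    if any(w.lower() in ("incominguser", "outgoinguser") for w in words):
        return "misspelled"
    return "absent"


if __name__ == "__main__":
    # Constructed sample values, not taken from the bug report.
    iqn = "iqn.2010-10.org.openstack:volume-00000001"
    auth = "IncomingUser cinderuser s3cretpass"
    conf = render_target_conf(iqn, "/dev/stack-volumes/volume-00000001", auth)
    print(conf)
    print("CHAP status:", chap_status(conf))
    for argv in tgtadm_chap_commands(1, auth):
        print(" ".join(shlex.quote(a) for a in argv))
```

The check that matters operationally is the one the reporter already ran: from a host that has not been given the credential, `iscsiadm -m node -T <iqn> -p <portal> --login` must fail with error 24 (authorization failure). If it succeeds, the record in db.volume and in the config file is cosmetic and the volume is exposed to anyone who can reach the portal.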
Changed in cinder:
assignee: nobody → ling-yun (zengyunling)
assignee: ling-yun (zengyunling) → nobody
Changed in cinder:
assignee: nobody → ling-yun (zengyunling)
Changed in cinder:
importance: Undecided → Critical
milestone: none → juno-rc3
Changed in cinder:
milestone: juno-rc3 → 2014.2
Changed in ossn:
assignee: nobody → Steven Weston (steve.weston)
Changed in ossn:
status: New → In Progress
Changed in ossn:
assignee: Steven Weston (steve.weston) → Michael McCune (mimccune)
This may be a bug, but I fail to see the security vulnerability in it. Could you explain how this may constitute a vulnerability?