LVM iSCSI driver doesn't support 'use_chap_auth' config option

Bug #1771989 reported by Niall Power on 2018-05-18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cinder
Undecided
Unassigned

Bug Description

I was unable to disable CHAP authentication when using LVM+iSCSI as a cinder volume backend. Looking at cinder/volume/targets/iscsi.py the create_export() method always forces CHAP authentication by generating a new username and password if none are already configured for a volume:
        # Verify we haven't setup a CHAP creds file already
        # if DNE no big deal, we'll just create it
        chap_auth = self._get_target_chap_auth(context, volume)
        if not chap_auth:
            chap_auth = (vutils.generate_username(),
                         vutils.generate_password())

I think it should honor the cinder configuration DEFAULT group option "use_chap_auth" defined here:
https://github.com/openstack/cinder/blob/d2b3e1011e238ce1c29157e0614a0416a30448a8/cinder/volume/driver.py#L187
    cfg.BoolOpt('use_chap_auth',
                default=False,
                help='Option to enable/disable CHAP authentication for '
                     'targets.'),

The LVM driver needs a small tweak to accept a None value for 'auth' in the export_info dict in create_export().

I have attached a simple patch that checks the value of 'use_chap_auth' to be True before generating new CHAP auth credentials on an iSCSI volume.
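
The behaviour requested in the report above, as a stand-alone Python model. This is an added example, not the attached patch and not Cinder's code: `generate_credential`, `select_chap_auth` and `lvm_model_update` are hypothetical names, the credential lengths and the export dict layout are assumptions, and the sample location string is constructed.

```python
import secrets
import string

_ALPHABET = string.ascii_letters + string.digits


def generate_credential(length):
    """Stand-in for vutils.generate_username()/generate_password()."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def select_chap_auth(existing_auth, use_chap_auth):
    """Return (username, password), or None when CHAP is switched off.

    existing_auth models the result of _get_target_chap_auth(). Assumption:
    credentials already stored for a volume are reused, and only the
    generation of new ones is gated on use_chap_auth.
    """
    if existing_auth:
        return existing_auth
    if not use_chap_auth:
        return None
    return (generate_credential(20), generate_credential(16))


def create_export(location, existing_auth, use_chap_auth):
    """Model of the target driver's export_info dict; 'auth' may be None."""
    chap_auth = select_chap_auth(existing_auth, use_chap_auth)
    auth = "CHAP %s %s" % chap_auth if chap_auth else None
    return {"location": location, "auth": auth}


def lvm_model_update(export_info):
    """Model of the LVM driver side: tolerate a missing or None 'auth'."""
    return {
        "provider_location": export_info["location"],
        "provider_auth": export_info.get("auth"),
    }


if __name__ == "__main__":
    # Constructed sample location (documentation IP range, made-up IQN).
    loc = "192.0.2.10:3260,1 iqn.2010-10.org.openstack:volume-demo 0"
    for flag in (False, True):
        update = lvm_model_update(create_export(loc, None, flag))
        state = "set" if update["provider_auth"] else "None"
        print("use_chap_auth=%s -> provider_auth %s" % (flag, state))
```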

fanguiju (fanguiju) on 2018-05-20
Changed in cinder:
assignee: nobody → fanguiju (fanguiju)
fanguiju (fanguiju) on 2018-05-20
Changed in cinder:
assignee: fanguiju (fanguiju) → nobody
assignee: nobody → fanguiju (fanguiju)
status: New → In Progress
Eric Harney (eharney) wrote :

I don't see a reason that we would want anyone to use the LVM driver with CHAP authentication disabled. Why do this?

Changed in cinder:
status: In Progress → Incomplete
Niall Power (niall-power) wrote :

Hi Eric.
One reason is when the initiator node has bugs in its implementation and doesn't handle CHAP correctly. The operator may not want to, but they may have to disable CHAP in such circumstances. It is certainly a reasonable argument but I think it is better applied to what the default value of the option should be, rather than whether the option should be there or not.
Also, the option is supported by a large number of the current volume drivers. I don't see why LVM should be the exception to this.

Changed in cinder:
status: Incomplete → In Progress
fanguiju (fanguiju) on 2018-06-08
Changed in cinder:
assignee: fanguiju (fanguiju) → nobody
TommyLike (hu-husheng) on 2018-06-14
tags: added: bugsmash