IscsiChapSupport
Latest revision as of 23:29, 17 February 2013

  • Launchpad Entry: CinderSpec:iscsi-chap
  • Created: 13 Aug 2012
  • Contributors: Vincent Hou

Summary

CHAP (Challenge-Handshake Authentication Protocol) is an authentication scheme used by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients. It can be applied in iSCSI to authenticate the initiators or the targets. There are several types of CHAP, including one-way authentication, two-way authentication and reverse authentication. At the beginning of this blueprint, one-way CHAP authentication, in which the target authenticates the initiators, will be implemented first.

Release Note

This feature is planned to be finished in the G version.

Rationale

User stories

For one-way CHAP authentication, the user can create a volume with a username and a password, enable authentication for a volume by binding a username and a password to it, and disable authentication for a volume by unbinding the username and the password.

Example of a target description to be saved:

<target iqn.2010-10.org.openstack:volume-XXXXXXXXXXXXXXXXXXXXXXXXXX>
  backing-store /dev/stack-volumes/volume-XXXXXXXXXXXXXXXXXXXXXXXXXX
  incominguser username password
</target>

As a first stepping stone, no change needs to be made to the current API. When a volume is created with tgtadm or ietadm, a username and a password will be generated by the driver and saved into the configuration file and the database.

Assumptions

Design

Implementation

When a volume is created, a username and password pair should be generated. The username and password will be saved into the configuration file and the database automatically, so that the VM can initialize the connection to the volume.
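The following is an added example, not Cinder or nova-volume code, covering the credential generation described in the User stories and Implementation sections: it draws a CHAP username and password from the OS CSPRNG, renders the one-way CHAP target stanza shown above (the IQN prefix, backing-store directory and credential lengths are assumptions taken from the page's example), rejects values that would break the line-oriented file format, and parses a stanza back as a driver reading the saved configuration would.

```python
import re
import secrets
import string

# Assumed from the page's example target; not a Cinder constant.
IQN_PREFIX = "iqn.2010-10.org.openstack"
VOLUME_DIR = "/dev/stack-volumes"
_ALPHABET = string.ascii_letters + string.digits


def generate_chap_credentials(user_len=12, secret_len=16):
    """Return a (username, password) pair from the OS CSPRNG.

    Lengths are assumptions; the page only says the driver generates a pair.
    Alphanumerics only, so the values never need quoting in the target file.
    """
    username = "".join(secrets.choice(_ALPHABET) for _ in range(user_len))
    password = "".join(secrets.choice(_ALPHABET) for _ in range(secret_len))
    return username, password


def render_target(volume_id, username, password):
    """Render the <target> block; incominguser makes the target authenticate the initiator."""
    for value in (volume_id, username, password):
        # Whitespace or '<' would corrupt or redefine entries in the config file.
        if not re.fullmatch(r"[A-Za-z0-9_-]+", value):
            raise ValueError("unsafe character in target definition: %r" % value)
    return (
        "<target %s:volume-%s>\n"
        "  backing-store %s/volume-%s\n"
        "  incominguser %s %s\n"
        "</target>\n" % (IQN_PREFIX, volume_id, VOLUME_DIR, volume_id, username, password)
    )


def parse_target(text):
    """Read a rendered block back into a dict (what the driver would load from the file)."""
    m = re.search(
        r"<target (?P<iqn>\S+)>\s*backing-store (?P<store>\S+)\s*"
        r"incominguser (?P<user>\S+) (?P<pw>\S+)\s*</target>", text)
    if not m:
        raise ValueError("no CHAP-protected target found")
    return m.groupdict()
```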

Test/Demo Plan

Unresolved issues

BoF agenda and discussion