
IscsiChapSupport

Revision as of 12:26, 14 August 2012 by VincentHou (talk)
  • Launchpad Entry: CinderSpec:iscsi-chap
  • Created: 13 Aug 2012
  • Contributors: Vincent Hou

Summary

A server

CHAP (Challenge-Handshake Authentication Protocol) is an authentication scheme originally used by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients. It can be applied to iSCSI to authenticate initiators, targets, or both. There are several variants, including one-way authentication, two-way (mutual) authentication and reverse authentication. At the beginning of this blueprint, one-way CHAP authentication, in which the target authenticates the initiator, will be implemented first.
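The one-way exchange described above, as an added illustration that is not Cinder or nova code: the target sends a one-byte identifier and a fresh random challenge, the initiator answers with MD5(identifier || secret || challenge) as in RFC 1994, and the target recomputes the digest from the secret bound to that username. The text keys CHAP_A, CHAP_I, CHAP_C, CHAP_N and CHAP_R are the iSCSI login keys from RFC 3720; the session ids and the credential table are constructed for the example.

```python
"""One-way CHAP as used during iSCSI login: the target challenges, the
initiator answers with a keyed MD5 digest, the target verifies.

Added illustration, not Cinder or nova code. The text keys CHAP_A, CHAP_I,
CHAP_C, CHAP_N and CHAP_R are the iSCSI login keys from RFC 3720; the
response is RFC 1994 CHAP with MD5 (algorithm 5). Session ids and the
credential table used in __main__ are constructed for the example.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Target:
    """Target side. `incoming_users` maps CHAP username -> secret, which is
    what an 'incoming' credential bound to a volume amounts to."""

    def __init__(self, incoming_users):
        self._users = dict(incoming_users)
        self._outstanding = {}   # session id -> (identifier, challenge)

    def challenge(self, session_id):
        ident = os.urandom(1)[0]          # CHAP_I, one byte
        chal = os.urandom(16)             # CHAP_C, fresh for every login
        self._outstanding[session_id] = (ident, chal)
        return {"CHAP_A": "5", "CHAP_I": str(ident), "CHAP_C": "0x" + chal.hex()}

    def verify(self, session_id, reply):
        """True iff the reply answers the still-outstanding challenge for
        this session with the registered secret. The challenge is consumed
        either way, so a captured reply cannot be replayed."""
        state = self._outstanding.pop(session_id, None)
        if state is None:
            return False
        ident, chal = state
        secret = self._users.get(reply.get("CHAP_N"))
        if secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        try:
            got = bytes.fromhex(reply["CHAP_R"][2:])
        except (KeyError, ValueError):
            return False
        # constant-time comparison of the 16-byte digests
        return hmac.compare_digest(expected, got)


class Initiator:
    """Initiator side: knows the username/secret bound to the volume."""

    def __init__(self, username, secret):
        self.username = username
        self.secret = secret

    def respond(self, msg):
        ident = int(msg["CHAP_I"])
        chal = bytes.fromhex(msg["CHAP_C"][2:])
        digest = chap_response(ident, self.secret, chal)
        return {"CHAP_N": self.username, "CHAP_R": "0x" + digest.hex()}


def login(target, initiator, session_id):
    """Run the one-way exchange; returns whether the target accepted."""
    msg = target.challenge(session_id)
    reply = initiator.respond(msg)
    return target.verify(session_id, reply)


if __name__ == "__main__":
    tgt = Target({"vol-0001-user": b"0123456789abcdef"})   # constructed credential
    print(login(tgt, Initiator("vol-0001-user", b"0123456789abcdef"), "s1"))
    print(login(tgt, Initiator("vol-0001-user", b"wrong-secret-000"), "s2"))
```

Only the initiator proves anything here; the target never shows knowledge of a secret, which is exactly why 'incoming' CHAP alone leaves an initiator unable to tell a rogue target from the real one. The secret itself never crosses the wire, but the exchange is not encrypted, so anyone capturing it can run an offline dictionary attack on a weak secret.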

Release Note

This feature is planned to be finished in the G release.

Rationale

User stories

For one-way CHAP authentication, the user can create a volume with a username and a password, enable authentication on an existing volume by binding a username and a password to it, and disable authentication on a volume by unbinding the username and the password.

Example of a target description to be saved:

  • --volume_manager=nova.volume.manager.VolumeManager --volume_driver=nova.volume.san.SolidFireSanISCSIDriver --iscsi_ip_prefix=192.168.69.211 --san_ip=192.168.69.210 --san_login=cluster_login --san_password=password --poolname=nova

So far, three use cases are taken into account for this one-way authentication. More may be implemented later.

volume-create-with-authentication:

  • When creating a volume, the user can specify three additional parameters, the CHAP username, the CHAP password and the CHAP type, to create the credentials for the volume. For the iSCSI target there are two types of authentication: for one-way authentication the CHAP type is 'incoming' (the target checks the credential the initiator presents); the other is 'outgoing' (the credential the target presents to the initiator, used for mutual CHAP). The default value can be 'incoming'. To keep the username and the password consistent with the target, they are saved in the target. The API for creating a volume should be extended with these three parameters, and so should the shell command.

volume-attach:

  • Volume is attached using the current iSCSI/nova api methods. Model updates are done during creation as well as export to avoid re-scans.

volume-delete:

  • The SolidFire driver verifies the volume_name from the database as well as the account and issues the SolidFire API call to delete the volume.

On volume_create()

  • A user account name is built by concatenating the compute node's hostname and the project id; for example, on a compute node with hostname 'myhost' and a project id of '1' the result would be:
    • 'myhost-1'
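For the volume-create-with-authentication use case above, the following added example (not the nova/cinder tgt driver's own code) validates the three CHAP parameters, applies the 'incoming' default, and renders what is saved on the target for the tgt daemon, both as a targets.conf stanza and as the equivalent tgtadm account commands. The stanza keys 'backing-store', 'incominguser' and 'outgoinguser' are tgt-admin's syntax; the IQN prefix, the backing-store paths and the 12-16 byte secret bound (the length range most initiators accept) are assumptions of the example.

```python
"""Validate the CHAP parameters of volume-create and render what gets saved
on the target, for the tgt daemon.

Added example; not the nova/cinder tgt driver. The stanza keys 'backing-store',
'incominguser' and 'outgoinguser' are tgt-admin's targets.conf syntax, and the
tgtadm account commands are the CLI equivalent; the IQN prefix, the secret
length bound and the volume paths are assumed values for the illustration.
"""
import secrets
import string

CHAP_TYPES = ("incoming", "outgoing")
IQN_PREFIX = "iqn.2010-10.org.openstack:"   # assumed target name prefix
SECRET_MIN, SECRET_MAX = 12, 16             # assumed bound: what most initiators accept


def generate_chap_secret(length=SECRET_MAX):
    """Random alphanumeric secret, for when the caller supplies none."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def validate_chap(username, password, chap_type="incoming"):
    """Reject parameters that tgt would misparse or initiators would refuse.
    Returns (username, password, chap_type) with the default applied."""
    chap_type = chap_type or "incoming"
    if chap_type not in CHAP_TYPES:
        raise ValueError("chap_type must be one of %s" % (CHAP_TYPES,))
    for name, value in (("username", username), ("password", password)):
        if not value or any(c.isspace() for c in value):
            # targets.conf fields are whitespace-separated; a space would split them
            raise ValueError("CHAP %s must be non-empty and contain no whitespace" % name)
    if not SECRET_MIN <= len(password.encode("utf-8")) <= SECRET_MAX:
        raise ValueError("CHAP password must be %d-%d bytes" % (SECRET_MIN, SECRET_MAX))
    return username, password, chap_type


def render_target(volume_name, backing_store, username, password, chap_type="incoming"):
    """The targets.conf stanza that binds the credential to the volume's target.
    One-way CHAP needs only the incominguser line; no outgoinguser is written."""
    username, password, chap_type = validate_chap(username, password, chap_type)
    return "\n".join([
        "<target %s%s>" % (IQN_PREFIX, volume_name),
        "    backing-store %s" % backing_store,
        "    %suser %s %s" % (chap_type, username, password),
        "</target>",
    ]) + "\n"


def tgtadm_commands(tid, username, password, chap_type="incoming"):
    """tgtadm equivalents: create the account, then bind it to target `tid`
    ('--outgoing' selects the credential the target presents in mutual CHAP).
    The secret lands on a command line, visible in the process list, which
    is one reason to prefer the config-file form with restrictive permissions."""
    username, password, chap_type = validate_chap(username, password, chap_type)
    bind = ["tgtadm", "--lld", "iscsi", "--mode", "account", "--op", "bind",
            "--tid", str(tid), "--user", username]
    if chap_type == "outgoing":
        bind.append("--outgoing")
    return [
        ["tgtadm", "--lld", "iscsi", "--mode", "account", "--op", "new",
         "--user", username, "--password", password],
        bind,
    ]


if __name__ == "__main__":
    # constructed inputs for the example
    print(render_target("volume-0001", "/dev/stack-volumes/volume-0001",
                        "vol-0001-user", generate_chap_secret()))
```

Storing the password in the target definition means it sits in clear text on the volume node, so the file that holds the rendered stanza should be readable only by the tgt daemon's user, and the same credential should not be shared across volumes of different tenants.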

This has been tested with the current Diablo release using the nova api, as well as with the current Trunk release of Essex (devstack install

Assumptions

Design

Implementation

Test/Demo Plan

Unresolved issues

BoF agenda and discussion