
IscsiChapSupport

  • Launchpad Entry: CinderSpec:iscsi-chap
  • Created: 13 Aug 2012
  • Contributors: Vincent Hou

Summary

CHAP (Challenge-Handshake Authentication Protocol) is an authentication scheme used by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients. It can be applied in iSCSI to authenticate the initiators or the targets. There are several types of CHAP, including one-way authentication, two-way authentication and reverse authentication. In this blueprint, one-way CHAP authentication, in which the target authenticates the initiators, will be implemented first.

Release Note

This feature is planned to be finished in the G version.

Rationale

User stories

For one-way CHAP authentication, the user can create a volume with a username and a password, enable authentication on a volume by binding a username and a password to it, and disable authentication on a volume by unbinding the username and the password.

Example of a target description to be saved:


<target iqn.2010-10.org.openstack:volume-XXXXXXXXXXXXXXXXXXXXXXXXXX>
  backing-store /dev/stack-volumes/volume-XXXXXXXXXXXXXXXXXXXXXXXXXX
  incominguser username password
</target>

As a first step, no change needs to be made to the current API. When a volume is created with tgtadm or ietadm, a username and a password will be generated by the driver and saved into the configuration file and the database.

Assumptions

Design

Implementation

When a volume is created, a username and password pair should be generated. The username and password will be saved into the configuration file and the database automatically for the VM to initialize the connection to the volume.
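One way the generation and save step could look, as an added example that is not code from this blueprint or from the Cinder drivers. The function names, credential lengths, allowed alphabet and the 0600 file mode are assumptions; the stanza layout follows the target description shown above.

```python
import os
import re
import secrets
import string
import tempfile

ALPHABET = string.ascii_letters + string.digits  # no whitespace or config metacharacters
IQN_RE = re.compile(r"iqn\.\d{4}-\d{2}\.[a-z0-9.\-]+:[A-Za-z0-9.\-]+")
PATH_RE = re.compile(r"/[A-Za-z0-9._/\-]+")


def generate_chap_credentials(user_len=20, secret_len=16):
    """Return a random (username, password) pair drawn from a CSPRNG."""
    username = "".join(secrets.choice(ALPHABET) for _ in range(user_len))
    password = "".join(secrets.choice(ALPHABET) for _ in range(secret_len))
    return username, password


def render_target(iqn, backing_store, username, password):
    """Render the target description in the layout shown on this page."""
    if not IQN_RE.fullmatch(iqn):
        raise ValueError("unexpected characters in IQN")
    if not PATH_RE.fullmatch(backing_store):
        raise ValueError("unexpected characters in backing store path")
    for value in (username, password):
        # Whitespace, newlines or '<' would change how the stanza is parsed.
        if not value or set(value) - set(ALPHABET):
            raise ValueError("credential contains disallowed characters")
    return (f"<target {iqn}>\n  backing-store {backing_store}\n"
            f"  incominguser {username} {password}\n</target>\n")


def write_target_file(path, stanza):
    """Create the file with mode 0600 so the plaintext secret is owner-only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(stanza)


if __name__ == "__main__":
    user, pw = generate_chap_credentials()
    # Constructed sample values; the volume name is a placeholder.
    stanza = render_target("iqn.2010-10.org.openstack:volume-00000001",
                           "/dev/stack-volumes/volume-00000001", user, pw)
    write_target_file(os.path.join(tempfile.mkdtemp(), "volume-00000001"), stanza)
    print(stanza.replace(pw, "********"))
```

Because the password sits in the configuration file in plaintext, the file is created owner-only and the password is masked when the stanza is printed; the copy saved in the database needs equivalent access control.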

Test/Demo Plan

Unresolved issues

BoF agenda and discussion