Commit a6e0d179 authored by Dmitry Bogdanov's avatar Dmitry Bogdanov Committed by Martin K. Petersen

scsi: target: iscsi: Control authentication per ACL

Add acls/{ACL}/attrib/authentication attribute that controls authentication
for particular ACL. By default, this attribute inherits a value of the
authentication attribute of the target port group to keep backward
compatibility.

Authentication attribute has 3 states:

 "0" - authentication is turned off for this ACL

 "1" - authentication is required for this ACL

 "-1" - authentication is inherited from TPG

Link: https://lore.kernel.org/r/20220523095905.26070-4-d.bogdanov@yadro.comReviewed-by: default avatarRoman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: default avatarKonstantin Shelekhin <k.shelekhin@yadro.com>
Reviewed-by: default avatarMike Christie <michael.christie@oracle.com>
Signed-off-by: default avatarDmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent a75fcb09
...@@ -314,6 +314,36 @@ ISCSI_NACL_ATTR(random_datain_pdu_offsets); ...@@ -314,6 +314,36 @@ ISCSI_NACL_ATTR(random_datain_pdu_offsets);
ISCSI_NACL_ATTR(random_datain_seq_offsets); ISCSI_NACL_ATTR(random_datain_seq_offsets);
ISCSI_NACL_ATTR(random_r2t_offsets); ISCSI_NACL_ATTR(random_r2t_offsets);
static ssize_t iscsi_nacl_attrib_authentication_show(struct config_item *item,
char *page)
{
struct se_node_acl *se_nacl = attrib_to_nacl(item);
struct iscsi_node_acl *nacl = to_iscsi_nacl(se_nacl);
return sprintf(page, "%d\n", nacl->node_attrib.authentication);
}
static ssize_t iscsi_nacl_attrib_authentication_store(struct config_item *item,
const char *page, size_t count)
{
struct se_node_acl *se_nacl = attrib_to_nacl(item);
struct iscsi_node_acl *nacl = to_iscsi_nacl(se_nacl);
s32 val;
int ret;
ret = kstrtos32(page, 0, &val);
if (ret)
return ret;
if (val != 0 && val != 1 && val != NA_AUTHENTICATION_INHERITED)
return -EINVAL;
nacl->node_attrib.authentication = val;
return count;
}
CONFIGFS_ATTR(iscsi_nacl_attrib_, authentication);
static struct configfs_attribute *lio_target_nacl_attrib_attrs[] = { static struct configfs_attribute *lio_target_nacl_attrib_attrs[] = {
&iscsi_nacl_attrib_attr_dataout_timeout, &iscsi_nacl_attrib_attr_dataout_timeout,
&iscsi_nacl_attrib_attr_dataout_timeout_retries, &iscsi_nacl_attrib_attr_dataout_timeout_retries,
...@@ -323,6 +353,7 @@ static struct configfs_attribute *lio_target_nacl_attrib_attrs[] = { ...@@ -323,6 +353,7 @@ static struct configfs_attribute *lio_target_nacl_attrib_attrs[] = {
&iscsi_nacl_attrib_attr_random_datain_pdu_offsets, &iscsi_nacl_attrib_attr_random_datain_pdu_offsets,
&iscsi_nacl_attrib_attr_random_datain_seq_offsets, &iscsi_nacl_attrib_attr_random_datain_seq_offsets,
&iscsi_nacl_attrib_attr_random_r2t_offsets, &iscsi_nacl_attrib_attr_random_r2t_offsets,
&iscsi_nacl_attrib_attr_authentication,
NULL, NULL,
}; };
......
...@@ -813,6 +813,7 @@ static int iscsi_target_do_authentication( ...@@ -813,6 +813,7 @@ static int iscsi_target_do_authentication(
static bool iscsi_conn_auth_required(struct iscsit_conn *conn) static bool iscsi_conn_auth_required(struct iscsit_conn *conn)
{ {
struct iscsi_node_acl *nacl;
struct se_node_acl *se_nacl; struct se_node_acl *se_nacl;
if (conn->sess->sess_ops->SessionType) { if (conn->sess->sess_ops->SessionType) {
...@@ -839,7 +840,12 @@ static bool iscsi_conn_auth_required(struct iscsit_conn *conn) ...@@ -839,7 +840,12 @@ static bool iscsi_conn_auth_required(struct iscsit_conn *conn)
pr_debug("Known ACL %s is trying to connect\n", pr_debug("Known ACL %s is trying to connect\n",
se_nacl->initiatorname); se_nacl->initiatorname);
return conn->tpg->tpg_attrib.authentication;
nacl = to_iscsi_nacl(se_nacl);
if (nacl->node_attrib.authentication == NA_AUTHENTICATION_INHERITED)
return conn->tpg->tpg_attrib.authentication;
return nacl->node_attrib.authentication;
} }
static int iscsi_target_handle_csg_zero( static int iscsi_target_handle_csg_zero(
......
...@@ -30,6 +30,7 @@ void iscsit_set_default_node_attribues( ...@@ -30,6 +30,7 @@ void iscsit_set_default_node_attribues(
{ {
struct iscsi_node_attrib *a = &acl->node_attrib; struct iscsi_node_attrib *a = &acl->node_attrib;
a->authentication = NA_AUTHENTICATION_INHERITED;
a->dataout_timeout = NA_DATAOUT_TIMEOUT; a->dataout_timeout = NA_DATAOUT_TIMEOUT;
a->dataout_timeout_retries = NA_DATAOUT_TIMEOUT_RETRIES; a->dataout_timeout_retries = NA_DATAOUT_TIMEOUT_RETRIES;
a->nopin_timeout = NA_NOPIN_TIMEOUT; a->nopin_timeout = NA_NOPIN_TIMEOUT;
......
...@@ -26,6 +26,7 @@ struct sock; ...@@ -26,6 +26,7 @@ struct sock;
#define ISCSI_RX_THREAD_NAME "iscsi_trx" #define ISCSI_RX_THREAD_NAME "iscsi_trx"
#define ISCSI_TX_THREAD_NAME "iscsi_ttx" #define ISCSI_TX_THREAD_NAME "iscsi_ttx"
#define ISCSI_IQN_LEN 224 #define ISCSI_IQN_LEN 224
#define NA_AUTHENTICATION_INHERITED -1
/* struct iscsi_node_attrib sanity values */ /* struct iscsi_node_attrib sanity values */
#define NA_DATAOUT_TIMEOUT 3 #define NA_DATAOUT_TIMEOUT 3
...@@ -715,6 +716,7 @@ struct iscsi_login { ...@@ -715,6 +716,7 @@ struct iscsi_login {
} ____cacheline_aligned; } ____cacheline_aligned;
struct iscsi_node_attrib { struct iscsi_node_attrib {
s32 authentication;
u32 dataout_timeout; u32 dataout_timeout;
u32 dataout_timeout_retries; u32 dataout_timeout_retries;
u32 default_erl; u32 default_erl;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment