* [PATCH v5 0/3] target: iscsi: control authentication per ACL @ 2022-05-23 9:59 Dmitry Bogdanov 2022-05-23 9:59 ` [PATCH v5 1/3] scsi: target: iscsi: Add upcast helpers Dmitry Bogdanov ` (4 more replies) 0 siblings, 5 replies; 8+ messages in thread From: Dmitry Bogdanov @ 2022-05-23 9:59 UTC (permalink / raw) To: Martin Petersen, target-devel Cc: Mike Christie, linux-scsi, linux, Dmitry Bogdanov Add acls/{ACL}/attrib/authentication attribute that controls authentication for the particular ACL. By default, this attribute inherits a value of authentication attribute of the target port group to keep a backward compatibility. authentication attribute has 3 states: "0" - authentication is turned off for this ACL "1" - authentication is required for this ACL "-1" - authentication is inherited from TPG This patchset is intended for scsi-queue. v5: rebase on latest scsi-staging v4: rebase on latest scsi-queue v3: fix warning: no previous prototype for function 'iscsi_conn_auth_required' v2: show effective value (-1) for inherited mode Dmitry Bogdanov (3): scsi: target: iscsi: Add upcast helpers scsi: target: iscsi: extract auth functions target: iscsi: control authentication per ACL drivers/target/iscsi/iscsi_target_configfs.c | 116 +++++++------- drivers/target/iscsi/iscsi_target_nego.c | 148 ++++++++++++------ .../target/iscsi/iscsi_target_nodeattrib.c | 1 + drivers/target/iscsi/iscsi_target_tpg.c | 3 +- include/target/iscsi/iscsi_target_core.h | 14 ++ 5 files changed, 176 insertions(+), 106 deletions(-) -- 2.25.1 ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v5 1/3] scsi: target: iscsi: Add upcast helpers 2022-05-23 9:59 [PATCH v5 0/3] target: iscsi: control authentication per ACL Dmitry Bogdanov @ 2022-05-23 9:59 ` Dmitry Bogdanov 2022-05-23 18:18 ` Lee Duncan 2022-05-23 9:59 ` [PATCH v5 2/3] scsi: target: iscsi: extract auth functions Dmitry Bogdanov ` (3 subsequent siblings) 4 siblings, 1 reply; 8+ messages in thread From: Dmitry Bogdanov @ 2022-05-23 9:59 UTC (permalink / raw) To: Martin Petersen, target-devel Cc: Mike Christie, linux-scsi, linux, Dmitry Bogdanov, Roman Bolshakov, Konstantin Shelekhin iscsi target is cluttered with open-coded container_of conversions from se_nacl to iscsi_node_acl. The code could be cleaned by introducing a helper - to_iscsi_nacl() (similar to other helpers in target core). While at it, make another iscsi conversion helper consistent and rename iscsi_tpg() helper to to_iscsi_tpg(). Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com> Reviewed-by: Konstantin Shelekhin <k.shelekhin@yadro.com> Reviewed-by: Mike Christie <michael.christie@oracle.com> Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com> --- drivers/target/iscsi/iscsi_target_configfs.c | 82 +++++++------------- drivers/target/iscsi/iscsi_target_nego.c | 14 ++-- drivers/target/iscsi/iscsi_target_tpg.c | 3 +- include/target/iscsi/iscsi_target_core.h | 12 +++ 4 files changed, 49 insertions(+), 62 deletions(-) diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c index 72f5ff959636..1096201f1599 100644 --- a/drivers/target/iscsi/iscsi_target_configfs.c +++ b/drivers/target/iscsi/iscsi_target_configfs.c @@ -210,7 +210,7 @@ static struct se_tpg_np *lio_target_call_addnptotpg( return ERR_PTR(ret); } - tpg = container_of(se_tpg, struct iscsi_portal_group, tpg_se_tpg); + tpg = to_iscsi_tpg(se_tpg); ret = iscsit_get_tpg(tpg); if (ret < 0) return ERR_PTR(-EINVAL); @@ -281,9 +281,7 @@ static ssize_t iscsi_nacl_attrib_##name##_show(struct config_item *item,\ char *page) \ { \ struct se_node_acl *se_nacl = attrib_to_nacl(item); \ - struct iscsi_node_acl *nacl = container_of(se_nacl, struct iscsi_node_acl, \ - se_node_acl); \ - \ + struct iscsi_node_acl *nacl = to_iscsi_nacl(se_nacl); \ return sprintf(page, "%u\n", nacl->node_attrib.name); \ } \ \ @@ -291,8 +289,7 @@ static ssize_t iscsi_nacl_attrib_##name##_store(struct config_item *item,\ const char *page, size_t count) \ { \ struct se_node_acl *se_nacl = attrib_to_nacl(item); \ - struct iscsi_node_acl *nacl = container_of(se_nacl, struct iscsi_node_acl, \ - se_node_acl); \ + struct iscsi_node_acl *nacl = to_iscsi_nacl(se_nacl); \ u32 val; \ int ret; \ \ @@ -377,15 +374,14 @@ static ssize_t iscsi_nacl_auth_##name##_show(struct config_item *item, \ char *page) \ { \ struct se_node_acl *nacl = auth_to_nacl(item); \ - return __iscsi_nacl_auth_##name##_show(container_of(nacl, \ - struct iscsi_node_acl, se_node_acl), page); \ + return __iscsi_nacl_auth_##name##_show(to_iscsi_nacl(nacl), page); \ } \ static ssize_t iscsi_nacl_auth_##name##_store(struct config_item *item, \ const char *page, size_t count) \ { \ struct se_node_acl *nacl = auth_to_nacl(item); \ - return __iscsi_nacl_auth_##name##_store(container_of(nacl, \ - struct iscsi_node_acl, se_node_acl), page, count); \ + return __iscsi_nacl_auth_##name##_store(to_iscsi_nacl(nacl), \ + page, count); \ } \ \ CONFIGFS_ATTR(iscsi_nacl_auth_, name) @@ -417,8 +413,7 @@ static ssize_t iscsi_nacl_auth_##name##_show(struct config_item *item, \ char *page) \ { \ struct se_node_acl *nacl = auth_to_nacl(item); \ - return __iscsi_nacl_auth_##name##_show(container_of(nacl, \ - struct iscsi_node_acl, se_node_acl), page); \ + return __iscsi_nacl_auth_##name##_show(to_iscsi_nacl(nacl), page); \ } \ \ CONFIGFS_ATTR_RO(iscsi_nacl_auth_, name) @@ -623,8 +618,7 @@ static ssize_t lio_target_nacl_cmdsn_depth_store(struct config_item *item, { struct se_node_acl *se_nacl = acl_to_nacl(item); struct se_portal_group *se_tpg = se_nacl->se_tpg; - struct iscsi_portal_group *tpg = container_of(se_tpg, - struct iscsi_portal_group, tpg_se_tpg); + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); struct config_item *acl_ci, *tpg_ci, *wwn_ci; u32 cmdsn_depth = 0; int ret; @@ -700,8 +694,7 @@ static struct configfs_attribute *lio_target_initiator_attrs[] = { static int lio_target_init_nodeacl(struct se_node_acl *se_nacl, const char *name) { - struct iscsi_node_acl *acl = - container_of(se_nacl, struct iscsi_node_acl, se_node_acl); + struct iscsi_node_acl *acl = to_iscsi_nacl(se_nacl); config_group_init_type_name(&acl->node_stat_grps.iscsi_sess_stats_group, "iscsi_sess_stats", &iscsi_stat_sess_cit); @@ -720,8 +713,7 @@ static ssize_t iscsi_tpg_attrib_##name##_show(struct config_item *item, \ char *page) \ { \ struct se_portal_group *se_tpg = attrib_to_tpg(item); \ - struct iscsi_portal_group *tpg = container_of(se_tpg, \ - struct iscsi_portal_group, tpg_se_tpg); \ + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ ssize_t rb; \ \ if (iscsit_get_tpg(tpg) < 0) \ @@ -736,8 +728,7 @@ static ssize_t iscsi_tpg_attrib_##name##_store(struct config_item *item,\ const char *page, size_t count) \ { \ struct se_portal_group *se_tpg = attrib_to_tpg(item); \ - struct iscsi_portal_group *tpg = container_of(se_tpg, \ - struct iscsi_portal_group, tpg_se_tpg); \ + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ u32 val; \ int ret; \ \ @@ -800,8 +791,7 @@ static struct configfs_attribute *lio_target_tpg_attrib_attrs[] = { static ssize_t __iscsi_##prefix##_##name##_show(struct se_portal_group *se_tpg, \ char *page) \ { \ - struct iscsi_portal_group *tpg = container_of(se_tpg, \ - struct iscsi_portal_group, tpg_se_tpg); \ + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ struct iscsi_node_auth *auth = &tpg->tpg_demo_auth; \ \ if (!capable(CAP_SYS_ADMIN)) \ @@ -813,8 +803,7 @@ static ssize_t __iscsi_##prefix##_##name##_show(struct se_portal_group *se_tpg, static ssize_t __iscsi_##prefix##_##name##_store(struct se_portal_group *se_tpg,\ const char *page, size_t count) \ { \ - struct iscsi_portal_group *tpg = container_of(se_tpg, \ - struct iscsi_portal_group, tpg_se_tpg); \ + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ struct iscsi_node_auth *auth = &tpg->tpg_demo_auth; \ \ if (!capable(CAP_SYS_ADMIN)) \ @@ -861,8 +850,7 @@ DEF_TPG_AUTH_STR(password_mutual, NAF_PASSWORD_IN_SET); static ssize_t __iscsi_##prefix##_##name##_show(struct se_portal_group *se_tpg, \ char *page) \ { \ - struct iscsi_portal_group *tpg = container_of(se_tpg, \ - struct iscsi_portal_group, tpg_se_tpg); \ + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ struct iscsi_node_auth *auth = &tpg->tpg_demo_auth; \ \ if (!capable(CAP_SYS_ADMIN)) \ @@ -900,8 +888,7 @@ static ssize_t iscsi_tpg_param_##name##_show(struct config_item *item, \ char *page) \ { \ struct se_portal_group *se_tpg = param_to_tpg(item); \ - struct iscsi_portal_group *tpg = container_of(se_tpg, \ - struct iscsi_portal_group, tpg_se_tpg); \ + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ struct iscsi_param *param; \ ssize_t rb; \ \ @@ -923,8 +910,7 @@ static ssize_t iscsi_tpg_param_##name##_store(struct config_item *item, \ const char *page, size_t count) \ { \ struct se_portal_group *se_tpg = param_to_tpg(item); \ - struct iscsi_portal_group *tpg = container_of(se_tpg, \ - struct iscsi_portal_group, tpg_se_tpg); \ + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ char *buf; \ int ret, len; \ \ @@ -1073,8 +1059,7 @@ static struct se_portal_group *lio_target_tiqn_addtpg(struct se_wwn *wwn, static int lio_target_tiqn_enabletpg(struct se_portal_group *se_tpg, bool enable) { - struct iscsi_portal_group *tpg = container_of(se_tpg, - struct iscsi_portal_group, tpg_se_tpg); + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); int ret; ret = iscsit_get_tpg(tpg); @@ -1106,7 +1091,7 @@ static void lio_target_tiqn_deltpg(struct se_portal_group *se_tpg) struct iscsi_portal_group *tpg; struct iscsi_tiqn *tiqn; - tpg = container_of(se_tpg, struct iscsi_portal_group, tpg_se_tpg); + tpg = to_iscsi_tpg(se_tpg); tiqn = tpg->tpg_tiqn; /* * iscsit_tpg_del_portal_group() assumes force=1 @@ -1412,46 +1397,41 @@ static void lio_aborted_task(struct se_cmd *se_cmd) cmd->conn->conn_transport->iscsit_aborted_task(cmd->conn, cmd); } -static inline struct iscsi_portal_group *iscsi_tpg(struct se_portal_group *se_tpg) -{ - return container_of(se_tpg, struct iscsi_portal_group, tpg_se_tpg); -} - static char *lio_tpg_get_endpoint_wwn(struct se_portal_group *se_tpg) { - return iscsi_tpg(se_tpg)->tpg_tiqn->tiqn; + return to_iscsi_tpg(se_tpg)->tpg_tiqn->tiqn; } static u16 lio_tpg_get_tag(struct se_portal_group *se_tpg) { - return iscsi_tpg(se_tpg)->tpgt; + return to_iscsi_tpg(se_tpg)->tpgt; } static u32 lio_tpg_get_default_depth(struct se_portal_group *se_tpg) { - return iscsi_tpg(se_tpg)->tpg_attrib.default_cmdsn_depth; + return to_iscsi_tpg(se_tpg)->tpg_attrib.default_cmdsn_depth; } static int lio_tpg_check_demo_mode(struct se_portal_group *se_tpg) { - return iscsi_tpg(se_tpg)->tpg_attrib.generate_node_acls; + return to_iscsi_tpg(se_tpg)->tpg_attrib.generate_node_acls; } static int lio_tpg_check_demo_mode_cache(struct se_portal_group *se_tpg) { - return iscsi_tpg(se_tpg)->tpg_attrib.cache_dynamic_acls; + return to_iscsi_tpg(se_tpg)->tpg_attrib.cache_dynamic_acls; } static int lio_tpg_check_demo_mode_write_protect( struct se_portal_group *se_tpg) { - return iscsi_tpg(se_tpg)->tpg_attrib.demo_mode_write_protect; + return to_iscsi_tpg(se_tpg)->tpg_attrib.demo_mode_write_protect; } static int lio_tpg_check_prod_mode_write_protect( struct se_portal_group *se_tpg) { - return iscsi_tpg(se_tpg)->tpg_attrib.prod_mode_write_protect; + return to_iscsi_tpg(se_tpg)->tpg_attrib.prod_mode_write_protect; } static int lio_tpg_check_prot_fabric_only( @@ -1461,9 +1441,9 @@ static int lio_tpg_check_prot_fabric_only( * Only report fabric_prot_type if t10_pi has also been enabled * for incoming ib_isert sessions. */ - if (!iscsi_tpg(se_tpg)->tpg_attrib.t10_pi) + if (!to_iscsi_tpg(se_tpg)->tpg_attrib.t10_pi) return 0; - return iscsi_tpg(se_tpg)->tpg_attrib.fabric_prot_type; + return to_iscsi_tpg(se_tpg)->tpg_attrib.fabric_prot_type; } /* @@ -1500,16 +1480,14 @@ static void lio_tpg_close_session(struct se_session *se_sess) static u32 lio_tpg_get_inst_index(struct se_portal_group *se_tpg) { - return iscsi_tpg(se_tpg)->tpg_tiqn->tiqn_index; + return to_iscsi_tpg(se_tpg)->tpg_tiqn->tiqn_index; } static void lio_set_default_node_attributes(struct se_node_acl *se_acl) { - struct iscsi_node_acl *acl = container_of(se_acl, struct iscsi_node_acl, - se_node_acl); + struct iscsi_node_acl *acl = to_iscsi_nacl(se_acl); struct se_portal_group *se_tpg = se_acl->se_tpg; - struct iscsi_portal_group *tpg = container_of(se_tpg, - struct iscsi_portal_group, tpg_se_tpg); + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); acl->node_attrib.nacl = acl; iscsit_set_default_node_attribues(acl, tpg); diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c index b34ac9ecac31..d853bacf1cfc 100644 --- a/drivers/target/iscsi/iscsi_target_nego.c +++ b/drivers/target/iscsi/iscsi_target_nego.c @@ -104,8 +104,8 @@ static u32 iscsi_handle_authentication( { struct iscsit_session *sess = conn->sess; struct iscsi_node_auth *auth; - struct iscsi_node_acl *iscsi_nacl; - struct iscsi_portal_group *iscsi_tpg; + struct iscsi_node_acl *nacl; + struct iscsi_portal_group *tpg; struct se_node_acl *se_nacl; if (!sess->sess_ops->SessionType) { @@ -120,15 +120,13 @@ static u32 iscsi_handle_authentication( } if (se_nacl->dynamic_node_acl) { - iscsi_tpg = container_of(se_nacl->se_tpg, - struct iscsi_portal_group, tpg_se_tpg); + tpg = to_iscsi_tpg(se_nacl->se_tpg); - auth = &iscsi_tpg->tpg_demo_auth; + auth = &tpg->tpg_demo_auth; } else { - iscsi_nacl = container_of(se_nacl, struct iscsi_node_acl, - se_node_acl); + nacl = to_iscsi_nacl(se_nacl); - auth = &iscsi_nacl->node_auth; + auth = &nacl->node_auth; } } else { /* diff --git a/drivers/target/iscsi/iscsi_target_tpg.c b/drivers/target/iscsi/iscsi_target_tpg.c index 4339ee517434..3cac1aafef68 100644 --- a/drivers/target/iscsi/iscsi_target_tpg.c +++ b/drivers/target/iscsi/iscsi_target_tpg.c @@ -394,8 +394,7 @@ struct iscsi_node_attrib *iscsit_tpg_get_node_attrib( { struct se_session *se_sess = sess->se_sess; struct se_node_acl *se_nacl = se_sess->se_node_acl; - struct iscsi_node_acl *acl = container_of(se_nacl, struct iscsi_node_acl, - se_node_acl); + struct iscsi_node_acl *acl = to_iscsi_nacl(se_nacl); return &acl->node_attrib; } diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h index 8e68ace428d9..4dd62947f8db 100644 --- a/include/target/iscsi/iscsi_target_core.h +++ b/include/target/iscsi/iscsi_target_core.h @@ -758,6 +758,12 @@ struct iscsi_node_acl { struct iscsi_node_stat_grps node_stat_grps; }; +static inline struct iscsi_node_acl * +to_iscsi_nacl(struct se_node_acl *se_nacl) +{ + return container_of(se_nacl, struct iscsi_node_acl, se_node_acl); +} + struct iscsi_tpg_attrib { u32 authentication; u32 login_timeout; @@ -839,6 +845,12 @@ struct iscsi_portal_group { struct list_head tpg_list; } ____cacheline_aligned; +static inline struct iscsi_portal_group * +to_iscsi_tpg(struct se_portal_group *se_tpg) +{ + return container_of(se_tpg, struct iscsi_portal_group, tpg_se_tpg); +} + struct iscsi_wwn_stat_grps { struct config_group iscsi_stat_group; struct config_group iscsi_instance_group; -- 2.25.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v5 1/3] scsi: target: iscsi: Add upcast helpers 2022-05-23 9:59 ` [PATCH v5 1/3] scsi: target: iscsi: Add upcast helpers Dmitry Bogdanov @ 2022-05-23 18:18 ` Lee Duncan 0 siblings, 0 replies; 8+ messages in thread From: Lee Duncan @ 2022-05-23 18:18 UTC (permalink / raw) To: Dmitry Bogdanov, Martin Petersen, target-devel Cc: Mike Christie, linux-scsi, linux, Roman Bolshakov, Konstantin Shelekhin On 5/23/22 02:59, Dmitry Bogdanov wrote: > iscsi target is cluttered with open-coded container_of conversions from > se_nacl to iscsi_node_acl. The code could be cleaned by introducing a > helper - to_iscsi_nacl() (similar to other helpers in target core). > > While at it, make another iscsi conversion helper consistent > and rename iscsi_tpg() helper to to_iscsi_tpg(). > > Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com> > Reviewed-by: Konstantin Shelekhin <k.shelekhin@yadro.com> > Reviewed-by: Mike Christie <michael.christie@oracle.com> > Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com> > --- > drivers/target/iscsi/iscsi_target_configfs.c | 82 +++++++------------- > drivers/target/iscsi/iscsi_target_nego.c | 14 ++-- > drivers/target/iscsi/iscsi_target_tpg.c | 3 +- > include/target/iscsi/iscsi_target_core.h | 12 +++ > 4 files changed, 49 insertions(+), 62 deletions(-) > > diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c > index 72f5ff959636..1096201f1599 100644 > --- a/drivers/target/iscsi/iscsi_target_configfs.c > +++ b/drivers/target/iscsi/iscsi_target_configfs.c > @@ -210,7 +210,7 @@ static struct se_tpg_np *lio_target_call_addnptotpg( > return ERR_PTR(ret); > } > > - tpg = container_of(se_tpg, struct iscsi_portal_group, tpg_se_tpg); > + tpg = to_iscsi_tpg(se_tpg); > ret = iscsit_get_tpg(tpg); > if (ret < 0) > return ERR_PTR(-EINVAL); > @@ -281,9 +281,7 @@ static ssize_t iscsi_nacl_attrib_##name##_show(struct config_item *item,\ > char *page) \ > { \ > struct se_node_acl *se_nacl = attrib_to_nacl(item); \ > - struct iscsi_node_acl *nacl = container_of(se_nacl, struct iscsi_node_acl, \ > - se_node_acl); \ > - \ > + struct iscsi_node_acl *nacl = to_iscsi_nacl(se_nacl); \ > return sprintf(page, "%u\n", nacl->node_attrib.name); \ > } \ > \ > @@ -291,8 +289,7 @@ static ssize_t iscsi_nacl_attrib_##name##_store(struct config_item *item,\ > const char *page, size_t count) \ > { \ > struct se_node_acl *se_nacl = attrib_to_nacl(item); \ > - struct iscsi_node_acl *nacl = container_of(se_nacl, struct iscsi_node_acl, \ > - se_node_acl); \ > + struct iscsi_node_acl *nacl = to_iscsi_nacl(se_nacl); \ > u32 val; \ > int ret; \ > \ > @@ -377,15 +374,14 @@ static ssize_t iscsi_nacl_auth_##name##_show(struct config_item *item, \ > char *page) \ > { \ > struct se_node_acl *nacl = auth_to_nacl(item); \ > - return __iscsi_nacl_auth_##name##_show(container_of(nacl, \ > - struct iscsi_node_acl, se_node_acl), page); \ > + return __iscsi_nacl_auth_##name##_show(to_iscsi_nacl(nacl), page); \ > } \ > static ssize_t iscsi_nacl_auth_##name##_store(struct config_item *item, \ > const char *page, size_t count) \ > { \ > struct se_node_acl *nacl = auth_to_nacl(item); \ > - return __iscsi_nacl_auth_##name##_store(container_of(nacl, \ > - struct iscsi_node_acl, se_node_acl), page, count); \ > + return __iscsi_nacl_auth_##name##_store(to_iscsi_nacl(nacl), \ > + page, count); \ > } \ > \ > CONFIGFS_ATTR(iscsi_nacl_auth_, name) > @@ -417,8 +413,7 @@ static ssize_t iscsi_nacl_auth_##name##_show(struct config_item *item, \ > char *page) \ > { \ > struct se_node_acl *nacl = auth_to_nacl(item); \ > - return __iscsi_nacl_auth_##name##_show(container_of(nacl, \ > - struct iscsi_node_acl, se_node_acl), page); \ > + return __iscsi_nacl_auth_##name##_show(to_iscsi_nacl(nacl), page); \ > } \ > \ > CONFIGFS_ATTR_RO(iscsi_nacl_auth_, name) > @@ -623,8 +618,7 @@ static ssize_t lio_target_nacl_cmdsn_depth_store(struct config_item *item, > { > struct se_node_acl *se_nacl = acl_to_nacl(item); > struct se_portal_group *se_tpg = se_nacl->se_tpg; > - struct iscsi_portal_group *tpg = container_of(se_tpg, > - struct iscsi_portal_group, tpg_se_tpg); > + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); > struct config_item *acl_ci, *tpg_ci, *wwn_ci; > u32 cmdsn_depth = 0; > int ret; > @@ -700,8 +694,7 @@ static struct configfs_attribute *lio_target_initiator_attrs[] = { > static int lio_target_init_nodeacl(struct se_node_acl *se_nacl, > const char *name) > { > - struct iscsi_node_acl *acl = > - container_of(se_nacl, struct iscsi_node_acl, se_node_acl); > + struct iscsi_node_acl *acl = to_iscsi_nacl(se_nacl); > > config_group_init_type_name(&acl->node_stat_grps.iscsi_sess_stats_group, > "iscsi_sess_stats", &iscsi_stat_sess_cit); > @@ -720,8 +713,7 @@ static ssize_t iscsi_tpg_attrib_##name##_show(struct config_item *item, \ > char *page) \ > { \ > struct se_portal_group *se_tpg = attrib_to_tpg(item); \ > - struct iscsi_portal_group *tpg = container_of(se_tpg, \ > - struct iscsi_portal_group, tpg_se_tpg); \ > + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ > ssize_t rb; \ > \ > if (iscsit_get_tpg(tpg) < 0) \ > @@ -736,8 +728,7 @@ static ssize_t iscsi_tpg_attrib_##name##_store(struct config_item *item,\ > const char *page, size_t count) \ > { \ > struct se_portal_group *se_tpg = attrib_to_tpg(item); \ > - struct iscsi_portal_group *tpg = container_of(se_tpg, \ > - struct iscsi_portal_group, tpg_se_tpg); \ > + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ > u32 val; \ > int ret; \ > \ > @@ -800,8 +791,7 @@ static struct configfs_attribute *lio_target_tpg_attrib_attrs[] = { > static ssize_t __iscsi_##prefix##_##name##_show(struct se_portal_group *se_tpg, \ > char *page) \ > { \ > - struct iscsi_portal_group *tpg = container_of(se_tpg, \ > - struct iscsi_portal_group, tpg_se_tpg); \ > + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ > struct iscsi_node_auth *auth = &tpg->tpg_demo_auth; \ > \ > if (!capable(CAP_SYS_ADMIN)) \ > @@ -813,8 +803,7 @@ static ssize_t __iscsi_##prefix##_##name##_show(struct se_portal_group *se_tpg, > static ssize_t __iscsi_##prefix##_##name##_store(struct se_portal_group *se_tpg,\ > const char *page, size_t count) \ > { \ > - struct iscsi_portal_group *tpg = container_of(se_tpg, \ > - struct iscsi_portal_group, tpg_se_tpg); \ > + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ > struct iscsi_node_auth *auth = &tpg->tpg_demo_auth; \ > \ > if (!capable(CAP_SYS_ADMIN)) \ > @@ -861,8 +850,7 @@ DEF_TPG_AUTH_STR(password_mutual, NAF_PASSWORD_IN_SET); > static ssize_t __iscsi_##prefix##_##name##_show(struct se_portal_group *se_tpg, \ > char *page) \ > { \ > - struct iscsi_portal_group *tpg = container_of(se_tpg, \ > - struct iscsi_portal_group, tpg_se_tpg); \ > + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ > struct iscsi_node_auth *auth = &tpg->tpg_demo_auth; \ > \ > if (!capable(CAP_SYS_ADMIN)) \ > @@ -900,8 +888,7 @@ static ssize_t iscsi_tpg_param_##name##_show(struct config_item *item, \ > char *page) \ > { \ > struct se_portal_group *se_tpg = param_to_tpg(item); \ > - struct iscsi_portal_group *tpg = container_of(se_tpg, \ > - struct iscsi_portal_group, tpg_se_tpg); \ > + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ > struct iscsi_param *param; \ > ssize_t rb; \ > \ > @@ -923,8 +910,7 @@ static ssize_t iscsi_tpg_param_##name##_store(struct config_item *item, \ > const char *page, size_t count) \ > { \ > struct se_portal_group *se_tpg = param_to_tpg(item); \ > - struct iscsi_portal_group *tpg = container_of(se_tpg, \ > - struct iscsi_portal_group, tpg_se_tpg); \ > + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); \ > char *buf; \ > int ret, len; \ > \ > @@ -1073,8 +1059,7 @@ static struct se_portal_group *lio_target_tiqn_addtpg(struct se_wwn *wwn, > static int lio_target_tiqn_enabletpg(struct se_portal_group *se_tpg, > bool enable) > { > - struct iscsi_portal_group *tpg = container_of(se_tpg, > - struct iscsi_portal_group, tpg_se_tpg); > + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); > int ret; > > ret = iscsit_get_tpg(tpg); > @@ -1106,7 +1091,7 @@ static void lio_target_tiqn_deltpg(struct se_portal_group *se_tpg) > struct iscsi_portal_group *tpg; > struct iscsi_tiqn *tiqn; > > - tpg = container_of(se_tpg, struct iscsi_portal_group, tpg_se_tpg); > + tpg = to_iscsi_tpg(se_tpg); > tiqn = tpg->tpg_tiqn; > /* > * iscsit_tpg_del_portal_group() assumes force=1 > @@ -1412,46 +1397,41 @@ static void lio_aborted_task(struct se_cmd *se_cmd) > cmd->conn->conn_transport->iscsit_aborted_task(cmd->conn, cmd); > } > > -static inline struct iscsi_portal_group *iscsi_tpg(struct se_portal_group *se_tpg) > -{ > - return container_of(se_tpg, struct iscsi_portal_group, tpg_se_tpg); > -} > - > static char *lio_tpg_get_endpoint_wwn(struct se_portal_group *se_tpg) > { > - return iscsi_tpg(se_tpg)->tpg_tiqn->tiqn; > + return to_iscsi_tpg(se_tpg)->tpg_tiqn->tiqn; > } > > static u16 lio_tpg_get_tag(struct se_portal_group *se_tpg) > { > - return iscsi_tpg(se_tpg)->tpgt; > + return to_iscsi_tpg(se_tpg)->tpgt; > } > > static u32 lio_tpg_get_default_depth(struct se_portal_group *se_tpg) > { > - return iscsi_tpg(se_tpg)->tpg_attrib.default_cmdsn_depth; > + return to_iscsi_tpg(se_tpg)->tpg_attrib.default_cmdsn_depth; > } > > static int lio_tpg_check_demo_mode(struct se_portal_group *se_tpg) > { > - return iscsi_tpg(se_tpg)->tpg_attrib.generate_node_acls; > + return to_iscsi_tpg(se_tpg)->tpg_attrib.generate_node_acls; > } > > static int lio_tpg_check_demo_mode_cache(struct se_portal_group *se_tpg) > { > - return iscsi_tpg(se_tpg)->tpg_attrib.cache_dynamic_acls; > + return to_iscsi_tpg(se_tpg)->tpg_attrib.cache_dynamic_acls; > } > > static int lio_tpg_check_demo_mode_write_protect( > struct se_portal_group *se_tpg) > { > - return iscsi_tpg(se_tpg)->tpg_attrib.demo_mode_write_protect; > + return to_iscsi_tpg(se_tpg)->tpg_attrib.demo_mode_write_protect; > } > > static int lio_tpg_check_prod_mode_write_protect( > struct se_portal_group *se_tpg) > { > - return iscsi_tpg(se_tpg)->tpg_attrib.prod_mode_write_protect; > + return to_iscsi_tpg(se_tpg)->tpg_attrib.prod_mode_write_protect; > } > > static int lio_tpg_check_prot_fabric_only( > @@ -1461,9 +1441,9 @@ static int lio_tpg_check_prot_fabric_only( > * Only report fabric_prot_type if t10_pi has also been enabled > * for incoming ib_isert sessions. > */ > - if (!iscsi_tpg(se_tpg)->tpg_attrib.t10_pi) > + if (!to_iscsi_tpg(se_tpg)->tpg_attrib.t10_pi) > return 0; > - return iscsi_tpg(se_tpg)->tpg_attrib.fabric_prot_type; > + return to_iscsi_tpg(se_tpg)->tpg_attrib.fabric_prot_type; > } > > /* > @@ -1500,16 +1480,14 @@ static void lio_tpg_close_session(struct se_session *se_sess) > > static u32 lio_tpg_get_inst_index(struct se_portal_group *se_tpg) > { > - return iscsi_tpg(se_tpg)->tpg_tiqn->tiqn_index; > + return to_iscsi_tpg(se_tpg)->tpg_tiqn->tiqn_index; > } > > static void lio_set_default_node_attributes(struct se_node_acl *se_acl) > { > - struct iscsi_node_acl *acl = container_of(se_acl, struct iscsi_node_acl, > - se_node_acl); > + struct iscsi_node_acl *acl = to_iscsi_nacl(se_acl); > struct se_portal_group *se_tpg = se_acl->se_tpg; > - struct iscsi_portal_group *tpg = container_of(se_tpg, > - struct iscsi_portal_group, tpg_se_tpg); > + struct iscsi_portal_group *tpg = to_iscsi_tpg(se_tpg); > > acl->node_attrib.nacl = acl; > iscsit_set_default_node_attribues(acl, tpg); > diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c > index b34ac9ecac31..d853bacf1cfc 100644 > --- a/drivers/target/iscsi/iscsi_target_nego.c > +++ b/drivers/target/iscsi/iscsi_target_nego.c > @@ -104,8 +104,8 @@ static u32 iscsi_handle_authentication( > { > struct iscsit_session *sess = conn->sess; > struct iscsi_node_auth *auth; > - struct iscsi_node_acl *iscsi_nacl; > - struct iscsi_portal_group *iscsi_tpg; > + struct iscsi_node_acl *nacl; > + struct iscsi_portal_group *tpg; > struct se_node_acl *se_nacl; > > if (!sess->sess_ops->SessionType) { > @@ -120,15 +120,13 @@ static u32 iscsi_handle_authentication( > } > > if (se_nacl->dynamic_node_acl) { > - iscsi_tpg = container_of(se_nacl->se_tpg, > - struct iscsi_portal_group, tpg_se_tpg); > + tpg = to_iscsi_tpg(se_nacl->se_tpg); > > - auth = &iscsi_tpg->tpg_demo_auth; > + auth = &tpg->tpg_demo_auth; > } else { > - iscsi_nacl = container_of(se_nacl, struct iscsi_node_acl, > - se_node_acl); > + nacl = to_iscsi_nacl(se_nacl); > > - auth = &iscsi_nacl->node_auth; > + auth = &nacl->node_auth; > } > } else { > /* > diff --git a/drivers/target/iscsi/iscsi_target_tpg.c b/drivers/target/iscsi/iscsi_target_tpg.c > index 4339ee517434..3cac1aafef68 100644 > --- a/drivers/target/iscsi/iscsi_target_tpg.c > +++ b/drivers/target/iscsi/iscsi_target_tpg.c > @@ -394,8 +394,7 @@ struct iscsi_node_attrib *iscsit_tpg_get_node_attrib( > { > struct se_session *se_sess = sess->se_sess; > struct se_node_acl *se_nacl = se_sess->se_node_acl; > - struct iscsi_node_acl *acl = container_of(se_nacl, struct iscsi_node_acl, > - se_node_acl); > + struct iscsi_node_acl *acl = to_iscsi_nacl(se_nacl); > > return &acl->node_attrib; > } > diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h > index 8e68ace428d9..4dd62947f8db 100644 > --- a/include/target/iscsi/iscsi_target_core.h > +++ b/include/target/iscsi/iscsi_target_core.h > @@ -758,6 +758,12 @@ struct iscsi_node_acl { > struct iscsi_node_stat_grps node_stat_grps; > }; > > +static inline struct iscsi_node_acl * > +to_iscsi_nacl(struct se_node_acl *se_nacl) > +{ > + return container_of(se_nacl, struct iscsi_node_acl, se_node_acl); > +} > + > struct iscsi_tpg_attrib { > u32 authentication; > u32 login_timeout; > @@ -839,6 +845,12 @@ struct iscsi_portal_group { > struct list_head tpg_list; > } ____cacheline_aligned; > > +static inline struct iscsi_portal_group * > +to_iscsi_tpg(struct se_portal_group *se_tpg) > +{ > + return container_of(se_tpg, struct iscsi_portal_group, tpg_se_tpg); > +} > + > struct iscsi_wwn_stat_grps { > struct config_group iscsi_stat_group; > struct config_group iscsi_instance_group; Reviewed-by: Lee Duncan <lduncan@suse.com> ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v5 2/3] scsi: target: iscsi: extract auth functions 2022-05-23 9:59 [PATCH v5 0/3] target: iscsi: control authentication per ACL Dmitry Bogdanov 2022-05-23 9:59 ` [PATCH v5 1/3] scsi: target: iscsi: Add upcast helpers Dmitry Bogdanov @ 2022-05-23 9:59 ` Dmitry Bogdanov 2022-05-23 18:22 ` Lee Duncan 2022-05-23 9:59 ` [PATCH v5 3/3] target: iscsi: control authentication per ACL Dmitry Bogdanov ` (2 subsequent siblings) 4 siblings, 1 reply; 8+ messages in thread From: Dmitry Bogdanov @ 2022-05-23 9:59 UTC (permalink / raw) To: Martin Petersen, target-devel Cc: Mike Christie, linux-scsi, linux, Dmitry Bogdanov, Roman Bolshakov, Konstantin Shelekhin Create functions that answers simple questions: whether authentication is required, what credentials, whether connection is autenticated. Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com> Reviewed-by: Konstantin Shelekhin <k.shelekhin@yadro.com> Reviewed-by: Mike Christie <michael.christie@oracle.com> Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com> --- drivers/target/iscsi/iscsi_target_nego.c | 140 +++++++++++++++-------- 1 file changed, 92 insertions(+), 48 deletions(-) diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c index d853bacf1cfc..f06f16d63fe6 100644 --- a/drivers/target/iscsi/iscsi_target_nego.c +++ b/drivers/target/iscsi/iscsi_target_nego.c @@ -94,6 +94,31 @@ int extract_param( return 0; } +static struct iscsi_node_auth *iscsi_get_node_auth(struct iscsit_conn *conn) +{ + struct iscsi_portal_group *tpg; + struct iscsi_node_acl *nacl; + struct se_node_acl *se_nacl; + + if (conn->sess->sess_ops->SessionType) + return &iscsit_global->discovery_acl.node_auth; + + se_nacl = conn->sess->se_sess->se_node_acl; + if (!se_nacl) { + pr_err("Unable to locate struct se_node_acl for CHAP auth\n"); + return NULL; + } + + if (se_nacl->dynamic_node_acl) { + tpg = to_iscsi_tpg(se_nacl->se_tpg); + return &tpg->tpg_demo_auth; + } + + nacl = to_iscsi_nacl(se_nacl); + + return &nacl->node_auth; +} + static u32 iscsi_handle_authentication( struct iscsit_conn *conn, char *in_buf, @@ -102,38 +127,11 @@ static u32 iscsi_handle_authentication( int *out_length, unsigned char *authtype) { - struct iscsit_session *sess = conn->sess; struct iscsi_node_auth *auth; - struct iscsi_node_acl *nacl; - struct iscsi_portal_group *tpg; - struct se_node_acl *se_nacl; - - if (!sess->sess_ops->SessionType) { - /* - * For SessionType=Normal - */ - se_nacl = conn->sess->se_sess->se_node_acl; - if (!se_nacl) { - pr_err("Unable to locate struct se_node_acl for" - " CHAP auth\n"); - return -1; - } - - if (se_nacl->dynamic_node_acl) { - tpg = to_iscsi_tpg(se_nacl->se_tpg); - - auth = &tpg->tpg_demo_auth; - } else { - nacl = to_iscsi_nacl(se_nacl); - auth = &nacl->node_auth; - } - } else { - /* - * For SessionType=Discovery - */ - auth = &iscsit_global->discovery_acl.node_auth; - } + auth = iscsi_get_node_auth(conn); + if (!auth) + return -1; if (strstr("CHAP", authtype)) strcpy(conn->sess->auth_type, "CHAP"); @@ -813,6 +811,37 @@ static int iscsi_target_do_authentication( return 0; } +static bool iscsi_conn_auth_required(struct iscsit_conn *conn) +{ + struct se_node_acl *se_nacl; + + if (conn->sess->sess_ops->SessionType) { + /* + * For SessionType=Discovery + */ + return conn->tpg->tpg_attrib.authentication; + } + /* + * For SessionType=Normal + */ + se_nacl = conn->sess->se_sess->se_node_acl; + if (!se_nacl) { + pr_debug("Unknown ACL %s is trying to connect\n", + se_nacl->initiatorname); + return true; + } + + if (se_nacl->dynamic_node_acl) { + pr_debug("Dynamic ACL %s is trying to connect\n", + se_nacl->initiatorname); + return conn->tpg->tpg_attrib.authentication; + } + + pr_debug("Known ACL %s is trying to connect\n", + se_nacl->initiatorname); + return conn->tpg->tpg_attrib.authentication; +} + static int iscsi_target_handle_csg_zero( struct iscsit_conn *conn, struct iscsi_login *login) @@ -874,22 +903,26 @@ static int iscsi_target_handle_csg_zero( return -1; if (!iscsi_check_negotiated_keys(conn->param_list)) { - if (conn->tpg->tpg_attrib.authentication && - !strncmp(param->value, NONE, 4)) { - pr_err("Initiator sent AuthMethod=None but" - " Target is enforcing iSCSI Authentication," - " login failed.\n"); - iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR, - ISCSI_LOGIN_STATUS_AUTH_FAILED); - return -1; - } + bool auth_required = iscsi_conn_auth_required(conn); + + if (auth_required) { + if (!strncmp(param->value, NONE, 4)) { + pr_err("Initiator sent AuthMethod=None but" + " Target is enforcing iSCSI Authentication," + " login failed.\n"); + iscsit_tx_login_rsp(conn, + ISCSI_STATUS_CLS_INITIATOR_ERR, + ISCSI_LOGIN_STATUS_AUTH_FAILED); + return -1; + } - if (conn->tpg->tpg_attrib.authentication && - !login->auth_complete) - return 0; + if (!login->auth_complete) + return 0; - if (strncmp(param->value, NONE, 4) && !login->auth_complete) - return 0; + if (strncmp(param->value, NONE, 4) && + !login->auth_complete) + return 0; + } if ((login_req->flags & ISCSI_FLAG_LOGIN_NEXT_STAGE1) && (login_req->flags & ISCSI_FLAG_LOGIN_TRANSIT)) { @@ -904,6 +937,18 @@ static int iscsi_target_handle_csg_zero( return iscsi_target_do_authentication(conn, login); } +static bool iscsi_conn_authenticated(struct iscsit_conn *conn, + struct iscsi_login *login) +{ + if (!iscsi_conn_auth_required(conn)) + return true; + + if (login->auth_complete) + return true; + + return false; +} + static int iscsi_target_handle_csg_one(struct iscsit_conn *conn, struct iscsi_login *login) { int ret; @@ -947,11 +992,10 @@ static int iscsi_target_handle_csg_one(struct iscsit_conn *conn, struct iscsi_lo return -1; } - if (!login->auth_complete && - conn->tpg->tpg_attrib.authentication) { + if (!iscsi_conn_authenticated(conn, login)) { pr_err("Initiator is requesting CSG: 1, has not been" - " successfully authenticated, and the Target is" - " enforcing iSCSI Authentication, login failed.\n"); + " successfully authenticated, and the Target is" + " enforcing iSCSI Authentication, login failed.\n"); iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR, ISCSI_LOGIN_STATUS_AUTH_FAILED); return -1; -- 2.25.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v5 2/3] scsi: target: iscsi: extract auth functions 2022-05-23 9:59 ` [PATCH v5 2/3] scsi: target: iscsi: extract auth functions Dmitry Bogdanov @ 2022-05-23 18:22 ` Lee Duncan 0 siblings, 0 replies; 8+ messages in thread From: Lee Duncan @ 2022-05-23 18:22 UTC (permalink / raw) To: Dmitry Bogdanov, Martin Petersen, target-devel Cc: Mike Christie, linux-scsi, linux, Roman Bolshakov, Konstantin Shelekhin On 5/23/22 02:59, Dmitry Bogdanov wrote: > Create functions that answers simple questions: > whether authentication is required, what credentials, whether > connection is autenticated. > > Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com> > Reviewed-by: Konstantin Shelekhin <k.shelekhin@yadro.com> > Reviewed-by: Mike Christie <michael.christie@oracle.com> > Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com> > --- > drivers/target/iscsi/iscsi_target_nego.c | 140 +++++++++++++++-------- > 1 file changed, 92 insertions(+), 48 deletions(-) > > diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c > index d853bacf1cfc..f06f16d63fe6 100644 > --- a/drivers/target/iscsi/iscsi_target_nego.c > +++ b/drivers/target/iscsi/iscsi_target_nego.c > @@ -94,6 +94,31 @@ int extract_param( > return 0; > } > > +static struct iscsi_node_auth *iscsi_get_node_auth(struct iscsit_conn *conn) > +{ > + struct iscsi_portal_group *tpg; > + struct iscsi_node_acl *nacl; > + struct se_node_acl *se_nacl; > + > + if (conn->sess->sess_ops->SessionType) > + return &iscsit_global->discovery_acl.node_auth; > + > + se_nacl = conn->sess->se_sess->se_node_acl; > + if (!se_nacl) { > + pr_err("Unable to locate struct se_node_acl for CHAP auth\n"); > + return NULL; > + } > + > + if (se_nacl->dynamic_node_acl) { > + tpg = to_iscsi_tpg(se_nacl->se_tpg); > + return &tpg->tpg_demo_auth; > + } > + > + nacl = to_iscsi_nacl(se_nacl); > + > + return &nacl->node_auth; > +} > + > static u32 iscsi_handle_authentication( > struct iscsit_conn *conn, > char *in_buf, > @@ -102,38 +127,11 @@ static u32 iscsi_handle_authentication( > int *out_length, > unsigned char *authtype) > { > - struct iscsit_session *sess = conn->sess; > struct iscsi_node_auth *auth; > - struct iscsi_node_acl *nacl; > - struct iscsi_portal_group *tpg; > - struct se_node_acl *se_nacl; > - > - if (!sess->sess_ops->SessionType) { > - /* > - * For SessionType=Normal > - */ > - se_nacl = conn->sess->se_sess->se_node_acl; > - if (!se_nacl) { > - pr_err("Unable to locate struct se_node_acl for" > - " CHAP auth\n"); > - return -1; > - } > - > - if (se_nacl->dynamic_node_acl) { > - tpg = to_iscsi_tpg(se_nacl->se_tpg); > - > - auth = &tpg->tpg_demo_auth; > - } else { > - nacl = to_iscsi_nacl(se_nacl); > > - auth = &nacl->node_auth; > - } > - } else { > - /* > - * For SessionType=Discovery > - */ > - auth = &iscsit_global->discovery_acl.node_auth; > - } > + auth = iscsi_get_node_auth(conn); > + if (!auth) > + return -1; > > if (strstr("CHAP", authtype)) > strcpy(conn->sess->auth_type, "CHAP"); > @@ -813,6 +811,37 @@ static int iscsi_target_do_authentication( > return 0; > } > > +static bool iscsi_conn_auth_required(struct iscsit_conn *conn) > +{ > + struct se_node_acl *se_nacl; > + > + if (conn->sess->sess_ops->SessionType) { > + /* > + * For SessionType=Discovery > + */ > + return conn->tpg->tpg_attrib.authentication; > + } > + /* > + * For SessionType=Normal > + */ > + se_nacl = conn->sess->se_sess->se_node_acl; > + if (!se_nacl) { > + pr_debug("Unknown ACL %s is trying to connect\n", > + se_nacl->initiatorname); > + return true; > + } > + > + if (se_nacl->dynamic_node_acl) { > + pr_debug("Dynamic ACL %s is trying to connect\n", > + se_nacl->initiatorname); > + return conn->tpg->tpg_attrib.authentication; > + } > + > + pr_debug("Known ACL %s is trying to connect\n", > + se_nacl->initiatorname); > + return conn->tpg->tpg_attrib.authentication; > +} > + > static int iscsi_target_handle_csg_zero( > struct iscsit_conn *conn, > struct iscsi_login *login) > @@ -874,22 +903,26 @@ static int iscsi_target_handle_csg_zero( > return -1; > > if (!iscsi_check_negotiated_keys(conn->param_list)) { > - if (conn->tpg->tpg_attrib.authentication && > - !strncmp(param->value, NONE, 4)) { > - pr_err("Initiator sent AuthMethod=None but" > - " Target is enforcing iSCSI Authentication," > - " login failed.\n"); > - iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR, > - ISCSI_LOGIN_STATUS_AUTH_FAILED); > - return -1; > - } > + bool auth_required = iscsi_conn_auth_required(conn); > + > + if (auth_required) { > + if (!strncmp(param->value, NONE, 4)) { > + pr_err("Initiator sent AuthMethod=None but" > + " Target is enforcing iSCSI Authentication," > + " login failed.\n"); > + iscsit_tx_login_rsp(conn, > + ISCSI_STATUS_CLS_INITIATOR_ERR, > + ISCSI_LOGIN_STATUS_AUTH_FAILED); > + return -1; > + } > > - if (conn->tpg->tpg_attrib.authentication && > - !login->auth_complete) > - return 0; > + if (!login->auth_complete) > + return 0; > > - if (strncmp(param->value, NONE, 4) && !login->auth_complete) > - return 0; > + if (strncmp(param->value, NONE, 4) && > + !login->auth_complete) > + return 0; > + } > > if ((login_req->flags & ISCSI_FLAG_LOGIN_NEXT_STAGE1) && > (login_req->flags & ISCSI_FLAG_LOGIN_TRANSIT)) { > @@ -904,6 +937,18 @@ static int iscsi_target_handle_csg_zero( > return iscsi_target_do_authentication(conn, login); > } > > +static bool iscsi_conn_authenticated(struct iscsit_conn *conn, > + struct iscsi_login *login) > +{ > + if (!iscsi_conn_auth_required(conn)) > + return true; > + > + if (login->auth_complete) > + return true; > + > + return false; > +} > + > static int iscsi_target_handle_csg_one(struct iscsit_conn *conn, struct iscsi_login *login) > { > int ret; > @@ -947,11 +992,10 @@ static int iscsi_target_handle_csg_one(struct iscsit_conn *conn, struct iscsi_lo > return -1; > } > > - if (!login->auth_complete && > - conn->tpg->tpg_attrib.authentication) { > + if (!iscsi_conn_authenticated(conn, login)) { > pr_err("Initiator is requesting CSG: 1, has not been" > - " successfully authenticated, and the Target is" > - " enforcing iSCSI Authentication, login failed.\n"); > + " successfully authenticated, and the Target is" > + " enforcing iSCSI Authentication, login failed.\n"); > iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR, > ISCSI_LOGIN_STATUS_AUTH_FAILED); > return -1; Reviewed-by: Lee Duncan <lduncan@suse.com> ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v5 3/3] target: iscsi: control authentication per ACL 2022-05-23 9:59 [PATCH v5 0/3] target: iscsi: control authentication per ACL Dmitry Bogdanov 2022-05-23 9:59 ` [PATCH v5 1/3] scsi: target: iscsi: Add upcast helpers Dmitry Bogdanov 2022-05-23 9:59 ` [PATCH v5 2/3] scsi: target: iscsi: extract auth functions Dmitry Bogdanov @ 2022-05-23 9:59 ` Dmitry Bogdanov 2022-06-08 1:55 ` [PATCH v5 0/3] " Martin K. Petersen 2022-06-10 17:45 ` Martin K. Petersen 4 siblings, 0 replies; 8+ messages in thread From: Dmitry Bogdanov @ 2022-05-23 9:59 UTC (permalink / raw) To: Martin Petersen, target-devel Cc: Mike Christie, linux-scsi, linux, Dmitry Bogdanov, Roman Bolshakov, Konstantin Shelekhin Add acls/{ACL}/attrib/authentication attribute that controls authentication for particular ACL. By default, this attribute inherits a value of the authentication attribute of the target port group to keep backward compatibility. authentication attribute has 3 states: "0" - authentication is turned off for this ACL "1" - authentication is required for this ACL "-1" - authentication is inherited from TPG Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com> Reviewed-by: Konstantin Shelekhin <k.shelekhin@yadro.com> Reviewed-by: Mike Christie <michael.christie@oracle.com> Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com> --- drivers/target/iscsi/iscsi_target_configfs.c | 31 +++++++++++++++++++ drivers/target/iscsi/iscsi_target_nego.c | 8 ++++- .../target/iscsi/iscsi_target_nodeattrib.c | 1 + include/target/iscsi/iscsi_target_core.h | 2 ++ 4 files changed, 41 insertions(+), 1 deletion(-) diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c index 1096201f1599..c41b369a0bb9 100644 --- a/drivers/target/iscsi/iscsi_target_configfs.c +++ b/drivers/target/iscsi/iscsi_target_configfs.c @@ -314,6 +314,36 @@ ISCSI_NACL_ATTR(random_datain_pdu_offsets); ISCSI_NACL_ATTR(random_datain_seq_offsets); ISCSI_NACL_ATTR(random_r2t_offsets); +static ssize_t iscsi_nacl_attrib_authentication_show(struct config_item *item, + char *page) +{ + struct se_node_acl *se_nacl = attrib_to_nacl(item); + struct iscsi_node_acl *nacl = to_iscsi_nacl(se_nacl); + + return sprintf(page, "%d\n", nacl->node_attrib.authentication); +} + +static ssize_t iscsi_nacl_attrib_authentication_store(struct config_item *item, + const char *page, size_t count) +{ + struct se_node_acl *se_nacl = attrib_to_nacl(item); + struct iscsi_node_acl *nacl = to_iscsi_nacl(se_nacl); + s32 val; + int ret; + + ret = kstrtos32(page, 0, &val); + if (ret) + return ret; + if (val != 0 && val != 1 && val != NA_AUTHENTICATION_INHERITED) + return -EINVAL; + + nacl->node_attrib.authentication = val; + + return count; +} + +CONFIGFS_ATTR(iscsi_nacl_attrib_, authentication); + static struct configfs_attribute *lio_target_nacl_attrib_attrs[] = { &iscsi_nacl_attrib_attr_dataout_timeout, &iscsi_nacl_attrib_attr_dataout_timeout_retries, @@ -323,6 +353,7 @@ static struct configfs_attribute *lio_target_nacl_attrib_attrs[] = { &iscsi_nacl_attrib_attr_random_datain_pdu_offsets, &iscsi_nacl_attrib_attr_random_datain_seq_offsets, &iscsi_nacl_attrib_attr_random_r2t_offsets, + &iscsi_nacl_attrib_attr_authentication, NULL, }; diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c index f06f16d63fe6..9ce35a59962b 100644 --- a/drivers/target/iscsi/iscsi_target_nego.c +++ b/drivers/target/iscsi/iscsi_target_nego.c @@ -813,6 +813,7 @@ static int iscsi_target_do_authentication( static bool iscsi_conn_auth_required(struct iscsit_conn *conn) { + struct iscsi_node_acl *nacl; struct se_node_acl *se_nacl; if (conn->sess->sess_ops->SessionType) { @@ -839,7 +840,12 @@ static bool iscsi_conn_auth_required(struct iscsit_conn *conn) pr_debug("Known ACL %s is trying to connect\n", se_nacl->initiatorname); - return conn->tpg->tpg_attrib.authentication; + + nacl = to_iscsi_nacl(se_nacl); + if (nacl->node_attrib.authentication == NA_AUTHENTICATION_INHERITED) + return conn->tpg->tpg_attrib.authentication; + + return nacl->node_attrib.authentication; } static int iscsi_target_handle_csg_zero( diff --git a/drivers/target/iscsi/iscsi_target_nodeattrib.c b/drivers/target/iscsi/iscsi_target_nodeattrib.c index 874cb33c9be0..d63efdefb18e 100644 --- a/drivers/target/iscsi/iscsi_target_nodeattrib.c +++ b/drivers/target/iscsi/iscsi_target_nodeattrib.c @@ -30,6 +30,7 @@ void iscsit_set_default_node_attribues( { struct iscsi_node_attrib *a = &acl->node_attrib; + a->authentication = NA_AUTHENTICATION_INHERITED; a->dataout_timeout = NA_DATAOUT_TIMEOUT; a->dataout_timeout_retries = NA_DATAOUT_TIMEOUT_RETRIES; a->nopin_timeout = NA_NOPIN_TIMEOUT; diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h index 4dd62947f8db..94d06ddfd80a 100644 --- a/include/target/iscsi/iscsi_target_core.h +++ b/include/target/iscsi/iscsi_target_core.h @@ -26,6 +26,7 @@ struct sock; #define ISCSI_RX_THREAD_NAME "iscsi_trx" #define ISCSI_TX_THREAD_NAME "iscsi_ttx" #define ISCSI_IQN_LEN 224 +#define NA_AUTHENTICATION_INHERITED -1 /* struct iscsi_node_attrib sanity values */ #define NA_DATAOUT_TIMEOUT 3 @@ -715,6 +716,7 @@ struct iscsi_login { } ____cacheline_aligned; struct iscsi_node_attrib { + s32 authentication; u32 dataout_timeout; u32 dataout_timeout_retries; u32 default_erl; -- 2.25.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v5 0/3] target: iscsi: control authentication per ACL 2022-05-23 9:59 [PATCH v5 0/3] target: iscsi: control authentication per ACL Dmitry Bogdanov ` (2 preceding siblings ...) 2022-05-23 9:59 ` [PATCH v5 3/3] target: iscsi: control authentication per ACL Dmitry Bogdanov @ 2022-06-08 1:55 ` Martin K. Petersen 2022-06-10 17:45 ` Martin K. Petersen 4 siblings, 0 replies; 8+ messages in thread From: Martin K. Petersen @ 2022-06-08 1:55 UTC (permalink / raw) To: Dmitry Bogdanov Cc: Martin Petersen, target-devel, Mike Christie, linux-scsi, linux Dmitry, > Add acls/{ACL}/attrib/authentication attribute that controls > authentication for the particular ACL. By default, this attribute > inherits a value of authentication attribute of the target port group > to keep a backward compatibility. Applied to 5.20/scsi-staging, thanks! -- Martin K. Petersen Oracle Linux Engineering ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v5 0/3] target: iscsi: control authentication per ACL 2022-05-23 9:59 [PATCH v5 0/3] target: iscsi: control authentication per ACL Dmitry Bogdanov ` (3 preceding siblings ...) 2022-06-08 1:55 ` [PATCH v5 0/3] " Martin K. Petersen @ 2022-06-10 17:45 ` Martin K. Petersen 4 siblings, 0 replies; 8+ messages in thread From: Martin K. Petersen @ 2022-06-10 17:45 UTC (permalink / raw) To: Dmitry Bogdanov, target-devel Cc: Martin K . Petersen, Mike Christie, linux-scsi, linux On Mon, 23 May 2022 12:59:02 +0300, Dmitry Bogdanov wrote: > Add acls/{ACL}/attrib/authentication attribute that controls authentication > for the particular ACL. By default, this attribute inherits a value of > authentication attribute of the target port group to keep a backward > compatibility. > > authentication attribute has 3 states: > "0" - authentication is turned off for this ACL > "1" - authentication is required for this ACL > "-1" - authentication is inherited from TPG > > [...] Applied to 5.20/scsi-queue, thanks! [1/3] scsi: target: iscsi: Add upcast helpers https://git.kernel.org/mkp/scsi/c/a11b80692be5 [2/3] scsi: target: iscsi: extract auth functions https://git.kernel.org/mkp/scsi/c/a75fcb0912a5 [3/3] target: iscsi: control authentication per ACL https://git.kernel.org/mkp/scsi/c/a6e0d179764c -- Martin K. Petersen Oracle Linux Engineering ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2022-06-10 17:45 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-05-23 9:59 [PATCH v5 0/3] target: iscsi: control authentication per ACL Dmitry Bogdanov 2022-05-23 9:59 ` [PATCH v5 1/3] scsi: target: iscsi: Add upcast helpers Dmitry Bogdanov 2022-05-23 18:18 ` Lee Duncan 2022-05-23 9:59 ` [PATCH v5 2/3] scsi: target: iscsi: extract auth functions Dmitry Bogdanov 2022-05-23 18:22 ` Lee Duncan 2022-05-23 9:59 ` [PATCH v5 3/3] target: iscsi: control authentication per ACL Dmitry Bogdanov 2022-06-08 1:55 ` [PATCH v5 0/3] " Martin K. Petersen 2022-06-10 17:45 ` Martin K. Petersen
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.