From: Dmitriy Bogdanov <d.bogdanov@yadro.com>
To: Mike Christie <michael.christie@oracle.com>,
Martin Petersen <martin.petersen@oracle.com>,
"target-devel@vger.kernel.org" <target-devel@vger.kernel.org>
Cc: "linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
"linux@yadro.com" <linux@yadro.com>,
Roman Bolshakov <r.bolshakov@yadro.com>,
Konstantin Shelekhin <k.shelekhin@yadro.com>
Subject: RE: [PATCH 2/3] scsi: target: iscsi: extract auth functions
Date: Mon, 4 Oct 2021 07:41:01 +0000 [thread overview]
Message-ID: <31e1f968b10047bba06e36ff97f16744@yadro.com> (raw)
In-Reply-To: <c55719fa-9150-b64e-306f-b8b31a405be4@oracle.com>
Hi Mike,
> > +{
> > + struct se_node_acl *se_nacl;
> > +
> > + if (conn->sess->sess_ops->SessionType) {
> > + /*
> > + * For SessionType=Discovery
> > + */
> > + return conn->tpg->tpg_attrib.authentication;
> > + }
> > + /*
> > + * For SessionType=Normal
> > + */
> > + se_nacl = conn->sess->se_sess->se_node_acl;
> > + if (!se_nacl) {
> > + pr_debug("Unknown ACL %s is trying to connect\n",
> > + se_nacl->initiatorname);
> > + return true;
>
> Before the patch, if we didn't have an ACL we would go by
> conn->tpg->tpg_attrib.authentication. But with the patch, if
> we don't have an ACL, then it looks like we always require authentication
> which I don't think is right.
>
> Is the code above supposed to return the value of
> conn->tpg->tpg_attrib.authentication?
No, no. This piece of code is the same as it was.
An absence of ACL is some erroneous situation because the login must be
rejected earlier in __iscsi_target_login_thread -> iscsi_target_locate_portal
> > + }
> > +
> > + if (se_nacl->dynamic_node_acl) {
> > + pr_debug("Dynamic ACL %s is trying to connect\n",
> > + se_nacl->initiatorname);
> > + return conn->tpg->tpg_attrib.authentication;
> > + }
> > +
> > + pr_debug("Known ACL %s is trying to connect\n",
> > + se_nacl->initiatorname);
> > + return conn->tpg->tpg_attrib.authentication;
> > +}
> > +
> > static int iscsi_target_handle_csg_zero(
> > struct iscsi_conn *conn,
> > struct iscsi_login *login)
> > @@ -874,22 +903,26 @@ static int iscsi_target_handle_csg_zero(
> > return -1;
> >
> > if (!iscsi_check_negotiated_keys(conn->param_list)) {
> > - if (conn->tpg->tpg_attrib.authentication &&
> > - !strncmp(param->value, NONE, 4)) {
> > - pr_err("Initiator sent AuthMethod=None but"
> > - " Target is enforcing iSCSI Authentication,"
> > - " login failed.\n");
> > - iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
> > - ISCSI_LOGIN_STATUS_AUTH_FAILED);
> > - return -1;
> > - }
> > + bool auth_required = iscsi_conn_auth_required(conn);
> > +
>
> In __iscsi_target_login_thread we have:
>
> if (conn->sess)
> conn->sess->se_sess->sup_prot_ops =
> conn->conn_transport->iscsit_get_sup_prot_ops(conn);
>
> before we call:
>
> iscsi_target_start_negotiation -> iscsi_target_do_login- > iscsi_target_handle_csg_zero
> and hit the code above.
>
> If conn->sess can be NULL then iscsi_conn_auth_required will crash.
>
> However, I can't tell how conn->sess can be NULL in that code path. Is the conn->sess
> check in __iscsi_target_login_thread not needed?
conn->sess is set to NULL in iscsi_login_non_zero_tsih_s1 and new session is created
in iscsi_login_non_zero_tsih_s2 which is before iscsi_target_start_negotiation, so
we are safe.
BR,
Dmitry
next prev parent reply other threads:[~2021-10-04 7:41 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-14 10:03 [PATCH 0/3] target: iscsi: control authentication per ACL Dmitry Bogdanov
2021-09-14 10:03 ` [PATCH 1/3] scsi: target: iscsi: Add upcast helpers Dmitry Bogdanov
2021-09-14 10:03 ` [PATCH 2/3] scsi: target: iscsi: extract auth functions Dmitry Bogdanov
2021-09-30 18:46 ` Mike Christie
2021-10-04 7:41 ` Dmitriy Bogdanov [this message]
2021-09-14 10:03 ` [PATCH 3/3] target: iscsi: control authentication per ACL Dmitry Bogdanov
2021-09-30 18:52 ` Mike Christie
2021-10-04 7:56 ` Dmitriy Bogdanov
2021-10-05 16:04 ` Mike Christie
2021-10-18 11:48 ` Dmitriy Bogdanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=31e1f968b10047bba06e36ff97f16744@yadro.com \
--to=d.bogdanov@yadro.com \
--cc=k.shelekhin@yadro.com \
--cc=linux-scsi@vger.kernel.org \
--cc=linux@yadro.com \
--cc=martin.petersen@oracle.com \
--cc=michael.christie@oracle.com \
--cc=r.bolshakov@yadro.com \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).