scsi: target: iscsi: Control authentication per ACL

Add acls/{ACL}/attrib/authentication attribute that controls authentication
for particular ACL. By default, this attribute inherits a value of the
authentication attribute of the target port group to keep backward
compatibility.

Authentication attribute has 3 states:

 "0" - authentication is turned off for this ACL

 "1" - authentication is required for this ACL

 "-1" - authentication is inherited from TPG

Link: https://lore.kernel.org/r/20220523095905.26070-4-d.bogdanov@yadro.com
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: Konstantin Shelekhin <k.shelekhin@yadro.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c
index b01b6701c144aecabf76f696b49e8ddc8c43105e..5d0f51822414e04018bfaaf73787d4d09ae53d70 100644 (file)
--- a/drivers/target/iscsi/iscsi_target_configfs.c
+++ b/drivers/target/iscsi/iscsi_target_configfs.c
@@ -314,6 +314,36 @@ ISCSI_NACL_ATTR(random_datain_pdu_offsets);
 ISCSI_NACL_ATTR(random_datain_seq_offsets);
 ISCSI_NACL_ATTR(random_r2t_offsets);
 
+static ssize_t iscsi_nacl_attrib_authentication_show(struct config_item *item,
+               char *page)
+{
+       struct se_node_acl *se_nacl = attrib_to_nacl(item);
+       struct iscsi_node_acl *nacl = to_iscsi_nacl(se_nacl);
+
+       return sprintf(page, "%d\n", nacl->node_attrib.authentication);
+}
+
+static ssize_t iscsi_nacl_attrib_authentication_store(struct config_item *item,
+               const char *page, size_t count)
+{
+       struct se_node_acl *se_nacl = attrib_to_nacl(item);
+       struct iscsi_node_acl *nacl = to_iscsi_nacl(se_nacl);
+       s32 val;
+       int ret;
+
+       ret = kstrtos32(page, 0, &val);
+       if (ret)
+               return ret;
+       if (val != 0 && val != 1 && val != NA_AUTHENTICATION_INHERITED)
+               return -EINVAL;
+
+       nacl->node_attrib.authentication = val;
+
+       return count;
+}
+
+CONFIGFS_ATTR(iscsi_nacl_attrib_, authentication);
+
 static struct configfs_attribute *lio_target_nacl_attrib_attrs[] = {
        &iscsi_nacl_attrib_attr_dataout_timeout,
        &iscsi_nacl_attrib_attr_dataout_timeout_retries,
@@ -323,6 +353,7 @@ static struct configfs_attribute *lio_target_nacl_attrib_attrs[] = {
        &iscsi_nacl_attrib_attr_random_datain_pdu_offsets,
        &iscsi_nacl_attrib_attr_random_datain_seq_offsets,
        &iscsi_nacl_attrib_attr_random_r2t_offsets,
+       &iscsi_nacl_attrib_attr_authentication,
        NULL,
 };
 

diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
index f06f16d63fe68f384dbb8b8240ffc9c8144bec54..9ce35a59962bf04edd5ebb4d78f52cdfbc1e64e6 100644 (file)
--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -813,6 +813,7 @@ static int iscsi_target_do_authentication(
 
 static bool iscsi_conn_auth_required(struct iscsit_conn *conn)
 {
+       struct iscsi_node_acl *nacl;
        struct se_node_acl *se_nacl;
 
        if (conn->sess->sess_ops->SessionType) {
@@ -839,7 +840,12 @@ static bool iscsi_conn_auth_required(struct iscsit_conn *conn)
 
        pr_debug("Known ACL %s is trying to connect\n",
                 se_nacl->initiatorname);
-       return conn->tpg->tpg_attrib.authentication;
+
+       nacl = to_iscsi_nacl(se_nacl);
+       if (nacl->node_attrib.authentication == NA_AUTHENTICATION_INHERITED)
+               return conn->tpg->tpg_attrib.authentication;
+
+       return nacl->node_attrib.authentication;
 }
 
 static int iscsi_target_handle_csg_zero(

diff --git a/drivers/target/iscsi/iscsi_target_nodeattrib.c b/drivers/target/iscsi/iscsi_target_nodeattrib.c
index 874cb33c9be01e8149e787a7b4319af4a7be44b8..d63efdefb18e42171e425160f7a84e922c0773e1 100644 (file)
--- a/drivers/target/iscsi/iscsi_target_nodeattrib.c
+++ b/drivers/target/iscsi/iscsi_target_nodeattrib.c
@@ -30,6 +30,7 @@ void iscsit_set_default_node_attribues(
 {
        struct iscsi_node_attrib *a = &acl->node_attrib;
 
+       a->authentication = NA_AUTHENTICATION_INHERITED;
        a->dataout_timeout = NA_DATAOUT_TIMEOUT;
        a->dataout_timeout_retries = NA_DATAOUT_TIMEOUT_RETRIES;
        a->nopin_timeout = NA_NOPIN_TIMEOUT;

diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h
index 4dd62947f8db1154a5ce4c3171b6b8c1ba62165e..94d06ddfd80ade45e72abe9a2e6182e9c7ca5d04 100644 (file)
--- a/include/target/iscsi/iscsi_target_core.h
+++ b/include/target/iscsi/iscsi_target_core.h
@@ -26,6 +26,7 @@ struct sock;
 #define ISCSI_RX_THREAD_NAME           "iscsi_trx"
 #define ISCSI_TX_THREAD_NAME           "iscsi_ttx"
 #define ISCSI_IQN_LEN                  224
+#define NA_AUTHENTICATION_INHERITED    -1
 
 /* struct iscsi_node_attrib sanity values */
 #define NA_DATAOUT_TIMEOUT             3
@@ -715,6 +716,7 @@ struct iscsi_login {
 } ____cacheline_aligned;
 
 struct iscsi_node_attrib {
+       s32                     authentication;
        u32                     dataout_timeout;
        u32                     dataout_timeout_retries;
        u32                     default_erl;