
Implement inband authentication.
Signed-off-by: Gil Bregman <[email protected]>
gbregman committed Oct 8, 2024
1 parent d293976 commit fc11efa
Showing 11 changed files with 901 additions and 207 deletions.
8 changes: 8 additions & 0 deletions .env
Expand Up @@ -86,3 +86,11 @@ BDEVPERF_CONTAINER_NAME="${COMPOSE_PROJECT_NAME}-bdevperf-1"
DISC1="${COMPOSE_PROJECT_NAME}-discovery-1"
GW1="${COMPOSE_PROJECT_NAME}-nvmeof-1"
GW2="${COMPOSE_PROJECT_NAME}-nvmeof-2"

# Keys for security tests
PSK_KEY1="NVMeTLSkey-1:01:YzrPElk4OYy1uUERriPwiiyEJE/+J5ckYpLB+5NHMsR2iBuT:" # generated using "nvme gen-tls-key"
PSK_KEY2="NVMeTLSkey-1:01:vUrPe33Auz/sgAAcYctjI0oOOEFM5lheeLy7U+yTsD/LHm9q:"

DHCHAP_KEY1="DHHC-1:01:rPTE0Q73nd3hEqqEuQNaPL11G/aFXpOHtldWXz9vNCeef4WV:" # generated using "nvme gen-dhchap-key"
DHCHAP_KEY2="DHHC-1:01:x7ecfGgIdOEl+J5cJ9JcZHOS2By2Me6eDJUnrsT9MVrCWRYV:"
DHCHAP_KEY3="DHHC-1:01:eNNXGjidEHHStbUi2Gmpps0JcnofReFfy+NaulguGgt327hz:"
495 changes: 347 additions & 148 deletions .github/workflows/build-container.yml


2 changes: 1 addition & 1 deletion .gitmodules
@@ -1,4 +1,4 @@
[submodule "spdk"]
path = spdk
url = https://github.com/ceph/spdk.git
branch = ceph-nvmeof-v24.05
branch = ceph-nvmeof-v24.05
3 changes: 2 additions & 1 deletion Makefile
Expand Up @@ -21,7 +21,8 @@ endif
# Includes
include mk/containerized.mk
include mk/demo.mk
include mk/demosecure.mk
include mk/demosecurepsk.mk
include mk/demosecuredhchap.mk
include mk/misc.mk
include mk/autohelp.mk

33 changes: 26 additions & 7 deletions control/cli.py
Expand Up @@ -1056,14 +1056,28 @@ def host_add(self, args):
if args.psk:
if len(args.host_nqn) > 1:
self.cli.parser.error(f"Can't have more than one host NQN when PSK keys are used")
if args.dhchap_key:
self.cli.parser.error(f"PSK and DH-HMAC-CHAP keys are mutually exclusive")

if args.dhchap_key:
if len(args.host_nqn) > 1:
self.cli.parser.error(f"Can't have more than one host NQN when DH-HMAC-CHAP keys are used")

if args.dhchap_ctrlr_key:
if not args.dhchap_key:
self.cli.parser.error(f"DH-HMAC-CHAP controller keys can not be used without DH-HMAC-CHAP keys")

for i in range(len(args.host_nqn)):
one_host_nqn = args.host_nqn[i]

if one_host_nqn == "*" and args.psk:
self.cli.parser.error(f"PSK is only allowed for specific hosts")
self.cli.parser.error(f"PSK key is only allowed for specific hosts")

if one_host_nqn == "*" and args.dhchap_key:
self.cli.parser.error(f"DH-HMAC-CHAP key is only allowed for specific hosts")

req = pb2.add_host_req(subsystem_nqn=args.subsystem, host_nqn=one_host_nqn, psk=args.psk)
req = pb2.add_host_req(subsystem_nqn=args.subsystem, host_nqn=one_host_nqn,
psk=args.psk, dhchap_key=args.dhchap_key, dhchap_ctrlr_key=args.dhchap_ctrlr_key)
try:
ret = self.stub.add_host(req)
except Exception as ex:
Expand Down Expand Up @@ -1173,14 +1187,15 @@ def host_list(self, args):
hosts_list.append(["Any host", "n/a"])
for h in hosts_info.hosts:
use_psk = "Yes" if h.use_psk else "No"
hosts_list.append([h.nqn, use_psk])
use_dhchap = "Yes" if h.use_dhchap else "No"
hosts_list.append([h.nqn, use_psk, use_dhchap])
if len(hosts_list) > 0:
if args.format == "text":
table_format = "fancy_grid"
else:
table_format = "plain"
hosts_out = tabulate(hosts_list,
headers = ["Host NQN", "Uses PSK"],
headers = ["Host NQN", "Uses PSK", "Uses DHCHAP"],
tablefmt=table_format, stralign="center")
out_func(f"Hosts allowed to access {args.subsystem}:\n{hosts_out}")
else:
Expand Down Expand Up @@ -1210,7 +1225,9 @@ def host_list(self, args):
]
host_add_args = host_common_args + [
argument("--host-nqn", "-t", help="Host NQN list", nargs="+", required=True),
argument("--psk", help="Hosts PSK key list", required=False),
argument("--psk", help="Hosts PSK key", required=False),
argument("--dhchap-key", help="Host DH-HMAC-CHAP key", required=False),
argument("--dhchap-ctrlr-key", help="Host DH-HMAC-CHAP controller key", required=False),
]
host_del_args = host_common_args + [
argument("--host-nqn", "-t", help="Host NQN list", nargs="+", required=True),
Expand Down Expand Up @@ -1251,6 +1268,7 @@ def connection_list(self, args):
for conn in connections_info.connections:
conn_secure = "<n/a>"
conn_psk = "Yes" if conn.use_psk else "No"
conn_dhchap = "Yes" if conn.use_dhchap else "No"
if conn.connected:
conn_secure = "Yes" if conn.secure else "No"
connections_list.append([conn.nqn,
Expand All @@ -1259,14 +1277,15 @@ def connection_list(self, args):
conn.qpairs_count if conn.connected else "<n/a>",
conn.controller_id if conn.connected else "<n/a>",
conn_secure,
conn_psk])
conn_psk,
conn_dhchap])
if len(connections_list) > 0:
if args.format == "text":
table_format = "fancy_grid"
else:
table_format = "plain"
connections_out = tabulate(connections_list,
headers = ["Host NQN", "Address", "Connected", "QPairs Count", "Controller ID", "Secure", "PSK"],
headers = ["Host NQN", "Address", "Connected", "QPairs Count", "Controller ID", "Secure", "Uses\nPSK", "Uses\nDHCHAP"],
tablefmt=table_format)
out_func(f"Connections for {args.subsystem}:\n{connections_out}")
else:
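Review bot: The wildcard row at the top of the host_list hunk still appends two columns, `hosts_list.append(["Any host", "n/a"])`, while every other row and the new header now carry three, so the "Any host" entry is left ragged under the new `Uses DHCHAP` column; it should become `hosts_list.append(["Any host", "n/a", "n/a"])`. In the host_add hunk the new `--dhchap-key` and `--dhchap-ctrlr-key` arguments, like the existing `--psk`, take the secret verbatim on the command line, where it is visible in process listings and shell history; consider saying so in the argument help, or accepting a path to a key file instead of the key value. The new parser.error calls also use f-strings with no placeholders (`f"PSK and DH-HMAC-CHAP keys are mutually exclusive"`), which can be plain string literals. host_add, host_list and connection_list all begin before their hunks.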
