Bug 607827 - Anaconda needs separate username/password fields for iSCSI Discovery Sessions
Anaconda needs separate username/password fields for iSCSI Discovery Sessions
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: anaconda (Show other bugs)
6.0
All Linux
low Severity medium
: rc
: ---
Assigned To: Ales Kozumplik
Release Test Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-24 20:11 EDT by Dax Kelson
Modified: 2014-09-30 19:39 EDT (History)
4 users (show)

See Also:
Fixed In Version: anaconda-13.21.84-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-19 08:30:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dax Kelson 2010-06-24 20:11:33 EDT
Description of problem:

iSCSI supports authentication at two different phases:

1. Discovery Session
2. Operational Session

The username and password for may be (and usually is) different.

Additionally, mutual authentication can be enabled for target -> initiator authentication.

This leads to many different possible scenarios. Anaconda is currently broken in that it only supports a (weak sauce) subset.

Scenario A - (very common - aka best practice):
Discovery Authentication enabled
Operation Session Authentication enabled, with DIFFERENT username/password
Mutual Authentication enabled or rarely disabled

Scenario B - (very common due to tgt limitation):
Discovery Authentication disabled
Operation Session Authentication enabled
Mutual Authentication enabled 

Scenario C - (common for insecure folks):
Discovery Authentication enabled
Operation Session Authentication enabled, with SAME username/password
Mutual Authentication enabled or possibly disabled

Scenario D - (common in non-production/testing environments):
Discovery Authentication disabled
Operation Session Authentication disabled

Most security conscious folks WANT to A but are forced to B when working with a RHEL target (because tgt doesn't currently do Discovery Authentication).

Anaconda only asks for a single pair of usernames and passwords (4 fields) and attempts to use it BOTH for Discovery and Session. This means that only Scenarios C and D are supported and not the desired A or B scenarios.

To fix this, Anaconda needs to ask for TWO pairs of usernames and passwords (8 fields) so that Discovery Session and Operation Session authentication can be configured separately. 

This problem exists in RHEL5 and RHEL6 (I checked beta 1)
Comment 2 RHEL Product and Program Management 2010-06-24 20:42:52 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 3 Hans de Goede 2010-06-25 02:37:39 EDT
Thanks for the bug report.

I agree with your analysis that we should allow using separate passwords for
discovery and target log in. This is however not something which we can fix for RHEL-6.0. I'll propose changing this for RHEL-6.1 .
Comment 5 Ales Kozumplik 2010-10-19 09:49:57 EDT
Fixes are available rawhide now, see bug 469382.
Comment 6 RHEL Product and Program Management 2010-10-29 17:30:50 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.
Comment 9 Ales Kozumplik 2010-11-23 08:20:07 EST
Patches for separate discovery/login credentials for both the GUI and the TUI have been merged, most importantly:

66302e6bb41805c368b46647206328cfd86509e5 (GUI)
193a7af18f8fb01d5757802d8ee82a168db2b0be (TUI)
Comment 11 Alexander Todorov 2011-03-30 07:52:02 EDT
In anaconda 13.21.107 both text and GUI mode there is the option to specify different credentials for the discovery and login authentication when adding iSCSI targets. The user is also able to re-use the credentials from the discovery step when logging into the target.
Comment 12 errata-xmlrpc 2011-05-19 08:30:33 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0530.html

Note You need to log in before you can comment on or make changes to this bug.