
iSCSI Authentication Configuration

2023-08-14 01:42 | Source: compiled from the web

iSCSI authentication configuration, set up with the LinuxIO (LIO) software target and targetcli.

Terms:
  Endpoint: the combination of a target name and an explicit or masked TPG (IQN/WWN + tag).
  Initiator: the device that opens and closes SCSI sessions; typically a computer (the host).
  Target: the receiving end of a SCSI session, usually a device such as a disk drive, tape drive or scanner.
  IQN (iSCSI Qualified Name): an iSCSI name format that uniquely identifies each device worldwide (e.g. iqn.5886.com.acme.tapedrive.sn-a12345678); the form is iqn.yyyy-mm.<reversed domain>:<unique name>.
  Network Portal: the combination of an iSCSI endpoint with an IP address and TCP port. The TCP port IANA assigns to iSCSI is 3260.
  TPG (Target Portal Group): a list of IP addresses and TCP port numbers that determines on which interfaces a particular iSCSI target listens.
  WWN (World Wide Name): a unique identifier for a particular Fibre Channel or InfiniBand target. Each WWN is an 8-byte number derived from an IEEE OUI and vendor-supplied information.

Kernel version: Linux localhost.localdomain 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

targetcli version: /usr/bin/targetcli version 2.1.fb46

iscsid version: iscsid version 6.2.0.874-10

iSCSI security authentication

How the three CHAP levels relate and differ:

discovery CHAP: global authentication, set once at the /iscsi level of targetcli and checked on every SendTargets discovery session. An initiator only sees the list of targets after passing it; it says nothing about which LUNs a logged-in initiator may use.

TPG CHAP: authentication for a whole target portal group. It is only consulted for initiators that have no explicit entry under acls/ (with generate_node_acls=1, LIO's "demo mode", a node ACL is generated on the fly for any IQN that presents the TPG credentials). An explicit node ACL has higher priority and overrides the TPG user name and password, so the two cannot be combined for the same initiator. With TPG CHAP alone the login succeeds, but the initiator only gets read access: in demo mode the TPG attribute demo_mode_write_protect, which defaults to 1, marks every LUN read-only. Setting it to 0 would give write access to any IQN that knows the TPG secret, which is rarely what you want.

LUN ACL CHAP (a node ACL in LIO terms): the most precise control. The ACL is created for the initiator's IQN (the original text calls it the WWN) and carries its own user name and password, so the initiator must log in with exactly that IQN for the target to know which ACL's credentials to verify. Log in with any other IQN and the target cannot match an ACL: with demo mode on, the initiator falls back to the TPG credentials and, even though it discovered the target and logged in successfully, gets no write access to the LUN; with demo mode off, the login is refused.

Note that every secret on this page is a short demonstration value. CHAP over plain TCP is exposed to an offline dictionary attack on a captured challenge/response pair, and RFC 7143 (like RFC 3720 before it) requires CHAP secrets of at least 96 bits (12 bytes) unless the connection is protected by IPsec.
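The mutual exchange described above, as an added example that is not part of the original page or of LIO/open-iscsi: both sides of an iSCSI CHAP login implemented with the RFC 1994 MD5 response (CHAP_A=5), using the TPG credentials from this page as constructed secrets, followed by the offline guess a passive attacker could make from one captured exchange. Challenge values are supplied by the caller so the run is reproducible; the encoding helper, the secret-strength check and the three-tuple result are this example's own conventions, not the protocol's.

```python
import hashlib
import hmac
import os

# Added example (not from the original page, LIO or open-iscsi): both sides of
# an iSCSI mutual CHAP login. iSCSI uses the RFC 1994 MD5 algorithm (CHAP_A=5):
#     CHAP_R = MD5(CHAP_I || secret || CHAP_C), CHAP_I being a single octet.
# The secrets below are the constructed TPG credentials used on this page.

# Target side: what `set auth userid=... password=... mutual_userid=... mutual_password=...` stores.
TARGET_CFG = {
    "userid": "tpguser1", "password": b"tgppasswd1",
    "mutual_userid": "ClientTPGuser1", "mutual_password": b"ClientTPGPasswd1",
}
# Initiator side: the node.session.auth.* lines in iscsid.conf.
INITIATOR_CFG = {
    "username": "tpguser1", "password": b"tgppasswd1",
    "username_in": "ClientTPGuser1", "password_in": b"ClientTPGPasswd1",
}
MIN_SECRET_BYTES = 12  # RFC 3720/7143: shorter CHAP secrets require IPsec on the connection


def chap_response(chap_i: int, secret: bytes, chap_c: bytes) -> bytes:
    """RFC 1994 MD5 CHAP: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([chap_i & 0xFF]) + secret + chap_c).digest()


def chap_encode(value: bytes) -> str:
    """iSCSI carries CHAP_C and CHAP_R as text; '0x' + hex is one of the allowed encodings."""
    return "0x" + value.hex()


def new_challenge():
    """A challenger picks a fresh identifier and a random challenge; challenges must never be reused."""
    return os.urandom(1)[0], os.urandom(16)


def mutual_chap_login(initiator_cfg, target_cfg, t_id, t_chal, i_id, i_chal):
    """Run the exchange with caller-supplied challenges (reproducible).

    Returns (initiator_authenticated, target_authenticated, login_ok).
    """
    # 1. target -> initiator: CHAP_A=5 CHAP_I=<t_id> CHAP_C=<chap_encode(t_chal)>
    # 2. initiator -> target: CHAP_N=<username> CHAP_R=<response>, plus its own
    #    CHAP_I=<i_id> CHAP_C=<i_chal> because it also wants to authenticate the target
    initiator_r = chap_response(t_id, initiator_cfg["password"], t_chal)

    # 3. target looks CHAP_N up and recomputes CHAP_R from the secret it has stored
    expected = chap_response(t_id, target_cfg["password"], t_chal)
    initiator_ok = (initiator_cfg["username"] == target_cfg["userid"]
                    and hmac.compare_digest(initiator_r, expected))
    if not initiator_ok:
        # Login rejected. The target never answers the initiator's challenge, so an
        # unauthenticated peer gets no response computed with the mutual secret.
        return False, False, False

    # 4. target -> initiator: CHAP_N=<mutual_userid> CHAP_R=MD5(i_id || mutual_password || i_chal)
    target_r = chap_response(i_id, target_cfg["mutual_password"], i_chal)

    # 5. initiator checks the name against username_in and the digest against password_in
    expected_in = chap_response(i_id, initiator_cfg["password_in"], i_chal)
    target_ok = (target_cfg["mutual_userid"] == initiator_cfg["username_in"]
                 and hmac.compare_digest(target_r, expected_in))
    return True, target_ok, target_ok


def offline_guess(t_id, t_chal, captured_r, candidates):
    """What a passive attacker can do with one captured (CHAP_I, CHAP_C, CHAP_R) from plain TCP."""
    for secret in candidates:
        if chap_response(t_id, secret, t_chal) == captured_r:
            return secret
    return None


def secret_is_strong(secret: bytes) -> bool:
    return len(secret) >= MIN_SECRET_BYTES


if __name__ == "__main__":
    t_id, t_chal = new_challenge()
    i_id, i_chal = new_challenge()
    print(mutual_chap_login(INITIATOR_CFG, TARGET_CFG, t_id, t_chal, i_id, i_chal))
    r = chap_response(t_id, TARGET_CFG["password"], t_chal)   # what a sniffer sees as CHAP_R
    print("guessed:", offline_guess(t_id, t_chal, r, [b"password", b"dis123456", b"tgppasswd1"]))
```

The order of steps is the security-relevant part: the target only answers the initiator's challenge after the initiator has proven itself, and a wrong mutual secret makes the initiator abort the login even though the target accepted it. The dictionary guess shows why the 9- and 10-byte secrets used on this page would not survive a capture of one login on an unencrypted segment.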

Configure discovery authentication and TPG authentication in targetcli; after authentication succeeds the disk is read-only

# enter targetcli interactive mode
[root@storage-test ~]# targetcli
targetcli shell version 2.1.fb46
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

# discovery CHAP:
# 1. enable discovery CHAP authentication
/> cd iscsi/
/iscsi>   # everything below is run in this directory
/iscsi> set discovery_auth enable=1
# 2. one-way CHAP: the client must present the user name and password set here to discover the targets exported over iSCSI
/iscsi> set discovery_auth userid=disUser password=dis123456
# 3. mutual CHAP: the client must present the server-side credentials set above, and the server must in turn present the credentials configured on the client, or authentication fails
/iscsi> set discovery_auth mutual_userid=ClientDisUser mutual_password=dis654321
# 4. query the configuration:
/iscsi> get discovery_auth
DISCOVERY_AUTH CONFIG GROUP
===========================
enable=True
-----------
The enable discovery_auth parameter.

mutual_password=dis654321
-------------------------
The mutual_password discovery_auth parameter.

mutual_userid=ClientDisUser
---------------------------
The mutual_userid discovery_auth parameter.

password=dis123456
------------------
The password discovery_auth parameter.

userid=disUser
--------------
The userid discovery_auth parameter.

# TPG-wide authentication: it only takes effect if no client entry exists under acls/, otherwise the ACL is used instead. After authentication the block device is read-only (demonstrated below).
/iscsi> cd iqn.2021-06.com.test.www:backstorage/tpg1/
/iscsi/iqn.20...kstorage/tpg1> get auth
AUTH CONFIG GROUP
=================
mutual_password=
----------------
The mutual_password auth parameter.

mutual_userid=
--------------
The mutual_userid auth parameter.

password=
---------
The password auth parameter.

userid=
-------
The userid auth parameter.

/iscsi/iqn.20...kstorage/tpg1> set attribute authentication=1 generate_node_acls=1
Parameter authentication is now '1'.
Parameter generate_node_acls is now '1'.
/iscsi/iqn.20...kstorage/tpg1> set auth userid=tpguser1 password=tgppasswd1
Parameter password is now 'tgppasswd1'.
Parameter userid is now 'tpguser1'.
/iscsi/iqn.20...kstorage/tpg1> set auth mutual_userid=ClientTPGuser1 mutual_password=ClientTPGPasswd1
Parameter mutual_password is now 'ClientTPGPasswd1'.
Parameter mutual_userid is now 'ClientTPGuser1'.
/iscsi/iqn.20...kstorage/tpg1> get auth
AUTH CONFIG GROUP
=================
mutual_password=ClientTPGPasswd1
--------------------------------
The mutual_password auth parameter.

mutual_userid=ClientTPGuser1
----------------------------
The mutual_userid auth parameter.

password=tgppasswd1
-------------------
The password auth parameter.

userid=tpguser1
---------------
The userid auth parameter.

/iscsi> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup/.
Configuration saved to /etc/target/saveconfig.json

Restart the target service

targetcli applies every change directly to the running kernel target and, on exit, saves it to /etc/target/saveconfig.json, so the restart below is not required for the new settings to take effect. Note what the unit does: ExecStop runs targetctl clear, which tears down every active session, and ExecStart runs targetctl restore from the saved file. Do not restart it on a target that is already serving initiators.

# restart the target service
[root@localhost ~]# systemctl restart target
[root@localhost ~]# systemctl status target
● target.service - Restore LIO kernel target configuration
   Loaded: loaded (/usr/lib/systemd/system/target.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2021-06-24 18:21:51 CST; 5min ago
  Process: 18766 ExecStop=/usr/bin/targetctl clear (code=exited, status=0/SUCCESS)
  Process: 18776 ExecStart=/usr/bin/targetctl restore (code=exited, status=0/SUCCESS)
 Main PID: 18776 (code=exited, status=0/SUCCESS)

Jun 24 18:21:51 localhost.localdomain systemd[1]: Starting Restore LIO kernel target configuration...
Jun 24 18:21:51 localhost.localdomain systemd[1]: Started Restore LIO kernel target configuration.

Modify the local initiator configuration and test

/etc/iscsi/iscsid.conf and the records under /var/lib/iscsi/ hold the CHAP secrets in clear text, so keep them readable by root only (the package default is mode 0600).

[root@localhost ~]# cd /etc/iscsi/
# the initiator name can be anything, as long as it is a valid IQN
[root@localhost iscsi]# echo "InitiatorName=iqn.2021-06.com.test.www:client">initiatorname.iscsi
[root@localhost iscsi]# cat initiatorname.iscsi
InitiatorName=iqn.2021-06.com.test.www:client
# edit iscsid.conf
[root@localhost iscsi]# vi iscsid.conf
# find the following section and change it as shown
# *************
# CHAP Settings
# *************
# To enable CHAP authentication set node.session.auth.authmethod
# to CHAP. The default is None.
node.session.auth.authmethod = CHAP
# To set a CHAP username and password for initiator
# authentication by the target(s), uncomment the following lines:
node.session.auth.username = tpguser1
node.session.auth.password = tgppasswd1
# To set a CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
node.session.auth.username_in = ClientTPGuser1
node.session.auth.password_in = ClientTPGPasswd1
# To enable CHAP authentication for a discovery session to the target
# set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
discovery.sendtargets.auth.authmethod = CHAP
# To set a discovery session CHAP username and password for the initiator
# authentication by the target(s), uncomment the following lines:
discovery.sendtargets.auth.username = disUser
discovery.sendtargets.auth.password = dis123456
# To set a discovery session CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
discovery.sendtargets.auth.username_in = ClientDisUser
discovery.sendtargets.auth.password_in = dis654321
# the discovery.* lines configure authentication for the discovery session; the node.session.* lines configure authentication at login
# save and quit
# restart the service (required, otherwise the change does not take effect)
[root@localhost ~]# systemctl restart iscsid
# rediscover the target (required: iscsid.conf only supplies defaults for newly created discovery and node records under /var/lib/iscsi/; existing records keep their old values)
[root@localhost ~]# iscsiadm -m discovery -tst -p 192.168.2.46
192.168.2.46:3260,1 iqn.2021-06.com.test.www:backstorage
# log in to the target
[root@localhost ~]# iscsiadm -m node -T iqn.2021-06.com.test.www:backstorage -l
Logging in to [iface: default, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260] (multiple)
Login to [iface: default, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260] successful.
# fdisk shows that a new disk, /dev/sdk, has appeared
[root@localhost iscsi]# fdisk -l

Disk /dev/sdk: 524 MB, 524288000 bytes, 1024000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes
Disk label type: dos
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdk1               1  4294967295  2147483647+  ee  GPT
# try to create a file system
[root@localhost iscsi]# mkfs /dev/sdk1
mke2fs 1.42.9 (28-Dec-2013)
/dev/sdk1: Read-only file system while setting up superblock
# the device is reported as read-only
# log out of the target
[root@localhost ~]# iscsiadm -m node -T iqn.2021-06.com.test.www:backstorage -u
Logging out of session [sid: 1, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260]
Logout of [sid: 1, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260] successful.

Configure ACL authentication in targetcli; after authentication succeeds the disk is read-write

# enter targetcli interactive mode
[root@storage-test ~]# targetcli
targetcli shell version 2.1.fb46
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

# create a node ACL for the initiator's IQN; with the default auto_add_mapped_luns=true the existing LUN 0 is mapped into it automatically
/iscsi/iqn.20...kstorage/tpg1> cd acls
/iscsi/iqn.20...age/tpg1/acls> create iqn.2021-06.com.test.www:client
Created Node ACL for iqn.2021-06.com.test.www:client
Created mapped LUN 0.
/iscsi/iqn.20...age/tpg1/acls> cd iqn.2021-06.com.test.www:client/
/iscsi/iqn.20...st.www:client> get auth
AUTH CONFIG GROUP
=================
mutual_password=
----------------
The mutual_password auth parameter.

mutual_userid=
--------------
The mutual_userid auth parameter.

password=
---------
The password auth parameter.

userid=
-------
The userid auth parameter.

/iscsi/iqn.20...st.www:client> set auth userid=acluser1 password=aclpasswd1
Parameter password is now 'aclpasswd1'.
Parameter userid is now 'acluser1'.
/iscsi/iqn.20...st.www:client> set auth mutual_userid=ClientLUNuser1 mutual_password=ClientLUNPasswd1
Parameter mutual_password is now 'ClientLUNPasswd1'.
Parameter mutual_userid is now 'ClientLUNuser1'.
/iscsi/iqn.20...st.www:client> get auth
AUTH CONFIG GROUP
=================
mutual_password=ClientLUNPasswd1
--------------------------------
The mutual_password auth parameter.

mutual_userid=ClientLUNuser1
----------------------------
The mutual_userid auth parameter.

password=aclpasswd1
-------------------
The password auth parameter.

userid=acluser1
---------------
The userid auth parameter.

/iscsi/iqn.20...st.www:client> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup/.
Configuration saved to /etc/target/saveconfig.json

Restart the target service

# restart the target service (same unit as before; the status output is identical to that of the first restart above)
[root@localhost ~]# systemctl restart target
[root@localhost ~]# systemctl status target
● target.service - Restore LIO kernel target configuration
   Loaded: loaded (/usr/lib/systemd/system/target.service; enabled; vendor preset: disabled)
   Active: active (exited)
  Process: ExecStop=/usr/bin/targetctl clear (code=exited, status=0/SUCCESS)
  Process: ExecStart=/usr/bin/targetctl restore (code=exited, status=0/SUCCESS)

Modify the local initiator configuration and test

# configure the client; the InitiatorName must be exactly the IQN the ACL was created for
[root@localhost iscsi]# echo "InitiatorName=iqn.2021-06.com.test.www:client">initiatorname.iscsi
[root@localhost iscsi]# cat initiatorname.iscsi
InitiatorName=iqn.2021-06.com.test.www:client
# edit iscsid.conf
[root@localhost iscsi]# vi iscsid.conf
# change the corresponding section to the following
# *************
# CHAP Settings
# *************
# To enable CHAP authentication set node.session.auth.authmethod
# to CHAP. The default is None.
node.session.auth.authmethod = CHAP
# To set a CHAP username and password for initiator
# authentication by the target(s), uncomment the following lines:
node.session.auth.username = acluser1
node.session.auth.password = aclpasswd1
# To set a CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
node.session.auth.username_in = ClientLUNuser1
node.session.auth.password_in = ClientLUNPasswd1
# To enable CHAP authentication for a discovery session to the target
# set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
discovery.sendtargets.auth.authmethod = CHAP
# To set a discovery session CHAP username and password for the initiator
# authentication by the target(s), uncomment the following lines:
discovery.sendtargets.auth.username = disUser
discovery.sendtargets.auth.password = dis123456
# To set a discovery session CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
discovery.sendtargets.auth.username_in = ClientDisUser
discovery.sendtargets.auth.password_in = dis654321
# only the node.session.* lines changed: they now carry the credentials set on the ACL entry
# save and quit
# restart the service (required, otherwise the change does not take effect)
[root@localhost ~]# systemctl restart iscsid
# rediscover the target (required, otherwise the existing node record keeps the old credentials)
[root@localhost ~]# iscsiadm -m discovery -tst -p 192.168.2.46
192.168.2.46:3260,1 iqn.2021-06.com.test.www:backstorage
# log in to the target
[root@localhost ~]# iscsiadm -m node -T iqn.2021-06.com.test.www:backstorage -l
Logging in to [iface: default, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260] (multiple)
Login to [iface: default, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260] successful.

# fdisk shows that a new disk, /dev/sdk, has appeared
[root@localhost iscsi]# fdisk -l

Disk /dev/sdk: 524 MB, 524288000 bytes, 1024000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes
Disk label type: dos
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdk1               1  4294967295  2147483647+  ee  GPT
# try to create a file system
[root@localhost iscsi]# mkfs /dev/sdk1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=4096 blocks
4096 inodes, 16364 blocks
818 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=16777216
2 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
        8193

Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
# success: the device is readable and writable
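Both procedures above end with a configuration saved to /etc/target/saveconfig.json. As an added example (not code from the original page, targetcli or rtslib), here is an audit of that file for the points the text makes: demo mode and its read-only write protection, explicit ACLs taking precedence, missing mutual CHAP, and secrets shorter than the 12 bytes the RFCs require without IPsec. SAMPLE_SAVECONFIG is a constructed file mirroring what this page configures; the key names (fabric_modules/discovery_*, targets/tpgs/attributes, node_acls/chap_*, mapped_luns) follow the rtslib-fb save format as I know it and are an assumption to check against your own saveconfig.json before relying on the script. hardened_config() is likewise this example's own suggestion of the settings a reviewer would ask for.

```python
import json

# Added example, not from the original page or from targetcli/rtslib.
# Assumed saveconfig.json key names: verify against /etc/target/saveconfig.json.
# SAMPLE_SAVECONFIG is constructed to mirror the configuration built on this page.
SAMPLE_SAVECONFIG = """{
  "fabric_modules": [{"name": "iscsi", "discovery_enable_auth": true,
                      "discovery_userid": "disUser", "discovery_password": "dis123456",
                      "discovery_mutual_userid": "ClientDisUser", "discovery_mutual_password": "dis654321"}],
  "storage_objects": [],
  "targets": [{
    "fabric": "iscsi", "wwn": "iqn.2021-06.com.test.www:backstorage",
    "tpgs": [{
      "tag": 1, "enable": true,
      "attributes": {"authentication": 1, "generate_node_acls": 1,
                     "demo_mode_write_protect": 1, "cache_dynamic_acls": 0},
      "chap_userid": "tpguser1", "chap_password": "tgppasswd1",
      "chap_mutual_userid": "ClientTPGuser1", "chap_mutual_password": "ClientTPGPasswd1",
      "node_acls": [{"node_wwn": "iqn.2021-06.com.test.www:client",
                     "chap_userid": "acluser1", "chap_password": "aclpasswd1",
                     "mapped_luns": [{"index": 0, "tpg_lun": 0, "write_protect": false}]}],
      "luns": [{"index": 0, "storage_object": "/backstores/block/disk0"}],
      "portals": [{"ip_address": "192.168.2.46", "port": 3260}]
    }]
  }]
}"""

MIN_SECRET_BYTES = 12   # RFC 3720/RFC 7143: shorter CHAP secrets require IPsec on the wire


def weak_secret(secret) -> bool:
    """Unset, or shorter than 96 bits: cheap to recover from one captured CHAP exchange."""
    return not secret or len(secret.encode()) < MIN_SECRET_BYTES


def audit_saveconfig(config: dict) -> list:
    """Return (severity, location, message) findings for every iSCSI TPG and ACL."""
    findings = []
    for fm in config.get("fabric_modules", []):
        if fm.get("name") != "iscsi":
            continue
        if not fm.get("discovery_enable_auth"):
            findings.append(("medium", "/iscsi", "discovery CHAP disabled: any host can list targets"))
        elif weak_secret(fm.get("discovery_password")):
            findings.append(("medium", "/iscsi", "discovery CHAP secret shorter than 12 bytes"))
    for tgt in config.get("targets", []):
        if tgt.get("fabric") != "iscsi":
            continue
        for tpg in tgt.get("tpgs", []):
            loc = "/iscsi/%s/tpg%s" % (tgt["wwn"], tpg.get("tag"))
            attrs = tpg.get("attributes", {})
            auth_required = int(attrs.get("authentication", 1)) == 1
            if not auth_required:
                findings.append(("high", loc, "authentication=0: CHAP is not required at login"))
            if int(attrs.get("generate_node_acls", 0)) == 1:
                # Demo mode: any initiator IQN is accepted. demo_mode_write_protect (default 1)
                # is what makes the LUN read-only after TPG CHAP succeeds.
                wp = int(attrs.get("demo_mode_write_protect", 1)) == 1
                findings.append(("info" if wp else "high", loc,
                                 "demo mode (generate_node_acls=1): LUNs are %s for any IQN"
                                 % ("read-only" if wp else "READ-WRITE")))
                if auth_required and weak_secret(tpg.get("chap_password")):
                    findings.append(("high", loc, "TPG CHAP secret unset or shorter than 12 bytes"))
                if not tpg.get("chap_mutual_password"):
                    findings.append(("low", loc, "no mutual CHAP: initiator cannot verify the target"))
            for acl in tpg.get("node_acls", []):   # explicit ACLs take precedence over the TPG auth
                aloc = "%s/acls/%s" % (loc, acl["node_wwn"])
                if auth_required and weak_secret(acl.get("chap_password")):
                    findings.append(("high", aloc, "ACL CHAP secret unset or shorter than 12 bytes"))
                if not acl.get("chap_mutual_password"):
                    findings.append(("low", aloc, "no mutual CHAP on ACL"))
                for ml in acl.get("mapped_luns", []):
                    if not ml.get("write_protect", False):
                        findings.append(("info", aloc, "mapped LUN %s -> TPG LUN %s is read-write"
                                         % (ml.get("index"), ml.get("tpg_lun"))))
    return findings


def audit_json(text: str) -> list:
    return audit_saveconfig(json.loads(text))


def hardened_config() -> dict:
    """Same layout with explicit ACLs only, mutual CHAP on the ACL and 16-byte secrets (this example's suggestion)."""
    cfg = json.loads(SAMPLE_SAVECONFIG)
    tpg = cfg["targets"][0]["tpgs"][0]
    tpg["attributes"]["generate_node_acls"] = 0          # leave demo mode; only ACL'd IQNs may log in
    acl = tpg["node_acls"][0]
    acl["chap_password"] = "Acl-Secret-Of-16"
    acl["chap_mutual_userid"] = "ClientLUNuser1"
    acl["chap_mutual_password"] = "ClientLUNPasswd1"
    cfg["fabric_modules"][0]["discovery_password"] = "Disc-Secret-0f16"
    return cfg


def severities(findings) -> set:
    return {f[0] for f in findings}


if __name__ == "__main__":
    for sev, loc, msg in audit_json(SAMPLE_SAVECONFIG):
        print("[%s] %s: %s" % (sev.upper(), loc, msg))
```

Run against the page's configuration the audit reports the TPG and ACL secrets as too short, the discovery secret as too short, the missing mutual CHAP on the ACL, and the demo-mode/read-only state as informational; the hardened variant only reports the read-write mapped LUN, which is the intended outcome of the second procedure.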

