Enable CHAP security for HP 3PAR Cinder driver (iSCSI)
Problem statement:
The OpenStack HP 3PAR Cinder driver currently does not support the iSCSI CHAP security setting.
This opens a security vulnerability whereby any server or virtual machine can mount an HP 3PAR iSCSI volume that was created via OpenStack.
Proposed Solution:
The solution is a configurable parameter that enables or disables CHAP security when HP 3PAR iSCSI volumes are created through the OpenStack Cinder service. Based on the value of this property in the Cinder configuration file, the HP 3PAR driver would randomly generate a CHAP secret and set it as part of the “volume attach” request. This will ensure secure access to HP 3PAR iSCSI volumes in an OpenStack cloud environment.
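An added example of the proposed behaviour (not code from the blueprint or from the HP 3PAR driver): a flag gates CHAP, and a randomly generated secret is returned with the iSCSI connection info for a volume attach. The `chap_enabled` flag, the `ChapCredentialStore` class, the per-host scoping of secrets and the 16-character length are assumptions made for illustration.

```python
import secrets
import string

# Assumption: 16 characters, within the 12-16 range many iSCSI targets accept.
CHAP_SECRET_LEN = 16
_ALPHABET = string.ascii_letters + string.digits


def generate_chap_secret(length=CHAP_SECRET_LEN):
    """Return a random CHAP secret drawn from the OS CSPRNG."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


class ChapCredentialStore:
    """Hypothetical in-memory store; a real driver would persist these."""

    def __init__(self):
        self._by_host = {}

    def credentials_for(self, host_name):
        # Created on first attach and reused afterwards, so one host's
        # secret never grants access as another host.
        if host_name not in self._by_host:
            self._by_host[host_name] = (host_name, generate_chap_secret())
        return self._by_host[host_name]


def build_connection_info(store, host_name, target_iqn, target_portal,
                          chap_enabled):
    """Build the iSCSI connection info returned for a volume attach."""
    data = {
        "target_iqn": target_iqn,
        "target_portal": target_portal,
        "target_discovered": False,
    }
    if chap_enabled:  # hypothetical flag read from the Cinder configuration
        user, secret = store.credentials_for(host_name)
        data.update(auth_method="CHAP", auth_username=user,
                    auth_password=secret)
    return {"driver_volume_type": "iscsi", "data": data}


if __name__ == "__main__":
    store = ChapCredentialStore()
    # Constructed sample values (documentation IP range, made-up IQN).
    info = build_connection_info(store, "compute-1",
                                 "iqn.2000-05.com.example:target0",
                                 "192.0.2.10:3260", chap_enabled=True)
    print(info["data"]["auth_method"], info["data"]["auth_username"])
```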
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Vivekanandan B
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Sean McGinnis
Whiteboard
(smcginnis): Marking obsolete as this has been sitting out there for a long time. If this is still needed, please submit a new bp.
Adding a cinder.conf entry means that every host in the install uses the same credentials which is a security risk. We are working on a different version of CHAP for 3PAR that doesn't have this limitation.
https:/