[2/3] block: deprecate iSCSI 'password' in favour of 'password-secret'

Message ID 20221201101959.419545-3-berrange@redhat.com
State New
Series More work on deprecation/removal of clear text passwords

Commit Message

Daniel P. Berrangé Dec. 1, 2022, 10:19 a.m. UTC

Support for referencing secret objects was added in

  commit b189346eb1784df95ed6fed610411dbf23d19e1f
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Thu Jan 21 14:19:21 2016 +0000

    iscsi: add support for getting CHAP password via QCryptoSecret API

The existing 'password' option is overdue for deprecation and
subsequent removal.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 block/iscsi.c             |  3 +++
 docs/about/deprecated.rst | 11 +++++++++++
 2 files changed, 14 insertions(+)

Comments

Markus Armbruster Dec. 1, 2022, 12:24 p.m. UTC | #1
Daniel P. Berrangé <berrange@redhat.com> writes:

> Support for referencing secret objects was added in
>
>   commit b189346eb1784df95ed6fed610411dbf23d19e1f
>   Author: Daniel P. Berrangé <berrange@redhat.com>
>   Date:   Thu Jan 21 14:19:21 2016 +0000
>
>     iscsi: add support for getting CHAP password via QCryptoSecret API
>
> The existing 'password' option is overdue for deprecation and
> subsequent removal.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  block/iscsi.c             |  3 +++
>  docs/about/deprecated.rst | 11 +++++++++++
>  2 files changed, 14 insertions(+)
>
> diff --git a/block/iscsi.c b/block/iscsi.c
> index a316d46d96..58c0623052 100644
> --- a/block/iscsi.c
> +++ b/block/iscsi.c
> @@ -1352,6 +1352,9 @@ static void apply_chap(struct iscsi_context *iscsi, QemuOpts *opts,
>      } else if (!password) {
>          error_setg(errp, "CHAP username specified but no password was given");
>          return;
> +    } else {
> +        warn_report("iSCSI block driver 'password' option is deprecated, "
> +                    "use 'password-secret' instead");
>      }
>  
>      if (iscsi_set_initiator_username_pwd(iscsi, user, password)) {
> diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
> index 93affe3669..2cc8924fe9 100644
> --- a/docs/about/deprecated.rst
> +++ b/docs/about/deprecated.rst
> @@ -267,6 +267,17 @@ Options are:
>      - move backing file to NVDIMM storage and keep ``pmem=on``
>        (to have NVDIMM with persistence guaranties).
>  
> +Block driver options
> +--------------------

I'm not sure about this headline.  For what it's worth, -help shows
-iscsi under "Block device options".

> +
> +``iscsi,password=xxx`` (since 8.0)
> +''''''''''''''''''''''''''''''''''
> +
> +Specifying the iSCSI password in plain text on the command line using the
> +``password`` option is insecure. The ``password-secret`` option should be
> +used instead, to refer to a ``--object secret...`` instance that provides
> +a password via a file, or encrypted.
> +
>  Device options
>  --------------
Patch

diff --git a/block/iscsi.c b/block/iscsi.c
index a316d46d96..58c0623052 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -1352,6 +1352,9 @@  static void apply_chap(struct iscsi_context *iscsi, QemuOpts *opts,
     } else if (!password) {
         error_setg(errp, "CHAP username specified but no password was given");
         return;
+    } else {
+        warn_report("iSCSI block driver 'password' option is deprecated, "
+                    "use 'password-secret' instead");
     }
 
     if (iscsi_set_initiator_username_pwd(iscsi, user, password)) {
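Review bot: the deprecation warning is only emitted on the path where a CHAP username was also supplied (the preceding branch reports "CHAP username specified but no password was given", so this `else` is reached with both set); a `password=` value passed without a username would neither be used nor be flagged as deprecated, so a user could keep a plaintext password in their command line and never see the warning. Consider warning as soon as the `password` option is present in `opts`, before the username check, so that every occurrence of the deprecated option is reported ahead of its removal.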
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index 93affe3669..2cc8924fe9 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -267,6 +267,17 @@  Options are:
     - move backing file to NVDIMM storage and keep ``pmem=on``
       (to have NVDIMM with persistence guaranties).
 
+Block driver options
+--------------------
+
+``iscsi,password=xxx`` (since 8.0)
+''''''''''''''''''''''''''''''''''
+
+Specifying the iSCSI password in plain text on the command line using the
+``password`` option is insecure. The ``password-secret`` option should be
+used instead, to refer to a ``--object secret...`` instance that provides
+a password via a file, or encrypted.
+
 Device options
 --------------
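Review bot: the new deprecation entry states that the plaintext option is insecure but does not say why, nor show the replacement; readers of deprecated.rst are more likely to migrate if the entry names the exposure (the value is visible in the process list, e.g. via `ps`, and in anything that logs the command line) and gives the equivalent invocation, for example `-object secret,id=sec0,file=/path/to/password` together with `password-secret=sec0` on the iSCSI drive. Also, `--object secret...` reads oddly as an option reference; spelling out that the secret object can be loaded from a file or supplied in encrypted form, as the sentence already hints, would make the paragraph self-contained. The "Block driver options" headline Markus raised still applies here; matching the "Block device options" wording of `-help` would keep the two consistent.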