Managing CHAP users
The Challenge-Handshake Authentication Protocol (CHAP) provides a way to restrict access to targets and their LUNs by requiring a user name and a password from the initiator. CHAP accounts apply to entire target groups.
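How the initiator and the target use a CHAP user name and password during login, shown as an added example that is not part of the original documentation or the product's code. It assumes the MD5 form of CHAP from RFC 1994; the function names, the account, and the passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Length limits for CHAP passwords as stated on this page.
MIN_LEN, MAX_LEN = 12, 16


def check_secret(secret: str) -> bytes:
    """Enforce the 12-16 character limit and return the secret as bytes."""
    if not MIN_LEN <= len(secret) <= MAX_LEN:
        raise ValueError(f"CHAP password must be {MIN_LEN}-{MAX_LEN} characters")
    return secret.encode("ascii")


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over the identifier octet, secret, and challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def target_verify(users: dict, name: str, identifier: int,
                  challenge: bytes, response: bytes) -> bool:
    """Target side: recompute the response from the stored secret and compare."""
    secret = users.get(name)
    if secret is None:
        return False  # unknown CHAP user
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    # Constructed sample account; not a real credential.
    users = {"user1": check_secret("Example-Pass-01")}
    # The target sends a fresh identifier and random challenge for each login.
    identifier, challenge = 1, os.urandom(16)
    # The initiator answers with a hash; the password itself is never sent.
    good = chap_response(identifier, users["user1"], challenge)
    bad = chap_response(identifier, check_secret("Wrong-Pass-0001"), challenge)
    return (target_verify(users, "user1", identifier, challenge, good),
            target_verify(users, "user1", identifier, challenge, bad),
            target_verify(users, "nobody", identifier, challenge, good))


if __name__ == "__main__":
    print(demo())
```

Because the response depends on a challenge the target picks at random, a captured response cannot be replayed against a later challenge.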
Limitations
- You can only delete CHAP users that do not apply to any target group.
To enable CHAP authentication for a target group
Admin panel
- Open Storage services > Block storage > Target groups, and then click the desired target group in the list (anywhere except the group’s name).
- On the group right pane, open the Access control tab, and then click the pencil icon.
- In the Access control window, select CHAP, and then click Create user.
- In the Create CHAP user window, enter a user name and a password (12 to 16 characters long), and then click Create.
- Back on the Access control screen, select the desired CHAP user, and then click Save.
Command-line interface
- Create a CHAP user:
  vinfra service block-storage user create [--description <description>] <name>
  --description <description>
  - User description
    A description should not contain any personally identifiable information or sensitive business data.
  <name>
  - User name
  For example, to create the CHAP user user1 with the description A new user, run:
  # vinfra service block-storage user create user1 --description "A new user"
  Specify the user password when prompted. The password must be 12-16 characters long.
- Enable CHAP authentication for the target group and the created CHAP user:
  vinfra service block-storage target-group set --enable-chap --chap-user <user-name> <target-group>
  --enable-chap
  - Enable CHAP authentication
  --chap-user <user-name>
  - CHAP user name
  <target-group>
  - Target group name or ID
  For example, to enable CHAP authentication for the target group tg1 and the CHAP user user1, run:
  # vinfra service block-storage target-group set --enable-chap --chap-user user1 tg1
To change the password of a CHAP user
Admin panel
- Open Storage services > Block storage > CHAP users, click a user to open details, and then click the pencil icon.
- In the Edit CHAP user window, specify a new password, and then click Apply.
Command-line interface
Use the following command:
vinfra service block-storage user set [--description <description>] [--password] <user>
--description <description>
- User description
  A description should not contain any personally identifiable information or sensitive business data.
--password
- Change the user password
<user>
- User name
For example, to change the password of the CHAP user user1, run:
# vinfra service block-storage user set user1 --password
When prompted, enter a new password, which will replace the old one. The password must be 12-16 characters long.
To disable CHAP authentication for a target group
Admin panel
Command-line interface
Use the following command:
vinfra service block-storage target-group set --disable-chap <target-group>
--disable-chap
- Disable CHAP authentication
<target-group>
- Target group name or ID
For example, to disable CHAP authentication for the target group tg1, run:
# vinfra service block-storage target-group set --disable-chap tg1
To delete a CHAP user
Admin panel
- Open Storage services > Block storage > CHAP users.
- Click the ellipsis icon of the user, and then click Delete.
Command-line interface
Use the following command:
vinfra service block-storage user delete <user>
<user>
- User name
For example, to delete the CHAP user user1, run:
# vinfra service block-storage user delete user1