Managing CHAP users

The Challenge-Handshake Authentication Protocol (CHAP) provides a way to restrict access to targets and their LUNs by requiring a user name and a password from the initiator. CHAP accounts apply to entire target groups.

Limitations

  • You can only delete CHAP users that do not apply to any target group.

To enable CHAP authentication for a target group

Admin panel

  1. Open Storage services > Block storage > Target groups, and then click the desired target group in the list (anywhere except the group’s name).
  2. On the group’s right pane, open the Access control tab, and then click the pencil icon.

  3. In the Access control window, select CHAP, and then click Create user.

  4. In the Create CHAP user window, enter a user name and a password (12 to 16 characters long), and then click Create.

  5. Back on the Access control screen, select the desired CHAP user, and then click Save.

Command-line interface

  1. Create a CHAP user:

    vinfra service block-storage user create [--description <description>] <name>
    --description <description>
    User description. A description should not contain any personally identifiable information or sensitive business data.

    <name>
    User name

    For example, to create the CHAP user user1 with the description A new user, run:

    # vinfra service block-storage user create user1 --description "A new user"

    Specify the user password when prompted. The password must be 12-16 characters long.

  2. Enable CHAP authentication for the target group and the created CHAP user:

    vinfra service block-storage target-group set --enable-chap --chap-user <user-name> <target-group>
    --enable-chap
    Enable CHAP authentication
    --chap-user <user-name>
    CHAP user name
    <target-group>
    Target group name or ID

    For example, to enable CHAP authentication for the target group tg1 and the CHAP user user1, run:

    # vinfra service block-storage target-group set --enable-chap --chap-user user1 tg1

To change the password of a CHAP user

Admin panel

  1. Open Storage services > Block storage > CHAP users, click a user to open details, and then click the pencil icon.
  2. In the Edit CHAP user window, specify a new password, and then click Apply.

Command-line interface

Use the following command:

vinfra service block-storage user set [--description <description>] [--password] <user>
--description <description>
User description. A description should not contain any personally identifiable information or sensitive business data.

--password
Change the user password
<user>
User name

For example, to change the password of the CHAP user user1, run:

# vinfra service block-storage user set user1 --password

When prompted, enter a new password, which will replace the old one. The password must be 12-16 characters long.
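Both the user create and the user set --password prompts accept only passwords of 12 to 16 characters. The following shell helpers are an added example, not part of the product or its documentation: they generate a random secret of a compliant length and check a candidate's length before you enter it at the prompt. The function names and the alphanumeric-only character set are assumptions; the page itself states only the length limits.

```shell
#!/bin/sh
# Added example: helpers for the 12-16 character CHAP password rule.
# Assumption: alphanumeric-only secrets (the page states only the length).

CHAP_MIN=12
CHAP_MAX=16

# Succeeds only if the secret's length is within the documented range.
chap_secret_ok() {
    len=${#1}
    [ "$len" -ge "$CHAP_MIN" ] && [ "$len" -le "$CHAP_MAX" ]
}

# Prints a random secret of the requested length (default: the maximum).
gen_chap_secret() {
    want=${1:-$CHAP_MAX}
    if [ "$want" -lt "$CHAP_MIN" ] || [ "$want" -gt "$CHAP_MAX" ]; then
        echo "length must be $CHAP_MIN-$CHAP_MAX characters" >&2
        return 1
    fi
    # Read a bounded amount from the kernel CSPRNG, keep only the assumed
    # character set, and truncate to the requested length.
    s=$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$want")
    # Fail rather than print a short secret if too few bytes survived the filter.
    [ "${#s}" -eq "$want" ] || return 1
    printf '%s\n' "$s"
}
```

Run gen_chap_secret, store the result in your password manager, and then enter it when vinfra prompts for the password.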

To disable CHAP authentication for a target group

Admin panel

  1. On the target group’s right pane, open the Access control tab, and then click the pencil icon in the CHAP authentication section.
  2. In the Access control window, clear CHAP, and then click Save.

Command-line interface

Use the following command:

vinfra service block-storage target-group set --disable-chap <target-group>
--disable-chap
Disable CHAP authentication
<target-group>
Target group name or ID

For example, to disable CHAP authentication for the target group tg1, run:

# vinfra service block-storage target-group set --disable-chap tg1

To delete a CHAP user

Admin panel

  1. Open Storage services > Block storage > CHAP users.
  2. Click the ellipsis icon of the user, and then click Delete.

Command-line interface

Use the following command:

vinfra service block-storage user delete <user>
<user>
User name

For example, to delete the CHAP user user1, run:

# vinfra service block-storage user delete user1