From 610783cb6e47ccf0c3cde94dcb03dff2ae22107c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 1 Dec 2022 04:08:07 -0500 Subject: [PATCH] block: deprecate iSCSI 'password' in favour of 'password-secret' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Support for referencing secret objects was added in commit b189346eb1784df95ed6fed610411dbf23d19e1f Author: Daniel P. Berrangé Date: Thu Jan 21 14:19:21 2016 +0000 iscsi: add support for getting CHAP password via QCryptoSecret API The existing 'password' option is overdue for deprecation and subsequent removal. Reviewed-by: Fabiano Rosas Signed-off-by: Daniel P. Berrangé --- block/iscsi.c | 3 +++ docs/about/deprecated.rst | 8 ++++++++ 2 files changed, 11 insertions(+) diff --git a/block/iscsi.c b/block/iscsi.c index b3e10f40b6..ed3e87a548 100644 --- a/block/iscsi.c +++ b/block/iscsi.c @@ -1353,6 +1353,9 @@ static void apply_chap(struct iscsi_context *iscsi, QemuOpts *opts, } else if (!password) { error_setg(errp, "CHAP username specified but no password was given"); return; + } else { + warn_report("iSCSI block driver 'password' option is deprecated, " + "use 'password-secret' instead"); } if (iscsi_set_initiator_username_pwd(iscsi, user, password)) { diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst index cb1ec72347..d31ffa86d4 100644 --- a/docs/about/deprecated.rst +++ b/docs/about/deprecated.rst @@ -301,6 +301,14 @@ The above, converted to the current supported format:: json:{"file.driver":"rbd", "file.pool":"rbd", "file.image":"name"} +``iscsi,password=xxx`` (since 8.0) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Specifying the iSCSI password in plain text on the command line using the +``password`` option is insecure. The ``password-secret`` option should be +used instead, to refer to a ``--object secret...`` instance that provides +a password via a file, or encrypted. + Backwards compatibility -----------------------