block: deprecate iSCSI 'password' in favour of 'password-secret'

Support for referencing secret objects was added in

  commit b189346eb1
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Thu Jan 21 14:19:21 2016 +0000

    iscsi: add support for getting CHAP password via QCryptoSecret API

The existing 'password' option is overdue for deprecation and
subsequent removal.

Reviewed-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Daniel P. Berrangé 2022-12-01 04:08:07 -05:00
parent c3b3a6c956
commit 610783cb6e
2 changed files with 11 additions and 0 deletions


@ -1353,6 +1353,9 @@ static void apply_chap(struct iscsi_context *iscsi, QemuOpts *opts,
} else if (!password) {
error_setg(errp, "CHAP username specified but no password was given");
return;
} else {
warn_report("iSCSI block driver 'password' option is deprecated, "
"use 'password-secret' instead");
}
if (iscsi_set_initiator_username_pwd(iscsi, user, password)) {
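
Review bot: the warn_report() call in the new else branch fires every time apply_chap() reaches it, so a guest configured with several iSCSI drives that use 'password', or any path that runs apply_chap() again, repeats the same deprecation line. Since the message is about the option and not about a particular device, consider warn_report_once() here. The warning text could also say that 'password-secret' takes the ID of a secret object, so a user who sees only the log line knows what to pass.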


@ -301,6 +301,14 @@ The above, converted to the current supported format::
json:{"file.driver":"rbd", "file.pool":"rbd", "file.image":"name"}
``iscsi,password=xxx`` (since 8.0)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Specifying the iSCSI password in plain text on the command line using the
``password`` option is insecure. The ``password-secret`` option should be
used instead, to refer to a ``--object secret...`` instance that provides
a password via a file, or encrypted.
Backwards compatibility
-----------------------
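
Review bot: the new ``iscsi,password=xxx`` entry says what to stop using but gives no example of the replacement, unlike the entry just above it, which ends with a converted json: form. Suggest adding a short converted example that shows a secret object and ``password-secret`` referring to its id. The closing phrase "via a file, or encrypted" is also hard to parse; "that provides the password from a file or in encrypted form" would read more clearly.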