diff --git a/cinder/tests/unit/volume/drivers/test_pure.py b/cinder/tests/unit/volume/drivers/test_pure.py index 06d0cc818a2..c8abb04bbd5 100644 --- a/cinder/tests/unit/volume/drivers/test_pure.py +++ b/cinder/tests/unit/volume/drivers/test_pure.py @@ -76,6 +76,7 @@ ISCSI_PORT_NAMES = ["ct0.eth2", "ct0.eth3", "ct1.eth2", "ct1.eth3"] FC_PORT_NAMES = ["ct0.fc2", "ct0.fc3", "ct1.fc2", "ct1.fc3"] ISCSI_IPS = ["10.0.0." + str(i + 1) for i in range(len(ISCSI_PORT_NAMES))] AC_ISCSI_IPS = ["10.1.1." + str(i + 1) for i in range(len(ISCSI_PORT_NAMES))] +ISCSI_CIDR = "0.0.0.0/0" FC_WWNS = ["21000024ff59fe9" + str(i + 1) for i in range(len(FC_PORT_NAMES))] AC_FC_WWNS = [ "21000024ff59fab" + str(i + 1) for i in range(len(FC_PORT_NAMES))] @@ -489,6 +490,7 @@ class PureDriverTestCase(test.TestCase): self.mock_config.pure_eradicate_on_delete = False self.mock_config.driver_ssl_cert_verify = False self.mock_config.driver_ssl_cert_path = None + self.mock_config.pure_iscsi_cidr = ISCSI_CIDR self.array = mock.Mock() self.array.get.return_value = GET_ARRAY_PRIMARY self.array.array_name = GET_ARRAY_PRIMARY["array_name"] diff --git a/cinder/volume/drivers/pure.py b/cinder/volume/drivers/pure.py index aa06ef043fa..3941d70649f 100644 --- a/cinder/volume/drivers/pure.py +++ b/cinder/volume/drivers/pure.py @@ -19,6 +19,7 @@ This driver requires Purity version 4.0.0 or later. """ import functools +import ipaddress import math import platform import re @@ -83,6 +84,10 @@ PURE_OPTS = [ cfg.StrOpt("pure_replication_pod_name", default="cinder-pod", help="Pure Pod name to use for sync replication " "(will be created if it does not exist)."), + cfg.StrOpt("pure_iscsi_cidr", default="0.0.0.0/0", + help="CIDR of FlashArray iSCSI targets hosts are allowed to " + "connect to. Default will allow connection to any " + "IP address."), cfg.BoolOpt("pure_eradicate_on_delete", default=False, help="When enabled, all Pure volumes, snapshots, and " @@ -2323,7 +2328,7 @@ class PureISCSIDriver(PureBaseVolumeDriver, san.SanISCSIDriver): the underlying storage connectivity with the FlashArray. """ - VERSION = "8.0.0" + VERSION = "9.0.0" def __init__(self, *args, **kwargs): execute = kwargs.pop("execute", utils.execute) @@ -2391,6 +2396,7 @@ class PureISCSIDriver(PureBaseVolumeDriver, san.SanISCSIDriver): target_luns = [] target_iqns = [] target_portals = [] + valid_portals = [] # Aggregate all targets together, we may end up with different LUNs # for different target iqn/portal sets (ie. it could be a unique LUN @@ -2402,11 +2408,29 @@ class PureISCSIDriver(PureBaseVolumeDriver, san.SanISCSIDriver): target_iqns.append(port["iqn"]) target_portals.append(port["portal"]) + # Check to ensure all returned portal IP addresses + # are in iSCSI target CIDR + if not isinstance(self.configuration.pure_iscsi_cidr, six.text_type): + cidr = self.configuration.pure_iscsi_cidr.decode('utf8') + else: + cidr = self.configuration.pure_iscsi_cidr + check_cidr = ipaddress.IPv4Network(cidr) + for target_portal in target_portals: + if not isinstance(target_portal.split(":")[0], six.text_type): + portal = (target_portal.split(":")[0]).decode('utf8') + else: + portal = target_portal.split(":")[0] + check_ip = ipaddress.IPv4Address(portal) + if check_ip in check_cidr: + valid_portals.append(target_portal) + LOG.info("iSCSI target portals that match CIDR range: '%s'", + valid_portals) + # If we have multiple ports always report them. - if target_luns and target_iqns and target_portals: + if target_luns and target_iqns and valid_portals: props["data"]["target_luns"] = target_luns props["data"]["target_iqns"] = target_iqns - props["data"]["target_portals"] = target_portals + props["data"]["target_portals"] = valid_portals return props diff --git a/releasenotes/notes/pure-iscsi-cidr-cbc1afb3850a9217.yaml b/releasenotes/notes/pure-iscsi-cidr-cbc1afb3850a9217.yaml new file mode 100644 index 00000000000..e784d9dd1a2 --- /dev/null +++ b/releasenotes/notes/pure-iscsi-cidr-cbc1afb3850a9217.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Pure Storage FlashArray driver has added configuration option + ``pure_iscsi_cidr`` for setting a network CIDR for iSCSI target + connection. The default value will allow connections to all + iSCSI targets.