diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in
index 50c9533648..3e306b5566 100644
--- a/docs/formatsecret.html.in
+++ b/docs/formatsecret.html.in
@@ -64,8 +64,9 @@
       a single <code>name</code> element that specifies a usage name
       for the secret.  The Ceph secret can then be used by UUID or by
       this usage name via the <code>&lt;auth&gt;</code> element of
-      a <a href="formatdomain.html#elementsDisks">disk
-      device</a>. <span class="since">Since 0.9.7</span>.
+      a <a href="formatdomain.html#elementsDisks">disk device</a> or
+      a <a href="formatstorage.html">storage pool (rbd)</a>.
+      <span class="since">Since 0.9.7</span>.
     </p>
 
     <h3>Usage type "iscsi"</h3>
@@ -76,8 +77,9 @@
       a single <code>target</code> element that specifies a usage name
       for the secret.  The iSCSI secret can then be used by UUID or by
       this usage name via the <code>&lt;auth&gt;</code> element of
-      a <a href="formatdomain.html#elementsDisks">disk
-      device</a>. <span class="since">Since 1.0.4</span>.
+      a <a href="formatdomain.html#elementsDisks">disk device</a> or
+      a <a href="formatstorage.html">storage pool (iscsi)</a>.
+      <span class="since">Since 1.0.4</span>.
     </p>
 
     <h2><a name="example">Example</a></h2>
diff --git a/docs/formatstorage.html.in b/docs/formatstorage.html.in
index d702eb17d1..f4d561fcf0 100644
--- a/docs/formatstorage.html.in
+++ b/docs/formatstorage.html.in
@@ -72,6 +72,9 @@
         &lt;source&gt;
           &lt;host name="iscsi.example.com"/&gt;
           &lt;device path="demo-target"/&gt;
+          &lt;auth type='chap' username='myname'&gt;
+            &lt;secret type='iscsi' usage='mycluster_myname'/&gt;
+          &lt;/auth&gt;
           &lt;vendor name="Acme"/&gt;
           &lt;product name="model"/&gt;
         &lt;/source&gt;
@@ -79,7 +82,6 @@
 
     <pre>
         ...
-        &lt;source&gt;
         &lt;source&gt;
           &lt;adapter type='fc_host' parent='scsi_host5' wwnn='20000000c9831b4b' wwpn='10000000c9831b4b'/&gt;
         &lt;/source&gt;
@@ -123,6 +125,27 @@
         which is the hostname or IP address of the server. May optionally
         contain a <code>port</code> attribute for the protocol specific
         port number. <span class="since">Since 0.4.1</span></dd>
+      <dt><code>auth</code></dt>
+      <dd>If present, the <code>auth</code> element provides the
+        authentication credentials needed to access the source by the
+        setting of the <code>type</code> attribute. The <code>type</code>
+        must be either "chap" or "ceph". Additionally a mandatory attribute
+        <code>username</code> identifies the username to use during
+        authentication as well as a sub-element <code>secret</code> with
+        a mandatory attribute <code>type</code>, to tie back to a
+        <a href="formatsecret.html">libvirt secret object</a> that
+        holds the actual password or other credentials. The domain XML
+        intentionally does not expose the password, only the reference
+        to the object that manages the password. The secret element
+        <code>type</code> must be either "ceph" or "iscsi". Use "ceph" for
+        Ceph RBD (Rados Block Device) network sources and use "iscsi" for CHAP
+        (Challenge-Handshake Authentication Protocol) iSCSI targets.
+        The <code>secret</code> element requires either a <code>uuid</code>
+        attribute with the UUID of the secret object or a <code>usage</code>
+        attribute matching the key that was specified in the
+        secret object.  <span class="since">Since 0.9.7 for "ceph" and
+        1.1.1 for "chap"</span>
+      </dd>
       <dt><code>name</code></dt>
       <dd>Provides the source for pools backed by storage from a
         named element (e.g., a logical volume group name).
diff --git a/docs/schemas/storagepool.rng b/docs/schemas/storagepool.rng
index 3c2158a18f..6da3c11ac1 100644
--- a/docs/schemas/storagepool.rng
+++ b/docs/schemas/storagepool.rng
@@ -286,22 +286,10 @@
           <value>ceph</value>
         </choice>
       </attribute>
-      <choice>
-        <attribute name='login'>
-          <text/>
-        </attribute>
-        <attribute name='username'>
-          <text/>
-        </attribute>
-      </choice>
-      <optional>
-        <attribute name='passwd'>
-          <text/>
-        </attribute>
-      </optional>
-      <optional>
-        <ref name='sourceinfoauthsecret'/>
-      </optional>
+      <attribute name='username'>
+        <text/>
+      </attribute>
+      <ref name='sourceinfoauthsecret'/>
     </element>
   </define>
 
diff --git a/src/conf/storage_conf.c b/src/conf/storage_conf.c
index 1097de8c11..404545a453 100644
--- a/src/conf/storage_conf.c
+++ b/src/conf/storage_conf.c
@@ -365,8 +365,8 @@ virStoragePoolSourceClear(virStoragePoolSourcePtr source)
     VIR_FREE(source->product);
 
     if (source->authType == VIR_STORAGE_POOL_AUTH_CHAP) {
-        VIR_FREE(source->auth.chap.login);
-        VIR_FREE(source->auth.chap.passwd);
+        VIR_FREE(source->auth.chap.username);
+        VIR_FREE(source->auth.chap.secret.usage);
     }
 
     if (source->authType == VIR_STORAGE_POOL_AUTH_CEPHX) {
@@ -461,21 +461,44 @@ static int
 virStoragePoolDefParseAuthChap(xmlXPathContextPtr ctxt,
                                virStoragePoolAuthChapPtr auth)
 {
-    auth->login = virXPathString("string(./auth/@login)", ctxt);
-    if (auth->login == NULL) {
+    char *uuid = NULL;
+    int ret = -1;
+
+    auth->username = virXPathString("string(./auth/@username)", ctxt);
+    if (auth->username == NULL) {
         virReportError(VIR_ERR_XML_ERROR, "%s",
-                       _("missing auth login attribute"));
+                       _("missing auth username attribute"));
         return -1;
     }
 
-    auth->passwd = virXPathString("string(./auth/@passwd)", ctxt);
-    if (auth->passwd == NULL) {
+    uuid = virXPathString("string(./auth/secret/@uuid)", ctxt);
+    auth->secret.usage = virXPathString("string(./auth/secret/@usage)", ctxt);
+    if (uuid == NULL && auth->secret.usage == NULL) {
         virReportError(VIR_ERR_XML_ERROR, "%s",
-                       _("missing auth passwd attribute"));
+                       _("missing auth secret uuid or usage attribute"));
         return -1;
     }
 
-    return 0;
+    if (uuid != NULL) {
+        if (auth->secret.usage != NULL) {
+            virReportError(VIR_ERR_XML_ERROR, "%s",
+                           _("either auth secret uuid or usage expected"));
+            goto cleanup;
+        }
+        if (virUUIDParse(uuid, auth->secret.uuid) < 0) {
+            virReportError(VIR_ERR_XML_ERROR, "%s",
+                           _("invalid auth secret uuid"));
+            goto cleanup;
+        }
+        auth->secret.uuidUsable = true;
+    } else {
+        auth->secret.uuidUsable = false;
+    }
+
+    ret = 0;
+cleanup:
+    VIR_FREE(uuid);
+    return ret;
 }
 
 static int
@@ -1134,16 +1157,13 @@ virStoragePoolSourceFormat(virBufferPtr buf,
         virBufferAsprintf(buf,"    <format type='%s'/>\n", format);
     }
 
-    if (src->authType == VIR_STORAGE_POOL_AUTH_CHAP)
-        virBufferAsprintf(buf,"    <auth type='%s' login='%s' passwd='%s'/>\n",
+    if (src->authType == VIR_STORAGE_POOL_AUTH_CHAP ||
+        src->authType == VIR_STORAGE_POOL_AUTH_CEPHX) {
+        virBufferAsprintf(buf,"    <auth type='%s' username='%s'>\n",
                           virStoragePoolAuthTypeTypeToString(src->authType),
-                          src->auth.chap.login,
-                          src->auth.chap.passwd);
-
-    if (src->authType == VIR_STORAGE_POOL_AUTH_CEPHX) {
-        virBufferAsprintf(buf,"    <auth username='%s' type='%s'>\n",
-                          src->auth.cephx.username,
-                          virStoragePoolAuthTypeTypeToString(src->authType));
+                          (src->authType == VIR_STORAGE_POOL_AUTH_CHAP ?
+                           src->auth.chap.username :
+                           src->auth.cephx.username));
 
         virBufferAddLit(buf,"      <secret");
         if (src->auth.cephx.secret.uuidUsable) {
diff --git a/src/conf/storage_conf.h b/src/conf/storage_conf.h
index 5fbecf4874..fd9b2e7627 100644
--- a/src/conf/storage_conf.h
+++ b/src/conf/storage_conf.h
@@ -162,8 +162,8 @@ struct _virStoragePoolAuthSecret {
 typedef struct _virStoragePoolAuthChap virStoragePoolAuthChap;
 typedef virStoragePoolAuthChap *virStoragePoolAuthChapPtr;
 struct _virStoragePoolAuthChap {
-    char *login;
-    char *passwd;
+    char *username;
+    virStoragePoolAuthSecret secret;
 };
 
 typedef struct _virStoragePoolAuthCephx virStoragePoolAuthCephx;
diff --git a/tests/storagepoolxml2xmlin/pool-iscsi-auth.xml b/tests/storagepoolxml2xmlin/pool-iscsi-auth.xml
index f7d4d52aa4..c81eb6094b 100644
--- a/tests/storagepoolxml2xmlin/pool-iscsi-auth.xml
+++ b/tests/storagepoolxml2xmlin/pool-iscsi-auth.xml
@@ -4,7 +4,9 @@
   <source>
     <host name="iscsi.example.com"/>
     <device path="demo-target"/>
-    <auth type='chap' login='foobar' passwd='frobbar'/>
+    <auth type='chap' username='admin'>
+      <secret uuid='2ec115d7-3a88-3ceb-bc12-0ac909a6fd87'/>
+    </auth>
   </source>
   <target>
     <path>/dev/disk/by-path</path>
diff --git a/tests/storagepoolxml2xmlin/pool-iscsi-vendor-product.xml b/tests/storagepoolxml2xmlin/pool-iscsi-vendor-product.xml
index 01fbd9b7ce..821feb1c66 100644
--- a/tests/storagepoolxml2xmlin/pool-iscsi-vendor-product.xml
+++ b/tests/storagepoolxml2xmlin/pool-iscsi-vendor-product.xml
@@ -4,7 +4,9 @@
   <source>
     <host name="iscsi.example.com"/>
     <device path="demo-target"/>
-    <auth type='chap' login='foobar' passwd='frobbar'/>
+    <auth type='chap' username='admin'>
+      <secret uuid='2ec115d7-3a88-3ceb-bc12-0ac909a6fd87'/>
+    </auth>
     <vendor name='test-vendor'/>
     <product name='test-product'/>
   </source>
diff --git a/tests/storagepoolxml2xmlout/pool-iscsi-auth.xml b/tests/storagepoolxml2xmlout/pool-iscsi-auth.xml
index 4fa8f6493a..3d84c1c102 100644
--- a/tests/storagepoolxml2xmlout/pool-iscsi-auth.xml
+++ b/tests/storagepoolxml2xmlout/pool-iscsi-auth.xml
@@ -7,7 +7,9 @@
   <source>
     <host name='iscsi.example.com'/>
     <device path='demo-target'/>
-    <auth type='chap' login='foobar' passwd='frobbar'/>
+    <auth type='chap' username='admin'>
+      <secret uuid='2ec115d7-3a88-3ceb-bc12-0ac909a6fd87'/>
+    </auth>
   </source>
   <target>
     <path>/dev/disk/by-path</path>
diff --git a/tests/storagepoolxml2xmlout/pool-iscsi-vendor-product.xml b/tests/storagepoolxml2xmlout/pool-iscsi-vendor-product.xml
index 6ae1c393d6..4fb19bb708 100644
--- a/tests/storagepoolxml2xmlout/pool-iscsi-vendor-product.xml
+++ b/tests/storagepoolxml2xmlout/pool-iscsi-vendor-product.xml
@@ -7,7 +7,9 @@
   <source>
     <host name='iscsi.example.com'/>
     <device path='demo-target'/>
-    <auth type='chap' login='foobar' passwd='frobbar'/>
+    <auth type='chap' username='admin'>
+      <secret uuid='2ec115d7-3a88-3ceb-bc12-0ac909a6fd87'/>
+    </auth>
     <vendor name='test-vendor'/>
     <product name='test-product'/>
   </source>
diff --git a/tests/storagepoolxml2xmlout/pool-rbd.xml b/tests/storagepoolxml2xmlout/pool-rbd.xml
index 309a6d9076..4fe2fce767 100644
--- a/tests/storagepoolxml2xmlout/pool-rbd.xml
+++ b/tests/storagepoolxml2xmlout/pool-rbd.xml
@@ -8,7 +8,7 @@
     <name>rbd</name>
     <host name='localhost' port='6789'/>
     <host name='localhost' port='6790'/>
-    <auth username='admin' type='ceph'>
+    <auth type='ceph' username='admin'>
       <secret uuid='2ec115d7-3a88-3ceb-bc12-0ac909a6fd87'/>
     </auth>
   </source>