Merge "Implement barbican memcache security strategy"
diff --git a/README.rst b/README.rst
index 0f4e655..33e32c7 100644
--- a/README.rst
+++ b/README.rst
@@ -412,6 +412,26 @@
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
+Barbican server with memcached caching and security strategy:
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ enabled: true
+ ...
+ cache:
+ engine: memcached
+ members:
+ - host: 127.0.0.1
+ port: 11211
+ - host: 127.0.0.1
+ port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
+
Documentation and Bugs
======================
diff --git a/barbican/files/pike/barbican.conf.Debian b/barbican/files/pike/barbican.conf.Debian
index b3d6f5b..6a9169b 100644
--- a/barbican/files/pike/barbican.conf.Debian
+++ b/barbican/files/pike/barbican.conf.Debian
@@ -511,6 +511,14 @@
{%- if server.cache is defined %}
memcached_servers = {%- for member in server.cache.members %}{{ member.host }}:{{ member.get('port', '11211') }}{% if not loop.last %},{% endif %}{%- endfor %}
+ {%- if server.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ server.cache.security.get('strategy', 'ENCRYPT') }}
+ {%- if server.cache.security.secret_key is not defined or not server.cache.security.secret_key %}
+ {%- do salt.test.exception('barbican.server.cache.security.secret_key is not defined: Please add secret_key') %}
+ {%- else %}
+memcache_secret_key = {{ server.cache.security.secret_key }}
+ {%- endif %}
+ {%- endif %}
{%- else %}
token_cache_time = -1
{%- endif %}
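Review bot: The value emitted on the `memcache_security_strategy = ...` line is copied from pillar without validation, so a misspelled or lowercase strategy only surfaces when keystonemiddleware rejects the option at service start, whereas the new `secret_key` branch already fails the state run early with `salt.test.exception`. Normalising the value with `|upper` and checking it against the two strategies keystonemiddleware accepts (`MAC`, `ENCRYPT`) before the line is rendered gives both settings the same early, explicit failure. Separately, `memcache_secret_key` lands in the rendered file in plaintext, so the mode of the managed `barbican.conf` (not visible in this hunk) is presumably what keeps it from other local users — worth confirming it is not world-readable. The enclosing `{%- if server.cache is defined %}` block is fully inside the hunk.

```jinja
  {%- if server.cache.get('security', {}).get('enabled', False) %}
  {%- set strategy = server.cache.security.get('strategy', 'ENCRYPT')|upper %}
  {%- if strategy not in ['MAC', 'ENCRYPT'] %}
  {%- do salt.test.exception('barbican.server.cache.security.strategy must be MAC or ENCRYPT') %}
  {%- endif %}
memcache_security_strategy = {{ strategy }}
{# … unchanged: secret_key check and memcache_secret_key line … #}
```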
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index ea8494e..45af5ad 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -85,6 +85,10 @@
port: 11211
- host: 10.10.10.12
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
logging:
log_appender: false
log_handlers: