Implement cinder memcache security strategy
Provides an option to authenticate and optionally encrypt the token
data stored in the cache:
memcache_security_strategy = MAC/ENCRYPT
memcache_secret_key = secret_key
Change-Id: I06dc593e930992291147614d111aa8c34d9f7ee5
Related-Prod: PROD-22099
diff --git a/README.rst b/README.rst
index 3a081dc..2713758 100644
--- a/README.rst
+++ b/README.rst
@@ -796,6 +796,46 @@
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
+Cinder services on compute node with memcached caching and security strategy:
+
+.. code-block:: yaml
+
+ cinder:
+ volume:
+ enabled: true
+ ...
+ cache:
+ engine: memcached
+ members:
+ - host: 127.0.0.1
+ port: 11211
+ - host: 127.0.0.1
+ port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
+
+Cinder services on controller node with memcached caching and security strategy:
+
+.. code-block:: yaml
+
+ cinder:
+ controller:
+ enabled: true
+ ...
+ cache:
+ engine: memcached
+ members:
+ - host: 127.0.0.1
+ port: 11211
+ - host: 127.0.0.1
+ port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
+
Upgrades
========
diff --git a/cinder/files/pike/cinder.conf.controller.Debian b/cinder/files/pike/cinder.conf.controller.Debian
index 25acf4d..d2d31fa 100644
--- a/cinder/files/pike/cinder.conf.controller.Debian
+++ b/cinder/files/pike/cinder.conf.controller.Debian
@@ -201,6 +201,14 @@
#auth_url=http://{{ controller.identity.host }}/identity_v2_admin
{%- if controller.cache is defined %}
memcached_servers={%- for member in controller.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+ {%- if controller.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ controller.cache.security.get('strategy', 'ENCRYPT') }}
+ {%- if controller.cache.security.secret_key is not defined or not controller.cache.security.secret_key %}
+ {%- do salt.test.exception('controller.cache.security.secret_key is not defined: Please add secret_key') %}
+ {%- else %}
+memcache_secret_key = {{ controller.cache.security.secret_key }}
+ {%- endif %}
+ {%- endif %}
{%- endif %}
auth_version = v3
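Review bot: The new `memcache_security_strategy` line passes the pillar value through unvalidated, while the commit message says only MAC/ENCRYPT are meaningful; a typo such as `encrypt` or `SHA` would be written into cinder.conf and only surface when keystonemiddleware starts. Validate it in the template before emitting it, e.g. `{%- set strategy = controller.cache.security.get('strategy', 'ENCRYPT')|upper %}`, `{%- if strategy not in ['MAC', 'ENCRYPT'] %}{%- do salt.test.exception('controller.cache.security.strategy must be MAC or ENCRYPT') %}{%- endif %}`, `memcache_security_strategy = {{ strategy }}`. The same applies to the volume template hunk in cinder.conf.volume.Debian. Note also that the `secret_key` guard only rejects an empty value, so the placeholder `secret` used in the README and test pillars is accepted silently, and the key lands in cinder.conf in plain text; the state that renders this file is not in the diff, so confirm it keeps a restrictive file mode.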
diff --git a/cinder/files/pike/cinder.conf.volume.Debian b/cinder/files/pike/cinder.conf.volume.Debian
index b9dcbfb..f6d5027 100644
--- a/cinder/files/pike/cinder.conf.volume.Debian
+++ b/cinder/files/pike/cinder.conf.volume.Debian
@@ -184,6 +184,14 @@
#auth_url=http://{{ volume.identity.host }}/identity_v2_admin
{%- if volume.cache is defined %}
memcached_servers={%- for member in volume.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+ {%- if volume.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ volume.cache.security.get('strategy', 'ENCRYPT') }}
+ {%- if volume.cache.security.secret_key is not defined or not volume.cache.security.secret_key %}
+ {%- do salt.test.exception('volume.cache.security.secret_key is not defined: Please add secret_key') %}
+ {%- else %}
+memcache_secret_key = {{ volume.cache.security.secret_key }}
+ {%- endif %}
+ {%- endif %}
{%- endif %}
auth_version = v3
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index a9628fb..f85a8c8 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -50,6 +50,10 @@
port: 11211
- host: 127.0.0.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
storage:
engine: storwize
host: 192.168.0.1
diff --git a/tests/pillar/control_cluster_intree_wsgi.sls b/tests/pillar/control_cluster_intree_wsgi.sls
index 4c078d4..9ee5d9b 100644
--- a/tests/pillar/control_cluster_intree_wsgi.sls
+++ b/tests/pillar/control_cluster_intree_wsgi.sls
@@ -50,6 +50,10 @@
port: 11211
- host: 127.0.0.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
storage:
engine: storwize
host: 192.168.0.1
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index 24784bc..655b552 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -48,6 +48,15 @@
policy:
'volume:delete': 'rule:admin_or_owner'
'volume:extend':
+ cache:
+ engine: memcached
+ members:
+ - host: 127.0.0.1
+ port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
apache:
server:
enabled: true
diff --git a/tests/pillar/volume_single.sls b/tests/pillar/volume_single.sls
index d243510..9ab908c 100644
--- a/tests/pillar/volume_single.sls
+++ b/tests/pillar/volume_single.sls
@@ -45,6 +45,15 @@
port: 22
user: username
password: pass
+ cache:
+ engine: memcached
+ members:
+ - host: 127.0.0.1
+ port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
apache:
server:
enabled: true
diff --git a/tests/pillar/volume_single_barbican.sls b/tests/pillar/volume_single_barbican.sls
index e1da081..ff78f89 100644
--- a/tests/pillar/volume_single_barbican.sls
+++ b/tests/pillar/volume_single_barbican.sls
@@ -3,7 +3,7 @@
enabled: true
version: ocata
barbican:
- enabled: true
+ enabled: true
osapi:
host: 127.0.0.1
database: