Implement glance memcache security strategy
Provides an option to authenticate and optionally encrypt the token
data stored in the cache:
memcache_security_strategy = MAC/ENCRYPT
memcache_secret_key = secret_key
Change-Id: I1ba1f4fa61684d3dd5f0aa1478044e0f46b7cffc
Related-Prod: PROD-22099
diff --git a/README.rst b/README.rst
index 6e96364..f050338 100644
--- a/README.rst
+++ b/README.rst
@@ -446,6 +446,26 @@
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
+Glance services on controller node with memcached caching and security strategy:
+
+.. code-block:: yaml
+
+ glance:
+ server:
+ enabled: true
+ ...
+ cache:
+ engine: memcached
+ members:
+ - host: 127.0.0.1
+ port: 11211
+ - host: 127.0.0.1
+ port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
+
Usage
=====
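Review bot: the README example lists the same member (127.0.0.1:11211) twice, which reads as a copy-paste slip rather than a two-node cache; use distinct hosts, as the test pillar in this change does, or a single member. The snippet also presents `port: 11211` as configurable, while the `memcached_servers` line the templates render in this patch hardcodes `:11211` and never reads `member.port`; either document that the port is fixed or make the template honour it. `secret_key: secret` is a weak placeholder: a sentence saying the key should be a long random value shared by every glance-api/glance-registry node using the same memcached pool, and that `strategy` takes `MAC` (authenticate only) or `ENCRYPT` (authenticate and encrypt, the default when omitted), would make the example safe to copy.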
diff --git a/glance/files/pike/glance-api.conf.Debian b/glance/files/pike/glance-api.conf.Debian
index 0bcab9b..604f9d9 100644
--- a/glance/files/pike/glance-api.conf.Debian
+++ b/glance/files/pike/glance-api.conf.Debian
@@ -3275,6 +3275,14 @@
{%- if server.cache is defined %}
memcached_servers={%- for member in server.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+ {%- if server.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ server.cache.security.get('strategy', 'ENCRYPT') }}
+ {%- if server.cache.security.secret_key is not defined or not server.cache.security.secret_key %}
+ {%- do salt.test.exception('server.cache.security.secret_key is not defined: Please add secret_key') %}
+ {%- else %}
+memcache_secret_key = {{ server.cache.security.secret_key }}
+ {%- endif %}
+ {%- endif %}
{%- endif %}
#
# From keystonemiddleware.auth_token
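Review bot: the new `memcache_security_strategy` line renders whatever string the pillar carries, so a typo such as `encrypt` or `HMAC` silently produces a config value keystonemiddleware does not recognise and the service fails only at startup; validate against the two values the commit message names (`MAC`, `ENCRYPT`) with the same `salt.test.exception` pattern used three lines below for the missing key. The key check mixes `server.cache.get('security', {})` on the outer `if` with direct attribute access `server.cache.security.secret_key`; that is safe because the outer condition guarantees `security` exists, but `server.cache.security.get('secret_key')` would be consistent with the line above it and with the `strategy` lookup. Unchanged context worth noting while touching this block: `memcached_servers` hardcodes `:11211` and ignores `member.port`.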
diff --git a/glance/files/pike/glance-registry.conf.Debian b/glance/files/pike/glance-registry.conf.Debian
index e6553d7..45c976f 100644
--- a/glance/files/pike/glance-registry.conf.Debian
+++ b/glance/files/pike/glance-registry.conf.Debian
@@ -1197,6 +1197,14 @@
{%- if server.cache is defined %}
memcached_servers={%- for member in server.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+ {%- if server.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ server.cache.security.get('strategy', 'ENCRYPT') }}
+ {%- if server.cache.security.secret_key is not defined or not server.cache.security.secret_key %}
+ {%- do salt.test.exception('server.cache.security.secret_key is not defined: Please add secret_key') %}
+ {%- else %}
+memcache_secret_key = {{ server.cache.security.secret_key }}
+ {%- endif %}
+ {%- endif %}
{%- endif %}
# Complete "public" Identity API endpoint. This endpoint should not be an
# "admin" endpoint, as it should be accessible by all end users. Unauthenticated
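Review bot: this block is a verbatim copy of the glance-api hunk, including the exception message; a shared Jinja macro or include for the `memcache_security_strategy` / `memcache_secret_key` lines would keep the two files from drifting when the strategy validation or the key check changes. Both templates reading the same `server.cache.security` pillar is the right design, since keystonemiddleware in glance-api and glance-registry must use the same `memcache_secret_key` when they share a memcached pool, and the shared macro would make that invariant explicit rather than incidental.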
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index b06af82..b207e46 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -58,3 +58,16 @@
image_tag: 256
image_location: 15
user_storage: 0
+ cache:
+ engine: memcached
+ members:
+ - host: 127.0.0.1
+ port: 11211
+ - host: 127.0.1.1
+ port: 11211
+ - host: 127.0.2.1
+ port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
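Review bot: the test pillar exercises only the happy path (`enabled: true`, `strategy: ENCRYPT`, key present), so neither the `MAC` strategy nor the `security.enabled: false` branch nor the `salt.test.exception` raised for a missing `secret_key` is rendered by the tests; add pillars for those cases, in particular one where `secret_key` is absent so the failure branch is asserted rather than assumed. The placeholder `secret_key: secret` is acceptable in a test pillar but is the same value the README example uses; a value that is obviously test-only would reduce the chance of it being copied into a production pillar.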