commit 29865f5e4287c00c59bceda8331749a315be46b6
author Oleksandr Bryndzii <obryndzii@mirantis.com> Thu Oct 04 12:42:51 2018 +0300
committer Oleksandr Bryndzii <obryndzii@mirantis.com> Thu Oct 11 01:28:24 2018 +0300
tree edd45694ee621212638999e4e3eea6afd4492371
parent 7a922efba8825f440358d94e226549f1d0d2aa0f

Implement gnocchi memcache security strategy

Provides an option to authenticate and optionally encrypt the token
data stored in the cache:

memcache_security_strategy = MAC/ENCRYPT
memcache_secret_key = secret_key

Change-Id: I740b49e9626435348e0c0c9e665ac04c60ba1583
Related-Prod: PROD-22099

README.rst

diff --git a/README.rst b/README.rst
index 0549f84..94d74f6 100644
--- a/README.rst
+++ b/README.rst
@@ -313,6 +313,26 @@
 You can read more about it here:
     https://docs.openstack.org/security-guide/databases/database-access-control.html
 
+Gnocchi server with memcached caching and security strategy:
+-----------------------------
+.. code-block:: yaml
+
+    gnocchi:
+      server:
+        enabled: true
+        ...
+        cache:
+          engine: memcached
+          members:
+          - host: 127.0.0.1
+            port: 11211
+          - host: 127.0.0.1
+            port: 11211
+          security:
+            enabled: true
+            strategy: ENCRYPT
+            secret_key: secret
+
 More Information
 ================
 

gnocchi/files/4.0/gnocchi.conf

diff --git a/gnocchi/files/4.0/gnocchi.conf b/gnocchi/files/4.0/gnocchi.conf
index 4e7edc0..e1bd172 100644
--- a/gnocchi/files/4.0/gnocchi.conf
+++ b/gnocchi/files/4.0/gnocchi.conf
@@ -96,12 +96,13 @@
 token_cache_time = {{ server.cache.token_cache_time }}
 {%- endif %}
 
-{%- if server.get('cache', {}).memcache_security_strategy is defined %}
-memcache_security_strategy = {{ server.cache.memcache_security_strategy }}
-{%- endif %}
-
-{%- if server.get('cache', {}).memcache_security_strategy is defined %}
-memcache_secret_key = {{ server.cache.memcache_secret_key }}
+{%- if server.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ server.cache.security.get('strategy', 'ENCRYPT') }}
+  {%- if server.cache.security.secret_key is not defined or not server.cache.security.secret_key %}
+  {%- do salt.test.exception('gnocchi.server.cache.security.secret_key is not defined: Please add secret_key') %}
+  {%- else %}
+memcache_secret_key = {{ server.cache.security.secret_key }}
+  {%- endif %}
 {%- endif %}
 
 {%- if server.get('cache', {}).memcache_pool_dead_retry is defined %}

tests/pillar/server_cluster.sls

diff --git a/tests/pillar/server_cluster.sls b/tests/pillar/server_cluster.sls
index 8cdcf25..b9f1415 100644
--- a/tests/pillar/server_cluster.sls
+++ b/tests/pillar/server_cluster.sls
@@ -58,6 +58,10 @@
         port: 11211
       - host: 127.0.3.1
         port: 11211
+      security:
+        enabled: true
+        strategy: ENCRYPT
+        secret_key: secret
     metricd:
       workers: 5
   statsd:
@@ -108,4 +112,4 @@
     pkgs:
       - apache2
     modules:
-      - wsgi
\ No newline at end of file
+      - wsgi