commit cfd9f8b5b9b51688c5fa6e55a86e6d4821ab2542
author Oleksandr Bryndzii <obryndzii@mirantis.com> Thu Oct 04 11:56:54 2018 +0300
committer Oleksandr Bryndzii <obryndzii@mirantis.com> Wed Oct 10 23:51:17 2018 +0300
tree 68a5e6f3915938dfde4daa83337421427298fa74
parent f085854b9d2da0072b7f6a45791fa7b1f8b20143

Implement heat memcache security strategy

Provides an option to authenticate and optionally encrypt the token
data stored in the cache:
memcache_security_strategy = MAC/ENCRYPT
memcache_secret_key = secret_key

Change-Id: Ice0259e12009bddec2607d54219e1d4b639839c2
Related-Prod: PROD-22099

README.rst

diff --git a/README.rst b/README.rst
index 46a8fc6..7df62e0 100644
--- a/README.rst
+++ b/README.rst
@@ -272,6 +272,25 @@
 You can read more about it here:
     https://docs.openstack.org/security-guide/databases/database-access-control.html
 
+Heat services with memcached caching and security strategy:
+
+.. code-block:: yaml
+
+    heat:
+      server:
+        enabled: true
+        ...
+        cache:
+          engine: memcached
+          members:
+          - host: 127.0.0.1
+            port: 11211
+          - host: 127.0.0.1
+            port: 11211
+          security:
+            enabled: true
+            strategy: ENCRYPT
+            secret_key: secret
 Upgrades
 ========
 

heat/files/pike/heat.conf.Debian

diff --git a/heat/files/pike/heat.conf.Debian b/heat/files/pike/heat.conf.Debian
index ceabe6b..293d0bc 100644
--- a/heat/files/pike/heat.conf.Debian
+++ b/heat/files/pike/heat.conf.Debian
@@ -1779,6 +1779,14 @@
 user_domain_name = Default
 {%- if server.cache is defined %}
 memcached_servers={%- for member in server.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+  {%- if server.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ server.cache.security.get('strategy', 'ENCRYPT') }}
+    {%- if server.cache.security.secret_key is not defined or not server.cache.security.secret_key %}
+    {%- do salt.test.exception('server.cache.security.secret_key is not defined: Please add secret_key') %}
+    {%- else %}
+memcache_secret_key = {{ server.cache.security.secret_key }}
+    {%- endif %}
+  {%- endif %}
 {%- endif %}
 
 {%- if server.cache is defined %}

tests/pillar/server_cluster.sls

diff --git a/tests/pillar/server_cluster.sls b/tests/pillar/server_cluster.sls
index 2cb36a2..0b28922 100644
--- a/tests/pillar/server_cluster.sls
+++ b/tests/pillar/server_cluster.sls
@@ -69,3 +69,16 @@
       'cloudformation:DescribeStackResource':
     max_stacks_per_tenant: 150
     max_nested_stack_depth: 10
+    cache:
+      engine: memcached
+      members:
+      - host: 127.0.0.1
+        port: 11211
+      - host: 127.0.1.1
+        port: 11211
+      - host: 127.0.2.1
+        port: 11211
+      security:
+        enabled: true
+        strategy: ENCRYPT
+        secret_key: secret