Implement Ironic memcache security strategy
Provides an option to authenticate and optionally encrypt the token
data stored in the cache:
memcache_security_strategy = MAC/ENCRYPT
memcache_secret_key = secret_key
Change-Id: Ie252472e7e000ef76660c731b293a25dc21aa433
Related-Prod: PROD-22099
diff --git a/README.rst b/README.rst
index a0bb932..72acd55 100644
--- a/README.rst
+++ b/README.rst
@@ -173,3 +173,23 @@
You can read more about it here:
https://docs.openstack.org/security-guide/messaging/security.html
+
+Ironic service with cache and security enabled
+
+.. code-block:: yaml
+
+ ironic:
+ api:
+ enabled: true
+ version: pike
+ cache:
+ engine: memcached
+ members:
+ - host: 127.0.0.1
+ port: 11211
+ - host: 127.0.0.1
+ port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
diff --git a/ironic/files/pike/ironic.conf b/ironic/files/pike/ironic.conf
index 86b4d95..5350c1a 100644
--- a/ironic/files/pike/ironic.conf
+++ b/ironic/files/pike/ironic.conf
@@ -2479,10 +2479,16 @@
# caching. If left undefined, tokens will instead be cached
# in-process. (list value)
# Deprecated group/name - [keystone_authtoken]/memcache_servers
-{%- if ironic.get('identity', {}).get('memcached_servers') %}
-memcached_servers = {{ ironic.identity.memcached_servers }}
-{%- else %}
-#memcached_servers = <None>
+{%- if ironic.get('cache', {}).members is defined %}
+memcached_servers={%- for member in ironic.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+ {%- if ironic.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ ironic.cache.security.get('strategy', 'ENCRYPT') }}
+ {%- if ironic.cache.security.secret_key is not defined or not ironic.cache.security.secret_key %}
+ {%- do salt.test.exception('ironic.cache.security.secret_key is not defined: Please add secret_key') %}
+ {%- else %}
+memcache_secret_key = {{ ironic.cache.security.secret_key }}
+ {%- endif %}
+ {%- endif %}
{%- endif %}
# In order to prevent excessive effort spent validating
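Review bot: The `memcached_servers` line in this hunk hard-codes `:11211` for every member and never reads `member.port`, even though the pillar added in tests/pillar/api_single.sls (and the README example) declares a `port` per member; a member on any other port would be silently misaddressed, so the list entry should be rendered as `{{ member.host }}:{{ member.get('port', 11211) }}`. The rewrite also drops the old `ironic.identity.memcached_servers` branch without a fallback, so an existing pillar that still sets that key would silently revert to in-process token caching while appearing configured; if that is intended, it deserves a note in the commit message, otherwise keeping the old key as a fallback in the same `if`/`elif` would preserve it. The added `memcache_security_strategy` line passes the pillar value through unvalidated; since keystonemiddleware only accepts `MAC` or `ENCRYPT`, a `salt.test.exception` on any other value, mirroring the one already used for a missing `secret_key`, would fail the highstate instead of leaving a broken ironic.conf on the node. The leading spaces on the nested `{%-` lines are harmless because the `-` strips preceding whitespace, but `memcached_servers=` is the only key in the block written without spaces around `=`, which is inconsistent with the two lines that follow.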
diff --git a/tests/pillar/api_single.sls b/tests/pillar/api_single.sls
index 741d92b..72800fe 100644
--- a/tests/pillar/api_single.sls
+++ b/tests/pillar/api_single.sls
@@ -21,3 +21,14 @@
password: workshop
identity:
engine: 'noauth'
+ cache:
+ engine: memcached
+ members:
+ - host: 127.0.0.1
+ port: 11211
+ - host: 127.0.0.1
+ port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret