Implement neutron memcache security strategy

Provides an option to authenticate and optionally encrypt the token
data stored in the cache:
memcache_security_strategy = MAC/ENCRYPT
memcache_secret_key = secret_key

Change-Id: I7f623586023c8b0605bb77977a28d6b7c47e5287
Related-Prod: PROD-22099
diff --git a/README.rst b/README.rst
index f5169b5..187a911 100644
--- a/README.rst
+++ b/README.rst
@@ -1473,6 +1473,25 @@
           eventletwsgi:
             level: 'DEBUG'
     ......
+Neutron server with memcached caching and security strategy:
+
+.. code-block:: yaml
+
+    neutron:
+      server:
+        enabled: true
+        ...
+        cache:
+          engine: memcached
+          members:
+          - host: 127.0.0.1
+            port: 11211
+          - host: 127.0.0.1
+            port: 11211
+          security:
+            enabled: true
+            strategy: ENCRYPT
+            secret_key: secret
 
 Upgrades
 ========
diff --git a/neutron/files/pike/neutron-server.conf b/neutron/files/pike/neutron-server.conf
index 3ba83b5..49aeff0 100644
--- a/neutron/files/pike/neutron-server.conf
+++ b/neutron/files/pike/neutron-server.conf
@@ -1017,6 +1017,14 @@
 {%- endif %}
 {%- if server.cache is defined %}
 memcached_servers={%- for member in server.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+  {%- if server.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ server.cache.security.get('strategy', 'ENCRYPT') }}
+    {%- if server.cache.security.secret_key is not defined or not server.cache.security.secret_key %}
+    {%- do salt.test.exception('server.cache.security.secret_key is not defined: Please add secret_key') %}
+    {%- else %}
+memcache_secret_key = {{ server.cache.security.secret_key }}
+    {%- endif %}
+  {%- endif %}
 {%- endif %}
 #
 # From keystonemiddleware.auth_token
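Review bot: The `strategy` value is written to `memcache_security_strategy` without validation, while the neighbouring `secret_key` gets a render-time check; a typo in the pillar would only show up when the service reads the file. The commit message names MAC and ENCRYPT as the two values, so the template could fail the same way: `{%- set strategy = server.cache.security.get('strategy', 'ENCRYPT') %}` followed by `{%- if strategy not in ['MAC', 'ENCRYPT'] %}{%- do salt.test.exception('server.cache.security.strategy must be MAC or ENCRYPT') %}{%- endif %}`. The `secret_key` check only rejects a missing or empty value, so a short, guessable key like the `secret` used in the README example would pass; a comment such as `{#- secret_key protects cached token data: use a long random value and keep this file readable only by the service user #}` would make the expectation explicit. The section header these options are rendered under is outside the hunk, so it is worth confirming they land in the same section as `memcached_servers`.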
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index 1a1d30b..2d70ca2 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -59,4 +59,16 @@
       create_subnet: 'rule:admin_or_network_owner'
       'get_network:queue_id': 'rule:admin_only'
       'create_network:shared':
-
+    cache:
+      engine: memcached
+      members:
+      - host: 127.0.0.1
+        port: 11211
+      - host: 127.0.0.1
+        port: 11211
+      - host: 127.0.0.1
+        port: 11211
+      security:
+        enabled: true
+        strategy: ENCRYPT
+        secret_key: secret