Implement nova memcache security strategy
Provides an option to authenticate and optionally encrypt the token
data stored in the cache:
memcache_security_strategy = MAC/ENCRYPT
memcache_secret_key = secret_key
Change-Id: I740be64fd5d822a4c4718e9b56b9fff34c2ba9da
Related-Prod: PROD-22099
diff --git a/README.rst b/README.rst
index 42ba8db..673df92 100644
--- a/README.rst
+++ b/README.rst
@@ -356,7 +356,7 @@
...
networking: contrail
-Nova services on compute node with memcached caching:
+Nova services on compute node with memcached caching and security strategy:
.. code-block:: yaml
@@ -371,6 +371,10 @@
port: 11211
- host: 127.0.0.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
Client-side RabbitMQ HA setup:
diff --git a/nova/files/pike/nova-compute.conf.Debian b/nova/files/pike/nova-compute.conf.Debian
index 48b5ec3..7dba92c 100644
--- a/nova/files/pike/nova-compute.conf.Debian
+++ b/nova/files/pike/nova-compute.conf.Debian
@@ -5742,6 +5742,14 @@
{%- endif %}
{%- if compute.cache is defined %}
memcached_servers={%- for member in compute.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+ {%- if compute.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ compute.cache.security.get('strategy', 'ENCRYPT') }}
+ {%- if compute.cache.security.secret_key is not defined or not compute.cache.security.secret_key %}
+ {%- do salt.test.exception('compute.cache.security.secret_key is not defined: Please add secret_key') %}
+ {%- else %}
+memcache_secret_key = {{ compute.cache.security.secret_key }}
+ {%- endif %}
+ {%- endif %}
{%- endif %}
# Complete "public" Identity API endpoint. This endpoint should not be an
# "admin" endpoint, as it should be accessible by all end users. Unauthenticated
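Review bot: The `strategy` value on the added `memcache_security_strategy = …` line is rendered unchecked, while the commit message (and keystonemiddleware's auth_token option) only allow `MAC` or `ENCRYPT`; a typo in pillar would render a config that nova's API pipeline rejects at startup instead of failing at render time like the missing `secret_key` already does. A consistent guard would be `{%- set strategy = compute.cache.security.get('strategy', 'ENCRYPT') %}`, then `{%- if strategy not in ['MAC', 'ENCRYPT'] %}{%- do salt.test.exception('compute.cache.security.strategy must be MAC or ENCRYPT') %}{%- endif %}`, and `memcache_security_strategy = {{ strategy }}`. The same unvalidated strategy appears in the controller hunk of nova-controller.conf.Debian. Note also that the rendered config now carries the memcache secret in clear text, so the file mode the formula applies to nova.conf (set outside this hunk) is presumably what keeps it from other local users — worth confirming.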
diff --git a/nova/files/pike/nova-controller.conf.Debian b/nova/files/pike/nova-controller.conf.Debian
index 1d21f4e..1ed3cc8 100644
--- a/nova/files/pike/nova-controller.conf.Debian
+++ b/nova/files/pike/nova-controller.conf.Debian
@@ -5747,6 +5747,14 @@
{%- endif %}
{%- if controller.cache is defined %}
memcached_servers={%- for member in controller.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+ {%- if controller.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ controller.cache.security.get('strategy', 'ENCRYPT') }}
+ {%- if controller.cache.security.secret_key is not defined or not controller.cache.security.secret_key %}
+ {%- do salt.test.exception('controller.cache.security.secret_key is not defined: Please add secret_key') %}
+ {%- else %}
+memcache_secret_key = {{ controller.cache.security.secret_key }}
+ {%- endif %}
+ {%- endif %}
{%- endif %}
# Complete "public" Identity API endpoint. This endpoint should not be an
# "admin" endpoint, as it should be accessible by all end users. Unauthenticated
diff --git a/tests/pillar/compute_cluster.sls b/tests/pillar/compute_cluster.sls
index c057c09..c3a55e2 100644
--- a/tests/pillar/compute_cluster.sls
+++ b/tests/pillar/compute_cluster.sls
@@ -74,6 +74,10 @@
port: 11211
- host: 127.0.2.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
libvirt:
hw_disk_discard: unmap
live_migration_tunnelled: False
diff --git a/tests/pillar/compute_cluster_vmware.sls b/tests/pillar/compute_cluster_vmware.sls
index ceaf142..8cf5646 100644
--- a/tests/pillar/compute_cluster_vmware.sls
+++ b/tests/pillar/compute_cluster_vmware.sls
@@ -63,6 +63,10 @@
port: 11211
- host: 127.0.2.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
compute_driver: vmwareapi.VMwareVCDriver
vmware:
host_username: vmware
diff --git a/tests/pillar/compute_cluster_vmware_queens.sls b/tests/pillar/compute_cluster_vmware_queens.sls
index 1d6b0cf..d508fc1 100644
--- a/tests/pillar/compute_cluster_vmware_queens.sls
+++ b/tests/pillar/compute_cluster_vmware_queens.sls
@@ -63,6 +63,10 @@
port: 11211
- host: 127.0.2.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
compute_driver: vmwareapi.VMwareVCDriver
vmware:
host_username: vmware
diff --git a/tests/pillar/compute_single.sls b/tests/pillar/compute_single.sls
index 8d752de..b000da7 100644
--- a/tests/pillar/compute_single.sls
+++ b/tests/pillar/compute_single.sls
@@ -60,6 +60,10 @@
members:
- host: 127.0.0.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
qemu:
user: nova
group: cinder
diff --git a/tests/pillar/compute_single_config_drive_options.sls b/tests/pillar/compute_single_config_drive_options.sls
index 6351252..78cf088 100644
--- a/tests/pillar/compute_single_config_drive_options.sls
+++ b/tests/pillar/compute_single_config_drive_options.sls
@@ -58,6 +58,10 @@
members:
- host: 127.0.0.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
config_drive:
cdrom: True
format: iso9660
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index eb91fd9..338d63b 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -66,6 +66,10 @@
members:
- host: 127.0.0.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
policy:
'context_is_admin': 'role:admin or role:administrator'
'compute:create': 'rule:admin_or_owner'