commit dcb7d7b458ec1e0244bd7014876b2a375aa91508
author Oleksandr Bryndzii <obryndzii@mirantis.com> Thu Oct 04 12:19:42 2018 +0300
committer Oleksandr Bryndzii <obryndzii@mirantis.com> Thu Oct 11 01:05:53 2018 +0300
tree 6f5ef189e52d22ff399c3a0ce797b8b1e1cc4bc3
parent ed34646fb26da23e79b5e7dc9ab190779212033e

Implement panko memcache security strategy

Provides an option to authenticate and optionally encrypt the token
data stored in the cache:
memcache_security_strategy = MAC/ENCRYPT
memcache_secret_key = secret_key

Change-Id: I70758868fb3cd1f78a4b5410baec2d509ebca105
Related-Prod: PROD-22099

README.rst

diff --git a/README.rst b/README.rst
index f1b324d..2d563ef 100644
--- a/README.rst
+++ b/README.rst
@@ -117,6 +117,25 @@
 You can read more about it here:
     https://docs.openstack.org/security-guide/databases/database-access-control.html
 
+Panko server with memcached caching and security strategy:
+--------------------
+.. code-block:: yaml
+
+    panko:
+      server:
+        enabled: true
+        ...
+        cache:
+          engine: memcached
+          members:
+          - host: 127.0.0.1
+            port: 11211
+          - host: 127.0.0.1
+            port: 11211
+          security:
+            enabled: true
+            strategy: ENCRYPT
+            secret_key: secret
 More information
 ================
 

panko/files/pike/panko.conf.Debian

diff --git a/panko/files/pike/panko.conf.Debian b/panko/files/pike/panko.conf.Debian
index 4cebd7a..5b54d53 100644
--- a/panko/files/pike/panko.conf.Debian
+++ b/panko/files/pike/panko.conf.Debian
@@ -363,6 +363,14 @@
 #memcached_servers = <None>
 {%- if server.cache is defined %}
 memcached_servers = {%- for member in server.cache.members %}{{ member.host }}:{{ member.get('port', '11211') }}{% if not loop.last %},{% endif %}{%- endfor %}
+  {%- if server.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ server.cache.security.get('strategy', 'ENCRYPT') }}
+    {%- if server.cache.security.secret_key is not defined or not server.cache.security.secret_key %}
+    {%- do salt.test.exception('panko.server.cache.security.secret_key is not defined: Please add secret_key') %}
+    {%- else %}
+memcache_secret_key = {{ server.cache.security.secret_key }}
+    {%- endif %}
+  {%- endif %}
 {%- else %}
 token_cache_time = -1
 {%- endif %}

tests/pillar/server_cluster.sls

diff --git a/tests/pillar/server_cluster.sls b/tests/pillar/server_cluster.sls
index 79e7732..de177d1 100644
--- a/tests/pillar/server_cluster.sls
+++ b/tests/pillar/server_cluster.sls
@@ -31,6 +31,10 @@
           port: 11211
         - host: 127.0.0.1
           port: 11211
+      security:
+        enabled: true
+        strategy: ENCRYPT
+        secret_key: secret
     logging:
       log_appender: false
       log_handlers: