This section provides the instruction on how to enable the memcached protection in the OpenStack Pike deployments.
The OpenStack services that support the memcached protection include Aodh, Barbican, Cinder, Glance, Gnocchi, Heat, Ironic, Neutron, Nova, and Panko.
When using Memcached, tokens and authentication responses are stored in the
cache as raw data. If the cache is compromised, tokens and authentication
responses become readable. To mitigate this risk, MCP uses the auth_token
middleware that provides for the authentication and encryption of the token
data stored in the cache by means of the following configuration parameters:
memcache_security_strategy
Indicates whether the token data should be authenticated or authenticated and encrypted. Acceptable values include:
MAC
to authenticate (with HMAC) the token data in cacheENCRYPT
to encrypt and authenticate the token data in cacheIf the value is not set or empty, auth_token
raises an exception on
initialization.
memcache_secret_key
Mandatory if memcache_security_strategy
is defined. Used for key
derivation. If memcache_security_strategy
is defined and
memcache_secret_key
is not set, auth_token
raises an exception on
initialization.
MCP OpenStack supports the memcached protection since the Pike release. By
default, this functionality is disabled in the Pike deployments. For Queens and
newer releases, the memcached protection is enabled by default with the
ENCRYPT
security strategy.
To enable the memcached protection:
Log in to the Salt Master node.
Update your Reclass metadata model.
Verify the pillars. For example, for nova:controller
:
salt -C 'I@nova:controller' pillar.get nova:controller:cache:security
Example of system response:
---Output---
ctl02.node.local:
----------
enabled:
False
secret_key:
strategy:
ENCRYPT
ctl03.node.local:
----------
enabled:
False
secret_key:
strategy:
ENCRYPT
ctl01.node.local:
----------
enabled:
False
secret_key:
strategy:
ENCRYPT
---End output---
Select from the following options:
Enable the memcache security and specify the secret keys globally by modifying the cluster level of your deployment model:
In the <cluster_name>/openstack/init.yml
file, enable the cache
security, set the security strategy, and define the secret keys for
the required OpenStack services. For example:
parameters:
_param:
openstack_memcache_security_enabled: True
openstack_memcache_security_strategy: ENCRYPT
nova_memcache_secret_key: <SECRET_KEY>
neutron_memcache_secret_key: <SECRET_KEY>
...
Refresh pillars:
salt '*' saltutil.refresh_pillar
Verify pillars for the OpenStack services. For example, for the Nova controller:
salt -C 'I@nova:controller' pillar.get nova:controller:cache:security
Example of system response:
---Output---
ctl02.node.local:
----------
enabled:
True
secret_key:
ez6D6unod2PB4Aqp
strategy:
ENCRYPT
ctl03.node.local:
----------
enabled:
True
secret_key:
ez6D6unod2PB4Aqp
strategy:
ENCRYPT
ctl01.node.local:
----------
enabled:
True
secret_key:
ez6D6unod2PB4Aqp
strategy:
ENCRYPT
---End Output---
Apply the changes for all required OpenStack services by running the appropriate service states listed in the table below.
Define the memcache security parameters through the pillars in a granular way, which allows for particular services configuration if required.
OpenStack service | Define custom pillar | Apply the change |
---|---|---|
Aodh | aodh:
server:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
|
salt -C 'I@aodh:server' state.sls aodh
|
Barbican | barbican:
server:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
|
salt -C 'I@barbican:server' state.sls barbican.server
|
Cinder | cinder:
controller:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
cinder:
volume:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
|
salt -C 'I@cinder:controller or I@cinder:volume' state.sls cinder
|
Glance | glance:
server:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
|
salt -C 'I@glance:server' state.sls glance.server
|
Gnocchi | gnocchi:
server:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
|
salt -C 'I@gnocchi:server' state.sls gnocchi.server
|
Heat | heat:
server:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
|
salt -C 'I@heat:server' state.sls heat.server
|
Ironic | ironic:
api:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
conductor:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
|
salt -C 'I@ironic:api' state.sls ironic.api
salt -C 'I@ironic:conductor' state.sls ironic.conductor
|
Neutron | neutron:
server:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
|
salt -C 'I@neutron:server’ state.sls neutron.server
|
Nova | nova:
controller:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
nova:
compute:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
|
salt -C 'I@nova:controller or I@nova:compute' state.sls nova
|
Panko | panko:
server:
cache:
security:
enabled: True
secret_key: secret-key
strategy: ENCRYPT
|
salt -C 'I@panko:server' state.sls panko.server
|