Secure memcached for the OpenStack services

Secure memcached for the OpenStack services

This section provides the instruction on how to enable the memcached protection in the OpenStack Pike deployments.

The OpenStack services that support the memcached protection include Aodh, Barbican, Cinder, Glance, Gnocchi, Heat, Ironic, Neutron, Nova, and Panko.

When using Memcached, tokens and authentication responses are stored in the cache as raw data. If the cache is compromised, tokens and authentication responses become readable. To mitigate this risk, MCP uses the auth_token middleware that provides for the authentication and encryption of the token data stored in the cache by means of the following configuration parameters:

  • memcache_security_strategy

    Indicates whether the token data should be authenticated or authenticated and encrypted. Acceptable values include:

    • MAC to authenticate (with HMAC) the token data in cache
    • ENCRYPT to encrypt and authenticate the token data in cache

    If the value is not set or empty, auth_token raises an exception on initialization.

  • memcache_secret_key

    Mandatory if memcache_security_strategy is defined. Used for key derivation. If memcache_security_strategy is defined and memcache_secret_key is not set, auth_token raises an exception on initialization.

MCP OpenStack supports the memcached protection since the Pike release. By default, this functionality is disabled in the Pike deployments. For Queens and newer releases, the memcached protection is enabled by default with the ENCRYPT security strategy.

To enable the memcached protection:

  1. Log in to the Salt Master node.

  2. Update your Reclass metadata model.

  3. Verify the pillars. For example, for nova:controller:

    salt -C 'I@nova:controller' pillar.get nova:controller:cache:security
    

    Example of system response:

    ---Output---
    ctl02.node.local:
        ----------
        enabled:
           False
        secret_key:
        strategy:
            ENCRYPT
    ctl03.node.local:
        ----------
        enabled:
            False
        secret_key:
        strategy:
            ENCRYPT
    ctl01.node.local:
        ----------
        enabled:
            False
        secret_key:
        strategy:
            ENCRYPT
    ---End output---
    
  4. Select from the following options:

    • Enable the memcache security and specify the secret keys globally by modifying the cluster level of your deployment model:

      1. In the <cluster_name>/openstack/init.yml file, enable the cache security, set the security strategy, and define the secret keys for the required OpenStack services. For example:

        parameters:
          _param:
            openstack_memcache_security_enabled: True
            openstack_memcache_security_strategy: ENCRYPT
            nova_memcache_secret_key: <SECRET_KEY>
            neutron_memcache_secret_key: <SECRET_KEY>
            ...
        
      2. Refresh pillars:

        salt '*' saltutil.refresh_pillar
        
      3. Verify pillars for the OpenStack services. For example, for the Nova controller:

        salt -C 'I@nova:controller' pillar.get nova:controller:cache:security
        

        Example of system response:

        ---Output---
        ctl02.node.local:
            ----------
            enabled:
                True
            secret_key:
                ez6D6unod2PB4Aqp
            strategy:
                ENCRYPT
        ctl03.node.local:
            ----------
            enabled:
                True
            secret_key:
                ez6D6unod2PB4Aqp
            strategy:
                ENCRYPT
        ctl01.node.local:
            ----------
            enabled:
                True
            secret_key:
                ez6D6unod2PB4Aqp
            strategy:
                ENCRYPT
        ---End Output---
        
      4. Apply the changes for all required OpenStack services by running the appropriate service states listed in the table below.

    • Define the memcache security parameters through the pillars in a granular way, which allows for particular services configuration if required.

      Memcache protection configuration for the OpenStack services
      OpenStack service Define custom pillar Apply the change
      Aodh
      aodh:
        server:
           cache:
             security:
               enabled: True
               secret_key: secret-key
               strategy: ENCRYPT
      
      salt -C 'I@aodh:server' state.sls aodh
      
      Barbican
      barbican:
        server:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
      
      salt -C 'I@barbican:server' state.sls barbican.server
      
      Cinder
      cinder:
        controller:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
      
      cinder:
        volume:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
      
      salt -C 'I@cinder:controller or I@cinder:volume' state.sls cinder
      
      Glance
      glance:
        server:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
      
      salt -C 'I@glance:server' state.sls glance.server
      
      Gnocchi
      gnocchi:
        server:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
      
      salt -C 'I@gnocchi:server' state.sls gnocchi.server
      
      Heat
      heat:
        server:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
      
      salt -C 'I@heat:server' state.sls heat.server
      
      Ironic
      ironic:
        api:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
        conductor:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
      
      salt -C 'I@ironic:api' state.sls ironic.api
      salt -C 'I@ironic:conductor' state.sls ironic.conductor
      
      Neutron
      neutron:
        server:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
      
      salt -C 'I@neutron:server’ state.sls neutron.server
      
      Nova
      nova:
        controller:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
      
      nova:
        compute:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
      
      salt -C 'I@nova:controller or I@nova:compute' state.sls nova
      
      Panko
      panko:
        server:
          cache:
            security:
              enabled: True
              secret_key: secret-key
              strategy: ENCRYPT
      
      salt -C 'I@panko:server' state.sls panko.server