Add TLS support to MemcacheClientPool

This commit adds TLS and MTLS support to MemcacheClientPool using oslo.cache advanced pooling driver. It also bumps the minimum oslo.cache version so to include c3023dbc2e5f14f94a1c2c8d8b4b08b2fd09d610 . Change-Id: Id2f222529468932a898a3d9d05bbe819371670eb
2025-06-24 05:51:34 +02:00
parent 557d173eee
commit b07e6a1fbc
7 changed files with 68 additions and 5 deletions
--- a/doc/requirements.txt
+++ b/doc/requirements.txt
@@ -19,5 +19,5 @@ oslo.messaging>=5.29.0 # Apache-2.0
 pycadf>=1.1.0 # Apache-2.0
 PyJWT>=2.4.0 # MIT
 keystoneauth1>=3.12.0 # Apache-2.0
-oslo.cache>=1.26.0 # Apache-2.0
+oslo.cache>=3.11.0 # Apache-2.0
 python-keystoneclient>=3.20.0 # Apache-2.0
--- a/keystonemiddleware/auth_token/init.py
+++ b/keystonemiddleware/auth_token/init.py
@@ -219,6 +219,7 @@ object is stored.

 import copy
 import re
+import ssl

 from keystoneauth1 import access
 from keystoneauth1 import adapter
@@ -875,8 +876,26 @@ class AuthProtocol(BaseAuthProtocol):
            sasl_enabled=self._conf.get('memcache_sasl_enabled'),
            username=self._conf.get('memcache_username'),
            password=self._conf.get('memcache_password'),
+            tls_enabled=self._conf.get('memcache_tls_enabled'),
        )

+        if self._conf.get('memcache_tls_enabled'):
+            tls_cafile = self._conf.get('memcache_tls_cafile')
+            tls_certfile = self._conf.get('memcache_tls_certfile')
+            tls_keyfile = self._conf.get('memcache_tls_keyfile')
+            tls_allowed_ciphers = self._conf.get(
+                'memcache_tls_allowed_ciphers')
+
+            tls_context = ssl.create_default_context(cafile=tls_cafile)
+
+            if tls_certfile:
+                tls_context.load_cert_chain(tls_certfile, tls_keyfile)
+
+            if tls_allowed_ciphers:
+                tls_context.set_ciphers(tls_allowed_ciphers)
+
+            cache_kwargs['tls_context'] = tls_context
+
        if security_strategy.lower() != 'none':
            secret_key = self._conf.get('memcache_secret_key')
            return _cache.SecureTokenCache(self.log,
--- a/keystonemiddleware/auth_token/_cache.py
+++ b/keystonemiddleware/auth_token/_cache.py
@@ -100,7 +100,8 @@ class _MemcacheClientPool(object):
        # python-binary-memcached , we don't want it as hard
        # dependency, so lazy load it.
        self._sasl_enabled = arguments.pop("sasl_enabled", False)
-        if self._sasl_enabled:
+        self._tls_enabled = arguments.pop("tls_enabled", False)
+        if self._tls_enabled or self._sasl_enabled:
            from oslo_cache import _bmemcache_pool
            self._pool = _bmemcache_pool.BMemcacheClientPool(memcache_servers,
                                                             arguments,
@@ -140,20 +141,23 @@ class TokenCache(object):
    _CACHE_KEY_TEMPLATE = 'tokens/%s'

    def __init__(self, log, cache_time=None,
-                 env_cache_name=None, memcached_servers=None,
+                 env_cache_name=None, memcached_servers=None, tls_context=None,
                 use_advanced_pool=True, dead_retry=None, socket_timeout=None,
                 **kwargs):
        self._LOG = log
        self._cache_time = cache_time
        self._env_cache_name = env_cache_name
        self._memcached_servers = memcached_servers
+        self._tls_context = tls_context
        self._use_advanced_pool = use_advanced_pool
        self._arguments = {
            'dead_retry': dead_retry,
            'socket_timeout': socket_timeout,
            'sasl_enabled': kwargs.pop("sasl_enabled", False),
            'username': kwargs.pop("username", None),
-            'password': kwargs.pop("password", None)
+            'password': kwargs.pop("password", None),
+            'tls_enabled': kwargs.pop("tls_enabled", False),
+            'tls_context': tls_context
        }
        self._memcache_pool_options = kwargs

--- a/keystonemiddleware/auth_token/_opts.py
+++ b/keystonemiddleware/auth_token/_opts.py
@@ -124,6 +124,32 @@ _OPTS = [
               secret=True,
               help='(Optional, mandatory if memcache_security_strategy is'
               ' defined) This string is used for key derivation.'),
+    cfg.BoolOpt('memcache_tls_enabled',
+                default=False,
+                help='(Optional) Global toggle for TLS usage when comunicating'
+                ' with the caching servers.'),
+    cfg.StrOpt('memcache_tls_cafile',
+               help='(Optional) Path to a file of concatenated CA certificates'
+               ' in PEM format necessary to establish the caching server\'s'
+               ' authenticity. If tls_enabled is False, this option is'
+               ' ignored.'),
+    cfg.StrOpt('memcache_tls_certfile',
+               help='(Optional) Path to a single file in PEM format containing'
+               ' the client\'s certificate as well as any number of CA'
+               ' certificates needed to establish the certificate\'s'
+               ' authenticity. This file is only required when client side'
+               ' authentication is necessary. If tls_enabled is False, this'
+               ' option is ignored.'),
+    cfg.StrOpt('memcache_tls_keyfile',
+               help='(Optional) Path to a single file containing the client\'s'
+               ' private key in. Otherwhise the private key will be taken from'
+               ' the file specified in tls_certfile. If tls_enabled is False,'
+               ' this option is ignored.'),
+    cfg.StrOpt('memcache_tls_allowed_ciphers',
+               help='(Optional) Set the available ciphers for sockets created'
+               ' with the TLS context. It should be a string in the OpenSSL'
+               ' cipher list format. If not specified, all OpenSSL enabled'
+               ' ciphers will be available.'),
    cfg.IntOpt('memcache_pool_dead_retry',
               default=5 * 60,
               help='(Optional) Number of seconds memcached server is'
--- a/keystonemiddleware/tests/unit/test_opts.py
+++ b/keystonemiddleware/tests/unit/test_opts.py
@@ -58,6 +58,11 @@ class OptsTestCase(utils.TestCase):
            'memcache_security_strategy',
            'memcache_secret_key',
            'memcache_use_advanced_pool',
+            'memcache_tls_enabled',
+            'memcache_tls_cafile',
+            'memcache_tls_certfile',
+            'memcache_tls_keyfile',
+            'memcache_tls_allowed_ciphers',
            'memcache_pool_dead_retry',
            'memcache_pool_maxsize',
            'memcache_pool_unused_timeout',
@@ -106,6 +111,11 @@ class OptsTestCase(utils.TestCase):
            'memcache_security_strategy',
            'memcache_secret_key',
            'memcache_use_advanced_pool',
+            'memcache_tls_enabled',
+            'memcache_tls_cafile',
+            'memcache_tls_certfile',
+            'memcache_tls_keyfile',
+            'memcache_tls_allowed_ciphers',
            'memcache_pool_dead_retry',
            'memcache_pool_maxsize',
            'memcache_pool_unused_timeout',
--- a/releasenotes/notes/tls-support-via-oslo-cache-51d744dd8a3f6ba0.yaml
+++ b/releasenotes/notes/tls-support-via-oslo-cache-51d744dd8a3f6ba0.yaml
@@ -0,0 +1,4 @@
+---
+other:
+  - |
+    Added tls support to the MemcacheClientPool driver via oslo.cache
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,7 +3,7 @@
 # you find any incorrect lower bounds, let us know or propose a fix.

 keystoneauth1>=3.12.0 # Apache-2.0
-oslo.cache>=1.26.0 # Apache-2.0
+oslo.cache>=3.11.0 # Apache-2.0
 oslo.config>=5.2.0 # Apache-2.0
 oslo.context>=2.19.2 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0