From 59b54b6f46b2089b0480a276463f8d5d1de9f307 Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza <xek@redhat.com>
Date: Tue, 5 Jan 2021 15:00:23 +0100
Subject: [PATCH] Add authtoken security options

Add ability to specify the memcache_security_strategy and
memcache_secret_key for keystone authtoken middleware.
The keys for individual services are hashed with a salt,
to isolate them.

Change-Id: I8d558cac3c23c3c0708e7e00d7bb83ac91795bb7
---
 manifests/profile/base/aodh/authtoken.pp      | 21 ++++++++++++++++++-
 manifests/profile/base/barbican/authtoken.pp  | 21 ++++++++++++++++++-
 manifests/profile/base/cinder/authtoken.pp    | 21 ++++++++++++++++++-
 manifests/profile/base/designate/authtoken.pp | 21 ++++++++++++++++++-
 manifests/profile/base/glance/authtoken.pp    | 21 ++++++++++++++++++-
 manifests/profile/base/gnocchi/authtoken.pp   | 21 ++++++++++++++++++-
 manifests/profile/base/heat/authtoken.pp      | 21 ++++++++++++++++++-
 manifests/profile/base/ironic/authtoken.pp    | 21 ++++++++++++++++++-
 .../base/ironic_inspector/authtoken.pp        | 21 ++++++++++++++++++-
 manifests/profile/base/manila/authtoken.pp    | 21 ++++++++++++++++++-
 manifests/profile/base/mistral/authtoken.pp   | 21 ++++++++++++++++++-
 manifests/profile/base/neutron/authtoken.pp   | 21 ++++++++++++++++++-
 manifests/profile/base/nova/authtoken.pp      | 21 ++++++++++++++++++-
 manifests/profile/base/novajoin/authtoken.pp  | 21 ++++++++++++++++++-
 manifests/profile/base/octavia/authtoken.pp   | 21 ++++++++++++++++++-
 manifests/profile/base/placement/authtoken.pp | 21 ++++++++++++++++++-
 manifests/profile/base/zaqar/authtoken.pp     | 21 ++++++++++++++++++-
 ...dd-memcache-security-92060c4fe540774c.yaml |  7 +++++++
 18 files changed, 347 insertions(+), 17 deletions(-)
 create mode 100644 releasenotes/notes/add-memcache-security-92060c4fe540774c.yaml

diff --git a/manifests/profile/base/aodh/authtoken.pp b/manifests/profile/base/aodh/authtoken.pp
index 785d55422..cd6a4b097 100644
--- a/manifests/profile/base/aodh/authtoken.pp
+++ b/manifests/profile/base/aodh/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::aodh::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
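Review bot: The new `[*secret_key*]` doc calls the service name a salt, but a fixed, publicly known label gives domain separation, not a salt: the derived key is exactly as secret as the shared hiera value, and anyone holding that value can derive every service's key. Suggest rewording the added comment to `#   The shared key is concatenated with the service name and hashed, so each service gets a distinct key; the result is only as secret as the shared key.` It would also help the reader to name the strategies this value is meaningful for (keystonemiddleware's `memcache_security_strategy` takes `MAC` or `ENCRYPT`), since the key is ignored without one. The same doc text is added verbatim in the barbican through zaqar manifests and should be adjusted there too.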
@@ -42,8 +53,16 @@ class tripleo::profile::base::aodh::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+aodh")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'aodh::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
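Review bot: `if $secret_key` lets an empty string through: in Puppet 4+ `''` is truthy, so a blank `memcached_authtoken_secret_key` yields `sha256('+aodh')`, a key derived from nothing but the public service name, which keystonemiddleware would then use for its MAC/ENCRYPT protection of cached tokens. Guard with `if $secret_key and $secret_key != '' {` so a blank value falls through to `undef` like an absent one. Separately, `memcache_security_strategy` is passed through even when `$hashed_secret_key` is undef; as far as I recall keystonemiddleware refuses to start when a strategy is set without a key, so a `fail()` here when `$security_strategy` is set but the key is missing would surface the misconfiguration at catalog compile time rather than at service start. This eight-line block is repeated verbatim in the barbican through zaqar manifests (ironic_inspector included); a shared helper taking the service name as its argument would keep the seventeen copies from drifting.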
diff --git a/manifests/profile/base/barbican/authtoken.pp b/manifests/profile/base/barbican/authtoken.pp
index 95af9d6c8..1e8e82b8c 100644
--- a/manifests/profile/base/barbican/authtoken.pp
+++ b/manifests/profile/base/barbican/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', [])
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::barbican::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
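Review bot: The context line just above the new parameter docs reads `Defaults to hiera('memcached_authtoken_port', [])`, but `$memcached_port` defaults to `11211` in the signature below, as every other manifest in this series documents. Since this hunk already edits that comment block, correcting the line to `#   Defaults to hiera('memcached_authtoken_port', 11211)` here is cheap.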
@@ -42,8 +53,16 @@ class tripleo::profile::base::barbican::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+barbican")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'barbican::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/cinder/authtoken.pp b/manifests/profile/base/cinder/authtoken.pp
index c4edf001e..1ead22b25 100644
--- a/manifests/profile/base/cinder/authtoken.pp
+++ b/manifests/profile/base/cinder/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::cinder::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::cinder::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+cinder")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'cinder::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/designate/authtoken.pp b/manifests/profile/base/designate/authtoken.pp
index d5856c2cc..526f869ef 100644
--- a/manifests/profile/base/designate/authtoken.pp
+++ b/manifests/profile/base/designate/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::designate::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::designate::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+designate")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'designate::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/glance/authtoken.pp b/manifests/profile/base/glance/authtoken.pp
index 0ab02f2c8..cf39e0189 100644
--- a/manifests/profile/base/glance/authtoken.pp
+++ b/manifests/profile/base/glance/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::glance::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::glance::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+glance")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'glance::api::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/gnocchi/authtoken.pp b/manifests/profile/base/gnocchi/authtoken.pp
index 40f106b75..c23993a1f 100644
--- a/manifests/profile/base/gnocchi/authtoken.pp
+++ b/manifests/profile/base/gnocchi/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::gnocchi::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::gnocchi::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+gnocchi")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'gnocchi::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/heat/authtoken.pp b/manifests/profile/base/heat/authtoken.pp
index 1a1419688..b1b20bfff 100644
--- a/manifests/profile/base/heat/authtoken.pp
+++ b/manifests/profile/base/heat/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::heat::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::heat::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+heat")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'heat::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/ironic/authtoken.pp b/manifests/profile/base/ironic/authtoken.pp
index 0c861afe6..a62a54213 100644
--- a/manifests/profile/base/ironic/authtoken.pp
+++ b/manifests/profile/base/ironic/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::ironic::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::ironic::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+ironic")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'ironic::api::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/ironic_inspector/authtoken.pp b/manifests/profile/base/ironic_inspector/authtoken.pp
index 85ee9a4f7..5edf8b4f3 100644
--- a/manifests/profile/base/ironic_inspector/authtoken.pp
+++ b/manifests/profile/base/ironic_inspector/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::ironic_inspector::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::ironic_inspector::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+ironic_inspector")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'ironic::inspector::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/manila/authtoken.pp b/manifests/profile/base/manila/authtoken.pp
index 9fa8c0173..96f3bd185 100644
--- a/manifests/profile/base/manila/authtoken.pp
+++ b/manifests/profile/base/manila/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::manila::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::manila::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+manila")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'manila::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/mistral/authtoken.pp b/manifests/profile/base/mistral/authtoken.pp
index 19d50d483..a77f55578 100644
--- a/manifests/profile/base/mistral/authtoken.pp
+++ b/manifests/profile/base/mistral/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::mistral::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::mistral::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+mistral")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'mistral::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/neutron/authtoken.pp b/manifests/profile/base/neutron/authtoken.pp
index 1308cf121..34b8ef4c9 100644
--- a/manifests/profile/base/neutron/authtoken.pp
+++ b/manifests/profile/base/neutron/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::neutron::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::neutron::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+neutron")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'neutron::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/nova/authtoken.pp b/manifests/profile/base/nova/authtoken.pp
index 6d311f0ba..011fa828a 100644
--- a/manifests/profile/base/nova/authtoken.pp
+++ b/manifests/profile/base/nova/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::nova::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::nova::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+nova")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'nova::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/novajoin/authtoken.pp b/manifests/profile/base/novajoin/authtoken.pp
index 095fc17d0..6d8304451 100644
--- a/manifests/profile/base/novajoin/authtoken.pp
+++ b/manifests/profile/base/novajoin/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::novajoin::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::novajoin::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+novajoin")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'nova::metadata::novajoin::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/octavia/authtoken.pp b/manifests/profile/base/octavia/authtoken.pp
index f06764753..ae8f42885 100644
--- a/manifests/profile/base/octavia/authtoken.pp
+++ b/manifests/profile/base/octavia/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::octavia::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::octavia::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+octavia")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'octavia::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/placement/authtoken.pp b/manifests/profile/base/placement/authtoken.pp
index c9806946c..412ec8b44 100644
--- a/manifests/profile/base/placement/authtoken.pp
+++ b/manifests/profile/base/placement/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::placement::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::placement::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+placement")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'placement::keystone::authtoken':
-      memcached_servers => $memcache_servers,
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/manifests/profile/base/zaqar/authtoken.pp b/manifests/profile/base/zaqar/authtoken.pp
index f3e95d804..ab44e21bb 100644
--- a/manifests/profile/base/zaqar/authtoken.pp
+++ b/manifests/profile/base/zaqar/authtoken.pp
@@ -29,10 +29,21 @@
 #   (Optional) Memcached port to use.
 #   Defaults to hiera('memcached_authtoken_port', 11211)
 #
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::zaqar::authtoken (
   $step                = Integer(hiera('step')),
   $memcached_ips       = hiera('memcached_node_ips', []),
   $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
   if $step >= 3 {
@@ -42,8 +53,16 @@ class tripleo::profile::base::zaqar::authtoken (
       $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
     }
 
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+zaqar")
+    } else {
+      $hashed_secret_key = undef
+    }
+
     class { 'zaqar::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
     }
   }
 }
diff --git a/releasenotes/notes/add-memcache-security-92060c4fe540774c.yaml b/releasenotes/notes/add-memcache-security-92060c4fe540774c.yaml
new file mode 100644
index 000000000..68ccbab9e
--- /dev/null
+++ b/releasenotes/notes/add-memcache-security-92060c4fe540774c.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Add ability to specify the memcache_security_strategy and
+    memcache_secret_key for keystone authtoken middleware. The keys
+    used by individual services are hashed with a salt (the service
+    name), to isolate them.