openstack/puppet-tripleo
Code Issues Proposed changes

Merge "Add authtoken security options" into stable/train

Browse Source
This commit is contained in:
Zuul 2021-02-24 03:42:06 +00:00 committed by Gerrit Code Review
commit cecdba0997
16 changed files with 397 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
manifests/profile/base/aodh/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::aodh::authtoken ( class tripleo::profile::base::aodh::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::aodh::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+aodh")
} else {
$hashed_secret_key = undef
}
class { '::aodh::keystone::authtoken': class { '::aodh::keystone::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/barbican/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', [])
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::barbican::authtoken ( class tripleo::profile::base::barbican::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::barbican::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+barbican")
} else {
$hashed_secret_key = undef
}
class { '::barbican::keystone::authtoken': class { '::barbican::keystone::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/cinder/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::cinder::authtoken ( class tripleo::profile::base::cinder::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::cinder::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+cinder")
} else {
$hashed_secret_key = undef
}
class { '::cinder::keystone::authtoken': class { '::cinder::keystone::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/designate/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::designate::authtoken ( class tripleo::profile::base::designate::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::designate::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+designate")
} else {
$hashed_secret_key = undef
}
class { '::designate::keystone::authtoken': class { '::designate::keystone::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/glance/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::glance::authtoken ( class tripleo::profile::base::glance::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::glance::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+glance")
} else {
$hashed_secret_key = undef
}
class { '::glance::api::authtoken': class { '::glance::api::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/gnocchi/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::gnocchi::authtoken ( class tripleo::profile::base::gnocchi::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::gnocchi::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+gnocchi")
} else {
$hashed_secret_key = undef
}
class { '::gnocchi::keystone::authtoken': class { '::gnocchi::keystone::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/heat/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::heat::authtoken ( class tripleo::profile::base::heat::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::heat::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+heat")
} else {
$hashed_secret_key = undef
}
class { '::heat::keystone::authtoken': class { '::heat::keystone::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/ironic/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::ironic::authtoken ( class tripleo::profile::base::ironic::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::ironic::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+ironic")
} else {
$hashed_secret_key = undef
}
class { '::ironic::api::authtoken': class { '::ironic::api::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/ironic_inspector/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::ironic_inspector::authtoken ( class tripleo::profile::base::ironic_inspector::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::ironic_inspector::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+ironic_inspector")
} else {
$hashed_secret_key = undef
}
class { '::ironic::inspector::authtoken': class { '::ironic::inspector::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/manila/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::manila::authtoken ( class tripleo::profile::base::manila::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::manila::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+manila")
} else {
$hashed_secret_key = undef
}
class { '::manila::keystone::authtoken': class { '::manila::keystone::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/neutron/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::neutron::authtoken ( class tripleo::profile::base::neutron::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::neutron::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+neutron")
} else {
$hashed_secret_key = undef
}
class { '::neutron::keystone::authtoken': class { '::neutron::keystone::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/nova/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::nova::authtoken ( class tripleo::profile::base::nova::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::nova::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+nova")
} else {
$hashed_secret_key = undef
}
class { '::nova::keystone::authtoken': class { '::nova::keystone::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/octavia/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::octavia::authtoken ( class tripleo::profile::base::octavia::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::octavia::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+octavia")
} else {
$hashed_secret_key = undef
}
class { '::octavia::keystone::authtoken': class { '::octavia::keystone::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/panko/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::panko::authtoken ( class tripleo::profile::base::panko::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::panko::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+zaqar")
} else {
$hashed_secret_key = undef
}
class { '::panko::keystone::authtoken': class { '::panko::keystone::authtoken':
memcached_servers => $memcache_servers memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

28
manifests/profile/base/placement/authtoken.pp
View File

@ -25,9 +25,25 @@
# (Optional) Array of ipv4 or ipv6 addresses for memcache. # (Optional) Array of ipv4 or ipv6 addresses for memcache.
# Defaults to hiera('memcached_node_ips') # Defaults to hiera('memcached_node_ips')
# #
# [*memcached_port*]
# (Optional) Memcached port to use.
# Defaults to hiera('memcached_authtoken_port', 11211)
#
# [*security_strategy*]
# (Optional) Memcached (authtoken) security strategy.
# Defaults to hiera('memcached_authtoken_security_strategy', undef)
#
# [*secret_key*]
# (Optional) Memcached (authtoken) secret key, used with security_strategy.
# The key is hashed with a salt, to isolate services.
# Defaults to hiera('memcached_authtoken_secret_key', undef)
#
class tripleo::profile::base::placement::authtoken ( class tripleo::profile::base::placement::authtoken (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$memcached_ips = hiera('memcached_node_ips'), $memcached_ips = hiera('memcached_node_ips', []),
$memcached_port = hiera('memcached_authtoken_port', 11211),
$security_strategy = hiera('memcached_authtoken_security_strategy', undef),
$secret_key = hiera('memcached_authtoken_secret_key', undef),
) { ) {
if $step >= 3 { if $step >= 3 {
@ -37,8 +53,16 @@ class tripleo::profile::base::placement::authtoken (
$memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
} }
if $secret_key {
$hashed_secret_key = sha256("${secret_key}+placement")
} else {
$hashed_secret_key = undef
}
class { '::placement::keystone::authtoken': class { '::placement::keystone::authtoken':
memcached_servers => $memcache_servers, memcached_servers => $memcache_servers,
memcache_security_strategy => $security_strategy,
memcache_secret_key => $hashed_secret_key,
} }
} }
} }

7
releasenotes/notes/add-memcache-security-92060c4fe540774c.yaml Normal file
View File

@ -0,0 +1,7 @@
---
features:
- |
Add ability to specify the memcache_security_strategy and
memcache_secret_key for keystone authtoken middleware. The keys
used by individual services are hashed with a salt (the service
name), to isolate them.