Merge "Add TLS support for Memcached driver"

2025-05-28 04:47:33 +00:00
parent e27ce8dd2e 68d297cb43
commit 8df645f382
2 changed files with 49 additions and 1 deletions
--- a/releasenotes/notes/memcached-tls-support_7dc1a652ff087b83.yaml
+++ b/releasenotes/notes/memcached-tls-support_7dc1a652ff087b83.yaml
@ -0,0 +1,15 @@
+---
+features:
+  - |
+    Added TLS support for Memcached driver.
+
+    The following TLS-related options now can be specifed in the Memcached
+    connection URL as query parameters
+
+    - ``use_ssl``: enable SSL/TLS connection or not, default is "False"
+    - ``ca_cert``: CA file to use for authentication
+    - ``ssl_cert``: path to client public key certificate file
+    - ``ssl_key``: path to client private key file
+    - ``ssl_key_password``: password for decrypting the private key
+    - ``ssl_check_hostname``: verify server hostname against its certificate
+    - ``ssl_ciphers``: available ciphers, a string in the OpenSSL cipher list format
--- a/tooz/drivers/memcached.py
+++ b/tooz/drivers/memcached.py
@ -18,7 +18,9 @@ import errno
 import functools
 import logging
 import socket
+import ssl

+from oslo_utils import strutils
 from pymemcache import client as pymemcache_client

 import tooz
@ -205,6 +207,13 @@ class MemcachedDriver(coordination.CoordinationDriverCachedRunWatchers,
    lock_timeout        30
    leader_timeout      30
    max_pool_size       None
+    use_ssl             False
+    ca_cert             None
+    ssl_key             None
+    ssl_key_password    None
+    ssl_cert            None
+    ssl_ciphers         None
+    ssl_check_hostname  False
    ==================  =======

    General recommendations/usage considerations:
@ -263,6 +272,29 @@ class MemcachedDriver(coordination.CoordinationDriverCachedRunWatchers,
        else:
            self.max_pool_size = None
        self._acquired_locks = []
+        self.ssl_context = None
+        use_ssl = self._options.get('use_ssl', 'False')
+        use_ssl = strutils.bool_from_string(use_ssl,
+                                            strict=False,
+                                            default=False)
+        if use_ssl:
+            ca_cert = self._options.get('ca_cert')
+            ssl_key = self._options.get('ssl_key')
+            ssl_cert = self._options.get('ssl_cert')
+            ssl_key_password = self._options.get('ssl_key_password')
+            ciphers = self._options.get('ssl_ciphers')
+            check_hostname = self._options.get('ssl_check_hostname', 'False')
+            check_hostname = strutils.bool_from_string(check_hostname,
+                                                       strict=False,
+                                                       default=False)
+            self.ssl_context = ssl.create_default_context(
+                               ssl.Purpose.SERVER_AUTH, cafile=ca_cert)
+            if ciphers is not None:
+                self.ssl_context.set_ciphers(ciphers)
+            self.ssl_context.check_hostname = check_hostname
+            self.ssl_context.load_cert_chain(certfile=ssl_cert,
+                                             keyfile=ssl_key,
+                                             password=ssl_key_password)

    @staticmethod
    def _msgpack_serializer(key, value):
@ -288,7 +320,8 @@ class MemcachedDriver(coordination.CoordinationDriverCachedRunWatchers,
            deserializer=self._msgpack_deserializer,
            timeout=self.timeout,
            connect_timeout=self.timeout,
-            max_pool_size=self.max_pool_size)
+            max_pool_size=self.max_pool_size,
+            tls_context=self.ssl_context)
        # Run heartbeat here because pymemcache use a lazy connection
        # method and only connect once you do an operation.
        self.heartbeat()