openstack/tooz
Code Issues Proposed changes

Merge "Add TLS support for Memcached driver"

Browse Source
This commit is contained in:
Zuul
2025-05-28 04:47:33 +00:00
committed by Gerrit Code Review
parent e27ce8dd2e 68d297cb43
commit 8df645f382
2 changed files with 49 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
releasenotes/notes/memcached-tls-support_7dc1a652ff087b83.yaml Normal file
View File

@@ -0,0 +1,15 @@
---
features:
- |
Added TLS support for Memcached driver.
The following TLS-related options now can be specifed in the Memcached
connection URL as query parameters
- ``use_ssl``: enable SSL/TLS connection or not, default is "False"
- ``ca_cert``: CA file to use for authentication
- ``ssl_cert``: path to client public key certificate file
- ``ssl_key``: path to client private key file
- ``ssl_key_password``: password for decrypting the private key
- ``ssl_check_hostname``: verify server hostname against its certificate
- ``ssl_ciphers``: available ciphers, a string in the OpenSSL cipher list format

35
tooz/drivers/memcached.py
View File

@@ -18,7 +18,9 @@ import errno
import functools import functools
import logging import logging
import socket import socket
import ssl
from oslo_utils import strutils
from pymemcache import client as pymemcache_client from pymemcache import client as pymemcache_client
import tooz import tooz
@@ -205,6 +207,13 @@ class MemcachedDriver(coordination.CoordinationDriverCachedRunWatchers,
lock_timeout 30 lock_timeout 30
leader_timeout 30 leader_timeout 30
max_pool_size None max_pool_size None
use_ssl False
ca_cert None
ssl_key None
ssl_key_password None
ssl_cert None
ssl_ciphers None
ssl_check_hostname False
================== ======= ================== =======
General recommendations/usage considerations: General recommendations/usage considerations:
@@ -263,6 +272,29 @@ class MemcachedDriver(coordination.CoordinationDriverCachedRunWatchers,
else: else:
self.max_pool_size = None self.max_pool_size = None
self._acquired_locks = [] self._acquired_locks = []
self.ssl_context = None
use_ssl = self._options.get('use_ssl', 'False')
use_ssl = strutils.bool_from_string(use_ssl,
strict=False,
default=False)
if use_ssl:
ca_cert = self._options.get('ca_cert')
ssl_key = self._options.get('ssl_key')
ssl_cert = self._options.get('ssl_cert')
ssl_key_password = self._options.get('ssl_key_password')
ciphers = self._options.get('ssl_ciphers')
check_hostname = self._options.get('ssl_check_hostname', 'False')
check_hostname = strutils.bool_from_string(check_hostname,
strict=False,
default=False)
self.ssl_context = ssl.create_default_context(
ssl.Purpose.SERVER_AUTH, cafile=ca_cert)
if ciphers is not None:
self.ssl_context.set_ciphers(ciphers)
self.ssl_context.check_hostname = check_hostname
self.ssl_context.load_cert_chain(certfile=ssl_cert,
keyfile=ssl_key,
password=ssl_key_password)
@staticmethod @staticmethod
def _msgpack_serializer(key, value): def _msgpack_serializer(key, value):
@@ -288,7 +320,8 @@ class MemcachedDriver(coordination.CoordinationDriverCachedRunWatchers,
deserializer=self._msgpack_deserializer, deserializer=self._msgpack_deserializer,
timeout=self.timeout, timeout=self.timeout,
connect_timeout=self.timeout, connect_timeout=self.timeout,
max_pool_size=self.max_pool_size) max_pool_size=self.max_pool_size,
tls_context=self.ssl_context)
# Run heartbeat here because pymemcache use a lazy connection # Run heartbeat here because pymemcache use a lazy connection
# method and only connect once you do an operation. # method and only connect once you do an operation.
self.heartbeat() self.heartbeat()