From d4f3cec629d230c4ed23b46e5057ffd8e794d3e0 Mon Sep 17 00:00:00 2001
From: Marek Zawadzki
Date: Wed, 22 Feb 2017 11:13:42 +0100
Subject: [PATCH] Enable memcache protection for keystone

Done accordingly to:
* https://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#memcache-protection
* https://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html
Change-Id: I91b279e5433569393275ff334d63b43b211a014d
---
 exports/keystone_authtoken.j2 | 4 ++++
 service/files/defaults.yaml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/exports/keystone_authtoken.j2 b/exports/keystone_authtoken.j2
index 2d712e7..7cddfaa 100644
--- a/exports/keystone_authtoken.j2
+++ b/exports/keystone_authtoken.j2
@@ -12,4 +12,8 @@ memcached_servers = {{ address("memcached", memcached.port) }}
 {% if keystone.tls.enabled %}
 cafile = /opt/ccp/etc/tls/ca.pem
 {% endif %}
+{% if keystone.encrypt_tokens_in_memcached.enabled %}
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ keystone.encrypt_tokens_in_memcached.secret_key }}
+{% endif %}
 {%- endmacro %}
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 528b923..f3a78cb 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -27,6 +27,10 @@ configs:
 # format can be basic or cadf:
 format: cadf
+ encrypt_tokens_in_memcached:
+ enabled: true
+ secret_key: password
+
 openstack:
 user_password: password
 user_name: admin
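Review bot: The new `{% if keystone.encrypt_tokens_in_memcached.enabled %}` branch in exports/keystone_authtoken.j2 renders `memcache_secret_key` without checking that `secret_key` is set. An override that enables the feature but leaves the key empty would put `memcache_secret_key = ` into the config of every service that imports this macro. As far as I recall, keystonemiddleware rejects a security strategy with no key when the filter starts, so the error would surface in each consuming service rather than at render time; that is worth confirming. I would at least document the contract in the template with `{# secret_key must be a non-empty, per-deployment random value #}`. The macro starts above the hunk, so how the other rendered secrets are treated is not visible here.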
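Review bot: In service/files/defaults.yaml, `secret_key: password` ships as the default together with `enabled: true`, so any deployment that does not override it protects its cached tokens with a key that is published in this repository. In that state `ENCRYPT` gives no protection against someone who can read or write the memcached instance, which is the case the option exists for. I would remove the usable default so the operator has to supply a key, for example `enabled: false` with `secret_key: null`, or have the deployment tooling generate a random value. A comment such as `# secret_key: set to a long random per-deployment value; do not keep the sample` would also help. The neighbouring `user_password: password` suggests placeholder defaults are the convention in this file, so the same caveat probably applies there.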