Bug 1252087

Summary: Secure memcached installation for overcloud
Product: Red Hat OpenStack
Reporter: Giulio Fidente <gfidente>
Component: rhosp-director
Assignee: Yanis Guenane <yguenane>
Status: CLOSED CANTFIX
QA Contact: Alexander Chuzhoy <sasha>
Severity: unspecified
Priority: urgent
Version: 8.0 (Liberty)
CC: emacchi, hbrock, mburns, rhel-osp-director-maint, security-response-team, yeylon, yprokule
Target Milestone: ga
Keywords: Security, ZStream
Target Release: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 1252083
Last Closed: 2016-02-03 22:44:28 UTC
Type: Bug
Bug Depends On: 1263696, 1304473, 1304493

Description Giulio Fidente 2015-08-10 16:48:19 UTC
Description of problem:
Memcached instances running on the overcloud can be accessed by anyone who knows their IPs.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-46.el7ost.noarch

Comment 3 Yanis Guenane 2015-09-16 12:43:59 UTC
Based on the project documentation, SASL is the mechanism to use to secure the memcached instances.

The memcached package provided in base isn't compiled with SASL support, hence blocking this ticket.

BZ posted https://bugzilla.redhat.com/show_bug.cgi?id=1263696

Comment 4 Mike Burns 2016-02-03 21:56:35 UTC
This can't be fixed without significant work upstream in OpenStack.  The following components in OpenStack use memcached:

keystone
heat
nova
designate
zaqar

None of these currently have support for using a SASL configured memcached.  memcached explicitly disables non-SASL connections when it's running with SASL.  Also, SASL support would require a new python library which we currently don't ship (python-binary-memcached) because the current python-memcached doesn't support binary mode.

Basically, to do this, we need to fix *each* of the above components to be able to use SASL auth with memcached (probably upstream).
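
Added example (not part of the bug report or of any OpenStack component): a Python check of whether a memcached instance enforces SASL, using the binary protocol that the last comment says SASL depends on. It asks for the SASL mechanism list first, then sends a Noop and reads the status code; all function names are illustrative, and the opcode and status values are those of the memcached binary protocol.

```python
import socket
import struct

# Added example; names are illustrative. Binary protocol: 24-byte header, network order.
HEADER = struct.Struct("!BBHBBHIIQ")
REQ_MAGIC, RES_MAGIC = 0x80, 0x81
OP_NOOP, OP_SASL_LIST_MECHS = 0x0A, 0x20
ST_OK, ST_AUTH_ERROR, ST_UNKNOWN_CMD = 0x0000, 0x0020, 0x0081

def build_request(opcode, key=b"", value=b""):
    """Frame a request with no extras, opaque 0 and CAS 0."""
    return HEADER.pack(REQ_MAGIC, opcode, len(key), 0, 0, 0,
                       len(key) + len(value), 0, 0) + key + value

def parse_response(data):
    """Return (status, body) for one complete binary-protocol response."""
    if len(data) < HEADER.size:
        raise ValueError("short response")
    magic, _op, _klen, _elen, _dtype, status, body_len, _opaque, _cas = HEADER.unpack_from(data)
    if magic != RES_MAGIC:
        raise ValueError("not a binary-protocol response")
    return status, data[HEADER.size:HEADER.size + body_len]

def classify(mechs_resp, noop_resp):
    """Map the replies to SASL List Mechs and Noop onto an auth posture."""
    mechs_status, mechs = parse_response(mechs_resp)
    noop_status, _ = parse_response(noop_resp)
    if noop_status == ST_AUTH_ERROR and mechs_status == ST_OK:
        return "sasl-enforced", mechs.decode("ascii", "replace").split()
    if noop_status == ST_OK:
        return "open", []  # commands are served without authentication
    return "indeterminate", []

def exchange(sock, request):
    """Send one request and read exactly one response frame."""
    sock.sendall(request)
    data = b""
    # Index 6 of the unpacked header is the total body length.
    while len(data) < HEADER.size or len(data) < HEADER.size + HEADER.unpack_from(data)[6]:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed mid-response")
        data += chunk
    return data

def probe(host, port=11211, timeout=3.0):
    """List mechs first: the server may drop the connection after an auth error."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        mechs_resp = exchange(sock, build_request(OP_SASL_LIST_MECHS))
        return classify(mechs_resp, exchange(sock, build_request(OP_NOOP)))
```

A result of `open` from `probe()` against an overcloud controller reproduces the condition in the description; `sasl-enforced` also returns the mechanisms the server offers.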