Bug 1304473

Summary: Memcached not built with SASL support
Product: Red Hat OpenStack Reporter: Mike Burns <mburns>
Component: memcachedAssignee: Lon Hohberger <lhh>
Status: CLOSED WONTFIX QA Contact: yeylon <yeylon>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0 (Kilo)CC: apevec, hbrock, jschluet, lars, lhh, markmc, mburns, mlichvar, qe-baseos-daemons, srevivo, yeylon, yguenane
Target Milestone: z4Keywords: ZStream
Target Release: 7.0 (Kilo)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1263696
: 1304493 (view as bug list) Environment:
Last Closed: 2016-02-03 22:06:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1263696    
Bug Blocks: 1252087, 1304493    

Description Mike Burns 2016-02-03 17:59:00 UTC
Because RHEL won't update quick enough, cloning to OSP for our version until RHEL picks this up.

+++ This bug was initially created as a clone of Bug #1263696 +++

Description of problem:

Currently memcached in base is not build with SASL support preventing to secure the memcached instance.


Version-Release number of selected component (if applicable):

memcached-1.4.15-9.el7.x86_64


How reproducible:

always


Steps to Reproduce:
1. Spawn a C7 node
2. yum install memcached
3. vi /etc/sysconfig/memcached (add '-S' in OPTIONS="")
4. start memcached 

Actual results:

Service fails to start with error message :

memcached[18804]: This server is not built with SASL support.


Expected results:

Service should start manually

Additional info:

--- Additional comment from Lars Kellogg-Stedman on 2015-09-16 09:18:40 EDT ---

Should this be against RHEL rather than RDO?  That's where the memcache package lives.

--- Additional comment from Hugh Brock on 2016-02-03 12:11:57 EST ---

We'll need this package rebuilt for secure memcached support in RHELOSP 8.

Comment 3 Lon Hohberger 2016-02-03 21:37:02 UTC
There are a number of potential worries about implementing SASL support in memcached:

a) The python-memcached client does not appear to support SASL, so
   any python application using it will not benefit from running
   memcached with SASL turned on

b) The python-binary-memcached client is not part of RHEL OSP
   
c) Clients written to the python-memcached APIs may not work with
   python-binary-memcached.  While several APIs match up fairly well,
   several do not.

   At a quick glance, this may affect at minimum:
     openstack-heat (openstack-heat-common)
     openstack-keystone (python-keystone)
     openstack-nova (python-nova)

Comment 4 Lon Hohberger 2016-02-03 21:38:40 UTC
Also openstack-designate (python-designate)

Comment 5 Lon Hohberger 2016-02-03 21:54:56 UTC
The above clients all seem to use the standard python-memcache API, and do not appear to have SASL support.

Comment 6 Lon Hohberger 2016-02-03 21:57:11 UTC
It also appears that memcached when run with SASL enabled will not work with non-SASL clients.

Comment 7 RHEL Program Management 2016-02-03 22:06:00 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.