Description of problem:
Memcached instances running at overcloud can be accessed by anyone who knows their IPs.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-46.el7ost.noarch
Based on the project documentation SASL is the mechanism to use to secure the memcached instances. The memcached package provided in base isn't compiled with SASL support, hence blocking this ticket. BZ posted https://bugzilla.redhat.com/show_bug.cgi?id=1263696
This can't be fixed without significant work upstream in OpenStack. The following components in OpenStack use memcached:

keystone
heat
nova
designate
zaqar

None of these currently have support for using a SASL configured memcached. memcached explicitly disables non-SASL connections when it's running with SASL. Also, SASL support would require a new Python library which we currently don't ship (python-binary-memcached) because the current python-memcached doesn't support binary mode.

Basically, to do this, we need to fix *each* of the above components to be able to use SASL auth with memcached (probably upstream).
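
The dependency on binary mode discussed in the last comment, as an added example that is not part of the ticket or of any OpenStack component: SASL authentication in memcached is a binary-protocol command, so a client that only emits text commands cannot produce it. The sketch builds a SASL PLAIN request and parses a response header; the user name, password and response bytes are constructed sample values.

```python
import struct

# Memcached binary protocol: fixed 24-byte header, network byte order.
# Fields: magic, opcode, key length, extras length, data type,
# vbucket id (request) or status (response), total body length, opaque, CAS.
HEADER = struct.Struct("!BBHBBHIIQ")
MAGIC_REQUEST, MAGIC_RESPONSE = 0x80, 0x81
OP_SASL_AUTH = 0x21
STATUS_OK, STATUS_AUTH_ERROR = 0x0000, 0x0020


def build_request(opcode, key=b"", value=b""):
    """Pack a binary request: header, then key, then value (no extras)."""
    body_len = len(key) + len(value)
    return HEADER.pack(MAGIC_REQUEST, opcode, len(key), 0, 0, 0,
                       body_len, 0, 0) + key + value


def sasl_plain_request(username, password):
    """SASL Auth: key names the mechanism, value is the PLAIN token."""
    token = b"\x00" + username.encode() + b"\x00" + password.encode()
    return build_request(OP_SASL_AUTH, key=b"PLAIN", value=token)


def is_binary_request(data):
    """Text commands ('get k\\r\\n') start with ASCII, never the 0x80 magic."""
    return len(data) >= HEADER.size and data[0] == MAGIC_REQUEST


def parse_response(data):
    """Return (opcode, status, body) from a binary-protocol response."""
    if len(data) < HEADER.size:
        raise ValueError("response shorter than the 24-byte header")
    magic, opcode, _k, _e, _t, status, body_len, _o, _c = HEADER.unpack_from(data)
    if magic != MAGIC_RESPONSE:
        raise ValueError("not a binary-protocol response")
    body = data[HEADER.size:HEADER.size + body_len]
    if len(body) != body_len:
        raise ValueError("truncated body")
    return opcode, status, body


if __name__ == "__main__":
    req = sasl_plain_request("svc", "example-pass")  # constructed credentials
    print("binary request:", is_binary_request(req), req.hex())
    print("text request is binary:", is_binary_request(b"get foo\r\n"))
    # Constructed reply for a rejected login (status 0x0020, auth error).
    reply = HEADER.pack(MAGIC_RESPONSE, OP_SASL_AUTH, 0, 0, 0,
                        STATUS_AUTH_ERROR, 13, 0, 0) + b"Auth failure."
    print(parse_response(reply))
```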