Bug 1252087 - Secure memcached installation for overcloud
Status: CLOSED CANTFIX
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: unspecified
Target Milestone: ga
Target Release: 8.0 (Liberty)
Assigned To: Yanis Guenane
QA Contact: Alexander Chuzhoy
Keywords: Security, ZStream
Depends On: 1263696 1304473 1304493
Reported: 2015-08-10 12:48 EDT by Giulio Fidente
Modified: 2016-02-03 17:44 EST
Doc Type: Bug Fix
Clone Of: 1252083
Last Closed: 2016-02-03 17:44:28 EST
Type: Bug


Description Giulio Fidente 2015-08-10 12:48:19 EDT
Description of problem:
Memcached instances running on the overcloud can be accessed by anyone who knows their IPs.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-46.el7ost.noarch
Comment 3 Yanis Guenane 2015-09-16 08:43:59 EDT
Based on the project documentation, SASL is the mechanism to use to secure the memcached instances.

The memcached package provided in base isn't compiled with SASL support, hence blocking this ticket.

BZ posted https://bugzilla.redhat.com/show_bug.cgi?id=1263696
Comment 4 Mike Burns 2016-02-03 16:56:35 EST
This can't be fixed without significant work upstream in OpenStack. The following components in OpenStack use memcached:

keystone
heat
nova
designate
zaqar

None of these currently have support for using a SASL-configured memcached. memcached explicitly disables non-SASL connections when it's running with SASL. Also, SASL support would require a new Python library which we currently don't ship (python-binary-memcached) because the current python-memcached doesn't support binary mode.

Basically, to do this, we need to fix *each* of the above components to be able to use SASL auth with memcached (probably upstream).
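
A check for the exposure described in this report, as an added example that is not part of the bug thread or of any Red Hat or OpenStack code: it sends one binary-protocol NOOP to a memcached instance you operate and reports whether the instance answered without authentication or refused with the SASL auth-error status. The function names, the opaque value and the sample replies are constructed for illustration; the 24-byte header layout, opcode 0x0a and status 0x0020 come from the memcached binary protocol.

```python
import socket
import struct

# 24-byte memcached binary-protocol header: magic, opcode, key length,
# extras length, data type, status (vbucket id in requests), body length,
# opaque, CAS.
HEADER = struct.Struct(">BBHBBHIIQ")
REQ_MAGIC, RES_MAGIC = 0x80, 0x81
OP_NOOP = 0x0A                # refused before authentication when SASL is on
STATUS_OK, STATUS_AUTH_ERROR = 0x0000, 0x0020
OPAQUE = 0x00C0FFEE           # constructed value, echoed back by the server

def build_noop(opaque=OPAQUE):
    """Binary NOOP request: header only, no key, extras or value."""
    return HEADER.pack(REQ_MAGIC, OP_NOOP, 0, 0, 0, 0, 0, opaque, 0)

def classify(reply, opaque=OPAQUE):
    """Map the first bytes of a server reply to an audit verdict."""
    if len(reply) < HEADER.size:
        return "no-binary-reply"          # closed early or not binary mode
    magic, opcode, _, _, _, status, _, echoed, _ = HEADER.unpack_from(reply)
    if magic != RES_MAGIC or opcode != OP_NOOP or echoed != opaque:
        return "not-memcached-binary"
    if status == STATUS_OK:
        return "open"                     # answered without authentication
    if status == STATUS_AUTH_ERROR:
        return "sasl-required"
    return "status-0x%04x" % status

def probe(host, port=11211, timeout=3.0):
    """Send one NOOP to an instance you operate and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_noop())
            data = s.makefile("rb").read(HEADER.size)  # stops early on EOF
    except OSError:
        return "unreachable-or-timeout"
    return classify(data)

# Constructed sample replies (not captured traffic).
SAMPLE_OPEN = HEADER.pack(RES_MAGIC, OP_NOOP, 0, 0, 0, STATUS_OK, 0, OPAQUE, 0)
SAMPLE_SASL = HEADER.pack(RES_MAGIC, OP_NOOP, 0, 0, 0, STATUS_AUTH_ERROR,
                          13, OPAQUE, 0) + b"Auth failure."

if __name__ == "__main__":
    print(classify(SAMPLE_OPEN), classify(SAMPLE_SASL))
```

A verdict of "open" from a host outside the controller network means the instance is reachable in the way the description reports.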
