Merge "Support SASL for memcached"

2025-02-07 16:06:49 +00:00
parent ef54c0ed83 6679503551
commit 557d173eee
7 changed files with 62 additions and 11 deletions
--- a/doc/requirements.txt
+++ b/doc/requirements.txt
@@ -12,6 +12,7 @@ sphinxcontrib-svg2pdfconverter>=0.1.0 # BSD
 oslotest>=3.2.0 # Apache-2.0
 requests-mock>=1.2.0 # Apache-2.0
 testresources>=2.0.0 # Apache-2.0/BSD
+python-binary-memcached>=0.29.0 # MIT
 python-memcached>=1.56 # PSF
 WebTest>=2.0.27 # MIT
 oslo.messaging>=5.29.0 # Apache-2.0
--- a/keystonemiddleware/auth_token/init.py
+++ b/keystonemiddleware/auth_token/init.py
@@ -872,6 +872,9 @@ class AuthProtocol(BaseAuthProtocol):
            unused_timeout=self._conf.get('memcache_pool_unused_timeout'),
            conn_get_timeout=self._conf.get('memcache_pool_conn_get_timeout'),
            socket_timeout=self._conf.get('memcache_pool_socket_timeout'),
+            sasl_enabled=self._conf.get('memcache_sasl_enabled'),
+            username=self._conf.get('memcache_username'),
+            password=self._conf.get('memcache_password'),
        )

        if security_strategy.lower() != 'none':
--- a/keystonemiddleware/auth_token/_cache.py
+++ b/keystonemiddleware/auth_token/_cache.py
@@ -52,8 +52,11 @@ class _EnvCachePool(object):
 class _CachePool(list):
    """A lazy pool of cache references."""

-    def __init__(self, memcached_servers, log):
+    def __init__(self, memcached_servers, log, arguments):
        self._memcached_servers = memcached_servers
+        self._sasl_enabled = arguments.get("sasl_enabled", False)
+        self._username = arguments.get("username", None)
+        self._password = arguments.get("password", None)
        if not self._memcached_servers:
            log.warning(
                "Using the in-process token cache is deprecated as of the "
@@ -73,8 +76,13 @@ class _CachePool(list):
        except IndexError:
            # the pool is empty, so we need to create a new client
            if self._memcached_servers:
-                import memcache
-                c = memcache.Client(self._memcached_servers, debug=0)
+                if self._sasl_enabled:
+                    import bmemcached
+                    c = bmemcached.Client(self._memcached_servers,
+                                          self._username, self._password)
+                else:
+                    import memcache
+                    c = memcache.Client(self._memcached_servers, debug=0)
            else:
                c = _FakeClient()

@@ -88,12 +96,22 @@ class _MemcacheClientPool(object):
    """An advanced memcached client pool that is eventlet safe."""

    def __init__(self, memcache_servers, arguments, **kwargs):
-        # NOTE(sileht): This will import python-memcached, we don't want
-        # it as hard dependency, so lazy load it.
-        from oslo_cache import _memcache_pool
-        self._pool = _memcache_pool.MemcacheClientPool(memcache_servers,
-                                                       arguments,
-                                                       **kwargs)
+        # NOTE(sileht): This will import python-memcached and
+        # python-binary-memcached , we don't want it as hard
+        # dependency, so lazy load it.
+        self._sasl_enabled = arguments.pop("sasl_enabled", False)
+        if self._sasl_enabled:
+            from oslo_cache import _bmemcache_pool
+            self._pool = _bmemcache_pool.BMemcacheClientPool(memcache_servers,
+                                                             arguments,
+                                                             **kwargs)
+        else:
+            from oslo_cache import _memcache_pool
+            arguments.pop("username", None)
+            arguments.pop("password", None)
+            self._pool = _memcache_pool.MemcacheClientPool(memcache_servers,
+                                                           arguments,
+                                                           **kwargs)

    @contextlib.contextmanager
    def reserve(self):
@@ -132,7 +150,10 @@ class TokenCache(object):
        self._use_advanced_pool = use_advanced_pool
        self._arguments = {
            'dead_retry': dead_retry,
-            'socket_timeout': socket_timeout
+            'socket_timeout': socket_timeout,
+            'sasl_enabled': kwargs.pop("sasl_enabled", False),
+            'username': kwargs.pop("username", None),
+            'password': kwargs.pop("password", None)
        }
        self._memcache_pool_options = kwargs

@@ -156,7 +177,8 @@ class TokenCache(object):
                    "implementation from oslo.cache. This can be enabled"
                    "through config option memcache_use_advanced_pool = True")

-            return _CachePool(self._memcached_servers, self._LOG)
+            return _CachePool(self._memcached_servers, self._LOG,
+                              self._arguments)

    def initialize(self, env):
        if self._initialized:
--- a/keystonemiddleware/auth_token/_opts.py
+++ b/keystonemiddleware/auth_token/_opts.py
@@ -181,6 +181,16 @@ _OPTS = [
               help='The name or type of the service as it appears in the'
               ' service catalog. This is used to validate tokens that have'
               ' restricted access rules.'),
+    cfg.BoolOpt('memcache_sasl_enabled',
+                default=False,
+                help='Enable the SASL(Simple Authentication and Security'
+                     ' Layer) if the SASL_enable is true, else disable.'),
+    cfg.StrOpt('memcache_username',
+               default='',
+               help='the user name for the SASL'),
+    cfg.StrOpt('memcache_password',
+               default='',
+               help='the username password for SASL'),
 ]


--- a/keystonemiddleware/tests/unit/test_opts.py
+++ b/keystonemiddleware/tests/unit/test_opts.py
@@ -63,6 +63,9 @@ class OptsTestCase(utils.TestCase):
            'memcache_pool_unused_timeout',
            'memcache_pool_conn_get_timeout',
            'memcache_pool_socket_timeout',
+            'memcache_sasl_enabled',
+            'memcache_username',
+            'memcache_password',
            'include_service_catalog',
            'enforce_token_bind',
            'auth_type',
@@ -108,6 +111,9 @@ class OptsTestCase(utils.TestCase):
            'memcache_pool_unused_timeout',
            'memcache_pool_conn_get_timeout',
            'memcache_pool_socket_timeout',
+            'memcache_sasl_enabled',
+            'memcache_username',
+            'memcache_password',
            'include_service_catalog',
            'enforce_token_bind',
            'auth_type',
--- a/releasenotes/notes/enable-sasl-protocol-946149083f604216.yaml
+++ b/releasenotes/notes/enable-sasl-protocol-946149083f604216.yaml
@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Add the feature to support SASL for keystonemiddleware to improve
+    the security of authority.
+    memcache_sasl_enabled: enable the SASL option or not.
+    memcache_username: the user name for the SASL
+    memcache_password: the user password for SASL
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -10,6 +10,7 @@ requests-mock>=1.2.0 # Apache-2.0
 stestr>=2.0.0  # Apache-2.0
 testresources>=2.0.0 # Apache-2.0/BSD
 testtools>=2.2.0 # MIT
+python-binary-memcached>=0.29.0 # MIT
 python-memcached>=1.59 # PSF
 WebTest>=2.0.27 # MIT
 oslo.messaging>=5.29.0 # Apache-2.0