settings: Support optional memcached authentication.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>

puppet/zulip/manifests/app_frontend_base.pp

@@ -3,6 +3,7 @@
 class zulip::app_frontend_base {
   include zulip::common
   include zulip::nginx
+  include zulip::sasl_modules
   include zulip::supervisor
 
   if $::osfamily == 'debian' {
@@ -153,4 +154,15 @@ class zulip::app_frontend_base {
     mode    => '0755',
     source  => 'puppet:///modules/zulip/nagios_plugins/zulip_app_frontend',
   }
+
+  if $::osfamily == 'debian' {
+    # The pylibmc wheel looks for SASL plugins in the wrong place.
+    file { '/usr/lib64':
+      ensure => directory,
+    }
+    file { '/usr/lib64/sasl2':
+      ensure => link,
+      target => "/usr/lib/${::rubyplatform}/sasl2",
+    }
+  }
 }

puppet/zulip/manifests/sasl_modules.pp

@@ -0,0 +1,7 @@
+class zulip::sasl_modules {
+  $sasl_module_packages = $::osfamily ? {
+    'debian' => [ 'libsasl2-modules' ],
+    'redhat' => [ 'cyrus-sasl-plain' ],
+  }
+  package { $sasl_module_packages: ensure => 'installed' }
+}

scripts/setup/flush-memcached

@@ -12,5 +12,8 @@ import pylibmc
 
 pylibmc.Client(
     [settings.MEMCACHED_LOCATION],
+    binary=True,
+    username=settings.MEMCACHED_USERNAME,
+    password=settings.MEMCACHED_PASSWORD,
     behaviors=settings.CACHES["default"]["OPTIONS"]  # type: ignore # settings not typed properly
 ).flush_all()

zilencer/management/commands/populate_db.py

@@ -57,7 +57,10 @@ def clear_database() -> None:
     if default_cache['BACKEND'] == 'django_pylibmc.memcached.PyLibMCCache':
         pylibmc.Client(
             [default_cache['LOCATION']],
-            behaviors=default_cache["OPTIONS"]  # type: ignore # settings not typed properly
+            binary=True,
+            username=default_cache["USERNAME"],
+            password=default_cache["PASSWORD"],
+            behaviors=default_cache["OPTIONS"],
         ).flush_all()
 
     model = None  # type: Any # Hack because mypy doesn't know these are model classes

zproject/default_settings.py

@@ -108,6 +108,7 @@ BOT_CONFIG_SIZE_LIMIT = 10000
 # External service configuration
 CAMO_URI = ''
 MEMCACHED_LOCATION = '127.0.0.1:11211'
+MEMCACHED_USERNAME = None if get_secret("memcached_password") is None else "zulip"
 RABBITMQ_HOST = '127.0.0.1'
 RABBITMQ_USERNAME = 'zulip'
 REDIS_HOST = '127.0.0.1'

zproject/dev_settings.py

@@ -166,3 +166,5 @@ USE_X_FORWARDED_PORT = True
 
 # Override the default SAML entity ID
 SOCIAL_AUTH_SAML_SP_ENTITY_ID = "http://localhost:9991/"
+
+MEMCACHED_USERNAME = None

zproject/prod_settings_template.py

@@ -571,6 +571,9 @@ CAMO_URI = '/external_content/'
 # to use a remote Memcached instance, set MEMCACHED_LOCATION here.
 # Format HOST:PORT
 # MEMCACHED_LOCATION = 127.0.0.1:11211
+# To authenticate to memcached, set memcached_password in zulip-secrets.conf,
+# and optionally change the default username 'zulip' here.
+# MEMCACHED_USERNAME = 'zulip'
 
 # Redis configuration
 #

zproject/settings.py

@@ -313,13 +313,17 @@ SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"
 PYLIBMC_MIN_COMPRESS_LEN = 100 * 1024
 PYLIBMC_COMPRESS_LEVEL = 1
 
+MEMCACHED_PASSWORD = get_secret("memcached_password")
+
 CACHES = {
     'default': {
         'BACKEND': 'django_pylibmc.memcached.PyLibMCCache',
         'LOCATION': MEMCACHED_LOCATION,
         'TIMEOUT': 3600,
+        'BINARY': True,
+        'USERNAME': MEMCACHED_USERNAME,
+        'PASSWORD': MEMCACHED_PASSWORD,
         'OPTIONS': {
-            'verify_keys': True,
             'tcp_nodelay': True,
             'retry_timeout': 1,
         }