Spec-Zone .ru
specifications, manuals, descriptions, API

14.2.9.4. Security Considerations for the InnoDB memcached Plugin

Caution

Consult this section before deploying the InnoDB memcached plugin on any production servers, or even test servers if the MySQL instance contains any sensitive information.

Because memcached does not use an authentication mechanism by default, and the optional SASL authentication is not as strong as traditional DBMS security measures, make sure to keep only non-sensitive data in the MySQL instance using the InnoDB memcached plugin, and wall off any servers using this configuration from potential intruders. Do not allow memcached access to such servers from the Internet, only from within a firewalled intranet, ideally from a subnet whose membership you can restrict.

14.2.9.4.1. Password-Protecting the memcached Interface through SASL

SASL support lets you protect your MySQL database from unauthenticated access through memcached clients. This section explains how to enable it; the steps are almost identical to those for enabling SASL on a standalone memcached server.

Background Info:

SASL stands for "Simple Authentication and Security Layer", a standard for adding authentication support to connection-based protocols. memcached added SASL support starting in its 1.4.3 release.

For the InnoDB + memcached combination, the table that stores the memcached data must be registered in the container system table, and memcached clients can access only such registered tables. Although the DBA can restrict access to a table registered with the memcached plugin through the MySQL privilege system, those restrictions apply to MySQL connections only: they do not control who can reach the table through memcached applications. This is why a means (SASL) is provided to control who can access InnoDB tables associated with the memcached plugin.

The following section shows how to build, enable, and test an SASL-enabled InnoDB memcached plugin.

Steps to Build and Enable SASL in InnoDB Memcached Plugin:

By default, SASL-enabled InnoDB memcached is not included in the release package, since it relies on building memcached with SASL libraries. To enable this feature, download the MySQL source and rebuild the InnoDB memcached plugin after downloading the SASL libraries:

  1. First, get the SASL development and utility libraries. For example, on Ubuntu, you can get these libraries through:

    sudo apt-get install libsasl2-2 sasl2-bin libsasl2-dev libsasl2-modules
  2. Then build the InnoDB memcached plugin (shared libraries) with SASL capability, by adding ENABLE_MEMCACHED_SASL=1 to the cmake options. In addition, memcached provides a simple plaintext password support, which is easier to use for testing. To enable this, set the option ENABLE_MEMCACHED_SASL_PWDB=1.

    Overall, you add the following three options to the cmake command line:

    cmake ... -DWITH_INNODB_MEMCACHED=1  -DENABLE_MEMCACHED_SASL=1 -DENABLE_MEMCACHED_SASL_PWDB=1
  3. Install the InnoDB memcached plugin as before, as explained in Section 14.2.9.3, "Getting Started with InnoDB Memcached Plugin".

  4. As previously mentioned, memcached provides simple plaintext password support through SASL, which this demo uses.

    1. Create a user named testname with the password testpasswd in a file (one entry per line, in the form user:password followed by seven colons):

      echo "testname:testpasswd:::::::" >/home/jy/memcached-sasl-db
    2. Let memcached know about it by setting the environment variable MEMCACHED_SASL_PWDB:

      export MEMCACHED_SASL_PWDB=/home/jy/memcached-sasl-db
    3. Also tell SASL to use the plaintext (PLAIN) mechanism, and point memcached at that configuration:

      echo "mech_list: plain" > /home/jy/work2/msasl/clients/memcached.conf
      export SASL_CONF_PATH=/home/jy/work2/msasl/clients/memcached.conf
  5. Then restart the MySQL server, passing -S through the daemon_memcached_option option to enable SASL:

    mysqld ... --daemon_memcached_option="-S"
  6. Now the setup is complete. To test it, you need an SASL-enabled client, such as the memcp and memcat tools from a libmemcached built with SASL support.

    memcp --servers=localhost:11211 --binary --username=testname --password=testpasswd myfile.txt
    memcat --servers=localhost:11211 --binary --username=testname --password=testpasswd myfile.txt

    Without the correct user name and password, the operations above are rejected with the error message memcache error AUTHENTICATION FAILURE. Otherwise, they succeed. You can also compare the password you supplied with the plaintext password stored in the memcached-sasl-db file to verify it.

There are other methods to test SASL authentication with memcached. But the one described above is the most straightforward.
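The following script is an added example, not part of the MySQL manual, that performs the plaintext-password SASL setup described above and checks the result. The password-db path, the memcached.conf path, the demo credentials testname/testpasswd and the mysqld command line are placeholders for the demo; the file formats (the user:password::::::: entry and the mech_list: plain setting) and the -S option are the ones the manual shows. The live memcp/memcat check is skipped when those tools are not installed, so the rest runs offline.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: helper functions for the
# plaintext-password SASL setup of the InnoDB memcached plugin.
# Assumptions: paths, the testname/testpasswd credentials and the mysqld
# command line below are placeholders for this demo.
set -eu

# Write one "user:password:::::::" line, the format memcached's SASL_PWDB
# reader expects, to $3. The file holds a plaintext password, so it is created
# with mode 0600 (umask applied in a subshell so the caller's umask is unchanged).
make_sasl_pwdb() {
    user=$1; pass=$2; db=$3
    ( umask 077; printf '%s:%s:::::::\n' "$user" "$pass" > "$db" )
    chmod 0600 "$db"
}

# Succeed (exit 0) if user $2 has an entry in password db $1.
sasl_pwdb_has_user() {
    grep -q "^$2:" "$1"
}

# Write the Cyrus SASL client config that restricts the mechanism list to
# PLAIN, at path $1 (the path later exported as SASL_CONF_PATH).
write_sasl_conf() {
    ( umask 077; printf 'mech_list: plain\n' > "$1" )
}

# Succeed if a mysqld command line ($1) enables SASL, i.e. passes -S through
# --daemon_memcached_option. Handles both --daemon_memcached_option="-S" and
# a quoted option list such as "-p 11211 -S".
memcached_sasl_enabled() {
    val=${1#*daemon_memcached_option=}
    [ "$val" != "$1" ] || return 1      # option absent
    val=${val%%--*}                      # cut at the next --option
    val=$(printf '%s' "$val" | tr -d "\"'")
    for tok in $val; do
        [ "$tok" = "-S" ] && return 0
    done
    return 1
}

# Store and read back a key through the SASL-protected interface with the
# libmemcached tools, as in the manual's test. $1 = user, $2 = password.
# Skipped when memcp/memcat are not installed, so the script runs offline.
smoke_test() {
    if ! command -v memcp >/dev/null 2>&1 || ! command -v memcat >/dev/null 2>&1; then
        echo "memcp/memcat not found; skipping live test"
        return 0
    fi
    printf 'hello\n' > myfile.txt
    memcp  --servers=localhost:11211 --binary --username="$1" --password="$2" myfile.txt
    memcat --servers=localhost:11211 --binary --username="$1" --password="$2" myfile.txt
}

# Usage: sh sasl-setup.sh run   (performs the setup under $HOME, then the smoke test)
if [ "${1:-}" = "run" ]; then
    db=$HOME/memcached-sasl-db
    conf=$HOME/memcached.conf
    make_sasl_pwdb testname testpasswd "$db"
    write_sasl_conf "$conf"
    export MEMCACHED_SASL_PWDB=$db SASL_CONF_PATH=$conf
    memcached_sasl_enabled 'mysqld --daemon_memcached_option="-S"' \
        && echo "mysqld command line enables SASL (-S)"
    smoke_test testname testpasswd
fi
```

Two points the script makes explicit that the manual's steps leave implicit: the password database is plaintext, so it is written with mode 0600 and should be owned by the account that runs mysqld; and the PLAIN mechanism sends the password unencrypted on the wire, which is one reason this protection is weaker than MySQL's own authentication and why the memcached port still belongs behind the firewall described at the top of this section.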