MySQL 5.7 Reference Manual
Password-Protecting the memcached Interface through SASL

SASL support lets you protect your MySQL database from unauthenticated access through memcached clients. This section explains how to enable it. The steps are almost identical to those for enabling SASL on a traditional memcached server.

Background Info

SASL stands for Simple Authentication and Security Layer, a standard for adding authentication support to connection-based protocols. memcached added SASL support starting in its 1.4.3 release.

SASL authentication is only supported with the binary protocol.

For the InnoDB + memcached combination, the table that stores the memcached data must be registered in the container system table, and memcached clients can only access such a registered table. Even though the DBA can add access restrictions on a table that is registered with the memcached plugin, they have no control over who can access it through memcached applications. This is why we provide a means (through SASL) to control who can access InnoDB tables associated with the memcached plugin.

The following section shows how to build, enable, and test an SASL-enabled InnoDB memcached plugin.

Steps to Build and Enable SASL in InnoDB Memcached Plugin

By default, SASL-enabled InnoDB memcached is not included in the release package, since it relies on building memcached with SASL libraries. To enable this feature, download the MySQL source and rebuild the InnoDB memcached plugin after downloading the SASL libraries:

  1. First, get the SASL development and utility libraries. For example, on Ubuntu, you can get these libraries through:

    sudo apt-get -f install libsasl2-2 sasl2-bin libsasl2-dev libsasl2-modules

  2. Then build the InnoDB memcached plugin (shared libraries) with SASL capability, by adding ENABLE_MEMCACHED_SASL=1 to the cmake options. In addition, memcached provides simple cleartext password support, which is easier to use for testing. To enable this, set the option ENABLE_MEMCACHED_SASL_PWDB=1.

    Overall, you add the following three options to the cmake command:

  3. The third step is to install the InnoDB memcached plugin as before, as explained in Section 14.17.3, “Getting Started with InnoDB Memcached Plugin”.

  4. As previously mentioned, memcached provides simple cleartext password support through SASL, which is used for this demo.

    1. Create a user named testname with the password testpasswd in a file:

      echo "testname:testpasswd:::::::" >/home/jy/memcached-sasl-db

    2. Let memcached know about it by setting the environment variable MEMCACHED_SASL_PWDB:

      export MEMCACHED_SASL_PWDB=/home/jy/memcached-sasl-db

    3. Also tell memcached that it is a cleartext password:

      echo "mech_list: plain" > /home/jy/work2/msasl/clients/memcached.conf
      export SASL_CONF_PATH=/home/jy/work2/msasl/clients

  5. Then reboot the server, and add a daemon_memcached_option option -S to enable SASL:

    mysqld ... --daemon_memcached_option="-S"

  6. Now the setup is complete. To test it, you might need an SASL-enabled client, such as an SASL-enabled libmemcached.

    memcp --servers=localhost:11211 --binary --username=testname \
      --password=testpasswd myfile.txt
    memcat --servers=localhost:11211 --binary --username=testname \
      --password=testpasswd myfile.txt

    Without the appropriate user name or password, the above operations are rejected with the error message memcache error AUTHENTICATION FAILURE. Otherwise, the operations succeed. You can also examine the cleartext password set in the memcached-sasl-db file to verify it.

There are other methods to test SASL authentication with memcached, but the one described above is the most straightforward.
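
The following is an added example, not code from the MySQL manual or from memcached: it builds the binary-protocol SASL Auth request a client sends for the PLAIN mechanism configured in step 4 and decodes the server's reply, which shows that PLAIN carries the password unencrypted in the request body. The opcode and status values are those of the memcached binary protocol; the function names are hypothetical and the two sample replies are constructed so that the code runs offline.

```python
import struct

# Memcached binary-protocol constants.
REQ_MAGIC, RES_MAGIC = 0x80, 0x81
OP_SASL_AUTH = 0x21        # 0x20 lists mechanisms, 0x22 continues a multi-step exchange
STATUS_OK, STATUS_AUTH_ERROR = 0x0000, 0x0020
HEADER = struct.Struct(">BBHBBHIIQ")   # 24-byte header, network byte order


def build_sasl_plain_request(username, password, opaque=0):
    """Return the SASL Auth request bytes for mechanism PLAIN."""
    key = b"PLAIN"         # the mechanism name travels as the key
    # RFC 4616 PLAIN message: authzid NUL authcid NUL passwd (authzid left empty).
    value = b"\0" + username.encode() + b"\0" + password.encode()
    header = HEADER.pack(REQ_MAGIC, OP_SASL_AUTH, len(key), 0, 0, 0,
                         len(key) + len(value), opaque, 0)
    return header + key + value


def parse_response(packet):
    """Decode a response into (opcode, status, body); reject malformed input."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet: header is 24 bytes")
    magic, opcode, keylen, extlen, _dt, status, bodylen, _opq, _cas = \
        HEADER.unpack_from(packet)
    if magic != RES_MAGIC:
        raise ValueError("not a binary-protocol response (magic 0x%02x)" % magic)
    body = packet[HEADER.size:HEADER.size + bodylen]
    if len(body) != bodylen:
        raise ValueError("truncated body")
    return opcode, status, body[extlen + keylen:]


def auth_succeeded(packet):
    """True only for a SASL Auth response with status 0x0000."""
    opcode, status, _ = parse_response(packet)
    return opcode == OP_SASL_AUTH and status == STATUS_OK


def _response(status, text):
    # Helper that builds the constructed sample replies below.
    return HEADER.pack(RES_MAGIC, OP_SASL_AUTH, 0, 0, 0, status, len(text), 0, 0) + text


SAMPLE_OK = _response(STATUS_OK, b"Authenticated")               # constructed
SAMPLE_DENIED = _response(STATUS_AUTH_ERROR, b"Auth failure.")   # constructed

if __name__ == "__main__":
    req = build_sasl_plain_request("testname", "testpasswd")  # credentials from step 4
    print(req.hex())       # the password bytes are readable in the body
    print(auth_succeeded(SAMPLE_OK), auth_succeeded(SAMPLE_DENIED))
```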
