Consult this section before deploying the InnoDB memcached plugin on any production servers, or even test servers if the MySQL instance contains any sensitive information. Because memcached does not use an authentication mechanism by default, and the optional SASL authentication is not as strong as traditional DBMS security measures, make sure to keep only non-sensitive data in the MySQL instance using the memcached plugin, and wall off any servers using this configuration from potential intruders. Do not allow memcached access to such servers from the Internet, only from within a firewalled intranet, ideally from a subnet whose membership you can restrict.
SASL support gives you the capability to protect your MySQL database from unauthenticated access through memcached clients. This section explains the steps to enable this option. The steps are almost identical to those you would follow to enable SASL for a traditional memcached server.
SASL stands for “Simple Authentication and Security Layer”, a standard for adding authentication support to connection-based protocols. memcached added SASL support starting in its 1.4.3 release.
SASL authentication is only supported with the binary protocol.
For the InnoDB + memcached combination, the table that stores the memcached data must be registered in the container system table, and memcached clients can only access such registered tables. Even though the DBA can add access restrictions on a table that is registered with the memcached plugin, they have no control over who can access it through memcached applications. This is why we provide a means (through SASL) to control who can access associated with the memcached plugin.
The following section shows how to build, enable, and test an
By default, SASL-enabled memcached is not included in the release package, since it relies on building memcached with SASL libraries. To enable this feature, download the MySQL source and rebuild the InnoDB memcached plugin after downloading the SASL libraries:
First, get the SASL development and utility libraries. For example, on Ubuntu, you can get these libraries through:
sudo apt-get -f install libsasl2-2 sasl2-bin libsasl2-2 libsasl2-dev libsasl2-modules
Then build the memcached plugin (shared libraries) with SASL capability, by adding ENABLE_MEMCACHED_SASL=1 to the cmake options. In addition, memcached provides simple plaintext password support, which is easier to use for testing. To enable this, set the option ENABLE_MEMCACHED_SASL_PWDB=1. Overall, you will add the following three options to the cmake command:
cmake ... -DWITH_INNODB_MEMCACHED=1 -DENABLE_MEMCACHED_SASL=1 -DENABLE_MEMCACHED_SASL_PWDB=1
The third step is to install the memcached plugin as before, as explained in “Getting Started with InnoDB Memcached Plugin”.
As previously mentioned, memcached provides a simple plaintext password support through SASL, which will be used for this demo.
Create a user named testname with the password testpasswd in a file:
echo "testname:testpasswd:::::::" >/home/jy/memcached-sasl-db
Let memcached know about it by setting the environment variable
Also tell memcached that it is a plaintext password:
echo "mech_list: plain" > /home/jy/work2/msasl/clients/memcached.conf
export SASL_CONF_PATH=/home/jy/work2/msasl/clients/memcached.conf
Then restart the server, adding -S to enable SASL:
mysqld ... --daemon_memcached_option="-S"
Now the setup is complete. To test it, you need a SASL-enabled client, such as a SASL-enabled libmemcached:
memcp --servers=localhost:11211 --binary --username=testname --password=testpasswd myfile.txt
memcat --servers=localhost:11211 --binary --username=testname --password=testpasswd myfile.txt
Without the appropriate user name or password, the above operation is rejected with the error message memcache error AUTHENTICATION FAILURE. Otherwise, the operation succeeds. You can also examine the plaintext password set in the memcached-sasl-db file to verify it.
There are other methods to test SASL authentication with memcached. But the one described above is the most straightforward.
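The memcp/memcat test above only shows the outcome. As an added example (not part of this page or of the memcached or MySQL projects), the following Python models the binary-protocol exchange that a SASL-enabled memcached performs: the client sends a SASL AUTH packet (opcode 0x21) carrying the PLAIN mechanism and "\0user\0password", and every ordinary command sent before a successful authentication is answered with status 0x20 (auth error). The toy server, the sample password file, and the "Auth failure." message text are constructed for illustration; the packet layout and opcode/status values follow the memcached binary protocol specification. A DBA can use probe_live_server() against a host and port they administer to confirm that the -S option is actually in effect (that is, that an unauthenticated GET is rejected).

```python
"""Minimal memcached binary-protocol client plus a toy model of SASL enforcement."""
import socket
import struct

# Binary-protocol constants from the memcached protocol specification.
MAGIC_REQUEST, MAGIC_RESPONSE = 0x80, 0x81
OP_GET, OP_SASL_LIST_MECHS, OP_SASL_AUTH = 0x00, 0x20, 0x21
STATUS_OK, STATUS_KEY_NOT_FOUND, STATUS_AUTH_ERROR = 0x0000, 0x0001, 0x0020
# magic, opcode, key len, extras len, data type, status/vbucket, body len, opaque, cas
HEADER = struct.Struct("!BBHBBHIIQ")


def build_packet(magic, opcode, key=b"", value=b"", extras=b"", status=0, opaque=0):
    body = extras + key + value
    return HEADER.pack(magic, opcode, len(key), len(extras), 0, status, len(body), opaque, 0) + body


def build_get(key, opaque=0):
    return build_packet(MAGIC_REQUEST, OP_GET, key=key, opaque=opaque)


def build_sasl_plain_auth(username, password, opaque=0):
    # SASL PLAIN payload: authzid NUL authcid NUL password; the mechanism name travels in the key field.
    creds = b"\x00" + username.encode() + b"\x00" + password.encode()
    return build_packet(MAGIC_REQUEST, OP_SASL_AUTH, key=b"PLAIN", value=creds, opaque=opaque)


def parse_packet(data):
    if len(data) < HEADER.size:
        raise ValueError("short packet")
    magic, opcode, keylen, extlen, _dtype, status, bodylen, opaque, _cas = HEADER.unpack_from(data)
    body = data[HEADER.size:HEADER.size + bodylen]
    return {"magic": magic, "opcode": opcode, "status": status, "opaque": opaque,
            "key": body[extlen:extlen + keylen], "value": body[extlen + keylen:]}


def load_pwdb(text):
    # Plaintext db format used on this page: "user:password:::::::", one entry per line.
    db = {}
    for line in text.splitlines():
        if line.strip():
            user, password = line.split(":")[:2]
            db[user] = password
    return db


class ToySaslServer:
    """Constructed model of one connection to a SASL-enabled memcached: any non-SASL
    opcode before a successful SASL AUTH is answered with status 0x20 (auth error)."""

    def __init__(self, pwdb):
        self.pwdb = pwdb
        self.authenticated = False

    def handle(self, raw):
        req = parse_packet(raw)
        op, opq = req["opcode"], req["opaque"]
        if op == OP_SASL_LIST_MECHS:
            return build_packet(MAGIC_RESPONSE, op, value=b"PLAIN", opaque=opq)
        if op == OP_SASL_AUTH:
            parts = req["value"].split(b"\x00")
            if req["key"] == b"PLAIN" and len(parts) == 3 and \
                    self.pwdb.get(parts[1].decode()) == parts[2].decode():
                self.authenticated = True
                return build_packet(MAGIC_RESPONSE, op, value=b"Authenticated", opaque=opq)
            return build_packet(MAGIC_RESPONSE, op, value=b"Auth failure.", status=STATUS_AUTH_ERROR, opaque=opq)
        if not self.authenticated:
            return build_packet(MAGIC_RESPONSE, op, value=b"Auth failure.", status=STATUS_AUTH_ERROR, opaque=opq)
        # Authenticated: the toy store is empty, so every GET is simply "key not found".
        return build_packet(MAGIC_RESPONSE, op, value=b"Not found", status=STATUS_KEY_NOT_FOUND, opaque=opq)


def unauthenticated_get_status(server, key=b"probe"):
    """GET with no prior SASL exchange; a correctly configured server returns 0x20."""
    return parse_packet(server.handle(build_get(key)))["status"]


def authenticated_get_status(server, username, password, key=b"probe"):
    auth = parse_packet(server.handle(build_sasl_plain_auth(username, password)))
    if auth["status"] != STATUS_OK:
        return auth["status"]
    return parse_packet(server.handle(build_get(key)))["status"]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full packet arrived")
        buf += chunk
    return buf


def probe_live_server(host, port, timeout=3.0):
    """Send the same unauthenticated GET to a real server you administer (host/port are
    assumptions); returns True only if the server demanded authentication."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_get(b"probe"))
        head = _recv_exact(s, HEADER.size)
        body = _recv_exact(s, HEADER.unpack(head)[6])
    return parse_packet(head + body)["status"] == STATUS_AUTH_ERROR


# Constructed sample password file, same format as the echo command on this page.
SAMPLE_PWDB = load_pwdb("testname:testpasswd:::::::\n")
```

Against the toy server, an unauthenticated GET and a GET after a wrong password both come back with status 0x20, while a GET after a correct PLAIN authentication reaches the store (status 0x01, key not found, because the toy store is empty). Run probe_live_server("127.0.0.1", 11211) against your own SASL-enabled instance after the restart described above; a False result means commands are being served without authentication.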