Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision Last revision Both sides next revision | ||
|
litespeed_wiki:lsmcd:sasl_secure_user_data [2018/06/18 12:50] Robert Perper created |
litespeed_wiki:lsmcd:sasl_secure_user_data [2019/10/22 16:29] Robert Perper [Configuration] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== LSMCD Secure User Data Using SASL ====== | ====== LSMCD Secure User Data Using SASL ====== | ||
| - | SASL (Simple Application and Security Layer) is the method used to secure data in LSMCD and Memcached. There are various subtle differences in configuration between the two. This section describes the configuration you need to perform to allow LSMCD to operate in a SASL environment. | + | SASL (Simple Application and Security Layer) is the method used to secure data in LSMCD and Memcached. For details on the use of SASL in LSMCD see [[litespeed_wiki:lsmcd:new_sasl|LSMCD Security Using SASL]]. |
| - | Enabling SASL is database wide. Once SASL is enabled, all non-SASL databases will need to be regenerated. You will also need to regenerate your databases (the files stored in the ''Cached.ShmDir'' parameter of your node.conf file) if you wish to remove SASL. | + | This wiki discusses a feature of LSMCD which is not available in traditional Memcached: separation of individual users' data. This means that data saved by one user is not visible to any other users. You must have LSMCD v1.2 or higher to use this feature. In Memcached and traditional LSMCD, any data stored is available to all users (all authorized users if you have SASL enabled), which allows fast population of the cache and high utilization. However, it is insecure and thus can't be used to cache any data which is deemed to be sensitive to a specific user. |
| - | You can also | + | This new option allows data to be available to only the user authorized to access it. Thus the advantages of Memcached performance becomes available to sensitive data. |
| - | As for memcached, if you enable SASL, text telnet commands will no longer work as there is no security mechanism in telnet. | + | |
| - | ===== Configuring SASL ===== | + | Enabling SASL user protection is database wide. Once SASL user protection is enabled, all non-SASL user protected databases will need to be regenerated. You will also need to regenerate your databases (the files stored in the ''Cached.ShmDir'' parameter of your node.conf file) if you wish to remove SASL or SASL user protection. |
| - | There are a number steps to configuring LSMCD to operate with SASL: | + | There is a user interface for CloudLinux/cPanel. Installation and use is described at [[litespeed_wiki:lsmcd:user_cpanel|LSMCD Secure User Data CloudLinux/cPanel Interface]]. |
| - | * Enable SASL in your ''lsmcd.conf'' file. | + | |
| - | * Create and configure a user database. | + | |
| - | * Configure any additional settings needed for PHP. | + | |
| - | ==== Enable SASL in Your Configuration File ==== | + | ===== Configuration ===== |
| - | This is discussed in [[litespeed_wiki:lsmcd:configuration|LSCMD Configuration]], which also discusses overall configuration. | + | To enable separating data by users, you need to specify in your ''node.conf'' file: |
| + | Cached.DataByUser=true | ||
| - | In particular you need to specify in your ''node.conf'' file: | + | As mentioned above, once you have made this change you must delete your existing databases or LSMCD will refuse to come up, as it will notice the changed data condition. |
| - | CACHED.USESASL=TRUE | + | |
| - | ==== Create and Configure a User Database ==== | + | The default is ''false'' so that data created by all users is visible to all users. Once it is set to ''true'', each user's data can only be visible to that user. Note that you must enable SASL to enable DataByUser. |
| - | A user database is required. The recommended method uses saslauthd, which is provided as part of Cyrus SASL to create a sasldb managed database. In prior versions there was only the MEMCACHED_SASL_PWDB environment variable method. | + | |
| - | No matter the method you choose, you become the security administrator for these accounts. | + | ==== Use ==== |
| + | LSMCD can be used once configured and activated using the traditional Memcached protocols and user commands. However, any data visible will only be visible to the authenticated user that created it. This means that the same data may be stored multiple times for separate users, but each user will only see the data created by that user. Expiration and deletion will again by based on the criteria set when the user created the data or on the parameters for the system as a whole. | ||
| - | === Option #1 (Recommended): sasldb Managed Database === | + | You can also use the ''Cached.MemMaxSz'' parameter to have the cache begin aging out data when it reaches your specified size. |
| - | A sasldb database is typically stored in ''/etc/sasldb2'' and is managed using the saslpasswd2 program. You must be root to manage users with saslpasswd2. | + | |
| - | To create a user named ''user1'' enter ''saslpasswd2 user1''. You will be prompted for the password twice for that user. That information will then need to be coded in your memcached program. Details on the use of saslpasswd2 can be found in numerous places on the internet including [[https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=saslpasswd2|gsp.com]]. | + | If you specify a realm qualified name (a name with a ''@hostname'' suffix) in your application, then that name will be used for storage. If you then specify a non-realm qualified name then the unqualified name will be resolved as a different name. This is so that names that appear different are handled differently. |
| - | === Option #2: MEMCACHED_SASL_PWDB Environment Variable === | + | Each user is designated a slice and all traffic will be sent to that slice. However, the size of the hash is determined individually for each user. So ''Cached.MemMaxSz'' can be specified to a non-zero value to limit the number of bytes a given user will be allowed to store before least recently used techniques will be used to reduce the data in the cache. |
| - | If there is no ''MEMCACHED_SASL_PWDB'' defined, then the default SASL database is ''/etc/sasl/sasldb.conf'' and will be used if it exists. To specify the location of the SASL database, export the ''MEMCACHED_SASL_PWDB'' environment variable, which is active when LSMCD is started. | + | ==== Anonymous User ==== |
| + | To support the use of code that does not include authentication information (old code or code which wishes to use the facility but does not wish to deal with authentication), you can allow unauthenticated (anonymous) users to create and access data on your server that is distinct and separate from that created by authenticated users. | ||
| - | If, for example, you create a file named ''/etc/sasl/sasldb.conf'' you would need to export ''MEMCACHED_SASL_PWDB=/etc/sasl/sasldb.conf'' before starting LSMCD. It is considered good practice to have this file owned by the LSMCD user and readable by only that user (''chmod 600''). | + | To enable separating data by users, you need to specify in your ''node.conf'' file: |
| + | Cached.Anonymous=true | ||
| - | Each line in your user database is a user name, a colon ('':''), and a password. For example if you had two users (user and sasluser) you might create a ''/etc/sasl/sasldb.conf'' with the following lines in it: | + | This does not create a security hole as the data stored and accessed by unauthenticated users is totally separate from data stored for authenticated users when ''Cached.DataByUser'' is enabled. |
| - | user:password | + | The default is ''false'' so that you do not mistakenly allow unauthenticated users access to Memcached facilities (even though the data would be separated). |
| - | sasluser:saslpassword | + | |
| - | + | ||
| - | You will also need to create a SASL Configuration File if you are using this method. | + | |
| - | + | ||
| - | == Create and Configure a SASL Configuration File == | + | |
| - | + | ||
| - | A SASL configuration file must be given one of the following names: ''/etc/sasl/memcached.conf'', ''/tmp/memcached.conf'' or it may be saved to any file or location that you wish via the ''SASL_CONF_PATH'' environment variable. Note that this environment variable must be set in the system environment or in the environment where you started LSMCD (using lsmcdctrl). Regardless of its name or location the LSMCD user must have read permission to access your configuration file. | + | |
| - | + | ||
| - | As of v1.2, there is only one parameter and value supported: | + | |
| - | mech_list: PLAIN | + | |
| - | + | ||
| - | Other SASL parameters can be specified in this file however, they are not supported by LSMCD and will generally be ignored. | + | |
| - | + | ||
| - | ==== Configure for PHP ==== | + | |
| - | The procedures for the Memcached extension to PHP are documented at [[http://php.net/manual/en/memcached.setup.phpphp.net]]. You know you have it right if ''phpinfo'' displays a **Memcached** section. | + | |
| - | + | ||
| - | The following is a sample PHP script you could create (named ''memcached.php'') to validate that LSMCD is correctly installed and configured to work with SASL. You'll need to place it in the HTML directory of your server and adjust the user/password and other settings for your environment. | + | |
| - | + | ||
| - | Some notes for all programming environments: | + | |
| - | * You must instantiate an instance of the Memcached object (Memcache no longer works). | + | |
| - | * You must use the binary protocol. | + | |
| - | * You must make the call to set the SASL authentication information (user/password) before you add the server. | + | |
| - | * Once you add the server successfully, you can perform all standard Memcached operations (get, put, etc.). | + | |
| - | + | ||
| - | <code> | + | |
| - | <?php | + | |
| - | $mem_var = new Memcached(); | + | |
| - | $mem_var->setSaslAuthData('user', 'password'); | + | |
| - | $mem_var->setOption(Memcached::OPT_BINARY_PROTOCOL, true); | + | |
| - | $mem_var->setOption(Memcached::OPT_COMPRESSION, false); | + | |
| - | $mem_var->addServer("127.0.0.1", 11211); | + | |
| - | $response = $mem_var->get("SampleKey"); | + | |
| - | if ($response) { | + | |
| - | echo "get(SampleKey) => " . $response; | + | |
| - | } else if ($mem_var->getResultCode() == Memcached::RES_NOTFOUND) { | + | |
| - | echo "Adding a key/value: SampleKey/SampleValue"; | + | |
| - | $mem_var->set("SampleKey", "SampleValue") or | + | |
| - | die("SampleKey Couldn't be Created: '( " . $mem_var->getResultMessage() . | + | |
| - | " )' "); | + | |
| - | } else die ("Error in get: " . $mem_var->getResultCode() . ": " . | + | |
| - | $mem_var->getResultMessage()); | + | |
| - | ?> | + | |
| - | </code> | + | |
| - | + | ||
| - | Start LiteSpeed and LSMCD and point your browser to the web page you created. If the user or password are incorrect you'll see a message like ''Error in get: 41: AUTHENTICATION FAILURE''. However if you have it right you'll see the first time you access the page ''Adding a key/value: SampleKey/SampleValue'' and subsequent accesses will show ''get(SampleKey) => SampleValue''. | + | |
| - | + | ||
| - | If you do not use the ''$mem_var->setSaslAuthData('user', 'password');'' line, then this example will work for non-SASL environments as well. | + | |