Differences

This shows you the differences between two versions of the page.

litespeed_wiki:lsmcd:sasl_secure_user_data [2018/07/24 15:20]
Lisa Clarke
litespeed_wiki:lsmcd:sasl_secure_user_data [2019/07/03 17:52]
Robert Perper [Use]
Line 3: Line 3:
 SASL (Simple Application and Security Layer) is the method used to secure data in LSMCD and Memcached. For details on the use of SASL in LSMCD see [[litespeed_wiki:​lsmcd:​new_sasl|LSMCD Security Using SASL]]. SASL (Simple Application and Security Layer) is the method used to secure data in LSMCD and Memcached. For details on the use of SASL in LSMCD see [[litespeed_wiki:​lsmcd:​new_sasl|LSMCD Security Using SASL]].
  
-This wiki discusses a feature of LSMCD which is not available in traditional Memcached: separation of individual users' data.  This means that data saved by one user is not visible to any other users. ​ You must have LSMCD v1.2 or higher to use this feature. In Memcached and traditional LSMCD, any data stored is available to all users, which allows fast population of the cache and high utilization. ​ However, it is insecure and thus can't be used to cache any data which is deemed to be sensitive.  ​+This wiki discusses a feature of LSMCD which is not available in traditional Memcached: separation of individual users' data.  This means that data saved by one user is not visible to any other users. ​ You must have LSMCD v1.2 or higher to use this feature. In Memcached and traditional LSMCD, any data stored is available to all users (all authorized users if you have SASL enabled), which allows fast population of the cache and high utilization. ​ However, it is insecure and thus can't be used to cache any data which is deemed to be sensitive ​to a specific user.  ​
  
 This new option allows data to be available to only the user authorized to access it.  Thus the advantages of Memcached performance becomes available to sensitive data. This new option allows data to be available to only the user authorized to access it.  Thus the advantages of Memcached performance becomes available to sensitive data.
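Review bot: In the reworded sentence, "However, it is insecure" now follows a parenthetical saying that access is limited to authorized users when SASL is enabled, so "it" is ambiguous and the claim reads as if SASL itself were insecure. State the actual gap instead, for example "However, every authorized user can read every other user's entries, so it can't be used to cache data which is sensitive to a specific user." While this paragraph is being edited, the context line above expands SASL as "Simple Application and Security Layer"; the acronym stands for Simple Authentication and Security Layer. The trailing context line has "advantages ... becomes", which should be "become".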
Line 23: Line 23:
 LSMCD can be used once configured and activated using the traditional Memcached protocols and user commands. ​ However, any data visible will only be visible to the authenticated user that created it.  This means that the same data may be stored multiple times for separate users, but each user will only see the data created by that user.  Expiration and deletion will again by based on the criteria set when the user created the data or on the parameters for the system as a whole. LSMCD can be used once configured and activated using the traditional Memcached protocols and user commands. ​ However, any data visible will only be visible to the authenticated user that created it.  This means that the same data may be stored multiple times for separate users, but each user will only see the data created by that user.  Expiration and deletion will again by based on the criteria set when the user created the data or on the parameters for the system as a whole.
  
-The default size for a user cache is by design set quite low to 1000 bytes to avoid the memory and disk overhead with a large number of users. ​ You can specify the size in bytes with the parameter ''​Cached.UserSize''​.  ​You can also use the ''​Cached.MemMaxSz''​ parameter to have the cache begin aging out data when it reaches your specified size.+You can also use the ''​Cached.MemMaxSz''​ parameter to have the cache begin aging out data when it reaches your specified size.
  
 If you specify a realm qualified name (a name with a ''​@hostname''​ suffix) in your application,​ then that name will be used for storage. ​ If you then specify a non-realm qualified name then the unqualified name will be resolved as a different name.  This is so that names that appear different are handled differently. If you specify a realm qualified name (a name with a ''​@hostname''​ suffix) in your application,​ then that name will be used for storage. ​ If you then specify a non-realm qualified name then the unqualified name will be resolved as a different name.  This is so that names that appear different are handled differently.
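Review bot: Deleting the sentence about the 1000-byte default and ''Cached.UserSize'' leaves the surviving sentence opening with "You can also use the ''Cached.MemMaxSz'' parameter", where "also" no longer refers to anything. Drop "also", and say explicitly whether ''Cached.UserSize'' was removed or its default changed, because the page now gives no per-user size limit, which is the figure an operator needs when sizing memory for many isolated users. The unchanged line above still reads "will again by based", which should be "be based".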
  • Last modified: 2019/11/27 14:29
  • by Robert Perper