LSMCD Secure User Data Using SASL

SASL (Simple Authentication and Security Layer) is the method used to secure data in LSMCD and Memcached. For details on the use of SASL in LSMCD see https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:lsmcd:new_sasl

This wiki discusses a feature of LSMCD which is not available in traditional memcached: separation of individual users' data. This means that data saved by one user is not visible to any other user. In memcached and traditional LSMCD, any data stored is available to all users, which allows fast population of the cache and high utilization. However, it is insecure and thus can't be used to cache any data which is deemed to be sensitive. You must have LSMCD v1.2 or higher to use this feature.

This option makes data available only to the user authorized to access it. Thus the performance advantages of memcached become available for sensitive data.

Enabling SASL user protection is database-wide. Once SASL user protection is enabled, all non-SASL user protected databases will need to be regenerated. You will also need to regenerate your databases (the files stored in the Cached.ShmDir parameter of your node.conf file) if you wish to remove SASL or SASL user protection.

Configuration is quite simple. You need to specify in your node.conf file:

Cached.SaslUser=true

As mentioned above, once you have made this change you must delete your existing databases or LSMCD will refuse to come up as it will notice the changed data condition.

Use

Once configured and activated, LSMCD can be used with the traditional memcached protocols and user commands. However, any data visible will only be visible to the authenticated user that created it. This means that the same data may be stored multiple times for separate users, but each user will only see the data created by that user. Expiration and deletion will again be based on the criteria set when the user created the data or on the parameters for the system as a whole.
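One way to verify the separation described above after setting Cached.SaslUser=true, as an added example that is not part of the original wiki or LSMCD's own code. It assumes the server accepts the memcached binary protocol with the SASL PLAIN mechanism; the function names, the probe key, and the host, port and account values passed to check_isolation are hypothetical.

```python
import socket
import struct

# Memcached binary protocol: 24-byte header, request magic 0x80.
MAGIC_REQ, OP_GET, OP_SET, OP_SASL_AUTH = 0x80, 0x00, 0x01, 0x21
STATUS_OK, STATUS_KEY_NOT_FOUND = 0x0000, 0x0001
HEADER = struct.Struct(">BBHBBHIIQ")

def request(opcode, key=b"", value=b"", extras=b""):
    """Build one binary-protocol request: header, then extras + key + value."""
    body = extras + key + value
    return HEADER.pack(MAGIC_REQ, opcode, len(key), len(extras), 0, 0,
                       len(body), 0, 0) + body

def sasl_plain(user, password):
    """SASL PLAIN: mechanism name is the key, NUL user NUL password the value."""
    return request(OP_SASL_AUTH, b"PLAIN",
                   b"\0" + user.encode() + b"\0" + password.encode())

def set_item(key, value, flags=0, ttl=60):
    return request(OP_SET, key, value, struct.pack(">II", flags, ttl))

def parse_response(data):
    """Return (status, value) from one complete binary-protocol response."""
    _, _, keylen, extlen, _, status, bodylen, _, _ = HEADER.unpack(data[:24])
    return status, data[24 + extlen + keylen:24 + bodylen]

def _read(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def roundtrip(sock, packet):
    sock.sendall(packet)
    header = _read(sock, HEADER.size)
    return parse_response(header + _read(sock, HEADER.unpack(header)[6]))

def check_isolation(host, port, user_a, user_b, key=b"isolation-probe"):
    """user_a/user_b are (name, password). True if B cannot read A's key."""
    with socket.create_connection((host, port), timeout=5) as a, \
         socket.create_connection((host, port), timeout=5) as b:
        for sock, (name, pw) in ((a, user_a), (b, user_b)):
            if roundtrip(sock, sasl_plain(name, pw))[0] != STATUS_OK:
                raise PermissionError("SASL auth failed for " + name)
        if roundtrip(a, set_item(key, b"secret-of-a"))[0] != STATUS_OK:
            raise RuntimeError("set as first user failed")
        return roundtrip(b, request(OP_GET, key))[0] == STATUS_KEY_NOT_FOUND
```

Use a probe key that the second user has never stored, since each user has a separate view of the same key name. PLAIN sends the password unencrypted, so run the check over a trusted network path.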

  • Last modified: 2018/06/18 13:13
  • by Robert Perper