Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
litespeed_wiki:lsmcd:sasl_secure_user_data [2018/06/29 18:55]
Robert Perper [Use]
litespeed_wiki:lsmcd:sasl_secure_user_data [2019/11/27 14:29] (current)
Robert Perper [Anonymous User]
Line 1: Line 1:
 ====== LSMCD Secure User Data Using SASL ====== ====== LSMCD Secure User Data Using SASL ======
  
-SASL (Simple Application and Security Layer) is the method used to secure data in LSMCD and Memcached. For details on the use of SASL in LSMCD see https://​www.litespeedtech.com/​support/​wiki/​doku.php/​litespeed_wiki:​lsmcd:​new_sasl+SASL (Simple Application and Security Layer) is the method used to secure data in LSMCD and Memcached. For details on the use of SASL in LSMCD see [[litespeed_wiki:​lsmcd:​new_sasl|LSMCD Security Using SASL]].
  
-This wiki discusses a feature of LSMCD which is not available in traditional ​memcached: separation of individual ​user'data.  This means that data saved by one user is not visible to any other users. ​ In memcached ​and traditional LSMCD, any data stored is available to all users which allows fast population of the cache and high utilization. ​ However, it is insecure and thus can't be used to cache any data which is deemed to be sensitive.  You must have LSMCD v1.2 or higher ​to use this feature.+This wiki discusses a feature of LSMCD which is not available in traditional ​Memcached: separation of individual ​users' data.  This means that data saved by one user is not visible to any other users.  ​You must have LSMCD v1.2 or higher to use this feature. ​In Memcached ​and traditional LSMCD, any data stored is available to all users (all authorized users if you have SASL enabled), ​which allows fast population of the cache and high utilization. ​ However, it is insecure and thus can't be used to cache any data which is deemed to be sensitive to a specific user 
  
-This option allows data to be available to only the user authorized to access it.  Thus the advantages of memcached ​performance becomes available to sensitive data.+This new option allows data to be available to only the user authorized to access it.  Thus the advantages of Memcached ​performance becomes available to sensitive data.
  
 Enabling SASL user protection is database wide. Once SASL user protection is enabled, all non-SASL user protected databases will need to be regenerated. You will also need to regenerate your databases (the files stored in the ''​Cached.ShmDir''​ parameter of your node.conf file) if you wish to remove SASL or SASL user protection. Enabling SASL user protection is database wide. Once SASL user protection is enabled, all non-SASL user protected databases will need to be regenerated. You will also need to regenerate your databases (the files stored in the ''​Cached.ShmDir''​ parameter of your node.conf file) if you wish to remove SASL or SASL user protection.
  
 +There is a user interface for CloudLinux/​cPanel. ​ Installation and use is described at [[litespeed_wiki:​lsmcd:​user_cpanel|LSMCD Secure User Data CloudLinux/​cPanel Interface]].
  
 ===== Configuration ===== ===== Configuration =====
Line 15: Line 16:
   Cached.DataByUser=true   Cached.DataByUser=true
  
-As mentioned above, once you have made this change you must delete your existing databases or LSMCD will refuse to come up as it will notice the changed data condition.+As mentioned above, once you have made this change you must delete your existing databases or LSMCD will refuse to come upas it will notice the changed data condition.
  
-The default is false so that data created by all users is visible to all users. ​ Once this is enabled ​each user's data can only be visible to that user.+The default is ''​false'' ​so that data created by all users is visible to all users. ​ Once it is set to ''​true'', ​each user's data can only be visible to that user.  Note that you must enable SASL to enable DataByUser.
  
 ==== Use ==== ==== Use ====
-LSMCD can be used once configured and activated using the traditional ​memcached ​protocols and user commands. ​ However, any data visible will only be visible to the authenticated user that created it.  This means that the same data may be stored multiple times for separate users, but each user will only see the data created by that user.  Expiration and deletion will again by based on the criteria set when the user created the data or on the parameters for the system as a whole.+LSMCD can be used once configured and activated using the traditional ​Memcached ​protocols and user commands. ​ However, any data visible will only be visible to the authenticated user that created it.  This means that the same data may be stored multiple times for separate users, but each user will only see the data created by that user.  Expiration and deletion will again by based on the criteria set when the user created the data or on the parameters for the system as a whole.
  
-The default size for a user cache is by design set quite low to 1000 bytes to avoid the memory and disk overhead with a large number of users. ​ You can specify the size in bytes with the parameter ''​Cached.UserSize''​.  ​You can also use the ''​Cached.MemMaxSz''​ parameter to have the cache begin aging out data when it reaches ​you specified size.+You can also use the ''​Cached.MemMaxSz''​ parameter to have the cache begin aging out data when it reaches ​your specified size.
  
-If you specify a realm qualified name (a name with a @hostname suffix) in your application,​ then that name will be used for storage. ​ If you then specify a non-realm qualified name then the unqualified name will be resolved as a different name.  This is so that names that appear different are handled differently.+If you specify a realm qualified name (a name with a ''​@hostname'' ​suffix) in your application,​ then that name will be used for storage. ​ If you then specify a non-realm qualified name then the unqualified name will be resolved as a different name.  This is so that names that appear different are handled differently.
  
 Each user is designated a slice and all traffic will be sent to that slice. ​ However, the size of the hash is determined individually for each user.  So ''​Cached.MemMaxSz''​ can be specified to a non-zero value to limit the number of bytes a given user will be allowed to store before least recently used techniques will be used to reduce the data in the cache. Each user is designated a slice and all traffic will be sent to that slice. ​ However, the size of the hash is determined individually for each user.  So ''​Cached.MemMaxSz''​ can be specified to a non-zero value to limit the number of bytes a given user will be allowed to store before least recently used techniques will be used to reduce the data in the cache.
Line 35: Line 36:
 This does not create a security hole as the data stored and accessed by unauthenticated users is totally separate from data stored for authenticated users when ''​Cached.DataByUser''​ is enabled. This does not create a security hole as the data stored and accessed by unauthenticated users is totally separate from data stored for authenticated users when ''​Cached.DataByUser''​ is enabled.
  
-The default is false so that you do not mistakenly allow unauthenticated users access to memcached ​facilities (even though the data would be separated).  ​+The default is ''​false'' ​so that you do not mistakenly allow unauthenticated users access to Memcached ​facilities (even though the data would be separated).   
 + 
 +If you turn the anonymous user on, then telnet and other ASCII activity will be re-enabled. ​ As mentioned above if you have ''​Cached.DataByUser''​ enabled, this data is written to a separate area in the database from binary data secured with SASL.  ​
  • Admin
  • Last modified: 2018/06/29 18:55
  • by Robert Perper