Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
litespeed_wiki:lsmcd:user_cpanel [2018/07/24 15:12] Lisa Clarke Proofreading |
litespeed_wiki:lsmcd:user_cpanel [2020/07/07 15:42] (current) Jackson Zhang [LSMCD Secure User Data CloudLinux/cPanel Interface] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== LSMCD Secure User Data Using SASL ====== | + | ====== LSMCD Secure User Data CloudLinux/cPanel Interface ====== |
| - | SASL (Simple Application and Security Layer) is the method used to secure data in LSMCD and Memcached. For details on the use of SASL in LSMCD see [[https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:lsmcd:new_sasl|LSMCD Security Using SASL]]. | + | This facility provides a user interface for those CloudLinux/cPanel users using LSMCD configured with SASL and User-Level security. See [[litespeed_wiki:lsmcd:sasl_secure_user_data|LSMCD Secure User Data Using SASL]]. |
| - | This wiki discusses a feature of LSMCD which is not available in traditional Memcached: separation of individual users' data. This means that data saved by one user is not visible to any other users. You must have LSMCD v1.2 or higher to use this feature. In Memcached and traditional LSMCD, any data stored is available to all users, which allows fast population of the cache and high utilization. However, it is insecure and thus can't be used to cache any data which is deemed to be sensitive. | + | This interface is intended for cPanel end-users. This panel lets a user change their own password and see statistics for their specific data in their user-managed LSMCD space. |
| - | This new option allows data to be available to only the user authorized to access it. Thus the advantages of Memcached performance becomes available to sensitive data. | + | WHM Administrators will need to use the command line SASL to create and delete users. Users must be created in advance and must match their cPanel user names. There is a way to automatically create a user for each cPanel user for WHM administrator explained later in this article. |
| - | Enabling SASL user protection is database wide. Once SASL user protection is enabled, all non-SASL user protected databases will need to be regenerated. You will also need to regenerate your databases (the files stored in the ''Cached.ShmDir'' parameter of your node.conf file) if you wish to remove SASL or SASL user protection. | + | ===== Installation ===== |
| - | There is a user interface for CloudLinux/cPanel. Installation and use is described at [[https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:lsmcd:user_cpanel|LSMCD Secure User Data CloudLinux/cPanel Interface]]. | + | Installation must be performed on the system running as root. The process is: |
| - | ===== Configuration ===== | + | - Download the software |
| + | - Run the installation script. | ||
| - | To enable separating data by users, you need to specify in your ''node.conf'' file: | + | ==== Download the Software ==== |
| - | Cached.DataByUser=true | + | |
| - | As mentioned above, once you have made this change you must delete your existing databases or LSMCD will refuse to come up, as it will notice the changed data condition. | + | The easiest way to download the software is to clone the specific git repository. This is done from a root command prompt, after changing to a directory where the software can be stored (''cd /tmp'' is often used): |
| + | git clone https://github.com/rperper/lsmcd_cpanel_plugin.git | ||
| + | |||
| + | ==== Install the Software ==== | ||
| - | The default is ''false'' so that data created by all users is visible to all users. Once it is set to ''true'', each user's data can only be visible to that user. | + | To install the software you will need to change to the correct directory where the installation script is stored and execute the script: |
| + | cd lsmcd_cpanel_plugin/res/lsmcd_usermgr | ||
| + | ./install.sh | ||
| + | The install should run without errors, but any significant ones will be displayed on the screen. It will determine if lsmcd has been installed and install it if it's not already there. | ||
| - | ==== Use ==== | + | If you see missing dependencies, particularly concerning Perl and Git, check your ''/etc/yum.conf'' file. You must not have ''perl*'' in the exclude list. If it's there, temporarily remove it and try the install script again. |
| - | LSMCD can be used once configured and activated using the traditional Memcached protocols and user commands. However, any data visible will only be visible to the authenticated user that created it. This means that the same data may be stored multiple times for separate users, but each user will only see the data created by that user. Expiration and deletion will again by based on the criteria set when the user created the data or on the parameters for the system as a whole. | + | |
| - | The default size for a user cache is by design set quite low to 1000 bytes to avoid the memory and disk overhead with a large number of users. You can specify the size in bytes with the parameter ''Cached.UserSize''. You can also use the ''Cached.MemMaxSz'' parameter to have the cache begin aging out data when it reaches your specified size. | + | ===== Administration ===== |
| - | If you specify a realm qualified name (a name with a ''@hostname'' suffix) in your application, then that name will be used for storage. If you then specify a non-realm qualified name then the unqualified name will be resolved as a different name. This is so that names that appear different are handled differently. | + | You must configure LSMCD and SASL using the sasldb method which uses the ''saslpasswd2'' program. This is described at [[litespeed_wiki:lsmcd:new_sasl|LSMCD Security Using SASL]] |
| - | Each user is designated a slice and all traffic will be sent to that slice. However, the size of the hash is determined individually for each user. So ''Cached.MemMaxSz'' can be specified to a non-zero value to limit the number of bytes a given user will be allowed to store before least recently used techniques will be used to reduce the data in the cache. | + | Users must be created in advance and must match their cPanel user names. Passwords and stats can be managed by the users themselves using the cPanel plugin described here. |
| - | ==== Anonymous User ==== | + | |
| - | To support the use of code that does not include authentication information (old code or code which wishes to use the facility but does not wish to deal with authentication), you can allow unauthenticated (anonymous) users to create and access data on your server that is distinct and separate from that created by authenticated users. | + | |
| - | To enable separating data by users, you need to specify in your ''node.conf'' file: | + | There is a way to automatically create a user for each cPanel user for WHM administrator. You may use a script like the following when you ssh login as a root user: |
| - | Cached.Anonymous=true | + | |
| + | <code> | ||
| + | #!/bin/bash | ||
| + | |||
| + | user_list=$(sasldblistusers2 /etc/sasllsmcd | cut -d@ -f1) | ||
| + | #get current user list | ||
| + | |||
| + | for name in $(ls /home/); | ||
| + | do | ||
| + | if [[ -d /home/$name/public_html ]] ; then | ||
| + | #check public_html existance to make sure it's vhost user instead of cPanel created dir | ||
| + | if ! echo $user_list | grep -i -q $name ; then | ||
| + | #check if user already in the list to avoid override existing users | ||
| + | passwd=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 10 ; echo '') | ||
| + | echo $passwd | saslpasswd2 -p -f /etc/sasllsmcd $name | ||
| + | # use -p to set a random password without prompt | ||
| + | echo "$name added into LSMCD" | ||
| + | else | ||
| + | echo "$name already in the list..." | ||
| + | fi | ||
| + | fi | ||
| + | done | ||
| + | </code> | ||
| + | |||
| + | You can also use the similar commands to create a custom script, and hook up with cPanel user creation to auto-run it. | ||
| + | |||
| + | passwd=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 10 ; echo '') | ||
| + | echo $passwd | saslpasswd2 -p -f /etc/sasllsmcd $name | ||
| + | ===== Use ===== | ||
| + | Once the software is installed, cPanel users will see a new option in their **Advanced** group: | ||
| + | |||
| + | {{:litespeed_wiki:lsmcd:lsmcdmenuitem.jpg?400|}} | ||
| + | |||
| + | When the item has been selected users will be brought to the main menu: | ||
| + | |||
| + | {{:litespeed_wiki:lsmcd:lsmcdcpanelmain.jpg?400|}} | ||
| + | |||
| + | This screen has 3 groups of data: | ||
| + | - Who you are: | ||
| + | - User to be used for LSMCD (the logged on user) | ||
| + | - LSMCD server address extracted from ''/usr/local/lsmcd/conf/node.conf''. Can be an IP address/port or UDS (Unix Domain Socket). | ||
| + | - Whether SASL security is enabled (the setting of ''Cached.UseSasl'' in node.conf) | ||
| + | - Whether User Level Security is enabled (the setting of ''Cached.DataByUser'' in node.conf). | ||
| + | - A button to change the password. Will only be enabled if SASL and User Level Security is enabled. | ||
| + | - A button to display stats. If user level security is enabled, the stats will be only for the user. If no security is enabled, the stats are system wide. Otherwise the button is disabled. | ||
| + | |||
| + | ==== Change Password ==== | ||
| + | |||
| + | The ''Change Password'' button will only be enabled if both SASL and user level security is enabled. This facility is provided as access to a command prompt for running saslpasswd2 is not available to regular users, and regular users need the ability to keep the SASL password consistent with company policy. Press the button to enter the **Change Password** screen. | ||
| + | |||
| + | {{:litespeed_wiki:lsmcd:lsmcdcpanelchangepassword.jpg?400|}} | ||
| + | |||
| + | As is common with password change facilities, the new password must be entered twice and must match. Other than requiring a password, no additional password restrictions are placed on the password. When the user enters the new password in both text boxes and presses **Change Password**, the ''saslpasswd2'' program is run and it is up to that program to validate the new password with system restrictions. | ||
| + | |||
| + | If there are errors, they are displayed in this screen and the user can fix the problem and try again. If the password change is successful, that fact is displayed and the text of the button is changed to **Ok**. When the user presses the button, the main window is redisplayed. | ||
| + | |||
| + | ==== Display Stats ==== | ||
| + | To display the Memcached statistics for the user (or the system as a whole if security is disabled), the user can press the **Display Stats** button. | ||
| + | |||
| + | Stats are displayed in the format below, the format determined by LSMCD, and are basically identical to those available from Memcached. The primary difference being that the stats only reflect activity for those transactions done by the user validated by SASL and LSMCD. | ||
| + | |||
| + | {{:litespeed_wiki:lsmcd:lsmcdcpanelstats.jpg?400|}} | ||
| + | |||
| + | Use the browser **Back** button to return to the main window. | ||
| - | This does not create a security hole as the data stored and accessed by unauthenticated users is totally separate from data stored for authenticated users when ''Cached.DataByUser'' is enabled. | ||
| - | The default is ''false'' so that you do not mistakenly allow unauthenticated users access to Memcached facilities (even though the data would be separated). | ||