On Wed, Jan 6, 2010 at 2:48 AM, pub crawler <pubcrawler....@gmail.com> wrote:
> Obviously dissecting a memcached instance up into separate user
> kingdoms would have the implied effect of slowing memcached down and
> adding unnecessary complexity.  Unsure how much either would truly
> impact it however. Someone might want to substantiate this point.
>
> If you have a memcached need for multiple clients or different sites
> you are best running separate instances and using other 3rd party
> methods for attempting to secure memcached.
>
> Needless to say, permissions and authentication is a feature set that
> is going to be re-requested for addition now and in the future.  It opens
> the door for someone to create a memcached variation with such a
> feature set - anyone?

Please don't. Please nobody even think of doing that. Really. Don't.

> On Wed, Jan 6, 2010 at 5:35 AM, Henrik Schröder <skro...@gmail.com> wrote:
>> Access controls on a per-key basis are insane for lots of reasons. If you
>> need separate applications to only be able to access their own keys, set up
>> a separate memcached instance for each app. Problem solved without incurring
>> the access control overhead, without introducing access control syntax, and
>> without enabling apps to break each other by accidentally reserving each
>> other's keys.
>>
>>
>> /Henrik Schröder
>>
>> 2010/1/6 KaiGai Kohei <kai...@ak.jp.nec.com>
>>>
>>> (2010/01/06 15:14), Dustin wrote:
>>> >
>>> > On Jan 5, 10:06 pm, KaiGai Kohei<kai...@ak.jp.nec.com>  wrote:
>>> >> Are there any design proposals?
>>> >> Or, could you introduce me to who is working on this effort?
>>> >>
>>> >> I've worked on development of secure web application platform using
>>> >> SELinux for a few years. Nowadays, memcached becomes a significant
>>> >> facility for various kinds of web applications, so we cannot ignore
>>> >> access controls on the key-value store shared by multiple web
>>> >> applications.
>>> >>
>>> >> So, I'm interested in the description on the roadmap, and looking for
>>> >> more detailed information about this project.
>>> >
>>> >    I suppose we should update those docs a bit:
>>> >
>>> >     http://code.google.com/p/memcached/wiki/SASLHowto
>>> >
>>> >    Let me know how that goes.
>>>
>>> Thanks for the information.
>>>
>>> Hmm, indeed, memcached already provides an authentication feature, but it
>>> is different from what I would like to do.
>>>
>>> It seems to me it allows authenticated clients to access all the objects
>>> stored in this memcached server. However, we cannot control accesses on
>>> certain objects like filesystem permissions, although SASL support enables
>>> identifying the client.
>>> (BTW, access control does not always require authentication. For example,
>>> we can assume a security model based on the source IP addresses.)
>>>
>>> Is there any activity to support access controls, not only authentication?
>>> Or, is it open to new ideas or propositions? :)
>>>
>>> Thanks,
>>> --
>>> OSS Platform Development Division, NEC
>>> KaiGai Kohei <kai...@ak.jp.nec.com>
>>
>>
>
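
The separate-instance-per-application approach suggested in this thread, with each instance on its own UNIX socket so that ordinary file permissions decide which application can connect, as an added example that is not part of the original messages. The app names, the socket directory, the 64 MB cap and a system user named after each app (which the app also runs as) are assumptions.

```shell
#!/bin/sh
# Added example: one memcached instance per application, each listening on
# its own UNIX socket, so the kernel's file permissions gate who may connect.
# Assumed, not from the thread: app names, socket directory, 64 MB cap,
# and a system user named after each app that the app itself runs as.

SOCK_DIR=${SOCK_DIR:-/var/run/memcached}

# Print the memcached command line for one app; refuse unsafe names so an
# app name can never escape the socket directory.
memcached_cmd() {
    app=$1
    case $app in
        ''|*[!a-z0-9_]*) echo "invalid app name: $app" >&2; return 1 ;;
    esac
    # -s: listen on a UNIX socket only (network support is disabled)
    # -a: octal access mask for that socket; 0700 = owning user only
    # -u: run as the app's own user (memcached must be started as root)
    # -m: memory cap in MB for this instance
    printf 'memcached -d -u %s -s %s/%s.sock -a 0700 -m 64\n' \
        "$app" "$SOCK_DIR" "$app"
}

# Dry run by default: print the commands. Set RUN=1 to start the instances.
start_all() {
    for app in "$@"; do
        cmd=$(memcached_cmd "$app") || return 1
        if [ "${RUN:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

start_all blog shop
```

Each application then connects only to its own socket path; a process running as a different user is refused by the operating system before memcached sees a request.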
