(2010/01/07 8:32), Aaron Stone wrote:
On Wed, Jan 6, 2010 at 2:48 AM, pub crawler <pubcrawler....@gmail.com> wrote:
Obviously dissecting a memcached instance up into separate user
kingdoms would have the implied effect of slowing memcached down and
adding unnecessary complexity.  Unsure how much either would truly
impact it however. Someone might want to substantiate this point.

If you have a memcached need for multiple clients or different sites
you are best running separate instances and using other 3rd party
methods for attempting to secure memcached.

Needless to say, permissions and authentication are a feature set that
is going to be re-requested for addition now and in the future.  It opens
the door for someone to create a memcached variation with such a
feature set - anyone?

Please don't. Please nobody even think of doing that. Really. Don't.

Sorry, it is unclear to me what you are opposed to.
(Sorry for the stupid reply, since English is not my native language...)

If you are opposed to my making my own branch for access control purposes,
I can understand the reason.

If you are opposed to adding an (optional) access control feature to memcached,
I'd like to see the reason why.

Thanks,

On Wed, Jan 6, 2010 at 5:35 AM, Henrik Schröder <skro...@gmail.com> wrote:
Access controls on a per-key basis are insane for lots of reasons. If you
need separate applications to only be able to access their own keys, set up
a separate memcached instance for each app. Problem solved without incurring
the access control overhead, without introducing access control syntax, and
without enabling apps to break each other by accidentally reserving each
other's keys.


/Henrik Schröder

2010/1/6 KaiGai Kohei <kai...@ak.jp.nec.com>

(2010/01/06 15:14), Dustin wrote:

On Jan 5, 10:06 pm, KaiGai Kohei <kai...@ak.jp.nec.com> wrote:
Are there any design proposals?
Or, could you introduce me to whoever is working on this effort?

I've worked on the development of a secure web application platform using
SELinux for a few years. Nowadays, memcached has become a significant
facility for various kinds of web applications, so we cannot ignore access
controls on the key-value store shared by multiple web applications.

So, I'm interested in the description on the roadmap, and looking for
more detailed information about this project.

    I suppose we should update those docs a bit:

     http://code.google.com/p/memcached/wiki/SASLHowto

    Let me know how that goes.

Thanks for the information.

Hmm, indeed, memcached already provides an authentication feature, but it is
different from what I would like to do.

It seems to me it allows authenticated clients to access all the objects
stored in this memcached server. However, we cannot control access to
certain objects as with filesystem permissions, although SASL support makes
it possible to identify the client.
(BTW, access control does not always require authentication. For example,
we can assume a security model based on the source IP addresses.)

Is there any activity to support access controls, not only authentication?
Or, is it open to new ideas or propositions? :)

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei<kai...@ak.jp.nec.com>






--
OSS Platform Development Division, NEC
KaiGai Kohei <kai...@ak.jp.nec.com>
