10bet网址
MySQL 8.0 Reference Manual
Related Documentation
MySQL 8.0 Release Notes
MySQL 8.0 Source Code Documentation
Download this Manual
PDF (US Ltr)- 41.6Mb
PDF (A4)- 41.7Mb
HTML Download (TGZ)- 9.3Mb
HTML Download (Zip)- 9.4Mb
Man Pages (TGZ)- 262.1Kb
Man Pages (Zip)- 372.2Kb
Info (Gzip)- 4.0Mb
Info (Zip)- 4.0Mb
Excerpts from this Manual
MySQL Backup and Recovery
MySQL Globalization
MySQL Information Schema
MySQL Installation Guide
Security in MySQL
Starting and Stopping MySQL
MySQL and Linux/Unix
MySQL and Windows
MySQL and macOS
MySQL and Solaris
Building MySQL from Source
MySQL Restrictions and Limitations
MySQL Partitioning
MySQL Tutorial
MySQL Performance Schema
MySQL Replication
Using the MySQL Yum Repository
MySQL NDB Cluster 8.0


MySQL 8.0 Reference Manual/.../ Security Considerations for the InnoDB memcached Plugin

15.20.5 Security Considerations for the InnoDB memcached Plugin

Caution

Consult this section before deploying thedaemon_memcachedplugin on a production server, or even on a test server if the MySQL instance contains sensitive data.

Becausememcacheddoes not use an authentication mechanism by default, and the optional SASL authentication is not as strong as traditional DBMS security measures, only keep non-sensitive data in the MySQL instance that uses thedaemon_memcachedplugin, and wall off any servers that use this configuration from potential intruders. Do not allowmemcachedaccess to these servers from the Internet; only allow access from within a firewalled intranet, ideally from a subnet whose membership you can restrict.

Password-Protecting memcached Using SASL

SASL support provides the capability to protect your MySQL database from unauthenticated access throughmemcachedclients. This section explains how to enable SASL with thedaemon_memcachedplugin. The steps are almost identical to those performed to enabled SASL for a traditionalmemcachedserver.

SASL stands forSimple Authentication and Security Layer, a standard for adding authentication support to connection-based protocols.memcachedadded SASL support in version 1.4.3.

SASL authentication is only supported with the binary protocol.

memcachedclients are only able to accessInnoDBtables that are registered in theinnodb_memcache.containerstable. Even though a DBA can place access restrictions on such tables, access throughmemcachedapplications cannot be controlled. For this reason, SASL support is provided to control access toInnoDBtables associated with thedaemon_memcachedplugin.

The following section shows how to build, enable, and test an SASL-enableddaemon_memcachedplugin.

Building and Enabling SASL with the InnoDB memcached Plugin

By default, an SASL-enableddaemon_memcachedplugin is not included in MySQL release packages, since an SASL-enableddaemon_memcachedplugin requires buildingmemcachedwith SASL libraries. To enable SASL support, download the MySQL source and rebuild thedaemon_memcachedplugin after downloading the SASL libraries:

  1. Install the SASL development and utility libraries. For example, on Ubuntu, useapt-getto obtain the libraries:

    sudo apt-get -f install libsasl2-2 sasl2-bin libsasl2-2 libsasl2-dev libsasl2-modules

  2. Build thedaemon_memcachedplugin shared libraries with SASL capability by addingENABLE_MEMCACHED_SASL=1to yourcmakeoptions.memcachedalso providessimple cleartext password support, which facilitates testing. To enable simple cleartext password support, specify theENABLE_MEMCACHED_SASL_PWDB=1cmakeoption.

    In summary, add following threecmakeoptions:

    cmake ... -DWITH_INNODB_MEMCACHED=1 -DENABLE_MEMCACHED_SASL=1 -DENABLE_MEMCACHED_SASL_PWDB=1

  3. Install thedaemon_memcachedplugin, as described inSection 15.20.3, “Setting Up the InnoDB memcached Plugin”.

  4. Configure a user name and password file. (This example usesmemcachedsimple cleartext password support.)

    1. In a file, create a user namedtestnameand define the password astestpasswd:

      echo "testname:testpasswd:::::::" >/home/jy/memcached-sasl-db

    2. Configure theMEMCACHED_SASL_PWDBenvironment variable to informmemcachedof the user name and password file:

      export MEMCACHED_SASL_PWDB=/home/jy/memcached-sasl-db

    3. Informmemcachedthat a cleartext password is used:

      echo "mech_list: plain" > /home/jy/work2/msasl/clients/memcached.conf export SASL_CONF_PATH=/home/jy/work2/msasl/clients

  5. 使SASL通过重启ing the MySQL server with thememcached-Soption encoded in thedaemon_memcached_optionconfiguration parameter:

    mysqld ... --daemon_memcached_option="-S"

  6. To test the setup, use an SASL-enabled client such asSASL-enabled libmemcached.

    memcp --servers=localhost:11211 --binary --username=testname --password=passwordmyfile.txt memcat --servers=localhost:11211 --binary --username=testname --password=passwordmyfile.txt

    If you specify an incorrect user name or password, the operation is rejected with amemcache error AUTHENTICATION FAILUREmessage. In this case, examine the cleartext password set in thememcached-sasl-dbfile to verify that the credentials you supplied are correct.

There are other methods to test SASL authentication withmemcached, but the method described above is the most straightforward.


PREV HOME UP NEXT
Related Documentation
MySQL 8.0 Release Notes
MySQL 8.0 Source Code Documentation
Download this Manual
PDF (US Ltr)- 41.6Mb
PDF (A4)- 41.7Mb
HTML Download (TGZ)- 9.3Mb
HTML Download (Zip)- 9.4Mb
Man Pages (TGZ)- 262.1Kb
Man Pages (Zip)- 372.2Kb
Info (Gzip)- 4.0Mb
Info (Zip)- 4.0Mb
Excerpts from this Manual
MySQL Backup and Recovery
MySQL Globalization
MySQL Information Schema
MySQL Installation Guide
Security in MySQL
Starting and Stopping MySQL
MySQL and Linux/Unix
MySQL and Windows
MySQL and macOS
MySQL and Solaris
Building MySQL from Source
MySQL Restrictions and Limitations
MySQL Partitioning
MySQL Tutorial
MySQL Performance Schema
MySQL Replication
Using the MySQL Yum Repository
MySQL NDB Cluster 8.0