Here's what my servers (in Amazon EC2) would look like:

        Server 1                    Server 2                  Server 3
__________________________     _____________________      _______________
|  Cloud Monitor Daemon  |    |  Memcached daemon  |      |  beanstalkd  |
|                        |    |  Memcached daemon  |      ________________
| "Hostile" user process | /  |  Memcached daemon  |
| "Hostile" user process | /  |  Memcached daemon  |
| "Hostile" user process | /  |  Memcached daemon  |
| "Hostile" user process | /   ______________________
| "Hostile" user process | /
__________________________

There are multiple user processes on one server. Each user then has their own memcached instance running on a (separate) server (with many other memcached instances). Without any sort of security (as it is by default), user process B could guess the port of the memcached instance of user A and access it. How can I secure this system so that user C could only access memcached instance C and no other (even though the memcached instances are all on the same server)? My user should not have to do anything to make use of the security (just continue connecting to the memcached port as usual), it should all happen automatically by the system.

Also, the Cloud Monitor Daemon on the server along with the "hostile" user processes needs to be able to access a remote beanstalkd server. Beanstalkd has no authentication either, so if my Monitor Daemon can access beanstalkd, so can the "hostile" user processes, and I don't want that. How can I secure this part?

+1  A: 

I mentioned some tips on securing memcached in a blog post recently. For your case, SASL will probably help a lot.

I don't know if beanstalk ever got SASL support, but that's kind of a different app.

You could build a VPN or enable IPSEC to control access to all services on all machines at the node level, of course.

Dustin
I spent a few hours yesterday trying to build a client, and found that SASL+memcached binary protocol is extraordinarily hard to work with. Also, beanstalkd does not have SASL support, so I thought of creating a server "proxy" wrapper around beanstalkd (only the proxy could access the beanstalkd server directly). I'll probably do the same for memcached and disable SASL. That would handle the authentication consistently throughout the platform.
dkulchenko
What client were you trying? We obviously want to make them easier to work with, but we haven't hit all of them yet. Similarly, we have moxi connecting localhost unauthenticated clients to remote authenticated servers (though it obviously slows you down).
Dustin
Well, I'm using Perl, and none of the Perl memcached clients currently have SASL support.
dkulchenko
moxi looks really cool, I'll check it out.
dkulchenko
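
Added example, not part of the original posts: the SASL exchange discussed above comes down to one request and one response in the memcached binary protocol, so a client or a local proxy can authenticate per user with a few lines of packing code. The sketch assumes the PLAIN mechanism and a server started with SASL enabled; the function names and the credentials used with it are constructed for illustration.

```python
import struct

# Binary protocol header: magic, opcode, key len, extras len, data type,
# vbucket (request) / status (response), total body len, opaque, CAS.
HEADER = struct.Struct("!BBHBBHIIQ")  # 24 bytes, network byte order
MAGIC_REQUEST, MAGIC_RESPONSE = 0x80, 0x81
OP_SASL_AUTH = 0x21
STATUS_OK, STATUS_AUTH_ERROR, STATUS_AUTH_CONTINUE = 0x0000, 0x0020, 0x0021


def build_sasl_plain_request(username, password, opaque=0):
    """SASL Auth request: key = mechanism name, value = PLAIN token."""
    key = b"PLAIN"
    # RFC 4616 PLAIN token: authzid NUL authcid NUL password (authzid empty).
    value = b"\0" + username.encode() + b"\0" + password.encode()
    header = HEADER.pack(MAGIC_REQUEST, OP_SASL_AUTH, len(key), 0, 0, 0,
                         len(key) + len(value), opaque, 0)
    return header + key + value


def parse_response(packet):
    """Return (opcode, status, body) from one complete response packet."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    magic, opcode, _, _, _, status, body_len, _, _ = HEADER.unpack_from(packet)
    if magic != MAGIC_RESPONSE:
        raise ValueError("not a binary-protocol response")
    body = packet[HEADER.size:HEADER.size + body_len]
    if len(body) != body_len:
        raise ValueError("truncated body")
    return opcode, status, body


def recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver a packet in several pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def authenticate(sock, username, password):
    """True only if the server accepts the credentials in a single step."""
    sock.sendall(build_sasl_plain_request(username, password))
    header = recv_exact(sock, HEADER.size)
    body = recv_exact(sock, HEADER.unpack(header)[6])
    opcode, status, _ = parse_response(header + body)
    return opcode == OP_SASL_AUTH and status == STATUS_OK
```

PLAIN sends the password unencrypted, so between EC2 hosts it still needs the VPN or IPsec layer mentioned in the answer, or a proxy on localhost.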