Awesome! Thanks for clarifying things. Makes sense considering the growing popularity of shared networks. However, here's my humble comment on this use-case... Can't people just use iptables for protecting their memcached host/port in a shared network? Or is this feature intended for people who have very limited freedom over the infrastructure?

Cheers,
Toru

On Tue, Oct 27, 2009 at 1:09 AM, Dustin <[email protected]> wrote:
>
>
> On Oct 26, 1:33 am, Toru Maesaka <[email protected]> wrote:
>
>> From chasing the commit log and reading Trond's blog entry, I noticed
>> that we're throwing in SASL support to memcached.
>>
>> I guess this is to make it friendlier to deploy memcached on an
>> untrusted network (e.g. Amazon's EC2) but I wanted to hear what the
>> actual deciding factor was. You know, personal curiosity and to keep
>> record of this feature discussion in the community mailing list.
>
> Hey,
>
> Thanks for starting this. I was trying to get a few things together
> on the wiki and had pretty much forgotten about the list. :/
>
> Your guess is pretty much it, though... there have been some really
> awful deployments. The worst I've personally heard of was at an ISP
> that offers both VPS and shared web hosting services where customers
> would apparently commonly get a VPS instance just to run memcached and
> connect to it from the shared web servers. Effectively, anyone with
> access to this service (i.e. anyone) can fairly easily rummage
> through / manipulate anyone else's cache.
>
> As a bonus, the code already existed. We'd talked about it a long
> time ago and I built some stuff that worked then, but just got around
> to cleaning it up enough to go (you can see the commits are from early
> May).
>
> I don't think the documentation is *awesome* yet, but I've got the
> higher level howto and protocol spec on the wiki:
>
> http://code.google.com/p/memcached/wiki/SASLHowto
> http://code.google.com/p/memcached/wiki/SASLAuthProtocol
>

--
Toru Maesaka <[email protected]>
