Comment #3 on issue 184 by [email protected]: Add command's whitelist and blacklist related with SASL
http://code.google.com/p/memcached/issues/detail?id=184
Unfortunately, we've been unbearably slow to get a release out containing the engine, but Trond has some documentation up on how to write engines here: http://trondn.blogspot.com/2010/10/writing-your-own-storage-engine-for.html (there's a series up somewhere).
Basically, your engine can register to receive a callback on connect, disconnect, and auth (among others, but that's all you really need here). You can stash away user data in the connection (such as an op ACL) which you can verify on every subsequent request. With this you can decide whether to service a request and how to respond to it (including requesting the server hang up on the client) with as much information as you've gained about the client up to that point.
You can do this without any modifications to the server and you can wrap an existing engine (such as default) with little additional work. I did this with the bucket engine to add multi-tenancy with homogeneous inferior engines here: https://github.com/membase/bucket_engine
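
The per-connection op ACL pattern described in the comment above, as an added example that is not part of the original comment and is not code from memcached or bucket_engine. It is a self-contained C model: every type and function name is hypothetical, the user-to-op policy is constructed sample data, and the three-denial hang-up threshold is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* All names are hypothetical stand-ins, not the memcached engine API. */
enum op { OP_GET = 1u << 0, OP_SET = 1u << 1, OP_DELETE = 1u << 2, OP_FLUSH = 1u << 3 };
enum verdict { SERVE, DENY, DISCONNECT };
struct conn { void *engine_data; };            /* per-connection slot for engine data */
struct conn_acl { uint32_t allowed; unsigned denied; };

/* Constructed sample policy: authenticated user name -> allowed op mask. */
static const struct { const char *user; uint32_t mask; } policy[] = {
    { "reader", OP_GET },
    { "writer", OP_GET | OP_SET | OP_DELETE },
    { "admin",  OP_GET | OP_SET | OP_DELETE | OP_FLUSH },
};

/* Connect callback: stash an empty ACL, so nothing is allowed before auth. */
int on_connect(struct conn *c) {
    c->engine_data = calloc(1, sizeof(struct conn_acl));
    return c->engine_data ? 0 : -1;
}

/* Auth callback: load the ACL for this user; unknown users keep an empty one. */
void on_auth(struct conn *c, const char *user) {
    struct conn_acl *a = c->engine_data;
    if (!a) return;
    a->allowed = 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].user, user) == 0) a->allowed = policy[i].mask;
}

/* Disconnect callback: release the stashed state. */
void on_disconnect(struct conn *c) { free(c->engine_data); c->engine_data = NULL; }

/* Run before handing a request to the wrapped engine. */
enum verdict check_request(struct conn *c, enum op op) {
    struct conn_acl *a = c->engine_data;
    if (!a) return DISCONNECT;                    /* no state: fail closed */
    if (a->allowed & (uint32_t)op) return SERVE;
    return ++a->denied >= 3 ? DISCONNECT : DENY;  /* assumed threshold of 3 */
}

int main(void) {
    struct conn c = { NULL };
    if (on_connect(&c) != 0) return 1;
    on_auth(&c, "reader");
    printf("get=%d set=%d\n", check_request(&c, OP_GET), check_request(&c, OP_SET));
    on_disconnect(&c);
    return 0;
}
```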
