SASL Support

[johnbburg]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem?

I was looking into adding authentication to our memcached instance (even though it is in a closed network), it shows up in pen test scans as an issue. Authentication for memcached is handled through SASL, I'm a bit new to this myself, and I'm wondering if it's worth providing the ability to use SASL authentication in ddev-memcached. At the very least, it could provide some convenience where the same configuration code gets used between ddev and remote environments, and we use dotenv to inject credentials in each, instead of writing code like if (ddev) {... to conditionally include these lines. At best, it would more accurately recreate conditions in live environments that use authentication for memcached.

Describe your solution

Some clear documentation on how SASL-based authentication support can be added in ddev-memcached would be awesome.

Describe alternatives

No response

Additional context

No response

[rfay]

A casual glance says that there are many forms of SASL. Do you have an idea what you want? An idea how it would work? Is it being used in your production network?

And why does it matter in local dev?

[stasadev]

Example:

Create a new .ddev/docker-compose.memcached_extra.yaml file:

# .ddev/docker-compose.memcached_extra.yaml
services:
  memcached:
    command: ["-m", "128", "-S", "-vv"]
    environment:
      - SASL_CONF_PATH=/etc/sasl2
      - MEMCACHED_SASL_PWDB=/etc/sasl2/memcached-sasl-pwdb
    configs:
      - source: memcached-sasl-pwdb
        target: /etc/sasl2/memcached-sasl-pwdb
        mode: "0444"
      - source: memcached.conf
        target: /etc/sasl2/memcached.conf
        mode: "0444"

configs:
  memcached-sasl-pwdb:
    content: |
      testname:testpasswd

  memcached.conf:
    content: |
      mech_list: plain

Run ddev restart, and check logs:

$ ddev logs -s memcached
Reading configuration from: </etc/sasl2>
Initialized SASL.
...

[johnbburg]

It's not something I've thought about before this afternoon. We did a pen test, and this came up as a recommendation, even though memcached only exists in a closed network here. I'm just looking at what would be used in a standard memcached installation on an Ubuntu environment. We are not yet using it in production, that's what I'm looking into. I'm wondering about applying it in ddev for two reasons. It would simplify the configuration between envionments, using phpdotenv to add credentials in much the same way we would add database credentials, and also just maintaining feature parity between local ddev environments, and the environments running remotely.

[johnbburg]

Amazing, thanks for the quick response.