In order to connect to a given bucket you need to run a SASL authentication to the memcached server. The SASL authentication for memcached is specified in SASLAuthProtocol (binary protocol only).
vbucketmigrator implements SASL Authentication by using libsasl in C if you want some example code.
We start the SASL authentication by asking the memcached server for the mechanisms it supports. This is achieved by sending the following packet:
Byte/ 0 | 1 | 2 | 3 | / | | | | |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7| +---------------+---------------+---------------+---------------+ 0| 80 | 20 | 00 | 00 | +---------------+---------------+---------------+---------------+ 4| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 8| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 12| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 16| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 20| 00 | 00 | 00 | 00 |
Header breakdown Field (offset) (value) Magic (0): 0x80 (PROTOCOL_BINARY_REQ) Opcode (1): 0x20 (sasl list mechs) Key length (2-3): 0x0000 (0) Extra length (4): 0x00 Data type (5): 0x00 vbucket (6-7): 0x0000 (0) Total body (8-11): 0x00000000 (0) Opaque (12-15): 0x00000000 (0) CAS (16-23): 0x0000000000000000 (0)
If the server supports SASL authentication the following packet is returned:
Byte/ 0 | 1 | 2 | 3 | / | | | | |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7| +---------------+---------------+---------------+---------------+ 0| 81 | 20 | 00 | 00 | +---------------+---------------+---------------+---------------+ 4| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 8| 00 | 00 | 00 | 05 | +---------------+---------------+---------------+---------------+ 12| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 16| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 20| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 24| 50 ('P') | 4c ('L') | 41 ('A') | 49 ('I') | +---------------+---------------+---------------+---------------+
28| 4e ('N') |
Header breakdown Field (offset) (value) Magic (0): 0x81 (PROTOCOL_BINARY_RES) Opcode (1): 0x20 (sasl list mechs) Key length (2-3): 0x0000 (0) Extra length (4): 0x00 Data type (5): 0x00 Status (6-7): 0x0000 (SUCCESS) Total body (8-11): 0x00000005 (5) Opaque (12-15): 0x00000000 (0) CAS (16-23): 0x0000000000000000 (0) Mechanisms (24-28): PLAIN
Please note that the server may support a different set of mechanisms. The list of mechanisms is a space-separated list of SASL mechanism names (e.g. "PLAIN CRAM-MD5 GSSAPI").
After choosing the desired mechanism (from the ones that the server supports), you need to create an authentication request packet and send it to the server. The following packet shows a packet using PLAIN authentication of "foo" with the password "bar":
Byte/ 0 | 1 | 2 | 3 | / | | | | |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7| +---------------+---------------+---------------+---------------+ 0| 80 | 21 ('!') | 00 | 05 | +---------------+---------------+---------------+---------------+ 4| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 8| 00 | 00 | 00 | 10 | +---------------+---------------+---------------+---------------+ 12| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 16| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 20| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 24| 50 ('P') | 4c ('L') | 41 ('A') | 49 ('I') | +---------------+---------------+---------------+---------------+ 28| 4e ('N') | 66 ('f') | 6f ('o') | 6f ('o') | +---------------+---------------+---------------+---------------+ 32| 00 | 66 ('f') | 6f ('o') | 6f ('o') | +---------------+---------------+---------------+---------------+ 36| 00 | 62 ('b') | 61 ('a') | 72 ('r') |
Header breakdown Field (offset) (value) Magic (0): 0x80 (PROTOCOL_BINARY_REQ) Opcode (1): 0x21 (sasl auth) Key length (2-3): 0x0005 (5) Extra length (4): 0x00 Data type (5): 0x00 vbucket (6-7): 0x0000 (0) Total body (8-11): 0x00000010 (16) Opaque (12-15): 0x00000000 (0) CAS (16-23): 0x0000000000000000 (0) Mechanisms (24-28): PLAIN Auth token (29-39): foo0x00foo0x00bar
If the server accepts this username/password combination, it may return one of two status codes: Success or "Authentication Continuation". Success means that you're done
Byte/ 0 | 1 | 2 | 3 | / | | | | |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7| +---------------+---------------+---------------+---------------+ 0| 81 | 21 ('!') | 00 | 00 | +---------------+---------------+---------------+---------------+ 4| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 8| 00 | 00 | 00 | 0d | +---------------+---------------+---------------+---------------+ 12| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 16| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 20| 00 | 00 | 00 | 00 | +---------------+---------------+---------------+---------------+ 24| 41 ('A') | 75 ('u') | 74 ('t') | 68 ('h') | +---------------+---------------+---------------+---------------+ 28| 65 ('e') | 6e ('n') | 74 ('t') | 69 ('i') | +---------------+---------------+---------------+---------------+ 32| 63 ('c') | 61 ('a') | 74 ('t') | 65 ('e') | +---------------+---------------+---------------+---------------+ 36| 64 ('d') |
Header breakdown Field (offset) (value) Magic (0): 0x81 (PROTOCOL_BINARY_RES) Opcode (1): 0x21 (sasl auth) Key length (2-3): 0x0000 (0) Extra length (4): 0x00 Data type (5): 0x00 Status (6-7): 0x0000 (SUCCESS) Total body (8-11): 0x0000000d (13) Opaque (12-15): 0x00000000 (0) CAS (16-23): 0x0000000000000000 (0) Info (24-36): Authenticated