SlideShare a Scribd company logo

Percona Live 2012PPT:mysql-security-privileges-and-user-management

M
mysqlops

Percona Live 2012PPT:mysql-security-privileges-and-user-management

TechnologyNews & Politics
1 of 55
MySQL Security, Privileges & User Management Kenny Gryp <kenny.gryp@percona.com> Percona Live Washington DC / 2012-01-11
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 2
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 3
Privilege System Users Grants mysql database Resource Limits Default Permissions www.percona.com 4
Users Identify users based on: user@host user: username host: hostname/ip of the client that connects different host, different user, different ‘grants’ Examples: ‘fred’@‘localhost’, ‘root’@‘localhost’ ‘lefred’@‘app0001’, ‘kampen’@‘192.168.%’ ‘lekampen’@‘192.168.1__’, ‘fred’@‘app.fq.dn’ Creating A User: >CREATE USER 'lefred'@'app0001'; Drop user: change CREATE into DROP www.percona.com 5
Grants Grant the user some kind of privilege Grant ... to: server, column, view, database, trigger, index table, stored procedure, Example: INSERT, SELECT, UPDATE, DELETE SQL Command: >GRANT SELECT ON db.* TO ‘lefred’@‘app0001’; >GRANT INSERT ON *.* TO ‘lefred’@‘app0001’; Revoking privileges: change GRANT into REVOKE www.percona.com 6
Table/Column Level Grants Possible: > GRANT SELECT ON db.table TO ‘lefred’@‘app’; > GRANT SELECT (col) ON db.table to ‘fr’@‘app’; Too much columns might make authentication slower www.percona.com 7
Password Examples: > SET PASSWORD FOR ‘lefred’@‘app0001’ = PASSWORD(‘pass’); > SELECT PASSWORD('pass')G PASSWORD('pass'): *196BDEDE2AE4F84CA44C47D54D78478C7E2BD7B7 > SET PASSWORD FOR ‘lefred’@‘app0001’ = ‘*196BDEDE2...’; > CREATE USER ‘lefred’@‘app0001’ IDENTIFIED BY ‘pass’; > CREATE USER ‘fred’@‘app’ IDENTIFIED BY PASSWORD ‘*196BDEDE2...’; > GRANT SELECT ON db.* TO ‘fred’@‘app’ IDENTIFIED BY ‘pass’; www.percona.com 8
Grants Complete list of grants: CREATE ALTER ROUTINE DROP CREATE ROUTINE GRANT OPTION EXECUTE LOCK TABLES FILE EVENT CREATE USER ALTER PROCESS DELETE PROXY INDEX RELOAD INSERT REPLICATION CLIENT SELECT REPLICATION SLAVE UPDATE SHOW DATABASES CREATE TEMPORARY TABLES SHUTDOWN TRIGGER SUPER CREATE VIEW ALL [PRIVILEGES] SHOW VIEW USAGE www.percona.com 9
Grants CREATE ALTER ROUTINE DROP CREATE ROUTINE GRANT OPTION EXECUTE LOCK TABLES FILE EVENT CREATE USER ALTER PROCESS DELETE PROXY INDEX RELOAD INSERT REPLICATION CLIENT SELECT REPLICATION SLAVE UPDATE SHOW DATABASES CREATE TEMPORARY TABLES SHUTDOWN TRIGGER SUPER CREATE VIEW ALL [PRIVILEGES] SHOW VIEW USAGE www.percona.com 10
SHOW GRANTS > SHOW GRANTS; +----------------------------------------------------------------+ | Grants for root@localhost | +----------------------------------------------------------------+ | GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY| |PASSWORD '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' WITH GRANT | | OPTION | +----------------------------------------------------------------+ > SHOW GRANTS FOR 'lefred'@'app0001'; +----------------------------------------------+ | Grants for lefred@app0001 | +----------------------------------------------+ | GRANT INSERT ON *.* TO 'lefred'@'app0001' | | GRANT SELECT ON `db`.* TO 'lefred'@'app0001' | +----------------------------------------------+ www.percona.com 11
GRANT OPTION User with ‘GRANT OPTION’ can give grants to other users only for the grants he has already www.percona.com 12
FILE Read/Write Files with: > SELECT ... INTO OUTFILE > LOAD DATA INFILE ... Are you sure you want to give FILE? Restrict with secure_file_priv=/path/ www.percona.com 13
FILE Example: > CREATE TABLE passwd(user varchar(255),pass varchar(255),userid integer,`group` integer,gecos varchar(255),home varchar(255),shell varchar(255)); Query OK, 0 rows affected (0.05 sec) > LOAD DATA INFILE '/etc/passwd' INTO TABLE passwd FIELDS TERMINATED BY ":"; Query OK, 40 rows affected (0.05 sec) > SELECT user, pass, userid, `group`, gecos FROM passwd; +-------------------+------+--------+-------+------------------------------------+ | user | pass | userid | group | gecos | +-------------------+------+--------+-------+------------------------------------+ | root |x | 0| 0 | root | | daemon |x | 1| 1 | daemon | | bin |x | 2| 2 | bin | | sys |x | 3| 3 | sys | | sync |x | 4 | 65534 | sync | | games |x | 5| 60 | games | | man |x | 6| 12 | man | | lp |x | 7| 7 | lp | | mail |x | 8| 8 | mail | | news |x | 9| 9 | news | www.percona.com 14
LOAD DATA LOCAL Just like LOAD DATA, but takes a file from the client Must have config on server: local-infile=0 More a security problem on the client: local-infile=0 to [client] recompile library with DENABLED_LOCAL_INFILE=1 www.percona.com 15
PROCESS See complete SHOW PROCESSLIST for every user > SHOW GRANTS; +-----------------------------------------------+ | Grants for process@localhost | +-----------------------------------------------+ | GRANT PROCESS ON *.* TO 'process'@'localhost' | +-----------------------------------------------+ >SHOW FULL PROCESSLISTG ... *************************** 3. row *************************** Id: 6163 User: root Host: localhost db: test Command: Query Time: 63 State: Locked Info: insert into passwd values ('lefred','iLikeDim0', null,null,null,null) www.percona.com 16
PROCESS And....: > SHOW ENGINE INNODB STATUSG ... ===================================== 120110 21:44:00 INNODB MONITOR OUTPUT ===================================== Per second averages calculated from the last 37 seconds ... ------------ TRANSACTIONS ------------ ... ---TRANSACTION 0, not started, process no 955, OS thread id 140712801937152 mysql tables in use 1, locked 1 MySQL thread id 6163, query id 273 localhost root Table lock insert into passwd values ('lefred','iLikeDim0', null,null,null,null) ... www.percona.com 17
RELOAD Reload all kinds of log files, not so bad... But: FLUSH MASTER: remove all binary logs FLUSH SLAVE: remove all slave configuration FLUSH TABLES WITH READ LOCK: lock tables www.percona.com 18
REPLICATION CLIENT SHOW MASTER STATUS; SHOW SLAVE STATUSG www.percona.com 19
REPLICATION SLAVE Required for slave to fetch binlogs Also gives: SHOW BINLOG EVENTSG ... Log_name: mysql-bin.000001 Pos: 175 Event_type: Query Server_id: 9999 End_log_pos: 312 Info: use `test`; insert into passwd values ('lefred','iLikeDim0', null,null,null,null,null) www.percona.com 20
SHUTDOWN # mysqladmin shutdown www.percona.com 21
SUPER Known to be given to app users & monitoring users However,it is very powerful: CHANGE MASTER TO, STOP SLAVE, START SLAVE KILL any thread SET GLOBAL ... BINLOG When read_only=on SUPER users can still write Set DEFINER with Stored Procedures/Views to account of choice Have the extra login when max_connections is reached www.percona.com 22
ALL Gives ALL privileges possible (on a certain level): > GRANT ALL ON *.* > GRANT ALL ON db.* > GRANT ALL ON db.table ... www.percona.com 23
USAGE Gives you the possibility to... login Possible to run: SHOW GLOBAL STATUS; SHOW GLOBAL VARIABLES; Set session buffers/variables (see next chapter) www.percona.com 24
mysql Database > SHOW TABLES; | plugin | +---------------------------+ | proc | | Tables_in_mysql | | procs_priv | +---------------------------+ | proxies_priv | | columns_priv | | servers | | db | | slow_log | | event | | tables_priv | | func | | time_zone | | general_log | | time_zone_leap_second | | help_category | | time_zone_name | | help_keyword | | time_zone_transition | | help_relation | | time_zone_transition_type | | help_topic | | user | | host | +---------------------------+ | ndb_binlog_index | 24 rows in set (0.00 sec) www.percona.com 25
mysql Database Do not give rights for app or general users DML statements are possible use FLUSH PRIVILEGES to apply www.percona.com 26
Resource Limits For every user: max_user_connections >GRANT USAGE ON db.* TO ‘lefred'@'localhost' WITH MAX_QUERIES_PER_HOUR 1000 MAX_UPDATES_PER_HOUR 999 MAX_CONNECTIONS_PER_HOUR 100 MAX_USER_CONNECTIONS 5; FLUSH USER_RESOURCES; Not commonly used www.percona.com 27
Default Permissions -- Grants dumped by pt-show-grants -- Dumped from server Localhost via UNIX socket, MySQL 5.5.17-55- log at 2012-01-11 03:36:25 -- Grants for 'root'@'127.0.0.1' GRANT ALL PRIVILEGES ON *.* TO 'root'@'127.0.0.1' WITH GRANT OPTION; -- Grants for 'root'@'desktop' GRANT ALL PRIVILEGES ON *.* TO 'root'@'desktop' WITH GRANT OPTION; -- Grants for 'root'@'localhost' GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION; -- Grants for ‘’@‘localhost’ GRANT USAGE ON *.* TO ‘’@‘localhost’; # mysql_secure_installation Set root password? [Y/n] y Remove anonymous users? [Y/n] y Disallow root login remotely? [Y/n] y Remove test database and access to it? [Y/n] y www.percona.com 28
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 29
User Management Difficult to manage when having +1 MySQL server How to properly manage all those users? Version Control SecuRich Configuration Management www.percona.com 30
Version Control Put all grants in a .txt file and put in VC use pt-show-grants: orders grants, easy to VC generates revoke statements -- Grants dumped by pt-show-grants -- Dumped from server Localhost via UNIX socket, MySQL 5.5.17-55-log at 2012-01-10 23:52:18 -- Grants for 'debian-sys-maint'@'localhost' GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY PASSWORD '*C86BAB1C913CE0D310B662846E830230C51DA954' WITH GRANT OPTION; -- Grants for 'lefred'@'app0001' GRANT INSERT ON *.* TO 'lefred'@'app0001'; GRANT SELECT ON `db`.* TO 'lefred'@'app0001'; -- Grants for 'lefred'@'localhost' GRANT SELECT, SELECT (user) ON `test`.`passwd` TO 'lefred'@'localhost'; GRANT USAGE ON *.* TO 'lefred'@'localhost'; http://www.percona.com/doc/percona-toolkit/2.0/pt-show-grants.html www.percona.com 31
SecuRich Tool (scripts/stored procedures) to facilitate user management Has some features MySQL does _not_ have: password expiry block users (even throws out users) password history password complexity checks http://www.securich.com/ www.percona.com 32
Configuration Management Use your favorite configuration management tool Puppet example: https://github.com/DavidS/puppet-mysql www.percona.com 33
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 34
Pluggable Authentication Feature Since MySQL 5.5 New Grant: PROXY: act like a user Percona PAM Plugin: http://www.mysqlperformanceblog.com/2011/12/05/announcing-pam-authentication- plugin-for-mysql-early-access-release/ Oracle PAM Plugin: commercial plugin Clear text password will be sent: use secure connections www.percona.com 35
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 36
Application Security SQL Injections use mysql_real_escape_string() Use Prepared Statements Use different users in the application (read/write/...) Don’t give app users permissions they should not have (see this presentation) www.percona.com 37
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 38
Network Security Port protection Traffic encryption DNS www.percona.com 39
Port Protection Firewall bind-address=127.0.0.1 No need for network connections (socket only): skip-networking www.percona.com 40
Traffic Encryption Problem: # tcpdump -w - -i lo port 3306 | strings ... insert into passwd values ('lefred','dim00tjen', null,null,null,null)H Solution: Built-in SSL Secure Tunnels www.percona.com 41
DNS Remember: authentication is user@host MySQL does Reverse DNS Lookup taking over DNS server can change grants Killing DNS server can cause stalls (next to the default dns cache in MySQL or nscd): both security and performance problem use skip-name-resolve www.percona.com 42
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 43
OS Level Security Security profiles: AppArmor SELinux Chroot start mysqld with --chroot www.percona.com 44
Filesystem Encryption LUKS/ecryptfs/...: Disk/File/Directory encryption Protects against ‘disk-stealing’ No protection for user ‘root’ Gazzang ezNcrypt (http://www.gazzang.com) Commercial tool Uses ecryptfs Off-Site Key Management kernel module ACL Only certain binary, with a certain hash can access the encrypted files www.percona.com 45
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 46
Other MySQL Security Features old-passwords: Insecure 4.1 hashing set secure-auth to avoid skip-symbolic-links max_connect_errors: default=10 Error: Host 'host_name' is blocked FLUSH HOSTS skip-grant-tables: ignore authentication recover lost root password Audit Plugin interface (since 5.5) www.percona.com 47
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 48
Data Security Functions PASSWORD() Crypt: ENCRYPT()/DECRYPT() AES: AES_ENCRYPT()/AES_DECRYPT() DES: DES_ENCRYPT()/DES_DECRYPT() Hashing: MD5(), SHA2() Statement Based Replication includes the SQL statement in the binary log: Use Row Based Same counts for general/slowlog Maybe encrypt in application www.percona.com 49
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 50
DoS mysql> show grants; +--------------------------------------+ | Grants for @localhost | +--------------------------------------+ | GRANT USAGE ON *.* TO ''@'localhost' | +--------------------------------------+ 1 row in set (0.00 sec) Disk: mysql> use information_schema; mysql> select a.* FROM CHARACTER_SETS a, CHARACTER_SETS b, -> CHARACTER_SETS c, CHARACTER_SETS d, CHARACTER_SETS e; Memory: mysql> SELECT REPEAT('a', 1024*1024) INTO @a1; Query OK, 1 row affected (0.01 sec) .. mysql> SELECT REPEAT('a', 1024*1024) INTO @a99; Query OK, 1 row affected (0.01 sec) www.percona.com 51
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 52
PCI Compliance 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security http://en.wikipedia.org/wiki/PCI_DSS www.percona.com 53
Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 54
Kenny Gryp <kenny.gryp@percona.com> @gryp We're Hiring! www.percona.com/about-us/careers/

Recommended

Percona Live 2012PPT: introduction-to-mysql-replication
Percona Live 2012PPT: introduction-to-mysql-replicationPercona Live 2012PPT: introduction-to-mysql-replication
Percona Live 2012PPT: introduction-to-mysql-replicationmysqlops
 
Highload Perf Tuning
Highload Perf TuningHighload Perf Tuning
Highload Perf TuningHighLoad2009
 
MySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB StatusMySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB StatusKarwin Software Solutions LLC
 
MySQL Replication Basics -Ohio Linux Fest 2016
MySQL Replication Basics -Ohio Linux Fest 2016MySQL Replication Basics -Ohio Linux Fest 2016
MySQL Replication Basics -Ohio Linux Fest 2016Dave Stokes
 
MySQL Replication Update -- Zendcon 2016
MySQL Replication Update -- Zendcon 2016MySQL Replication Update -- Zendcon 2016
MySQL Replication Update -- Zendcon 2016Dave Stokes
 
How to migrate from MySQL to MariaDB without tears
How to migrate from MySQL to MariaDB without tearsHow to migrate from MySQL to MariaDB without tears
How to migrate from MySQL to MariaDB without tearsSveta Smirnova
 
Why MySQL Replication Fails, and How to Get it Back
Why MySQL Replication Fails, and How to Get it BackWhy MySQL Replication Fails, and How to Get it Back
Why MySQL Replication Fails, and How to Get it BackSveta Smirnova
 
Managing MariaDB Server operations with Percona Toolkit
Managing MariaDB Server operations with Percona ToolkitManaging MariaDB Server operations with Percona Toolkit
Managing MariaDB Server operations with Percona ToolkitSveta Smirnova
 

Recommended

Percona Live 2012PPT: introduction-to-mysql-replication
Percona Live 2012PPT: introduction-to-mysql-replicationPercona Live 2012PPT: introduction-to-mysql-replication
Percona Live 2012PPT: introduction-to-mysql-replicationmysqlops
 
Highload Perf Tuning
Highload Perf TuningHighload Perf Tuning
Highload Perf TuningHighLoad2009
 
MySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB StatusMySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB StatusKarwin Software Solutions LLC
 
MySQL Replication Basics -Ohio Linux Fest 2016
MySQL Replication Basics -Ohio Linux Fest 2016MySQL Replication Basics -Ohio Linux Fest 2016
MySQL Replication Basics -Ohio Linux Fest 2016Dave Stokes
 
MySQL Replication Update -- Zendcon 2016
MySQL Replication Update -- Zendcon 2016MySQL Replication Update -- Zendcon 2016
MySQL Replication Update -- Zendcon 2016Dave Stokes
 
How to migrate from MySQL to MariaDB without tears
How to migrate from MySQL to MariaDB without tearsHow to migrate from MySQL to MariaDB without tears
How to migrate from MySQL to MariaDB without tearsSveta Smirnova
 
Why MySQL Replication Fails, and How to Get it Back
Why MySQL Replication Fails, and How to Get it BackWhy MySQL Replication Fails, and How to Get it Back
Why MySQL Replication Fails, and How to Get it BackSveta Smirnova
 
Managing MariaDB Server operations with Percona Toolkit
Managing MariaDB Server operations with Percona ToolkitManaging MariaDB Server operations with Percona Toolkit
Managing MariaDB Server operations with Percona ToolkitSveta Smirnova
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingPerformance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingSveta Smirnova
 
How to Avoid Pitfalls in Schema Upgrade with Percona XtraDB Cluster
How to Avoid Pitfalls in Schema Upgrade with Percona XtraDB ClusterHow to Avoid Pitfalls in Schema Upgrade with Percona XtraDB Cluster
How to Avoid Pitfalls in Schema Upgrade with Percona XtraDB ClusterSveta Smirnova
 
Introduction to MySQL Query Tuning for Dev[Op]s
Introduction to MySQL Query Tuning for Dev[Op]sIntroduction to MySQL Query Tuning for Dev[Op]s
Introduction to MySQL Query Tuning for Dev[Op]sSveta Smirnova
 
How to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with GaleraHow to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with GaleraSveta Smirnova
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in ActionSveta Smirnova
 
Introduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB ClusterIntroduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB ClusterI Goo Lee
 
MySQL Performance Schema in 20 Minutes
MySQL Performance Schema in 20 Minutes MySQL Performance Schema in 20 Minutes
MySQL Performance Schema in 20 MinutesSveta Smirnova
 
MySQL Replication Troubleshooting for Oracle DBAs
MySQL Replication Troubleshooting for Oracle DBAsMySQL Replication Troubleshooting for Oracle DBAs
MySQL Replication Troubleshooting for Oracle DBAsSveta Smirnova
 
MySQL InnoDB Cluster 미리보기 (remote cluster test)
MySQL InnoDB Cluster 미리보기 (remote cluster test)MySQL InnoDB Cluster 미리보기 (remote cluster test)
MySQL InnoDB Cluster 미리보기 (remote cluster test)Seungmin Yu
 
Oracle upgrade
Oracle upgradeOracle upgrade
Oracle upgradeRaj p
 
Curso de MySQL 5.7
Curso de MySQL 5.7Curso de MySQL 5.7
Curso de MySQL 5.7Eduardo Legatti
 
Introduction into MySQL Query Tuning
Introduction into MySQL Query TuningIntroduction into MySQL Query Tuning
Introduction into MySQL Query TuningSveta Smirnova
 
MySQLinsanity
MySQLinsanityMySQLinsanity
MySQLinsanityStanley Huang
 
Introduction into MySQL Query Tuning for Dev[Op]s
Introduction into MySQL Query Tuning for Dev[Op]sIntroduction into MySQL Query Tuning for Dev[Op]s
Introduction into MySQL Query Tuning for Dev[Op]sSveta Smirnova
 
Lessons Learned: Troubleshooting Replication
Lessons Learned: Troubleshooting ReplicationLessons Learned: Troubleshooting Replication
Lessons Learned: Troubleshooting ReplicationSveta Smirnova
 
MySQL Binary Log API Presentation - OSCON 2011
MySQL Binary Log API Presentation - OSCON 2011MySQL Binary Log API Presentation - OSCON 2011
MySQL Binary Log API Presentation - OSCON 2011Mats Kindahl
 
Preparse Query Rewrite Plugins
Preparse Query Rewrite PluginsPreparse Query Rewrite Plugins
Preparse Query Rewrite PluginsSveta Smirnova
 
監査ログをもっと身近に!〜統合監査のすすめ〜
監査ログをもっと身近に!〜統合監査のすすめ〜監査ログをもっと身近に!〜統合監査のすすめ〜
監査ログをもっと身近に!〜統合監査のすすめ〜Michitoshi Yoshida
 
MySQL Document Store
MySQL Document StoreMySQL Document Store
MySQL Document StoreI Goo Lee
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in ActionSveta Smirnova
 
MySQL应用优化实践
MySQL应用优化实践MySQL应用优化实践
MySQL应用优化实践mysqlops
 
分布式爬虫
分布式爬虫分布式爬虫
分布式爬虫mysqlops
 

More Related Content

What's hot

Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingPerformance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingSveta Smirnova
 
How to Avoid Pitfalls in Schema Upgrade with Percona XtraDB Cluster
How to Avoid Pitfalls in Schema Upgrade with Percona XtraDB ClusterHow to Avoid Pitfalls in Schema Upgrade with Percona XtraDB Cluster
How to Avoid Pitfalls in Schema Upgrade with Percona XtraDB ClusterSveta Smirnova
 
Introduction to MySQL Query Tuning for Dev[Op]s
Introduction to MySQL Query Tuning for Dev[Op]sIntroduction to MySQL Query Tuning for Dev[Op]s
Introduction to MySQL Query Tuning for Dev[Op]sSveta Smirnova
 
How to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with GaleraHow to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with GaleraSveta Smirnova
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in ActionSveta Smirnova
 
Introduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB ClusterIntroduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB ClusterI Goo Lee
 
MySQL Performance Schema in 20 Minutes
MySQL Performance Schema in 20 Minutes MySQL Performance Schema in 20 Minutes
MySQL Performance Schema in 20 MinutesSveta Smirnova
 
MySQL Replication Troubleshooting for Oracle DBAs
MySQL Replication Troubleshooting for Oracle DBAsMySQL Replication Troubleshooting for Oracle DBAs
MySQL Replication Troubleshooting for Oracle DBAsSveta Smirnova
 
MySQL InnoDB Cluster 미리보기 (remote cluster test)
MySQL InnoDB Cluster 미리보기 (remote cluster test)MySQL InnoDB Cluster 미리보기 (remote cluster test)
MySQL InnoDB Cluster 미리보기 (remote cluster test)Seungmin Yu
 
Oracle upgrade
Oracle upgradeOracle upgrade
Oracle upgradeRaj p
 
Introduction into MySQL Query Tuning
Introduction into MySQL Query TuningIntroduction into MySQL Query Tuning
Introduction into MySQL Query TuningSveta Smirnova
 
Introduction into MySQL Query Tuning for Dev[Op]s
Introduction into MySQL Query Tuning for Dev[Op]sIntroduction into MySQL Query Tuning for Dev[Op]s
Introduction into MySQL Query Tuning for Dev[Op]sSveta Smirnova
 
Lessons Learned: Troubleshooting Replication
Lessons Learned: Troubleshooting ReplicationLessons Learned: Troubleshooting Replication
Lessons Learned: Troubleshooting ReplicationSveta Smirnova
 
MySQL Binary Log API Presentation - OSCON 2011
MySQL Binary Log API Presentation - OSCON 2011MySQL Binary Log API Presentation - OSCON 2011
MySQL Binary Log API Presentation - OSCON 2011Mats Kindahl
 
Preparse Query Rewrite Plugins
Preparse Query Rewrite PluginsPreparse Query Rewrite Plugins
Preparse Query Rewrite PluginsSveta Smirnova
 
監査ログをもっと身近に!〜統合監査のすすめ〜
監査ログをもっと身近に!〜統合監査のすすめ〜監査ログをもっと身近に!〜統合監査のすすめ〜
監査ログをもっと身近に!〜統合監査のすすめ〜Michitoshi Yoshida
 
MySQL Document Store
MySQL Document StoreMySQL Document Store
MySQL Document StoreI Goo Lee
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in ActionSveta Smirnova
 

What's hot (20)

Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingPerformance Schema for MySQL Troubleshooting
Performance Schema for MySQL Troubleshooting
 
How to Avoid Pitfalls in Schema Upgrade with Percona XtraDB Cluster
How to Avoid Pitfalls in Schema Upgrade with Percona XtraDB ClusterHow to Avoid Pitfalls in Schema Upgrade with Percona XtraDB Cluster
How to Avoid Pitfalls in Schema Upgrade with Percona XtraDB Cluster
 
Introduction to MySQL Query Tuning for Dev[Op]s
Introduction to MySQL Query Tuning for Dev[Op]sIntroduction to MySQL Query Tuning for Dev[Op]s
Introduction to MySQL Query Tuning for Dev[Op]s
 
How to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with GaleraHow to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with Galera
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in Action
 
Introduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB ClusterIntroduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB Cluster
 
MySQL Performance Schema in 20 Minutes
MySQL Performance Schema in 20 Minutes MySQL Performance Schema in 20 Minutes
MySQL Performance Schema in 20 Minutes
 
MySQL Replication Troubleshooting for Oracle DBAs
MySQL Replication Troubleshooting for Oracle DBAsMySQL Replication Troubleshooting for Oracle DBAs
MySQL Replication Troubleshooting for Oracle DBAs
 
MySQL InnoDB Cluster 미리보기 (remote cluster test)
MySQL InnoDB Cluster 미리보기 (remote cluster test)MySQL InnoDB Cluster 미리보기 (remote cluster test)
MySQL InnoDB Cluster 미리보기 (remote cluster test)
 
Oracle upgrade
Oracle upgradeOracle upgrade
Oracle upgrade
 
Curso de MySQL 5.7
Curso de MySQL 5.7Curso de MySQL 5.7
Curso de MySQL 5.7
 
Introduction into MySQL Query Tuning
Introduction into MySQL Query TuningIntroduction into MySQL Query Tuning
Introduction into MySQL Query Tuning
 
MySQLinsanity
MySQLinsanityMySQLinsanity
MySQLinsanity
 
Introduction into MySQL Query Tuning for Dev[Op]s
Introduction into MySQL Query Tuning for Dev[Op]sIntroduction into MySQL Query Tuning for Dev[Op]s
Introduction into MySQL Query Tuning for Dev[Op]s
 
Lessons Learned: Troubleshooting Replication
Lessons Learned: Troubleshooting ReplicationLessons Learned: Troubleshooting Replication
Lessons Learned: Troubleshooting Replication
 
MySQL Binary Log API Presentation - OSCON 2011
MySQL Binary Log API Presentation - OSCON 2011MySQL Binary Log API Presentation - OSCON 2011
MySQL Binary Log API Presentation - OSCON 2011
 
Preparse Query Rewrite Plugins
Preparse Query Rewrite PluginsPreparse Query Rewrite Plugins
Preparse Query Rewrite Plugins
 
監査ログをもっと身近に!〜統合監査のすすめ〜
監査ログをもっと身近に!〜統合監査のすすめ〜監査ログをもっと身近に!〜統合監査のすすめ〜
監査ログをもっと身近に!〜統合監査のすすめ〜
 
MySQL Document Store
MySQL Document StoreMySQL Document Store
MySQL Document Store
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in Action
 

Viewers also liked

MySQL应用优化实践
MySQL应用优化实践MySQL应用优化实践
MySQL应用优化实践mysqlops
 
分布式爬虫
分布式爬虫分布式爬虫
分布式爬虫mysqlops
 
DBA新人的述职报告
DBA新人的述职报告DBA新人的述职报告
DBA新人的述职报告mysqlops
 
QQ聊天系统后台架构的演化与启示
QQ聊天系统后台架构的演化与启示QQ聊天系统后台架构的演化与启示
QQ聊天系统后台架构的演化与启示mysqlops
 
服务器性能测试介绍
服务器性能测试介绍服务器性能测试介绍
服务器性能测试介绍Paro Yin
 
Oracle数据库分析函数详解
Oracle数据库分析函数详解Oracle数据库分析函数详解
Oracle数据库分析函数详解mysqlops
 
The simplethebeautiful
The simplethebeautifulThe simplethebeautiful
The simplethebeautifulmysqlops
 

Viewers also liked (7)

MySQL应用优化实践
MySQL应用优化实践MySQL应用优化实践
MySQL应用优化实践
 
分布式爬虫
分布式爬虫分布式爬虫
分布式爬虫
 
DBA新人的述职报告
DBA新人的述职报告DBA新人的述职报告
DBA新人的述职报告
 
QQ聊天系统后台架构的演化与启示
QQ聊天系统后台架构的演化与启示QQ聊天系统后台架构的演化与启示
QQ聊天系统后台架构的演化与启示
 
服务器性能测试介绍
服务器性能测试介绍服务器性能测试介绍
服务器性能测试介绍
 
Oracle数据库分析函数详解
Oracle数据库分析函数详解Oracle数据库分析函数详解
Oracle数据库分析函数详解
 
The simplethebeautiful
The simplethebeautifulThe simplethebeautiful
The simplethebeautiful
 

Similar to Percona Live 2012PPT:mysql-security-privileges-and-user-management

Build your own private openstack cloud
Build your own private openstack cloudBuild your own private openstack cloud
Build your own private openstack cloudNUTC, imac
 
Automating everything with PowerShell, Terraform, and AWS
Automating everything with PowerShell, Terraform, and AWSAutomating everything with PowerShell, Terraform, and AWS
Automating everything with PowerShell, Terraform, and AWSChris Brown
 
TrinityCore server install guide
TrinityCore server install guideTrinityCore server install guide
TrinityCore server install guideSeungmin Shin
 
Percona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLPercona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLMarcelo Altmann
 
MySQL server security
MySQL server securityMySQL server security
MySQL server securityDamien Seguy
 
glance replicator
glance replicatorglance replicator
glance replicatoririx_jp
 
Bare-metal and Virtual Provisioning with Razor
Bare-metal and Virtual Provisioning with RazorBare-metal and Virtual Provisioning with Razor
Bare-metal and Virtual Provisioning with RazorKristian Reese
 
Mysql nowwhat
Mysql nowwhatMysql nowwhat
Mysql nowwhatsqlhjalp
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefMatt Ray
 
DB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLDB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLMarcelo Altmann
 
How to install squid proxy on server or how to install squid proxy on centos o
How to install squid proxy on server or how to install squid proxy on centos oHow to install squid proxy on server or how to install squid proxy on centos o
How to install squid proxy on server or how to install squid proxy on centos oProxiesforrent
 
MySQL Audit using Percona audit plugin and ELK
MySQL Audit using Percona audit plugin and ELKMySQL Audit using Percona audit plugin and ELK
MySQL Audit using Percona audit plugin and ELKYoungHeon (Roy) Kim
 
Linux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSLinux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSjoshuasoundcloud
 
Facebook的缓存系统
Facebook的缓存系统Facebook的缓存系统
Facebook的缓存系统yiditushe
 
Service discovery and configuration provisioning
Service discovery and configuration provisioningService discovery and configuration provisioning
Service discovery and configuration provisioningSource Ministry
 
Cutting through the fog of cloud
Cutting through the fog of cloudCutting through the fog of cloud
Cutting through the fog of cloudKyle Rames
 
Linux Desktop Automation
Linux Desktop AutomationLinux Desktop Automation
Linux Desktop AutomationRui Lapa
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Composeraccoony
 
MySQL 5.7 innodb_enhance_partii_20160527
MySQL 5.7 innodb_enhance_partii_20160527MySQL 5.7 innodb_enhance_partii_20160527
MySQL 5.7 innodb_enhance_partii_20160527Saewoong Lee
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
 

Similar to Percona Live 2012PPT:mysql-security-privileges-and-user-management (20)

Build your own private openstack cloud
Build your own private openstack cloudBuild your own private openstack cloud
Build your own private openstack cloud
 
Automating everything with PowerShell, Terraform, and AWS
Automating everything with PowerShell, Terraform, and AWSAutomating everything with PowerShell, Terraform, and AWS
Automating everything with PowerShell, Terraform, and AWS
 
TrinityCore server install guide
TrinityCore server install guideTrinityCore server install guide
TrinityCore server install guide
 
Percona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLPercona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQL
 
MySQL server security
MySQL server securityMySQL server security
MySQL server security
 
glance replicator
glance replicatorglance replicator
glance replicator
 
Bare-metal and Virtual Provisioning with Razor
Bare-metal and Virtual Provisioning with RazorBare-metal and Virtual Provisioning with Razor
Bare-metal and Virtual Provisioning with Razor
 
Mysql nowwhat
Mysql nowwhatMysql nowwhat
Mysql nowwhat
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and Chef
 
DB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLDB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQL
 
How to install squid proxy on server or how to install squid proxy on centos o
How to install squid proxy on server or how to install squid proxy on centos oHow to install squid proxy on server or how to install squid proxy on centos o
How to install squid proxy on server or how to install squid proxy on centos o
 
MySQL Audit using Percona audit plugin and ELK
MySQL Audit using Percona audit plugin and ELKMySQL Audit using Percona audit plugin and ELK
MySQL Audit using Percona audit plugin and ELK
 
Linux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSLinux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPS
 
Facebook的缓存系统
Facebook的缓存系统Facebook的缓存系统
Facebook的缓存系统
 
Service discovery and configuration provisioning
Service discovery and configuration provisioningService discovery and configuration provisioning
Service discovery and configuration provisioning
 
Cutting through the fog of cloud
Cutting through the fog of cloudCutting through the fog of cloud
Cutting through the fog of cloud
 
Linux Desktop Automation
Linux Desktop AutomationLinux Desktop Automation
Linux Desktop Automation
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
 
MySQL 5.7 innodb_enhance_partii_20160527
MySQL 5.7 innodb_enhance_partii_20160527MySQL 5.7 innodb_enhance_partii_20160527
MySQL 5.7 innodb_enhance_partii_20160527
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
 

More from mysqlops

Percona Live 2012PPT: MySQL Cluster And NDB Cluster
Percona Live 2012PPT: MySQL Cluster And NDB ClusterPercona Live 2012PPT: MySQL Cluster And NDB Cluster
Percona Live 2012PPT: MySQL Cluster And NDB Clustermysqlops
 
Percona Live 2012PPT: MySQL Query optimization
Percona Live 2012PPT: MySQL Query optimizationPercona Live 2012PPT: MySQL Query optimization
Percona Live 2012PPT: MySQL Query optimizationmysqlops
 
Pldc2012 innodb architecture and internals
Pldc2012 innodb architecture and internalsPldc2012 innodb architecture and internals
Pldc2012 innodb architecture and internalsmysqlops
 
eBay EDW元数据管理及应用
eBay EDW元数据管理及应用eBay EDW元数据管理及应用
eBay EDW元数据管理及应用mysqlops
 
基于协程的网络开发框架的设计与实现
基于协程的网络开发框架的设计与实现基于协程的网络开发框架的设计与实现
基于协程的网络开发框架的设计与实现mysqlops
 
eBay基于Hadoop平台的用户邮件数据分析
eBay基于Hadoop平台的用户邮件数据分析eBay基于Hadoop平台的用户邮件数据分析
eBay基于Hadoop平台的用户邮件数据分析mysqlops
 
对MySQL DBA的一些思考
对MySQL DBA的一些思考对MySQL DBA的一些思考
对MySQL DBA的一些思考mysqlops
 
腾讯即时聊天IM1.4亿在线背后的故事
腾讯即时聊天IM1.4亿在线背后的故事腾讯即时聊天IM1.4亿在线背后的故事
腾讯即时聊天IM1.4亿在线背后的故事mysqlops
 
分布式存储与TDDL
分布式存储与TDDL分布式存储与TDDL
分布式存储与TDDLmysqlops
 
MySQL数据库生产环境维护
MySQL数据库生产环境维护MySQL数据库生产环境维护
MySQL数据库生产环境维护mysqlops
 
MySQL数据库开发的三十六条军规
MySQL数据库开发的三十六条军规MySQL数据库开发的三十六条军规
MySQL数据库开发的三十六条军规mysqlops
 
Web请求异步处理和海量数据即时分析在淘宝开放平台的实践
Web请求异步处理和海量数据即时分析在淘宝开放平台的实践Web请求异步处理和海量数据即时分析在淘宝开放平台的实践
Web请求异步处理和海量数据即时分析在淘宝开放平台的实践mysqlops
 
新浪微博开放平台Redis实战
新浪微博开放平台Redis实战新浪微博开放平台Redis实战
新浪微博开放平台Redis实战mysqlops
 
MySQL Explain输出详解
MySQL Explain输出详解MySQL Explain输出详解
MySQL Explain输出详解mysqlops
 
MySQL Explain输出详解
MySQL Explain输出详解MySQL Explain输出详解
MySQL Explain输出详解mysqlops
 
如何写有效的Bug报告
如何写有效的Bug报告如何写有效的Bug报告
如何写有效的Bug报告mysqlops
 
如何写有效的Bug报告
如何写有效的Bug报告如何写有效的Bug报告
如何写有效的Bug报告mysqlops
 

More from mysqlops (20)

Percona Live 2012PPT: MySQL Cluster And NDB Cluster
Percona Live 2012PPT: MySQL Cluster And NDB ClusterPercona Live 2012PPT: MySQL Cluster And NDB Cluster
Percona Live 2012PPT: MySQL Cluster And NDB Cluster
 
Percona Live 2012PPT: MySQL Query optimization
Percona Live 2012PPT: MySQL Query optimizationPercona Live 2012PPT: MySQL Query optimization
Percona Live 2012PPT: MySQL Query optimization
 
Pldc2012 innodb architecture and internals
Pldc2012 innodb architecture and internalsPldc2012 innodb architecture and internals
Pldc2012 innodb architecture and internals
 
eBay EDW元数据管理及应用
eBay EDW元数据管理及应用eBay EDW元数据管理及应用
eBay EDW元数据管理及应用
 
基于协程的网络开发框架的设计与实现
基于协程的网络开发框架的设计与实现基于协程的网络开发框架的设计与实现
基于协程的网络开发框架的设计与实现
 
eBay基于Hadoop平台的用户邮件数据分析
eBay基于Hadoop平台的用户邮件数据分析eBay基于Hadoop平台的用户邮件数据分析
eBay基于Hadoop平台的用户邮件数据分析
 
对MySQL DBA的一些思考
对MySQL DBA的一些思考对MySQL DBA的一些思考
对MySQL DBA的一些思考
 
腾讯即时聊天IM1.4亿在线背后的故事
腾讯即时聊天IM1.4亿在线背后的故事腾讯即时聊天IM1.4亿在线背后的故事
腾讯即时聊天IM1.4亿在线背后的故事
 
分布式存储与TDDL
分布式存储与TDDL分布式存储与TDDL
分布式存储与TDDL
 
MySQL数据库生产环境维护
MySQL数据库生产环境维护MySQL数据库生产环境维护
MySQL数据库生产环境维护
 
Memcached
MemcachedMemcached
Memcached
 
DevOPS
DevOPSDevOPS
DevOPS
 
MySQL数据库开发的三十六条军规
MySQL数据库开发的三十六条军规MySQL数据库开发的三十六条军规
MySQL数据库开发的三十六条军规
 
Web请求异步处理和海量数据即时分析在淘宝开放平台的实践
Web请求异步处理和海量数据即时分析在淘宝开放平台的实践Web请求异步处理和海量数据即时分析在淘宝开放平台的实践
Web请求异步处理和海量数据即时分析在淘宝开放平台的实践
 
新浪微博开放平台Redis实战
新浪微博开放平台Redis实战新浪微博开放平台Redis实战
新浪微博开放平台Redis实战
 
MySQL Explain输出详解
MySQL Explain输出详解MySQL Explain输出详解
MySQL Explain输出详解
 
MySQL Explain输出详解
MySQL Explain输出详解MySQL Explain输出详解
MySQL Explain输出详解
 
Cbo100053
Cbo100053Cbo100053
Cbo100053
 
如何写有效的Bug报告
如何写有效的Bug报告如何写有效的Bug报告
如何写有效的Bug报告
 
如何写有效的Bug报告
如何写有效的Bug报告如何写有效的Bug报告
如何写有效的Bug报告
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Percona Live 2012PPT:mysql-security-privileges-and-user-management

  • 1. MySQL Security, Privileges & User Management Kenny Gryp <kenny.gryp@percona.com> Percona Live Washington DC / 2012-01-11
  • 2. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 2
  • 3. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 3
  • 4. Privilege System Users Grants mysql database Resource Limits Default Permissions www.percona.com 4
  • 5. Users Identify users based on: user@host user: username host: hostname/ip of the client that connects different host, different user, different ‘grants’ Examples: ‘fred’@‘localhost’, ‘root’@‘localhost’ ‘lefred’@‘app0001’, ‘kampen’@‘192.168.%’ ‘lekampen’@‘192.168.1__’, ‘fred’@‘app.fq.dn’ Creating A User: >CREATE USER 'lefred'@'app0001'; Drop user: change CREATE into DROP www.percona.com 5
  • 6. Grants Grant the user some kind of privilege Grant ... to: server, column, view, database, trigger, index table, stored procedure, Example: INSERT, SELECT, UPDATE, DELETE SQL Command: >GRANT SELECT ON db.* TO ‘lefred’@‘app0001’; >GRANT INSERT ON *.* TO ‘lefred’@‘app0001’; Revoking privileges: change GRANT into REVOKE www.percona.com 6
  • 7. Table/Column Level Grants Possible: > GRANT SELECT ON db.table TO ‘lefred’@‘app’; > GRANT SELECT (col) ON db.table to ‘fr’@‘app’; Too much columns might make authentication slower www.percona.com 7
  • 8. Password Examples: > SET PASSWORD FOR ‘lefred’@‘app0001’ = PASSWORD(‘pass’); > SELECT PASSWORD('pass')G PASSWORD('pass'): *196BDEDE2AE4F84CA44C47D54D78478C7E2BD7B7 > SET PASSWORD FOR ‘lefred’@‘app0001’ = ‘*196BDEDE2...’; > CREATE USER ‘lefred’@‘app0001’ IDENTIFIED BY ‘pass’; > CREATE USER ‘fred’@‘app’ IDENTIFIED BY PASSWORD ‘*196BDEDE2...’; > GRANT SELECT ON db.* TO ‘fred’@‘app’ IDENTIFIED BY ‘pass’; www.percona.com 8
  • 9. Grants Complete list of grants: CREATE ALTER ROUTINE DROP CREATE ROUTINE GRANT OPTION EXECUTE LOCK TABLES FILE EVENT CREATE USER ALTER PROCESS DELETE PROXY INDEX RELOAD INSERT REPLICATION CLIENT SELECT REPLICATION SLAVE UPDATE SHOW DATABASES CREATE TEMPORARY TABLES SHUTDOWN TRIGGER SUPER CREATE VIEW ALL [PRIVILEGES] SHOW VIEW USAGE www.percona.com 9
  • 10. Grants CREATE ALTER ROUTINE DROP CREATE ROUTINE GRANT OPTION EXECUTE LOCK TABLES FILE EVENT CREATE USER ALTER PROCESS DELETE PROXY INDEX RELOAD INSERT REPLICATION CLIENT SELECT REPLICATION SLAVE UPDATE SHOW DATABASES CREATE TEMPORARY TABLES SHUTDOWN TRIGGER SUPER CREATE VIEW ALL [PRIVILEGES] SHOW VIEW USAGE www.percona.com 10
  • 11. SHOW GRANTS > SHOW GRANTS; +----------------------------------------------------------------+ | Grants for root@localhost | +----------------------------------------------------------------+ | GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY| |PASSWORD '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' WITH GRANT | | OPTION | +----------------------------------------------------------------+ > SHOW GRANTS FOR 'lefred'@'app0001'; +----------------------------------------------+ | Grants for lefred@app0001 | +----------------------------------------------+ | GRANT INSERT ON *.* TO 'lefred'@'app0001' | | GRANT SELECT ON `db`.* TO 'lefred'@'app0001' | +----------------------------------------------+ www.percona.com 11
  • 12. GRANT OPTION User with ‘GRANT OPTION’ can give grants to other users only for the grants he has already www.percona.com 12
  • 13. FILE Read/Write Files with: > SELECT ... INTO OUTFILE > LOAD DATA INFILE ... Are you sure you want to give FILE? Restrict with secure_file_priv=/path/ www.percona.com 13
  • 14. FILE Example: > CREATE TABLE passwd(user varchar(255),pass varchar(255),userid integer,`group` integer,gecos varchar(255),home varchar(255),shell varchar(255)); Query OK, 0 rows affected (0.05 sec) > LOAD DATA INFILE '/etc/passwd' INTO TABLE passwd FIELDS TERMINATED BY ":"; Query OK, 40 rows affected (0.05 sec) > SELECT user, pass, userid, `group`, gecos FROM passwd; +-------------------+------+--------+-------+------------------------------------+ | user | pass | userid | group | gecos | +-------------------+------+--------+-------+------------------------------------+ | root |x | 0| 0 | root | | daemon |x | 1| 1 | daemon | | bin |x | 2| 2 | bin | | sys |x | 3| 3 | sys | | sync |x | 4 | 65534 | sync | | games |x | 5| 60 | games | | man |x | 6| 12 | man | | lp |x | 7| 7 | lp | | mail |x | 8| 8 | mail | | news |x | 9| 9 | news | www.percona.com 14
  • 15. LOAD DATA LOCAL Just like LOAD DATA, but takes a file from the client Must have config on server: local-infile=0 More a security problem on the client: local-infile=0 to [client] recompile library with DENABLED_LOCAL_INFILE=1 www.percona.com 15
  • 16. PROCESS See complete SHOW PROCESSLIST for every user > SHOW GRANTS; +-----------------------------------------------+ | Grants for process@localhost | +-----------------------------------------------+ | GRANT PROCESS ON *.* TO 'process'@'localhost' | +-----------------------------------------------+ >SHOW FULL PROCESSLISTG ... *************************** 3. row *************************** Id: 6163 User: root Host: localhost db: test Command: Query Time: 63 State: Locked Info: insert into passwd values ('lefred','iLikeDim0', null,null,null,null) www.percona.com 16
  • 17. PROCESS And....: > SHOW ENGINE INNODB STATUSG ... ===================================== 120110 21:44:00 INNODB MONITOR OUTPUT ===================================== Per second averages calculated from the last 37 seconds ... ------------ TRANSACTIONS ------------ ... ---TRANSACTION 0, not started, process no 955, OS thread id 140712801937152 mysql tables in use 1, locked 1 MySQL thread id 6163, query id 273 localhost root Table lock insert into passwd values ('lefred','iLikeDim0', null,null,null,null) ... www.percona.com 17
  • 18. RELOAD Reload all kinds of log files, not so bad... But: FLUSH MASTER: remove all binary logs FLUSH SLAVE: remove all slave configuration FLUSH TABLES WITH READ LOCK: lock tables www.percona.com 18
  • 19. REPLICATION CLIENT SHOW MASTER STATUS; SHOW SLAVE STATUSG www.percona.com 19
  • 20. REPLICATION SLAVE Required for slave to fetch binlogs Also gives: SHOW BINLOG EVENTSG ... Log_name: mysql-bin.000001 Pos: 175 Event_type: Query Server_id: 9999 End_log_pos: 312 Info: use `test`; insert into passwd values ('lefred','iLikeDim0', null,null,null,null,null) www.percona.com 20
  • 21. SHUTDOWN # mysqladmin shutdown www.percona.com 21
  • 22. SUPER Known to be given to app users & monitoring users However,it is very powerful: CHANGE MASTER TO, STOP SLAVE, START SLAVE KILL any thread SET GLOBAL ... BINLOG When read_only=on SUPER users can still write Set DEFINER with Stored Procedures/Views to account of choice Have the extra login when max_connections is reached www.percona.com 22
  • 23. ALL Gives ALL privileges possible (on a certain level): > GRANT ALL ON *.* > GRANT ALL ON db.* > GRANT ALL ON db.table ... www.percona.com 23
  • 24. USAGE Gives you the possibility to... login Possible to run: SHOW GLOBAL STATUS; SHOW GLOBAL VARIABLES; Set session buffers/variables (see next chapter) www.percona.com 24
  • 25. mysql Database > SHOW TABLES; | plugin | +---------------------------+ | proc | | Tables_in_mysql | | procs_priv | +---------------------------+ | proxies_priv | | columns_priv | | servers | | db | | slow_log | | event | | tables_priv | | func | | time_zone | | general_log | | time_zone_leap_second | | help_category | | time_zone_name | | help_keyword | | time_zone_transition | | help_relation | | time_zone_transition_type | | help_topic | | user | | host | +---------------------------+ | ndb_binlog_index | 24 rows in set (0.00 sec) www.percona.com 25
  • 26. mysql Database Do not give rights for app or general users DML statements are possible use FLUSH PRIVILEGES to apply www.percona.com 26
  • 27. Resource Limits For every user: max_user_connections >GRANT USAGE ON db.* TO ‘lefred'@'localhost' WITH MAX_QUERIES_PER_HOUR 1000 MAX_UPDATES_PER_HOUR 999 MAX_CONNECTIONS_PER_HOUR 100 MAX_USER_CONNECTIONS 5; FLUSH USER_RESOURCES; Not commonly used www.percona.com 27
  • 28. Default Permissions -- Grants dumped by pt-show-grants -- Dumped from server Localhost via UNIX socket, MySQL 5.5.17-55- log at 2012-01-11 03:36:25 -- Grants for 'root'@'127.0.0.1' GRANT ALL PRIVILEGES ON *.* TO 'root'@'127.0.0.1' WITH GRANT OPTION; -- Grants for 'root'@'desktop' GRANT ALL PRIVILEGES ON *.* TO 'root'@'desktop' WITH GRANT OPTION; -- Grants for 'root'@'localhost' GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION; -- Grants for ‘’@‘localhost’ GRANT USAGE ON *.* TO ‘’@‘localhost’; # mysql_secure_installation Set root password? [Y/n] y Remove anonymous users? [Y/n] y Disallow root login remotely? [Y/n] y Remove test database and access to it? [Y/n] y www.percona.com 28
  • 29. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 29
  • 30. User Management Difficult to manage when having +1 MySQL server How to properly manage all those users? Version Control SecuRich Configuration Management www.percona.com 30
  • 31. Version Control Put all grants in a .txt file and put in VC use pt-show-grants: orders grants, easy to VC generates revoke statements -- Grants dumped by pt-show-grants -- Dumped from server Localhost via UNIX socket, MySQL 5.5.17-55-log at 2012-01-10 23:52:18 -- Grants for 'debian-sys-maint'@'localhost' GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY PASSWORD '*C86BAB1C913CE0D310B662846E830230C51DA954' WITH GRANT OPTION; -- Grants for 'lefred'@'app0001' GRANT INSERT ON *.* TO 'lefred'@'app0001'; GRANT SELECT ON `db`.* TO 'lefred'@'app0001'; -- Grants for 'lefred'@'localhost' GRANT SELECT, SELECT (user) ON `test`.`passwd` TO 'lefred'@'localhost'; GRANT USAGE ON *.* TO 'lefred'@'localhost'; http://www.percona.com/doc/percona-toolkit/2.0/pt-show-grants.html www.percona.com 31
  • 32. SecuRich Tool (scripts/stored procedures) to facilitate user management Has some features MySQL does _not_ have: password expiry block users (even throws out users) password history password complexity checks http://www.securich.com/ www.percona.com 32
  • 33. Configuration Management Use your favorite configuration management tool Puppet example: https://github.com/DavidS/puppet-mysql www.percona.com 33
  • 34. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 34
  • 35. Pluggable Authentication Feature Since MySQL 5.5 New Grant: PROXY: act like a user Percona PAM Plugin: http://www.mysqlperformanceblog.com/2011/12/05/announcing-pam-authentication- plugin-for-mysql-early-access-release/ Oracle PAM Plugin: commercial plugin Clear text password will be sent: use secure connections www.percona.com 35
  • 36. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 36
  • 37. Application Security SQL Injections use mysql_real_escape_string() Use Prepared Statements Use different users in the application (read/write/...) Don’t give app users permissions they should not have (see this presentation) www.percona.com 37
  • 38. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 38
  • 39. Network Security Port protection Traffic encryption DNS www.percona.com 39
  • 40. Port Protection Firewall bind-address=127.0.0.1 No need for network connections (socket only): skip-networking www.percona.com 40
  • 41. Traffic Encryption Problem: # tcpdump -w - -i lo port 3306 | strings ... insert into passwd values ('lefred','dim00tjen', null,null,null,null)H Solution: Built-in SSL Secure Tunnels www.percona.com 41
  • 42. DNS Remember: authentication is user@host MySQL does Reverse DNS Lookup taking over DNS server can change grants Killing DNS server can cause stalls (next to the default dns cache in MySQL or nscd): both security and performance problem use skip-name-resolve www.percona.com 42
  • 43. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 43
  • 44. OS Level Security Security profiles: AppArmor SELinux Chroot start mysqld with --chroot www.percona.com 44
  • 45. Filesystem Encryption LUKS/ecryptfs/...: Disk/File/Directory encryption Protects against ‘disk-stealing’ No protection for user ‘root’ Gazzang ezNcrypt (http://www.gazzang.com) Commercial tool Uses ecryptfs Off-Site Key Management kernel module ACL Only certain binary, with a certain hash can access the encrypted files www.percona.com 45
  • 46. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 46
  • 47. Other MySQL Security Features old-passwords: Insecure 4.1 hashing set secure-auth to avoid skip-symbolic-links max_connect_errors: default=10 Error: Host 'host_name' is blocked FLUSH HOSTS skip-grant-tables: ignore authentication recover lost root password Audit Plugin interface (since 5.5) www.percona.com 47
  • 48. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 48
  • 49. Data Security Functions PASSWORD() Crypt: ENCRYPT()/DECRYPT() AES: AES_ENCRYPT()/AES_DECRYPT() DES: DES_ENCRYPT()/DES_DECRYPT() Hashing: MD5(), SHA2() Statement Based Replication includes the SQL statement in the binary log: Use Row Based Same counts for general/slowlog Maybe encrypt in application www.percona.com 49
  • 50. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 50
  • 51. DoS mysql> show grants; +--------------------------------------+ | Grants for @localhost | +--------------------------------------+ | GRANT USAGE ON *.* TO ''@'localhost' | +--------------------------------------+ 1 row in set (0.00 sec) Disk: mysql> use information_schema; mysql> select a.* FROM CHARACTER_SETS a, CHARACTER_SETS b, -> CHARACTER_SETS c, CHARACTER_SETS d, CHARACTER_SETS e; Memory: mysql> SELECT REPEAT('a', 1024*1024) INTO @a1; Query OK, 1 row affected (0.01 sec) .. mysql> SELECT REPEAT('a', 1024*1024) INTO @a99; Query OK, 1 row affected (0.01 sec) www.percona.com 51
  • 52. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 52
  • 53. PCI Compliance 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security http://en.wikipedia.org/wiki/PCI_DSS www.percona.com 53
  • 54. Security, Privileges & User Management Privilege System User Management Pluggable Authentication Application Security Network Security OS Level Security Other MySQL Security Features Data Security Functions DoS PCI Compliance www.percona.com 54
  • 55. Kenny Gryp <kenny.gryp@percona.com> @gryp We're Hiring! www.percona.com/about-us/careers/