MySQL
Security, Privileges & User Management
Kenny Gryp <kenny.gryp@percona.com>
Percona Live Washington DC / 2012-01-11
Security, Privileges & User Management
Privilege System
User Management
Pluggable Authentication
Application Security
Network Security
OS Level Security
Other MySQL Security Features
Data Security Functions
DoS
PCI Compliance
                                www.percona.com   2
Privilege System
Users
Grants
mysql database
Resource Limits
Default Permissions
Users
Identify users based on: user@host
  user: username
  host: hostname/IP of the client that connects
     a different host means a different account with its own grants
     (wildcards in the host part: % matches any sequence, _ one character)
Examples:
'fred'@'localhost',          'root'@'localhost'
'lefred'@'app0001',          'kampen'@'192.168.%'
'lekampen'@'192.168.1__',    'fred'@'app.fq.dn'
Creating a user:
> CREATE USER 'lefred'@'app0001';
Dropping a user: change CREATE into DROP
Grants
Give the user a privilege at a certain level:
   global (*.*),   database,   table,   column,
   stored procedure/function,
   plus object privileges such as CREATE VIEW, TRIGGER and INDEX
Example privileges: INSERT, SELECT, UPDATE, DELETE
SQL command:
> GRANT SELECT ON db.* TO 'lefred'@'app0001';
> GRANT INSERT ON *.* TO 'lefred'@'app0001';
Revoking privileges: change GRANT into REVOKE
Table/Column Level Grants
Possible:
> GRANT SELECT ON db.table TO 'lefred'@'app';
> GRANT SELECT (col) ON db.table TO 'fr'@'app';
Many column-level grants make privilege checking slower: the column
privileges are evaluated for every statement that touches the table
Password
Examples:
> SET PASSWORD FOR 'lefred'@'app0001' = PASSWORD('pass');
> SELECT PASSWORD('pass')\G
PASSWORD('pass'):
*196BDEDE2AE4F84CA44C47D54D78478C7E2BD7B7
> SET PASSWORD FOR 'lefred'@'app0001' = '*196BDEDE2...';
> CREATE USER 'lefred'@'app0001' IDENTIFIED BY 'pass';
> CREATE USER 'fred'@'app' IDENTIFIED BY PASSWORD '*196BDEDE2...';
> GRANT SELECT ON db.* TO 'fred'@'app' IDENTIFIED BY 'pass';
Note: the hash is unsalted SHA1(SHA1(password)), so two accounts with the
same password get the same hash, and statements containing a clear-text
password end up in ~/.mysql_history and the general log. PASSWORD() and
IDENTIFIED BY PASSWORD are deprecated in 5.7 and gone in 8.0.
Grants
  Complete list of grants:
CREATE                       ALTER ROUTINE
DROP                         CREATE ROUTINE
GRANT OPTION                 EXECUTE
LOCK TABLES                  FILE
EVENT                        CREATE USER
ALTER                        PROCESS
DELETE                       PROXY
INDEX                        RELOAD
INSERT                       REPLICATION CLIENT
SELECT                       REPLICATION SLAVE
UPDATE                       SHOW DATABASES
CREATE TEMPORARY TABLES      SHUTDOWN
TRIGGER                      SUPER
CREATE VIEW                  ALL [PRIVILEGES]
SHOW VIEW                    USAGE
SHOW GRANTS
> SHOW GRANTS\G
*************************** 1. row ***************************
Grants for root@localhost: GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' WITH GRANT OPTION

> SHOW GRANTS FOR 'lefred'@'app0001';
+----------------------------------------------+
| Grants for lefred@app0001                    |
+----------------------------------------------+
| GRANT INSERT ON *.* TO 'lefred'@'app0001'    |
| GRANT SELECT ON `db`.* TO 'lefred'@'app0001' |
+----------------------------------------------+
GRANT OPTION
A user WITH GRANT OPTION can grant privileges to other users,
but only privileges they hold themselves, at that level or below
FILE
Read/write files on the server with:
> SELECT ... INTO OUTFILE
> LOAD DATA INFILE ...
Any file the mysqld OS user can read (/etc/passwd, see next slide) or
write: are you sure you want to give FILE?
Restrict with secure_file_priv=/path/ (both directions confined to that
directory; an empty value means no restriction)
FILE
Example:
> CREATE TABLE passwd(user varchar(255),pass varchar(255),userid
integer,`group` integer,gecos varchar(255),home varchar(255),shell
varchar(255));
Query OK, 0 rows affected (0.05 sec)
> LOAD DATA INFILE '/etc/passwd' INTO TABLE passwd FIELDS
TERMINATED BY ":";
Query OK, 40 rows affected (0.05 sec)
> SELECT user, pass, userid, `group`, gecos FROM passwd;
+-------------------+------+--------+-------+------------------------------------+
| user              | pass | userid | group | gecos                              |
+-------------------+------+--------+-------+------------------------------------+
| root              |x     |      0|      0 | root                               |
| daemon            |x     |      1|      1 | daemon                             |
| bin               |x     |      2|      2 | bin                                |
| sys               |x     |      3|      3 | sys                                |
| sync              |x     |      4 | 65534 | sync                               |
| games             |x     |      5|     60 | games                              |
| man               |x     |      6|     12 | man                                |
| lp                |x     |      7|      7 | lp                                 |
| mail              |x     |      8|      8 | mail                               |
| news              |x     |      9|      9 | news                               |
LOAD DATA LOCAL
Just like LOAD DATA, but the file is read on the client and sent to the server
Disable on the server: local-infile=0
More a security problem on the client: a malicious or compromised server
can ask the client library for any file the client user can read
  local-infile=0 in the [client] section
  or build the client library with LOCAL disabled (cmake -DENABLED_LOCAL_INFILE=0)
PROCESS
Shows every user's threads in SHOW FULL PROCESSLIST, including the complete
query text, so a monitoring account with PROCESS gets to see this:
> SHOW GRANTS;
+-----------------------------------------------+
| Grants for process@localhost                  |
+-----------------------------------------------+
| GRANT PROCESS ON *.* TO 'process'@'localhost' |
+-----------------------------------------------+
> SHOW FULL PROCESSLIST\G
...
*************************** 3. row ***************************
     Id: 6163
   User: root
   Host: localhost
     db: test
Command: Query
   Time: 63
  State: Locked
   Info: insert into passwd values ('lefred','iLikeDim0',
null,null,null,null)
PROCESS
And the same query text shows up in SHOW ENGINE INNODB STATUS:
> SHOW ENGINE INNODB STATUS\G
...
=====================================
120110 21:44:00 INNODB MONITOR OUTPUT
=====================================
Per second averages calculated from the last 37 seconds
...
------------
TRANSACTIONS
------------
...
---TRANSACTION 0, not started, process no 955, OS thread id 140712801937152
mysql tables in use 1, locked 1
MySQL thread id 6163, query id 273 localhost root Table lock
insert into passwd values ('lefred','iLikeDim0',
null,null,null,null)
...
RELOAD
FLUSH LOGS, FLUSH TABLES, FLUSH PRIVILEGES: not so bad...
But it also allows:
  FLUSH MASTER (= RESET MASTER): deletes all binary logs
  FLUSH SLAVE (= RESET SLAVE): deletes the slave configuration
  FLUSH TABLES WITH READ LOCK: blocks all writes on the whole server
REPLICATION CLIENT
Allows:
SHOW MASTER STATUS;
SHOW SLAVE STATUS\G  (shows master host and replication user name)
REPLICATION SLAVE
Required for a slave to fetch binlogs from the master
Also gives every statement in the binary log, sensitive values included:
SHOW BINLOG EVENTS\G
...
    Log_name: mysql-bin.000001
         Pos: 175
  Event_type: Query
   Server_id: 9999
 End_log_pos: 312
        Info: use `test`; insert into passwd
values ('lefred','iLikeDim0',
null,null,null,null,null)
SHUTDOWN
Lets the account stop the server:
# mysqladmin shutdown
SUPER
Often handed to application and monitoring accounts,
but it is very powerful:
  CHANGE MASTER TO, STOP SLAVE, START SLAVE
  KILL any thread
  SET GLOBAL ... (any server variable, e.g. switch read_only off)
  BINLOG (inject binary log events)
  When read_only=ON, SUPER users can still write
  Set the DEFINER of stored procedures/views to any account, so the
  code runs with that account's privileges
  Get the one extra connection reserved when max_connections is reached
ALL
Gives ALL privileges possible (on a certain level):
> GRANT ALL ON *.*
> GRANT ALL ON db.*
> GRANT ALL ON db.table
...
USAGE
Grants nothing but the ability to... log in
Still possible to run:
  SHOW GLOBAL STATUS;
  SHOW GLOBAL VARIABLES;
  Set session buffers/variables (see the DoS chapter)
mysql Database
> SHOW TABLES;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| ndb_binlog_index          |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| servers                   |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
24 rows in set (0.00 sec)
mysql Database
Do not give app or general users any rights on it
DML on the grant tables works (e.g. INSERT INTO mysql.user), bypassing
CREATE USER/GRANT entirely
  use FLUSH PRIVILEGES to apply such changes
Resource Limits
Per account (next to the global max_user_connections):
> GRANT USAGE ON db.* TO 'lefred'@'localhost'
  WITH MAX_QUERIES_PER_HOUR 1000
       MAX_UPDATES_PER_HOUR 999
       MAX_CONNECTIONS_PER_HOUR 100
       MAX_USER_CONNECTIONS 5;
FLUSH USER_RESOURCES; resets the hourly counters
Not commonly used
Default Permissions
A fresh install: root accounts without a password, plus an anonymous account
-- Grants dumped by pt-show-grants
-- Dumped from server Localhost via UNIX socket, MySQL 5.5.17-55-log at 2012-01-11 03:36:25
-- Grants for 'root'@'127.0.0.1'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'127.0.0.1' WITH GRANT OPTION;
-- Grants for 'root'@'desktop'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'desktop' WITH GRANT OPTION;
-- Grants for 'root'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;
-- Grants for ''@'localhost'
GRANT USAGE ON *.* TO ''@'localhost';

Fix it right after installing:
# mysql_secure_installation
Set root password? [Y/n] y
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
User Management
Hard to manage once you have more than one MySQL server
How to properly manage all those users?
  Version Control
  SecuRich
  Configuration Management
Version Control
 Put all grants in a text file and keep it under version control
 Use pt-show-grants:
    orders the grants consistently, so diffs are meaningful
    can generate the matching REVOKE statements
    -- Grants dumped by pt-show-grants
    -- Dumped from server Localhost via UNIX socket, MySQL 5.5.17-55-log at 2012-01-10 23:52:18
    -- Grants for 'debian-sys-maint'@'localhost'
    GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY PASSWORD '*C86BAB1C913CE0D310B662846E830230C51DA954' WITH GRANT OPTION;
    -- Grants for 'lefred'@'app0001'
    GRANT INSERT ON *.* TO 'lefred'@'app0001';
    GRANT SELECT ON `db`.* TO 'lefred'@'app0001';
    -- Grants for 'lefred'@'localhost'
    GRANT SELECT, SELECT (user) ON `test`.`passwd` TO 'lefred'@'localhost';
    GRANT USAGE ON *.* TO 'lefred'@'localhost';
http://www.percona.com/doc/percona-toolkit/2.0/pt-show-grants.html
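A dump in this format is also the natural input for an automated review. The script below is an added example, not part of Percona Toolkit or of this deck: it parses pt-show-grants output and flags the patterns the privilege slides warn about (anonymous accounts, '%' hosts, FILE/PROCESS/SUPER and friends on *.*, DML on *.* which includes the mysql schema, WITH GRANT OPTION, and pre-4.1 16-character hashes). The sample dump, its hashes and the 'root' exemption are constructed assumptions.

```python
"""Flag risky accounts in a pt-show-grants / SHOW GRANTS dump.

Added example for this page, not code from Percona Toolkit or the slides.
Assumes the statement layout pt-show-grants prints: '--' comment lines, then
GRANT ... TO 'user'@'host' [IDENTIFIED BY PASSWORD '...'] [WITH GRANT OPTION];
statements, possibly wrapped over several lines.
"""
import re
from typing import Dict, List

# Global privileges the deck singles out (FILE, PROCESS, RELOAD, SUPER, ...).
DANGEROUS_GLOBAL = {
    "SUPER", "FILE", "PROCESS", "RELOAD", "SHUTDOWN", "CREATE USER",
    "REPLICATION SLAVE", "ALL PRIVILEGES",
}
# DML on *.* includes the mysql schema: INSERT/UPDATE on mysql.user is a
# privilege escalation as soon as FLUSH PRIVILEGES (or a restart) happens.
GLOBAL_DML = {"INSERT", "UPDATE", "DELETE"}
# Assumption: the DBA account may legitimately hold ALL ... WITH GRANT OPTION.
EXEMPT_USERS = {"root"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"(?:\s+IDENTIFIED\s+BY\s+PASSWORD\s+'(?P<hash>[^']*)')?"
    r"(?P<grantopt>\s+WITH\s+GRANT\s+OPTION)?$",
    re.IGNORECASE,
)


def statements(dump: str) -> List[str]:
    """Drop '--' comment lines, re-join wrapped lines, split on ';'."""
    lines = [line.strip() for line in dump.splitlines()]
    body = " ".join(line for line in lines if line and not line.startswith("--"))
    return [s.strip() for s in body.split(";") if s.strip()]


def privileges(raw: str) -> List[str]:
    """'SELECT, SELECT (user)' -> ['SELECT', 'SELECT']; column lists are irrelevant here."""
    return [re.sub(r"\s*\([^)]*\)", "", p).strip().upper() for p in raw.split(",")]


def audit(dump: str) -> Dict[str, List[str]]:
    """Return {account: [finding, ...]} for every account with at least one finding."""
    findings: Dict[str, List[str]] = {}
    for stmt in statements(dump):
        m = GRANT_RE.match(stmt)
        if not m:
            findings.setdefault("<unparsed>", []).append(stmt)
            continue
        account = f"'{m['user']}'@'{m['host']}'"
        notes = findings.setdefault(account, [])

        def add(note: str) -> None:  # one finding per account, no repeats
            if note not in notes:
                notes.append(note)

        privs = set(privileges(m["privs"]))
        if m["user"] == "":
            add("anonymous account")
        if m["host"] == "%":
            add("reachable from any host")
        if m["scope"] == "*.*":
            for p in sorted(privs & DANGEROUS_GLOBAL):
                if p == "ALL PRIVILEGES" and m["user"] in EXEMPT_USERS:
                    continue
                add(f"{p} on *.*")
            for p in sorted(privs & GLOBAL_DML):
                add(f"{p} on *.* (includes the mysql schema)")
        if m["grantopt"] and m["user"] not in EXEMPT_USERS:
            add("WITH GRANT OPTION")
        h = m["hash"]
        if h and not (h.startswith("*") and len(h) == 41):
            add("pre-4.1 16-character password hash (old_passwords)")
    return {a: n for a, n in findings.items() if n}


# Constructed sample in pt-show-grants format; both hashes are made up.
SAMPLE_DUMP = """\
-- Grants dumped by pt-show-grants (constructed sample)
-- Grants for ''@'localhost'
GRANT USAGE ON *.* TO ''@'localhost';
-- Grants for 'app'@'%'
GRANT SUPER, FILE ON *.* TO 'app'@'%' IDENTIFIED BY PASSWORD '0123456789abcdef';
GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'app'@'%';
-- Grants for 'lefred'@'app0001'
GRANT INSERT ON *.* TO 'lefred'@'app0001';
GRANT SELECT ON `db`.* TO 'lefred'@'app0001';
-- Grants for 'monitor'@'localhost'
GRANT PROCESS, REPLICATION CLIENT ON *.* TO 'monitor'@'localhost'
  IDENTIFIED BY PASSWORD '*ABCDEF0123456789ABCDEF0123456789ABCDEF01';
-- Grants for 'root'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;
"""

if __name__ == "__main__":
    for account, notes in audit(SAMPLE_DUMP).items():
        print(account)
        for note in notes:
            print("   ", note)
```

Against a real server, feed it `audit(open("grants.sql").read())` where grants.sql is the pt-show-grants dump you already keep in version control; anything that lands under "<unparsed>" is a statement shape the regular expression does not know (for instance resource-limit clauses) and should be reviewed by hand.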
SecuRich
 Tool (scripts and stored procedures) to facilitate user management
 Has some features MySQL itself does _not_ have:
     password expiry
     blocking users (and kicking out their active sessions)
     password history
     password complexity checks
http://www.securich.com/
Configuration Management
Use your favorite configuration management tool
Puppet example:
https://github.com/DavidS/puppet-mysql
Pluggable Authentication
Feature since MySQL 5.5
New privilege PROXY: an externally authenticated login acts as (gets the
grants of) another MySQL account
Percona PAM Plugin:
  http://www.mysqlperformanceblog.com/2011/12/05/announcing-pam-authentication-plugin-for-mysql-early-access-release/
Oracle PAM Plugin: commercial plugin
PAM needs the clear-text password from the client (mysql_clear_password
client plugin), so only use it over SSL or another secure connection
Application Security
SQL injection
  Use prepared statements (parameterized queries) wherever possible
  mysql_real_escape_string() only when a value must be inlined, and only
  inside a quoted literal (it does nothing for a bare number)
Use different users in the application (read-only, read/write, ...)
Don't give app users permissions they should not have (see this presentation)
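The difference between the two approaches, as an added example that is not part of the slides: the same login function built by string formatting and built with a parameterized statement, fed the same attacker input. It uses Python's bundled sqlite3 so it runs offline; with a MySQL DB-API driver the placeholder is %s instead of ? and the injection behaves identically. The table contents and the payload are constructed.

```python
"""String-built query next to a parameterized one, given the same input.

Added example, not from the slides. Python's bundled sqlite3 is used so the
code runs offline; the injection mechanics are the same for MySQL.
"""
import sqlite3


def setup() -> sqlite3.Connection:
    """In-memory table with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (name TEXT, pass TEXT);"
        "INSERT INTO users VALUES ('lefred', 'iLikeDim0'), ('kampen', 's3cret');"
    )
    return db


def login_vulnerable(db: sqlite3.Connection, name: str, password: str) -> bool:
    # Untrusted input is pasted into the SQL text, so a quote in it becomes syntax.
    sql = "SELECT 1 FROM users WHERE name = '%s' AND pass = '%s'" % (name, password)
    return db.execute(sql).fetchone() is not None


def login_safe(db: sqlite3.Connection, name: str, password: str) -> bool:
    # Prepared statement: the values travel separately from the SQL text and are
    # only ever compared, never parsed.
    sql = "SELECT 1 FROM users WHERE name = ? AND pass = ?"
    return db.execute(sql, (name, password)).fetchone() is not None


# Constructed payload: closes the pass literal and appends an always-true clause,
# turning the WHERE into  name = 'lefred' AND pass = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = setup()
    print("vulnerable, wrong password:", login_vulnerable(db, "lefred", "nope"))   # False
    print("vulnerable, payload:       ", login_vulnerable(db, "lefred", PAYLOAD))  # True
    print("safe, payload:             ", login_safe(db, "lefred", PAYLOAD))        # False
    print("safe, real password:       ", login_safe(db, "lefred", "iLikeDim0"))    # True
```

The vulnerable version accepts the payload for any user name because the OR clause is evaluated by the SQL parser; the safe version compares the whole payload string against the pass column and fails. Escaping would have blocked this particular payload, but not one aimed at an unquoted numeric column, which is why prepared statements are the default choice.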
Network Security
Port protection
Traffic encryption
DNS
Port Protection
Firewall: only application hosts may reach port 3306
bind-address=127.0.0.1 (listen on loopback only)
No need for network connections at all (socket only):
skip-networking
Traffic Encryption
Problem: the protocol is clear text, every query and result is readable on the wire
# tcpdump -w - -i lo port 3306 | strings
...
insert into passwd values
('lefred','dim00tjen', null,null,null,null)
Solution:
  Built-in SSL (ssl-ca/ssl-cert/ssl-key on the server, REQUIRE SSL on the account)
  Secure tunnels (SSH, stunnel, VPN)
DNS
Remember: authentication is user@host
MySQL does a reverse DNS lookup on the client IP to match host names
  whoever controls the DNS server can make a client match another
  account's grants
  an unreachable DNS server stalls every new connection (even with the
  host cache in MySQL or nscd): both a security and a performance problem
  use skip-name-resolve (and IP addresses or IP wildcards in the host part)
OS Level Security
Security profiles:
  AppArmor
  SELinux
Chroot
  start mysqld with --chroot
Filesystem Encryption
LUKS/ecryptfs/...:
  Disk/File/Directory encryption
  Protects against 'disk-stealing' (lost disks, backups, decommissioned hardware)
  No protection against the OS 'root' user while the filesystem is mounted
Gazzang ezNcrypt (http://www.gazzang.com)
  Commercial tool
  Uses ecryptfs
  Off-site key management
  Kernel module with ACLs:
  only a certain binary, with a certain hash, can access the encrypted files
Other MySQL Security Features
old-passwords: pre-4.1 16-character hashes, trivially weak
  set secure-auth so the server refuses accounts that still use them
skip-symbolic-links: no symlinked MyISAM table files (DATA/INDEX DIRECTORY)
max_connect_errors:
  default=10 interrupted connections from one host, then
  Error: Host 'host_name' is blocked
  FLUSH HOSTS to unblock
skip-grant-tables:
  ignores authentication completely: anyone who connects is a superuser
  only for recovering a lost root password, combined with skip-networking
Audit plugin interface (since 5.5)
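The server-side settings from the Port Protection, DNS and Other MySQL Security Features slides can be checked mechanically. The script below is an added example, not from the slides or any Percona tool: it reads the [mysqld] section of a my.cnf and reports which of those settings are missing or weak. Assumptions: the file is plain INI without !include directives, a bare option such as skip-name-resolve means "enabled", and an absent option takes the MySQL 5.5 defaults (listen on all interfaces, local-infile on, secure-auth off). Both sample configs are constructed.

```python
"""Check the [mysqld] section of a my.cnf for the hardening this deck recommends.

Added example, not from the slides or any Percona tool. Assumes plain INI
(no !include/!includedir), bare options mean 'enabled', and 5.5 defaults
for anything absent.
"""
import configparser
from typing import Dict, List

FALSE_VALUES = {"0", "OFF", "FALSE"}


def parse_mysqld(text: str) -> Dict[str, str]:
    """Return [mysqld] options with '-' normalised to '_' (MySQL treats them alike)."""
    cp = configparser.ConfigParser(
        allow_no_value=True, strict=False, interpolation=None,
        inline_comment_prefixes=("#",),
    )
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "").strip().strip('"') for k, v in cp.items("mysqld")}


def enabled(opts: Dict[str, str], name: str) -> bool:
    """skip-name-resolve, skip_name_resolve=1 and =ON all count as enabled."""
    return name in opts and opts[name].upper() not in FALSE_VALUES


def check_mysqld(opts: Dict[str, str]) -> List[str]:
    """One human-readable issue per weak or missing setting."""
    issues: List[str] = []
    if (not enabled(opts, "skip_networking")
            and opts.get("bind_address", "0.0.0.0") in ("0.0.0.0", "::", "*")):
        issues.append("listens on all interfaces: set bind-address=127.0.0.1 or skip-networking")
    if opts.get("local_infile", "1").upper() not in FALSE_VALUES:
        issues.append("LOAD DATA LOCAL accepted: set local-infile=0")
    if not enabled(opts, "skip_name_resolve"):
        issues.append("user@host matching depends on reverse DNS: set skip-name-resolve")
    if not opts.get("secure_file_priv"):
        issues.append("FILE can read/write anywhere mysqld can: set secure_file_priv=/path/")
    if enabled(opts, "old_passwords") or not enabled(opts, "secure_auth"):
        issues.append("pre-4.1 password hashes accepted: set secure-auth, drop old-passwords")
    if not enabled(opts, "skip_symbolic_links"):
        issues.append("symlinked tables allowed: set skip-symbolic-links")
    if enabled(opts, "skip_grant_tables"):
        issues.append("skip-grant-tables: every client is a superuser (recovery only, with skip-networking)")
    return issues


# Constructed samples: a permissive 5.5-era config and a hardened one.
WEAK_CNF = """\
[mysqld]
datadir       = /var/lib/mysql
bind-address  = 0.0.0.0
local-infile  = 1
old_passwords = 1

[client]
socket = /var/run/mysqld/mysqld.sock
"""

HARDENED_CNF = """\
[mysqld]
datadir          = /var/lib/mysql
bind-address     = 127.0.0.1
local-infile     = 0
secure-file-priv = /var/lib/mysql-files   # FILE confined to this directory
skip-name-resolve
skip-symbolic-links
secure-auth
"""

if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        issues = check_mysqld(parse_mysqld(cnf))
        print(f"{label}: {len(issues)} issue(s)")
        for issue in issues:
            print("   ", issue)
```

Point it at a real file with `check_mysqld(parse_mysqld(open("/etc/my.cnf").read()))`; since MySQL merges several files and command-line options, the authoritative check is still `SHOW GLOBAL VARIABLES` on the running server, but the file check catches drift before a restart.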
Data Security Functions
PASSWORD(): unsalted hash meant for mysql.user only
Crypt: ENCRYPT() (one-way Unix crypt(), no decrypt); ENCODE()/DECODE() (weak)
AES: AES_ENCRYPT()/AES_DECRYPT() (AES-128 in ECB mode)
DES: DES_ENCRYPT()/DES_DECRYPT() (obsolete)
Hashing: MD5(), SHA2() (unsalted)
Caveat: keys and plaintext travel inside the SQL text, so
  Statement Based Replication writes them to the binary log: use Row Based
  Same counts for the general/slow log (and the processlist, see PROCESS)
Maybe better: encrypt in the application
DoS
Even an account with nothing but USAGE can hurt the server:
mysql> show grants;
+--------------------------------------+
| Grants for @localhost                |
+--------------------------------------+
| GRANT USAGE ON *.* TO ''@'localhost' |
+--------------------------------------+
1 row in set (0.00 sec)
Disk: a five-way cartesian join of one table fills tmpdir with a huge
temporary table
mysql> use information_schema;
mysql> select a.* FROM CHARACTER_SETS a, CHARACTER_SETS b,
    -> CHARACTER_SETS c, CHARACTER_SETS d, CHARACTER_SETS e;
Memory: user variables live per connection, each up to max_allowed_packet
mysql> SELECT REPEAT('a', 1024*1024) INTO @a1;
Query OK, 1 row affected (0.01 sec)
..
mysql> SELECT REPEAT('a', 1024*1024) INTO @a99;
Query OK, 1 row affected (0.01 sec)
Mitigations: no anonymous users, per-account resource limits (see Resource
Limits), max_join_size
PCI Compliance
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other
security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software on all systems commonly
affected by malware
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder
data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
http://en.wikipedia.org/wiki/PCI_DSS
Kenny Gryp <kenny.gryp@percona.com>
@gryp

We're Hiring!
www.percona.com/about-us/careers/
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 

Percona Live 2012 PPT: mysql-security-privileges-and-user-management

  • 1. MySQL Security, Privileges & User Management
    Kenny Gryp <kenny.gryp@percona.com>
    Percona Live Washington DC / 2012-01-11
  • 2. Security, Privileges & User Management (agenda)
    Privilege System
    User Management
    Pluggable Authentication
    Application Security
    Network Security
    OS Level Security
    Other MySQL Security Features
    Data Security Functions
    DoS
    PCI Compliance
    www.percona.com
  • 3. Security, Privileges & User Management (section divider; agenda as on slide 2)
  • 4. Privilege System
    Users
    Grants
    mysql database
    Resource Limits
    Default Permissions
  • 5. Users
    Identify users based on: user@host
      user: username
      host: hostname/IP of the client that connects
        different host, different user, different 'grants'
    Examples:
      'fred'@'localhost', 'root'@'localhost'
      'lefred'@'app0001', 'kampen'@'192.168.%'
      'lekampen'@'192.168.1__', 'fred'@'app.fq.dn'
    Creating a user:
      > CREATE USER 'lefred'@'app0001';
    Drop user: change CREATE into DROP
  • 6. Grants
    Grant the user some kind of privilege
    Grant ... to: server, database, table, column, trigger, stored procedure, view, index
    Example: INSERT, SELECT, UPDATE, DELETE
    SQL command:
      > GRANT SELECT ON db.* TO 'lefred'@'app0001';
      > GRANT INSERT ON *.* TO 'lefred'@'app0001';
    Revoking privileges: change GRANT into REVOKE
  • 7. Table/Column Level Grants
    Possible:
      > GRANT SELECT ON db.table TO 'lefred'@'app';
      > GRANT SELECT (col) ON db.table TO 'fr'@'app';
    Too many column-level grants might make authentication slower
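The following is an added example, not code from the slides: it puts slides 5 to 7 together into one least-privilege setup with a read-only and a read/write application account, each restricted to the application network. The schema `shop`, its tables, the account names and the `10.0.1.%` host pattern are assumptions; the tables must already exist before the table- and column-level grants are issued.

```sql
-- Added example (not from the slides): separate read-only and write
-- accounts for one application, scoped to the application hosts.
-- shop, its tables, app_ro, app_rw and 10.0.1.% are constructed names.
CREATE USER 'app_ro'@'10.0.1.%' IDENTIFIED BY 'ro-password-placeholder';
CREATE USER 'app_rw'@'10.0.1.%' IDENTIFIED BY 'rw-password-placeholder';

-- Reporting account: read everything in the application schema, nothing else.
GRANT SELECT ON shop.* TO 'app_ro'@'10.0.1.%';

-- Write account: DML on the tables it owns, no DDL, nothing on *.* .
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.orders TO 'app_rw'@'10.0.1.%';
GRANT SELECT, INSERT ON shop.audit_log TO 'app_rw'@'10.0.1.%';

-- Column-level grant: the customer table exposes only non-sensitive columns
-- to the reporting account (slide 7).
GRANT SELECT (id, email) ON shop.customers TO 'app_ro'@'10.0.1.%';

-- Verify: neither account should show a GRANT ... ON *.* line other than USAGE.
SHOW GRANTS FOR 'app_ro'@'10.0.1.%';
SHOW GRANTS FOR 'app_rw'@'10.0.1.%';

-- Taking a privilege back: REVOKE mirrors GRANT, at the same level.
REVOKE DELETE ON shop.orders FROM 'app_rw'@'10.0.1.%';

-- Retiring an account: the same user from a different host is a different
-- account, so every user@host pair has to be dropped on its own.
DROP USER 'app_rw'@'10.0.1.%';
```

Because privileges are keyed on user@host, the same `app_ro` name connecting from a host outside `10.0.1.%` simply fails authentication; there is no need for a second account to deny it.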
  • 8. Password
    Examples:
      > SET PASSWORD FOR 'lefred'@'app0001' = PASSWORD('pass');
      > SELECT PASSWORD('pass')\G
      PASSWORD('pass'): *196BDEDE2AE4F84CA44C47D54D78478C7E2BD7B7
      > SET PASSWORD FOR 'lefred'@'app0001' = '*196BDEDE2...';
      > CREATE USER 'lefred'@'app0001' IDENTIFIED BY 'pass';
      > CREATE USER 'fred'@'app' IDENTIFIED BY PASSWORD '*196BDEDE2...';
      > GRANT SELECT ON db.* TO 'fred'@'app' IDENTIFIED BY 'pass';
  • 9. Grants
    Complete list of grants:
      CREATE
      DROP
      GRANT OPTION
      LOCK TABLES
      EVENT
      ALTER
      DELETE
      INDEX
      INSERT
      SELECT
      UPDATE
      CREATE TEMPORARY TABLES
      TRIGGER
      CREATE VIEW
      SHOW VIEW
      ALTER ROUTINE
      CREATE ROUTINE
      EXECUTE
      FILE
      CREATE USER
      PROCESS
      PROXY
      RELOAD
      REPLICATION CLIENT
      REPLICATION SLAVE
      SHOW DATABASES
      SHUTDOWN
      SUPER
      ALL [PRIVILEGES]
      USAGE
  • 10. Grants (the same list as on slide 9)
  • 11. SHOW GRANTS
    > SHOW GRANTS;
    +----------------------------------------------------------------+
    | Grants for root@localhost                                      |
    +----------------------------------------------------------------+
    | GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' WITH GRANT OPTION |
    +----------------------------------------------------------------+
    > SHOW GRANTS FOR 'lefred'@'app0001';
    +----------------------------------------------+
    | Grants for lefred@app0001                    |
    +----------------------------------------------+
    | GRANT INSERT ON *.* TO 'lefred'@'app0001'    |
    | GRANT SELECT ON `db`.* TO 'lefred'@'app0001' |
    +----------------------------------------------+
  • 12. GRANT OPTION
    A user with GRANT OPTION can give grants to other users, but only the grants he already holds himself
  • 13. FILE
    Read/write files with:
      > SELECT ... INTO OUTFILE
      > LOAD DATA INFILE ...
    Are you sure you want to give FILE?
    Restrict with secure_file_priv=/path/
  • 14. FILE
    Example:
      > CREATE TABLE passwd(user varchar(255), pass varchar(255), userid integer, `group` integer, gecos varchar(255), home varchar(255), shell varchar(255));
      Query OK, 0 rows affected (0.05 sec)
      > LOAD DATA INFILE '/etc/passwd' INTO TABLE passwd FIELDS TERMINATED BY ":";
      Query OK, 40 rows affected (0.05 sec)
      > SELECT user, pass, userid, `group`, gecos FROM passwd;
      +--------+------+--------+-------+--------+
      | user   | pass | userid | group | gecos  |
      +--------+------+--------+-------+--------+
      | root   | x    |      0 |     0 | root   |
      | daemon | x    |      1 |     1 | daemon |
      | bin    | x    |      2 |     2 | bin    |
      | sys    | x    |      3 |     3 | sys    |
      | sync   | x    |      4 | 65534 | sync   |
      | games  | x    |      5 |    60 | games  |
      | man    | x    |      6 |    12 | man    |
      | lp     | x    |      7 |     7 | lp     |
      | mail   | x    |      8 |     8 | mail   |
      | news   | x    |      9 |     9 | news   |
  • 15. LOAD DATA LOCAL
    Just like LOAD DATA, but takes a file from the client
    Must have config on server: local-infile=0
    More a security problem on the client:
      local-infile=0 in [client]
      recompile the library with -DENABLED_LOCAL_INFILE=1
  • 16. PROCESS
    See the complete SHOW PROCESSLIST for every user
    > SHOW GRANTS;
    +-----------------------------------------------+
    | Grants for process@localhost                  |
    +-----------------------------------------------+
    | GRANT PROCESS ON *.* TO 'process'@'localhost' |
    +-----------------------------------------------+
    > SHOW FULL PROCESSLIST\G
    ...
    *************************** 3. row ***************************
         Id: 6163
       User: root
       Host: localhost
         db: test
    Command: Query
       Time: 63
      State: Locked
       Info: insert into passwd values ('lefred','iLikeDim0', null,null,null,null)
  • 17. PROCESS
    And...:
    > SHOW ENGINE INNODB STATUS\G
    ...
    =====================================
    120110 21:44:00 INNODB MONITOR OUTPUT
    =====================================
    Per second averages calculated from the last 37 seconds
    ...
    ------------
    TRANSACTIONS
    ------------
    ...
    ---TRANSACTION 0, not started, process no 955, OS thread id 140712801937152
    mysql tables in use 1, locked 1
    MySQL thread id 6163, query id 273 localhost root Table lock
    insert into passwd values ('lefred','iLikeDim0', null,null,null,null)
    ...
  • 18. RELOAD
    Reload all kinds of log files, not so bad...
    But:
      FLUSH MASTER: remove all binary logs
      FLUSH SLAVE: remove all slave configuration
      FLUSH TABLES WITH READ LOCK: lock tables
  • 19. REPLICATION CLIENT
    SHOW MASTER STATUS;
    SHOW SLAVE STATUS\G
  • 20. REPLICATION SLAVE
    Required for a slave to fetch binlogs
    Also gives:
    SHOW BINLOG EVENTS\G
    ...
       Log_name: mysql-bin.000001
            Pos: 175
     Event_type: Query
      Server_id: 9999
    End_log_pos: 312
           Info: use `test`; insert into passwd values ('lefred','iLikeDim0', null,null,null,null,null)
  • 21. SHUTDOWN
    # mysqladmin shutdown
  • 22. SUPER
    Known to be given to app users & monitoring users
    However, it is very powerful:
      CHANGE MASTER TO, STOP SLAVE, START SLAVE
      KILL any thread
      SET GLOBAL ...
      BINLOG
      When read_only=on, SUPER users can still write
      Set the DEFINER of stored procedures/views to an account of choice
      Has the extra login when max_connections is reached
  • 23. ALL
    Gives ALL privileges possible (on a certain level):
      > GRANT ALL ON *.*
      > GRANT ALL ON db.*
      > GRANT ALL ON db.table
      ...
  • 24. USAGE
    Gives you the possibility to... login
    Possible to run:
      SHOW GLOBAL STATUS;
      SHOW GLOBAL VARIABLES;
      Set session buffers/variables (see next chapter)
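Slides 13 to 24 single out the global privileges that reach far beyond one schema (FILE, PROCESS, RELOAD, REPLICATION CLIENT/SLAVE, SHUTDOWN, SUPER, ALL). The block below is an added example, not code from the slides: it audits which accounts hold those privileges straight from the grant tables, using the `mysql.user` column names of MySQL 5.5. The `monitor` account and its host are constructed for the illustration.

```sql
-- Added example (not from the slides): which accounts hold the dangerous
-- global privileges of slides 13-24? mysql.user stores one 'Y'/'N' column
-- per global privilege (MySQL 5.5 column names).
SELECT User, Host,
       File_priv, Process_priv, Reload_priv, Shutdown_priv, Super_priv,
       Repl_slave_priv, Repl_client_priv, Grant_priv, Create_user_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Process_priv = 'Y' OR Reload_priv = 'Y'
   OR Shutdown_priv = 'Y' OR Super_priv = 'Y'
   OR Repl_slave_priv = 'Y' OR Repl_client_priv = 'Y'
   OR Grant_priv = 'Y' OR Create_user_priv = 'Y'
ORDER BY User, Host;

-- The subset that is not confined to the local machine: these are the
-- accounts an application host, or anyone on the network, can use.
SELECT User, Host
FROM mysql.user
WHERE Host NOT IN ('localhost', '127.0.0.1', '::1')
  AND (Super_priv = 'Y' OR File_priv = 'Y' OR Process_priv = 'Y');

-- A monitoring account that only needs replication status (slide 19) gets
-- REPLICATION CLIENT, not SUPER (slide 22). Constructed account name.
CREATE USER 'monitor'@'10.0.2.10' IDENTIFIED BY 'monitor-password-placeholder';
GRANT REPLICATION CLIENT ON *.* TO 'monitor'@'10.0.2.10';

-- If such an account was given SUPER, FILE or PROCESS in the past, take
-- them back at the global level (the only level they exist at).
REVOKE SUPER, FILE, PROCESS ON *.* FROM 'monitor'@'10.0.2.10';

-- Where FILE has to stay, confirm the directory it is confined to
-- (slide 13); an empty value means the whole filesystem is reachable.
SHOW GLOBAL VARIABLES LIKE 'secure_file_priv';
```

The first query is what to put on a schedule: any new row in its result is a new account with server-wide reach and should be traceable to a change request.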
  • 25. mysql Database
    > SHOW TABLES;
    +---------------------------+
    | Tables_in_mysql           |
    +---------------------------+
    | columns_priv              |
    | db                        |
    | event                     |
    | func                      |
    | general_log               |
    | help_category             |
    | help_keyword              |
    | help_relation             |
    | help_topic                |
    | host                      |
    | ndb_binlog_index          |
    | plugin                    |
    | proc                      |
    | procs_priv                |
    | proxies_priv              |
    | servers                   |
    | slow_log                  |
    | tables_priv               |
    | time_zone                 |
    | time_zone_leap_second     |
    | time_zone_name            |
    | time_zone_transition      |
    | time_zone_transition_type |
    | user                      |
    +---------------------------+
    24 rows in set (0.00 sec)
  • 26. mysql Database
    Do not give rights on it to app or general users
    DML statements on the grant tables are possible; use FLUSH PRIVILEGES to apply them
  • 27. Resource Limits
    For every user: max_user_connections
    > GRANT USAGE ON db.* TO 'lefred'@'localhost'
        WITH MAX_QUERIES_PER_HOUR 1000
             MAX_UPDATES_PER_HOUR 999
             MAX_CONNECTIONS_PER_HOUR 100
             MAX_USER_CONNECTIONS 5;
    FLUSH USER_RESOURCES;
    Not commonly used
  • 28. Default Permissions
    -- Grants dumped by pt-show-grants
    -- Dumped from server Localhost via UNIX socket, MySQL 5.5.17-55-log at 2012-01-11 03:36:25
    -- Grants for 'root'@'127.0.0.1'
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'127.0.0.1' WITH GRANT OPTION;
    -- Grants for 'root'@'desktop'
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'desktop' WITH GRANT OPTION;
    -- Grants for 'root'@'localhost'
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;
    -- Grants for ''@'localhost'
    GRANT USAGE ON *.* TO ''@'localhost';
    # mysql_secure_installation
    Set root password? [Y/n] y
    Remove anonymous users? [Y/n] y
    Disallow root login remotely? [Y/n] y
    Remove test database and access to it? [Y/n] y
  • 29. Security, Privileges & User Management (section divider; agenda as on slide 2)
  • 30. User Management
    Difficult to manage when having more than one MySQL server
    How to properly manage all those users?
      Version Control
      SecuRich
      Configuration Management
  • 31. Version Control
    Put all grants in a .txt file and put it in VC
    use pt-show-grants: orders grants, easy to VC; generates revoke statements
    -- Grants dumped by pt-show-grants
    -- Dumped from server Localhost via UNIX socket, MySQL 5.5.17-55-log at 2012-01-10 23:52:18
    -- Grants for 'debian-sys-maint'@'localhost'
    GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY PASSWORD '*C86BAB1C913CE0D310B662846E830230C51DA954' WITH GRANT OPTION;
    -- Grants for 'lefred'@'app0001'
    GRANT INSERT ON *.* TO 'lefred'@'app0001';
    GRANT SELECT ON `db`.* TO 'lefred'@'app0001';
    -- Grants for 'lefred'@'localhost'
    GRANT SELECT, SELECT (user) ON `test`.`passwd` TO 'lefred'@'localhost';
    GRANT USAGE ON *.* TO 'lefred'@'localhost';
    http://www.percona.com/doc/percona-toolkit/2.0/pt-show-grants.html
  • 32. SecuRich
    Tool (scripts/stored procedures) to facilitate user management
    Has some features MySQL does _not_ have:
      password expiry
      block users (even throws out users)
      password history
      password complexity checks
    http://www.securich.com/
  • 33. Configuration Management
    Use your favorite configuration management tool
    Puppet example: https://github.com/DavidS/puppet-mysql
  • 34. Security, Privileges & User Management (section divider; agenda as on slide 2)
  • 35. Pluggable Authentication
    Feature since MySQL 5.5
    New grant: PROXY: act like another user
    Percona PAM Plugin: http://www.mysqlperformanceblog.com/2011/12/05/announcing-pam-authentication-plugin-for-mysql-early-access-release/
    Oracle PAM Plugin: commercial plugin
    Clear text password will be sent: use secure connections
  • 36. Security, Privileges & User Management (section divider; agenda as on slide 2)
  • 37. Application Security
    SQL injections:
      use mysql_real_escape_string()
      use prepared statements
    Use different users in the application (read/write/...)
    Don't give app users permissions they should not have (see this presentation)
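Slide 37 names the fix (prepared statements) without showing why string building fails. The block below is an added example, not code from the slides: it runs the same lookup both ways using MySQL's server-side PREPARE/EXECUTE so the difference can be seen in the server alone. The `accounts` table, its rows and the request value are constructed; in application code the equivalent is the client library's prepared-statement API with bound parameters.

```sql
-- Added example (not from the slides): the injection slide 37 warns about,
-- and the parameterised form that prevents it. Table and values constructed.
CREATE TEMPORARY TABLE accounts (
    id      INT PRIMARY KEY,
    login   VARCHAR(32),
    balance DECIMAL(10,2)
);
INSERT INTO accounts VALUES (1, 'alice', 100.00), (2, 'bob', 250.00);

-- Untrusted input, taken verbatim from a request (constructed value):
SET @login := 'alice'' OR ''1''=''1';

-- Vulnerable shape: the input is glued into the statement text, so its
-- quote characters end the literal and the remainder is parsed as SQL.
-- Result: both rows, although only one login was asked for.
SET @sql := CONCAT('SELECT id, login FROM accounts WHERE login = ''', @login, '''');
PREPARE bad FROM @sql;
EXECUTE bad;
DEALLOCATE PREPARE bad;

-- Hardened shape: the statement text is fixed at PREPARE time and the
-- input travels as a parameter. The whole string is compared as data,
-- so the same input matches nothing.
PREPARE good FROM 'SELECT id, login FROM accounts WHERE login = ?';
EXECUTE good USING @login;

-- The same prepared statement with a legitimate value: exactly one row.
SET @login := 'bob';
EXECUTE good USING @login;
DEALLOCATE PREPARE good;
```

A prepared statement keeps the parse step and the data step apart; escaping functions such as mysql_real_escape_string() only work when every value is escaped with the connection's character set, which is the step that tends to be forgotten.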
  • 38. Security, Privileges & User Management (section divider; agenda as on slide 2)
  • 39. Network Security
    Port protection
    Traffic encryption
    DNS
  • 40. Port Protection
    Firewall
    bind-address=127.0.0.1
    No need for network connections (socket only): skip-networking
  • 41. Traffic Encryption
    Problem:
      # tcpdump -w - -i lo port 3306 | strings
      ...
      insert into passwd values ('lefred','dim00tjen', null,null,null,null)H
    Solution:
      Built-in SSL
      Secure tunnels
  • 42. DNS
    Remember: authentication is user@host
    MySQL does a reverse DNS lookup
      taking over the DNS server can change which grants a client gets
      killing the DNS server can cause stalls (despite the default DNS cache in MySQL or nscd)
      both a security and a performance problem
    use skip-name-resolve
  • 43. Security, Privileges & User Management (section divider; agenda as on slide 2)
  • 44. OS Level Security
    Security profiles:
      AppArmor
      SELinux
    Chroot: start mysqld with --chroot
  • 45. Filesystem Encryption
    LUKS/ecryptfs/...: disk/file/directory encryption
      Protects against 'disk-stealing'
      No protection against user 'root'
    Gazzang ezNcrypt (http://www.gazzang.com)
      Commercial tool
      Uses ecryptfs
      Off-site key management
      Kernel module ACL: only a certain binary, with a certain hash, can access the encrypted files
  • 46. Security, Privileges & User Management (section divider; agenda as on slide 2)
  • 47. Other MySQL Security Features
    old-passwords: insecure 4.1 hashing; set secure-auth to avoid it
    skip-symbolic-links
    max_connect_errors: default=10
      Error: Host 'host_name' is blocked
      FLUSH HOSTS
    skip-grant-tables: ignore authentication
      recover lost root password
    Audit plugin interface (since 5.5)
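The settings from slides 13, 15, 40, 41, 42 and 47 are all server options, so a single query can report their current state on a running instance. The block below is an added example, not from the slides: the first statement lists the values, the second returns only the rows that differ from the hardened setting the slides recommend. The variable names are MySQL's own system variable names; `bind_address` became a visible variable only in MySQL 5.6 and is simply absent from the result on 5.5, and the matching `my.cnf` options are the ones the slides name (skip-networking, skip-name-resolve, secure_file_priv, local-infile=0, secure-auth, skip-symbolic-links).

```sql
-- Added example (not from the slides): report the hardening-relevant
-- server settings that slides 13, 15, 40, 41, 42 and 47 talk about.
SHOW GLOBAL VARIABLES
WHERE Variable_name IN (
    'skip_networking',    -- ON: Unix socket only, no TCP listener (slide 40)
    'bind_address',       -- 127.0.0.1 when only local clients exist (5.6+)
    'skip_name_resolve',  -- ON: grants matched on IP, no reverse DNS (slide 42)
    'secure_file_priv',   -- directory FILE is confined to; empty = anywhere (slide 13)
    'local_infile',       -- OFF refuses LOAD DATA LOCAL on the server (slide 15)
    'have_ssl',           -- YES when the built-in SSL is usable (slide 41)
    'old_passwords',      -- OFF/0: new passwords use the current hash (slide 47)
    'secure_auth',        -- ON: clients with old-format passwords are refused
    'have_symlink',       -- DISABLED after --skip-symbolic-links
    'max_connect_errors'  -- slide 47: default 10, cleared with FLUSH HOSTS
);

-- Only the settings that are still at a weak value. An empty result is
-- the goal; each returned row names the option to change in my.cnf.
SHOW GLOBAL VARIABLES
WHERE (Variable_name = 'skip_name_resolve' AND Value <> 'ON')
   OR (Variable_name = 'secure_file_priv'  AND Value = '')
   OR (Variable_name = 'local_infile'      AND Value <> 'OFF')
   OR (Variable_name = 'old_passwords'     AND Value NOT IN ('OFF', '0'))
   OR (Variable_name = 'secure_auth'       AND Value <> 'ON')
   OR (Variable_name = 'have_symlink'      AND Value <> 'DISABLED');
```

Running both as the monitoring account works with USAGE alone (slide 24 notes that SHOW GLOBAL VARIABLES needs no extra privilege), so the check does not itself require a powerful account.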
  • 48. Security, Privileges & User Management (section divider; agenda as on slide 2)
  • 49. Data Security Functions
    PASSWORD()
    Crypt: ENCRYPT()/DECRYPT()
    AES: AES_ENCRYPT()/AES_DECRYPT()
    DES: DES_ENCRYPT()/DES_DECRYPT()
    Hashing: MD5(), SHA2()
    Statement Based Replication includes the SQL statement in the binary log: use Row Based
    Same counts for the general/slow log
    Maybe encrypt in the application
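The following is an added example, not code from the slides: it stores one value with AES_ENCRYPT() and then shows what the slide's warning about statement-based logging means in practice. The `cards` table, the key placeholder and the data are constructed (4111111111111111 is a widely used test card number, not real data).

```sql
-- Added example (not from the slides): column encryption with
-- AES_ENCRYPT()/AES_DECRYPT() and what the logs end up holding.
-- Table, key placeholder and data are constructed.
CREATE TEMPORARY TABLE cards (
    id  INT PRIMARY KEY,
    pan VARBINARY(64)          -- ciphertext is binary; never store it in a CHAR column
);

-- Key supplied by the application for this session only, never stored in
-- a table next to the data it protects (placeholder value).
SET @k := 'replace-with-key-from-the-application';

INSERT INTO cards VALUES (1, AES_ENCRYPT('4111111111111111', @k));

-- Anyone with SELECT but without the key sees ciphertext only.
SELECT id, HEX(pan) FROM cards;

-- Decryption needs the same key. A wrong key fails the padding check and
-- yields NULL (or, rarely, garbage), never the plaintext.
SELECT id, CAST(AES_DECRYPT(pan, @k) AS CHAR) AS pan FROM cards;
SELECT id, AES_DECRYPT(pan, 'wrong-key') AS pan FROM cards;

-- Slide 49's point: with statement-based replication the SET @k and the
-- INSERT above are written to the binary log as text, so the plaintext and
-- the key land on every slave and in every binlog backup; the general log
-- and slow log record the statement text in the same way. Row-based
-- logging writes only the resulting row image, i.e. the ciphertext.
SHOW GLOBAL VARIABLES LIKE 'binlog_format';
-- Changing it per session needs SUPER (slide 22), so the right place for
-- binlog_format=ROW is the server configuration, not the application.
SET SESSION binlog_format = 'ROW';
```

Encrypting in the application, as the slide also suggests, avoids the problem entirely because neither the key nor the plaintext ever appears in a statement sent to the server.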
  • 50. Security, Privileges & User Management (section divider; agenda as on slide 2)
  • 51. DoS
    mysql> show grants;
    +--------------------------------------+
    | Grants for @localhost                |
    +--------------------------------------+
    | GRANT USAGE ON *.* TO ''@'localhost' |
    +--------------------------------------+
    1 row in set (0.00 sec)
    Disk:
    mysql> use information_schema;
    mysql> select a.* FROM CHARACTER_SETS a, CHARACTER_SETS b,
        -> CHARACTER_SETS c, CHARACTER_SETS d, CHARACTER_SETS e;
    Memory:
    mysql> SELECT REPEAT('a', 1024*1024) INTO @a1;
    Query OK, 1 row affected (0.01 sec)
    ..
    mysql> SELECT REPEAT('a', 1024*1024) INTO @a99;
    Query OK, 1 row affected (0.01 sec)
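Slide 51 starts from the anonymous `''@'localhost'` account that slide 28 shows as a default, and slide 27 already holds the per-account limits that bound what such a session can consume. The block below is an added example, not code from the slides, that ties the three together: it finds the default accounts `mysql_secure_installation` asks about, removes them the way the script does, and then puts resource limits on a constructed low-privilege `report` account. The `mysql.user` column names are those of MySQL 5.5 (the `Password` column was later replaced by `authentication_string`); `shop` and the host pattern are assumptions.

```sql
-- Added example (not from the slides): default-account hygiene (slide 28)
-- and resource limits (slide 27) as the two mitigations for slide 51.
-- mysql.user column names as in MySQL 5.5.

-- (1) What mysql_secure_installation would ask about: anonymous accounts,
--     accounts without a password, and root reachable from other hosts.
SELECT User, Host,
       (User = '')     AS anonymous,
       (Password = '') AS no_password,
       (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')) AS remote_root
FROM mysql.user
WHERE User = '' OR Password = ''
   OR (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'));

-- Remove the anonymous account from the row the query reported
-- (repeat per Host value that came back).
DROP USER ''@'localhost';

-- The default rows in mysql.db give every account access to test/test_*;
-- delete them as the script does and reload the grant tables (slide 26).
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\_%';
FLUSH PRIVILEGES;

-- (2) Per-account limits on a constructed reporting account, so one
--     runaway or abusive client cannot hold every connection or run an
--     unbounded number of queries. A limit of 0 means "no limit", so only
--     the limits that are meant to bind are set.
CREATE USER 'report'@'10.0.1.%' IDENTIFIED BY 'report-password-placeholder';
GRANT SELECT ON shop.* TO 'report'@'10.0.1.%'
  WITH MAX_QUERIES_PER_HOUR 5000
       MAX_CONNECTIONS_PER_HOUR 200
       MAX_USER_CONNECTIONS 5;
FLUSH USER_RESOURCES;

-- Verify: the limits live in mysql.user; 0 in a column means unlimited.
SELECT User, Host, max_questions, max_updates, max_connections, max_user_connections
FROM mysql.user
WHERE User = 'report';
```

The limits cap a single account; the global `max_connections` (and the SUPER-only spare connection from slide 22) is what keeps an administrator able to log in and KILL a session when the cap is reached.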
  • 52. Security, Privileges & User Management (section divider; agenda as on slide 2)
  • 53. PCI Compliance
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
    5. Use and regularly update anti-virus software on all systems commonly affected by malware
    6. Develop and maintain secure systems and applications
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
    12. Maintain a policy that addresses information security
    http://en.wikipedia.org/wiki/PCI_DSS
  • 54. Security, Privileges & User Management (section divider; agenda as on slide 2)
  • 55. Kenny Gryp <kenny.gryp@percona.com> @gryp
    We're Hiring! www.percona.com/about-us/careers/