mysql percona server mariadb server security features
play

MySQL/Percona Server/MariaDB Server security features overview Colin - PowerPoint PPT Presentation

Aug 23, 2022 •41 likes •681 views

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist, Percona Inc. colin.charles@percona.com / byte@bytebot.net http://bytebot.net/blog/ | @bytebot on Twitter Percona Live Santa Clara 2018, Santa Clara,

  1. MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist, Percona Inc. colin.charles@percona.com / byte@bytebot.net http://bytebot.net/blog/ | @bytebot on Twitter Percona Live Santa Clara 2018, Santa Clara, California, USA 25 April 2018

  2. whoami • Chief Evangelist, Percona Inc • Focusing on the MySQL ecosystem (MySQL, Percona Server, MariaDB Server), as well as the MongoDB ecosystem (Percona Server for MongoDB) + 100% open source tools from Percona like Percona Monitoring & Management, Percona xtrabackup, Percona Toolkit, etc. • Founding team of MariaDB Server (2009-2016), previously at Monty Program Ab, merged with SkySQL Ab, now MariaDB Corporation • Formerly MySQL AB (exit: Sun Microsystems) • Past lives include The Fedora Project (FESCO), OpenOffice.org • MySQL Community Contributor of the Year Award winner 2014 #PerconaLive

  3. License • Creative Commons BY-NC-SA 4.0 • https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode 
 #PerconaLive

  4. MySQL Variants • MySQL Community Edition • Won’t cover: 3.23, 4.0, 4.1, 5.0, 5.1 • Will focus on: 5.5, 5.6, 5.7, and the newly released 8.0 • MySQL Enterprise Edition • Percona Server for MySQL • 5.5, 5.6, 5.7 • MariaDB Server • Won’t cover: 5.1, 5.2, 5.3 • 5.5, 10.0, 10.1, 10.2, with 10.3 as an alpha • What we won’t cover: MySQL Cluster (NDBCLUSTER), Galera Cluster, Group Replication/ InnoDB Cluster, X Protocol/mysqlsh (33060) #PerconaLive

  5. Structured Query Language (SQL) • ISO/IEC 9075 (reviewed every 5 years), SQL-86, SQL-89, SQL-92, SQL:1999, SQL:2003, SQL:2006, SQL:2008, SQL:2011, SQL:2016 • select @@global.sql_mode; • ANSI - come close to the SQL standard • STRICT_TRANS_TABLES - If a value could not be inserted as given into a transactional table, abort the statement. • TRADITIONAL - “give an error instead of a warning” when inserting an incorrect value into a column. • https://dev.mysql.com/doc/refman/5.7/en/sql-mode.html • Deprecated - MariaDB Server has NO_AUTO_CREATE_USER but MySQL 5.7 has this in standard sql_mode #PerconaLive

  6. MySQL security by version • GRANT (3.23) • REVOKE (3.23) • SET PASSWORD (3.23) • SHOW GRANTS (3.23) • DROP USER (4.1) • SHOW PRIVILEGES (4.1) • CREATE USER (5.0) • RENAME USER (5.0) • ALTER USER (5.6) • SHOW CREATE USER (5.7) • CREATE ROLE (8.0) • DROP ROLE (8.0) • SET ROLE (8.0) • SET DEFAULT ROLE (8.0) • N/B: ROLES came to MariaDB Server in 10.0, and the DEFAULT ROLE came in 10.1 #PerconaLive

  7. mysql.user table • host • user • password (removed in 5.7; still present in MariaDB) • plugin (5.5) • authentication_string (5.5) • password_expired (5.6) • account_locked (5.7) Comparing mysql.user • Create_role_priv (8.0) between MariaDB Server 10.2 and MySQL 5.7 • Drop_role_priv (8.0) #PerconaLive

  8. Key security features by version • 5.1 - McAfee Audit plugin • 5.5 - pluggable authentication (MariaDB 5.2 backport), proxy users, changes in mysql.user table, client password warning; Enterprise provided Audit and PAM authentication (present again in Percona Server for MySQL and MariaDB Server) • 5.6 - encrypted client credentials (mysql_config_editor), sha256_password, password expiry, VALIDATE_PASSWORD_STRENGTH(), --random-passwords (optional random on install), mysql.user password_expired column; Enterprise Firewall • 5.7 - grep for root password on installation, password expiry every ‘n’ days, user accounts can be locked/unlocked, mysql_ssl_rsa_setup, mysql.user.password removed, super_read_only, at rest tablespace encryption • 8.0 - roles + mysql.user changes • MariaDB 10.0 - roles, userstats • MariaDB 10.1 - default roles, at rest table/tablespace encryption, simple_password_check, cracklib_password_check, AWS Key Management plugin • MariaDB 10.2 - user limits, ed25519 auth • Percona Server for MySQL 5.5 - extended SHOW GRANTS, utility user, userstats • Percona Server for MySQL 5.6 - super_read_only • Percona Server for MySQL 5.7 - Vault plugin #PerconaLive

  9. Installation Default Passwords • 'root' user • Pre 5.7 no password • 5.7 expired random password • Anonymous users • Removed in 5.7 #PerconaLive

  10. How are passwords stored in MySQL? (5.5) mysql55 >SELECT /* 5.5 */ host, user, password, plugin, authentication_string FROM mysql.user; 
 +-----------+------+----------+--------+-----------------------+ 
 | host | user | password | plugin | authentication_string | 
 +-----------+------+----------+--------+-----------------------+ 
 | localhost | root | | | | 
 | mysql55 | root | | | | 
 | 127.0.0.1 | root | | | | 
 | ::1 | root | | | | 
 | localhost | | | | NULL | 
 | mysql55 | | | | NULL | 
 +-----------+------+----------+--------+-----------------------+ 
 6 rows in set (0.00 sec) 
 #PerconaLive

  11. How are passwords stored in MySQL? (5.6) mysql56 >SELECT /* 5.6 */ host, user, password, plugin, authentication_string, password_expired FROM mysql.user; 
 +-----------+------+----------+-----------------------+-----------------------+------------------+ 
 | host | user | password | plugin | authentication_string | password_expired | 
 +-----------+------+----------+-----------------------+-----------------------+------------------+ 
 | localhost | root | | mysql_native_password | | N | 
 | mysql56 | root | | mysql_native_password | | N | 
 | 127.0.0.1 | root | | mysql_native_password | | N | 
 | ::1 | root | | mysql_native_password | | N | 
 | localhost | | | mysql_native_password | NULL | N | 
 | mysql56 | | | mysql_native_password | NULL | N | 
 +-----------+------+----------+-----------------------+-----------------------+------------------+ 
 6 rows in set (0.00 sec) 
 #PerconaLive

  12. How are passwords stored in MySQL? (5.7) mysql57 >SELECT /* 5.7 */ host, user, plugin, authentication_string, password_expired, password_last_changed, password_lifetime, account_locked FROM mysql.user; 
 +-----------+---------------+-----------------------+------------------------------------------- +------------------+-----------------------+-------------------+----------------+ 
 | host | user | plugin | authentication_string | password_expired | password_last_changed | password_lifetime | account_locked | 
 +-----------+---------------+-----------------------+------------------------------------------- +------------------+-----------------------+-------------------+----------------+ 
 | localhost | root | mysql_native_password | *E89C1DBB80A00976B61D19025C3081E4B190D8BE | N | 2017-09-03 18:45:43 | NULL | N | 
 | localhost | mysql.session | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | N | 2017-09-03 18:42:33 | NULL | Y | 
 | localhost | mysql.sys | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | N | 2017-09-03 18:42:33 | NULL | Y | 
 +-----------+---------------+-----------------------+------------------------------------------- +------------------+-----------------------+-------------------+----------------+ 
 3 rows in set (0.01 sec) 
 #PerconaLive

  13. How are passwords stored in MySQL? (8.0) mysql> SELECT /* 8.0 */ host, user, plugin, authentication_string, password_expired, password_last_changed, password_lifetime, account_locked FROM mysql.user; +-----------+------------------+-----------------------+------------------------------------------------------------------------ +------------------+-----------------------+-------------------+----------------+ | host | user | plugin | authentication_string | password_expired | password_last_changed | password_lifetime | account_locked | +-----------+------------------+-----------------------+------------------------------------------------------------------------ +------------------+-----------------------+-------------------+----------------+ | localhost | mysql.infoschema | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | N | 2018-04-25 13:04:15 | NULL | Y | | localhost | mysql.session | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | N | 2018-04-25 13:04:15 | NULL | Y | | localhost | mysql.sys | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | N | 2018-04-25 13:04:15 | NULL | Y | | localhost | root | caching_sha2_password | $A$005$hqy-OG+.:|qsypaH/HS.i19CInGfOtklCz3kyo4cZxqCFy2bEHcogi6/ | N | 2018-04-25 13:04:19 | NULL | N | +-----------+------------------+-----------------------+------------------------------------------------------------------------ +------------------+-----------------------+-------------------+----------------+ 4 rows in set (0.00 sec) #PerconaLive

Recommend

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server for MySQL? a free, fully compatible, enhanced and open source drop-in replacement for any MySQL database 2 First of All, What Is

2.47k views • 28 slides
Securing your MySQL/MariaDB Server Data Colin Charles, Ronald Bradford, Hank Eskin Percona Live

Securing your MySQL/MariaDB Server Data Colin Charles, Ronald Bradford, Hank Eskin Percona Live

Securing your MySQL/MariaDB Server Data Colin Charles, Ronald Bradford, Hank Eskin Percona Live Santa Clara 2017 #PerconaLive @bytebot @RonaldBradford @HankEskin About: Colin Charles Chief Evangelist (in the CTO office), Percona Inc

643 views • 52 slides
In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings General Concept Plugin installation - always successful - keyrings variables may need correction - keyring_vault_config - keyring_file_data 3

780 views • 47 slides
ALTER TABLE IMPROVEMENTS IN MARIA DB SERVER Marko Mkel Lead Developer InnoDB MariaDB

ALTER TABLE IMPROVEMENTS IN MARIA DB SERVER Marko Mkel Lead Developer InnoDB MariaDB

ALTER TABLE IMPROVEMENTS IN MARIA DB SERVER Marko Mkel Lead Developer InnoDB MariaDB Corporation Generic ALTER TABLE in MySQL & MariaDB CREATE ; INSERT SELECT ; RENAME ; DROP Starting with MySQL 5.6 & MariaDB 10.0,

1.51k views • 25 slides
Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since

Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since

Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since 2017 Working with MySQL for over 5 years - Started with SQL Server Working with databases for 7 years 2 Agenda OS/Cloud security

1.16k views • 78 slides
MariaDB security features and best practices Robert Bindar Software Developer @MariaDB

MariaDB security features and best practices Robert Bindar Software Developer @MariaDB

MariaDB security features and best practices Robert Bindar Software Developer @MariaDB Foundation Percona Live Austin, 28-30 May 2019 Motivation - Users Potential public shaming through data breaches Massive loss of business

606 views • 42 slides
MariaDB 10.3 vs MySQL 8.0 Tyler Duzan, Product Manager Percona Who Am I? My name is Tyler

MariaDB 10.3 vs MySQL 8.0 Tyler Duzan, Product Manager Percona Who Am I? My name is Tyler

MariaDB 10.3 vs MySQL 8.0 Tyler Duzan, Product Manager Percona Who Am I? My name is Tyler Duzan Formerly an operations engineer for more than 12 years focused on security and automation Now a Product Manager at Percona

4.42k views • 37 slides
Learning MySQL 5.7 Jervin Real Percona Live 2017 1 / 21 Agenda 1. Background 2. New Features

Learning MySQL 5.7 Jervin Real Percona Live 2017 1 / 21 Agenda 1. Background 2. New Features

Learning MySQL 5.7 Jervin Real Percona Live 2017 1 / 21 Agenda 1. Background 2. New Features 3. Upgrading to 5.7 2 / 21 Background and Current State 3 / 21 Background and Current State In Comparison, MySQL 5.7 is: Percona Server 5.7

329 views • 21 slides
Mesosphere and Percona Server for MongoDB Peter Schwaller, Senior Director Server Eng. (Percona)

Mesosphere and Percona Server for MongoDB Peter Schwaller, Senior Director Server Eng. (Percona)

Mesosphere and Percona Server for MongoDB Peter Schwaller, Senior Director Server Eng. (Percona) Taco Scargo, Senior Solution Engineer (Mesosphere) Mesosphere DC/OS MICROSERVICES, CONTAINERS, & DEV TOOLS DATA SERVICES, MACHINE LEARNING,

307 views • 18 slides
The Aspersa Toolkit Baron Schwartz O'Reilly MySQL Conference & Expo 2011 Consulting

The Aspersa Toolkit Baron Schwartz O'Reilly MySQL Conference & Expo 2011 Consulting

The Aspersa Toolkit Baron Schwartz O'Reilly MySQL Conference & Expo 2011 Consulting Support Training Development For MySQL Percona Server Replaces MySQL Faster Queries More Consistent More Measurable More Features

740 views • 30 slides
Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu

Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu

Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu Percona Enterprise-Grade Support For Any Database Percona Server for MySQL Percona XtraDB Cluster Percona Server for MongoDB

522 views • 16 slides
Geographic Features in MySQL Tibor Korocz Percona What do I try to answer today? - Can MySQL

Geographic Features in MySQL Tibor Korocz Percona What do I try to answer today? - Can MySQL

Geographic Features in MySQL Tibor Korocz Percona What do I try to answer today? - Can MySQL 8 help us with the common usecases? - Distance Calculation. - What is near by me? - Does MySQL 8 give us better options/solutions for these

1.14k views • 52 slides
Vinicius Grippa Percona About me Support Engineer at Percona since 2017 Working with MySQL

Vinicius Grippa Percona About me Support Engineer at Percona since 2017 Working with MySQL

Whats new in Mongo 4.0 Vinicius Grippa Percona About me Support Engineer at Percona since 2017 Working with MySQL for over 5 years - Started with SQL Server Working with databases for 7 years 2 Agenda Transactions Support

744 views • 52 slides
Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011 Consulting Support Training Development For MySQL Percona Server Replaces MySQL Faster Queries More Consistent More Measurable More

670 views • 41 slides
Percona Backup for MongoDB Akira Kurogane Percona 3 - 2 - 1 MongoDB Percona Server for

Percona Backup for MongoDB Akira Kurogane Percona 3 - 2 - 1 MongoDB Percona Server for

Percona Backup for MongoDB Akira Kurogane Percona 3 - 2 - 1 MongoDB Percona Server for MongoDB Community Edition MongoDB Enterprise Edition Replica Set Cluster Percona Backup for MongoDB 2 Elements of MongoDB Backups 3 MongoDB oplog

1.43k views • 38 slides
Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin

Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin

Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin VirtualHealth About me Working with MySQL for 10-15 years Started at MySQL AB 2006 - Sun Microsystems, Oracle (MySQL Consulting) - Percona since

645 views • 50 slides
External Authentication with Percona Server for MongoDB and MongoDB Enterprise Jason Terpko DBA

External Authentication with Percona Server for MongoDB and MongoDB Enterprise Jason Terpko DBA

External Authentication with Percona Server for MongoDB and MongoDB Enterprise Jason Terpko DBA @ Rackspace/ObjectRocket linkedin.com/in/jterpko 1 Overview Percona Server For MongoDB o SASL and LDAP o MongoDB Enterprise o Kerberos and

430 views • 25 slides
At Rest Encryption with MySQL & Vault Tate McDaniel Charles Thompson Percona Empowered

At Rest Encryption with MySQL & Vault Tate McDaniel Charles Thompson Percona Empowered

At Rest Encryption with MySQL & Vault Tate McDaniel Charles Thompson Percona Empowered Welcome and Introductions Charles Thompson Empowered Senior MySQL DBA with over seven years of experience in the industry. Proficient in server

755 views • 46 slides
Mesosphere and Percona Server for MongoDB Jeff Sandstrom, Product Manager (Percona) Ravi Yadav,

Mesosphere and Percona Server for MongoDB Jeff Sandstrom, Product Manager (Percona) Ravi Yadav,

Mesosphere and Percona Server for MongoDB Jeff Sandstrom, Product Manager (Percona) Ravi Yadav, Tech. Partnerships Lead (Mesosphere) Mesosphere DC/OS MICROSERVICES, CONTAINERS, & DEV TOOLS DATA SERVICES, MACHINE LEARNING, & AI Broad

482 views • 18 slides
CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source

CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source

CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source database server in existence. On top of that, it is very commonly used in conjunction with PHP scripts to create powerful and dynamic server-side

92 views • 5 slides
Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

E LIOM Tierless Web programming from the ground up Gabriel R ADANNE Jrme V OUILLON Vincent B ALAT Vasilis P APAVASILEIOU Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server DOM 2 2 / 22 1

778 views • 42 slides
MariaDB State of MariaDB Michael Monty Widenius MariaDB hacker monty@askmonty.org

MariaDB State of MariaDB Michael Monty Widenius MariaDB hacker monty@askmonty.org

MariaDB State of MariaDB Michael Monty Widenius MariaDB hacker monty@askmonty.org http://mariadb.com/ Notice: MySQL is a registered trademark of Sun Microsystems, Inc. The origin of My (SQL) At start: Lots of traveling and meeting

1.16k views • 57 slides
Server Server Server Server Server Datacenter Network (e.g., Ethernet, InfiniBand,

Server Server Server Server Server Datacenter Network (e.g., Ethernet, InfiniBand,

Chanwoo Chung , Jinhyung Koo, Junsu Im, Arvind , and Sungjin Lee DGIST and MIT NVRAMOS 19 2019.10.24 DATA -INTENSIVE COMPUTING SYSTEMS LAB ORATORY Computation Application Application Application Application Application

597 views • 48 slides
FOSDEM MariaDB 10 - The Spider Storage Engine (a sharding plugin for MySQL/MariaDB) Stphane

FOSDEM MariaDB 10 - The Spider Storage Engine (a sharding plugin for MySQL/MariaDB) Stphane

FOSDEM MariaDB 10 - The Spider Storage Engine (a sharding plugin for MySQL/MariaDB) Stphane Varoqui <stephane@skysql.com> Colin Charles <byte@mariadb.com> Introduction Fear of Databases Fear of Sharding Fear of

599 views • 30 slides

More recommend