Security features In MySQL 8.0
0 likes502 views
The document presents an overview of security features in MySQL 8.0, focusing on user roles, encryption, and authentication improvements. It covers various aspects such as managing user privileges, binary log encryption, and dual password functionality to enhance security and compliance. The text serves as guidance for users and database administrators on the enhancements and practices for effectively utilizing MySQL 8.0 features.
Security features In MySQL 8.0
- 1. Vignesh Prabhu S Database Reliability Engineer Mydbops July 31st, 2021 MyWebinar Season#7 Security Features in MySQL 8.0
- 2. Interested in Open source Databases and Linux Certified in MySQL 5.7 Ceritified in AWS Cloud Architect Active Learner About Me
- 3. Services on top open source databases Founded in 2016 50 Member team Assisted over 500+ Customers AWS Partner and a PCI Certified Organisation About Mydbops
- 4. Consulting Services Managed Services Focuses on Top Opensource databases MySQL, MongoDB and PostgreSQL Mydbops Services
- 5. 500 + Clients In 5 Yrs. of Operations Our Clients
- 8. Collection of privileges. Effectively Managing the Privileges across users. Role Creation / Privilege Syntax = User Creation / Privilege Syntax Role Drop Syntax = User Drop Syntax User Roles
- 9. User Roles - Creation
- 10. Production Role: Testing Role: User Roles - Creation
- 11. User Roles - Creation
- 12. User Roles - Creation Variables related to User roles mandatory_roles activate_all_roles_on_login Privilege Required - Role Admin System_user Privilege can't be listed in the above variables.
- 13. User Roles - Creation
- 14. Ease of managing users & privileges Much Useful is large environment More control to DB admins User Roles - Pros
- 15. Encryption
- 16. Introduced from 8.0.14 Encrypt Binary / Relay Log. Encryption at rest. Keyring is needed. Privilege Needed - Super (or) Binlog Encryption Admin Master key - Encryption key used for the encrypted binlogs Master key can be rotated - binlog_rotate_encryption_master_key_at_startup / alter instance rotate binlog master key Binlog Encryption
- 17. Encryption before enabling the Keyring: Enable Keyring: Apply the below variable in config file early-plugin-load=keyring_file.so Encryption after enabling the Keyring: Binlog Encryption - Setup
- 18. Binary log Encryption - Architecture
- 19. Binary log Encryption - Architecture
- 20. Binary log Encryption - Architecture
- 21. Unencrypted Binlog Magic Number - Encrypted Binlog Magic Number - Binary log Encryption - Magic Number
- 22. Binary log Encryption - Decoding Encrypted Binlog
- 23. With the help of running server (use read from remote host) Binary log Encryption - Decoding Encrypted Binlog
- 24. Decryption without the encryption is not possible More Secure. Ensure Compliance. Pros - Cons - CPU Resource usage. Slave must be in the encrypted format. Not easy to read. Binary log Encryption - Pros & Cons
- 25. Prerequisities - Keyring is must. default_table_encryption - 8.0.16. Privilege needed - TABLE_ENCRYPTION_ADMIN. General Tablespace & File Per-table Tablespace. MySQL Schema Encryption Tablespace Encryption
- 26. Introduced from 8.0.16 Default - Unencrypted MySQL Schema Encryption
- 27. Introduced from 8.0.23. By default, encrypts the encrypted tablespace data. Encrypted by using the respective tablespace key. Unencrypted tablespace data remain unencrypted. Doublewrite Encryption
- 28. Related Variables innodb_redo_log_encrypt innodb_undo_log_encrypt Default - OFF Redo Log Encryption key details - header of first redo log (ib_logfile0). Undo Log Encryption key details - header of undo log. Redo / Undo Encryption
- 29. Redo / Undo Encryption - Process Behind
- 30. Authentication
- 31. Introduced from 8.0.14. Minimal downtime to change the password Apply 2 passwords for a single user. Primary Secondary Privilege - APPLICATION PASSWORD ADMIN Dual Password
- 32. Dual Password - Process Behind
- 33. Dual Password - Process Behind
- 34. Dual Password - Process Behind
- 35. Dual Password - Process Behind
- 36. Dual Password - Process Behind
- 37. Seamless Password Change Minimal Downtime Flexbility Irrespective of time, change the password Dual Password - Pros
- 38. Introduced in 8.0.19. Lock the account after consecutive retries. Default - 0 Alter user keeps the same config as before. Same rules applied during the dual password. Temporary Account Locking
- 39. Temporary Account Locking - Implementation
- 40. Global Reset Flush privileges Server Restart --skip-grant-tables Per-Account Reset Unlock Account (alter) Temporary Account Locking - Account Reset
- 41. Connection-Control Plugin. Based on user/host combination. Adding the delay, respective of failure. Slow down the Brute force Attacks. Adds delay 1000ms (1s) per failure connection. Library has 2 plugins Connection_Control - Checks incoming connections, adds delay Connection_Control_Failed_Login_Attempts - Monitoring (information_schema) Connection Control
- 42. Connection Control - Installation
- 43. Connection Control - Configuration & Monitoring
- 44. Implements SHA-256 authentication Default in 8.0 Password will be unique irrespective users Caching on Server side Faster Authentication caching_sha2_password
- 45. Caching will be done by First access - mysql.user (system table) Consequent access - in memory cache (match entries) Clearing Cache - sha2_cache_cleaner Flush privileges User renamed / Dropped Server restart caching_sha2_password - Process Behind
- 46. caching_sha2_password - Hash Creation
- 47. MySQL 8.0 MySQL 5.7 MySQL 5.6 Binlog Encryption Y - - Undo Redo Encryption Y - - Roles Y - - Default Encryption Y - - Double write Encryption Y - - Connection Control Plugin Y Y Y TDE Y Y - MySQL Keyring Y Y - Password Validation Plugin Y Y Y Caching SHA-256 Authentication Y Y Y Cleartext Plugin Y Y Y PAM Authentication Y Y Y SHA-256 Pluggable Authentication Y Y Y MySQL 8.0 > MySQL 5.7 > MySQL 5.6
- 48. Stay Tuned with MySQL 8.0 !! Queries?
- 49. Reach Us : [email protected] Thank You