Displaying posts with tag: authorization
The SYSTEM_USER Dynamic Privilege

This is a 3-part blog series:

To modify users, you must have the CREATE USER privilege or the UPDATE privilege on the mysql schema.…


MySQL 8 - Roles

With the next version of MySQL, MySQL 8, there is a very nice feature: "roles", which can be granted a set of privileges and then assigned to users, helping us maintain the principle of least privilege.

It makes our lives as developers and DBAs easier, as we no longer have to remember which specific privileges are assigned to different users. These "roles" can simply be assigned to or removed from users as necessary.

The setup process is pretty easy and intuitive.

1. Create Role:

CREATE ROLE 'read', 'write', 'read_write';

Which essentially …

Which accounts can access this data?

Knowing which privileges a given account has is easy – just issue SHOW GRANTS FOR user@host.  But what about when you need visibility into privileges from the other direction – which accounts can access specific data?  If you’re a DBA – or perform DBA duties, regardless of your title – you may have been asked this question.  It’s an important question to ask in an audit or compliance review – but it can be a difficult question to answer.  This post will walk through how to assess this, but if you’re impatient and need answers to this question immediately, jump to the end – there’s a simple shortcut.

Things to consider

There are a few things you’ll want to consider about the implementation of the MySQL privilege system as you try to sort out who has access to certain data.

Access type

MySQL can restrict privileges based on operations – somebody who has …

Batch mode and expired passwords

A series of related discussions triggered by difficulty in setting passwords via scripts using the mysql command-line client when an account has an expired password caused me to look into the interaction between expired passwords and batch mode, and this blog post resulted.  I hope it’s a useful explanation of the behavior and the workaround to those troubled by it, and amplifies the excellent documentation in the user manual.

The ability to flag accounts as having expired passwords first appeared in MySQL 5.6, with further …

MySQL Connect HOL content posted

Just a quick post to note that the content from my hands-on lab at MySQL Connect (“MySQL Enterprise Features in Practice”) has been uploaded to the content catalog, and can be found here.  This includes the 36-page lab manual and example commands and programs (mostly in Java; the package includes both compiled and source code).  For those who attended the lab, this is an opportunity to complete the exercises we didn’t get to in the 2.5 hours, and for those who missed it, an opportunity to learn more about the features and capabilities of key MySQL Enterprise products and features such as MySQL Enterprise Audit plugin, MySQL Enterprise Monitor and MySQL Enterprise Security (PAM plugin).  I hope to expand on the lab content …

Implementing a host blacklist with MySQL privileges

When I saw Shlomi’s recent post which asked (in part) for blacklist support in MySQL, I started thinking about ways in which this could be done using the tools we have today.  Here are the example requirements Shlomi noted:

Speaking of whitelist, it would be great to have a host blacklist. If I wanted to grant access to 'gromit'@'192.168.%' except for '192.168.10.%' — well, I would have to whitelist all the possible subnets. I can’t exclude a set of hosts.

I think that’s entirely possible without the overhead of whitelisting all possible subnets – let’s give it a go!

This solution will rely on the fact that the first step in authentication in MySQL is finding the most applicable host for the incoming connection.  That’s caused all sorts of annoyances in the past with the anonymous user, where …

Speaking at MySQL Connect

The MySQL Connect content catalog is published, and I’ll be leading a hands-on lab on MySQL Enterprise Features in Practice [HOL9787].  If you have wondered how to get the most out of the features of MySQL Enterprise subscriptions – whether you are an existing Enterprise customer or not – this lab is for you.  We’ll help you understand the benefits of the various components of the MySQL Enterprise subscription as you install, configure, demonstrate and use the …

Understanding max_connect_errors

To only slightly misquote one of the greatest movies of all times:

You keep using that option.  I do not think it means what you think it means.

Perhaps like many users, I had certain assumptions about what max_connect_errors really does – but in looking closely as part of investigating the new PERFORMANCE_SCHEMA.HOST_CACHE table in MySQL 5.6, I learned that some very fundamental elements had escaped my notice.  I’m writing this blog post to help others who hold similar misconceptions of what this option does.

Many, if not most, MySQL DBAs are familiar with “host blocked” errors:

C:\mysql-5.5.27-winx64>bin\mysql -utest_mce -P3307 -h192.168.2.8
ERROR 1129 (HY000): Host …

MySQL 5.6 users – prevent host blocked errors

The much-improved PERFORMANCE_SCHEMA in MySQL 5.6 provides visibility into MySQL’s host cache, including the ability to monitor for impending blocked hosts.  You can do this with the following query:

mysql> SELECT
    ->  ip,
    ->  host,
    ->  host_validated,
    ->  sum_connect_errors
    -> FROM performance_schema.host_cache\G
*************************** 1. row ***************************
                ip: 192.168.2.4
              host: TFARMER-MYSQL.wh.oracle.com
    host_validated: YES
sum_connect_errors: 3
1 row in set (0.02 sec)

That’s helpful information, and allows DBAs to identify problematic hosts before they are blocked.  Due to Bug#69807, it’s also something MySQL 5.6 users will want to do.  This bug causes the counter maintained in the host …

Improved password policy utility for MySQL 5.6

I previously published stored programs to help implement a (more) comprehensive password policy in MySQL 5.6, building on the password complexity plugin now available in MySQL 5.6.  This proof-of-concept has been expanded recently, and the updated package is available here.  There are a few notable changes from the earlier version:

Moved all created objects out of mysql system database

The mysql database is meant for system tables, and I try to keep everything not directly managed by the MySQL server out of that database.  The initial proof-of-concept implementation violated this principle – the update corrects this by creating and using a new password_policy database …
