Southeast Linuxfest -- MySQL User Admin Tips & Tricks

MySQL User Administration is viewed as a 'dark art' but is actually very simple. This presentation covers the pitfalls that novice DBAs plunge into and how to keep your data safe.
Presentation Transcript

  • Slide 1: MySQL User Administration Tips & Tricks
    Dave Stokes, MySQL Community Manager
    David.Stokes@oracle.com, @Stoker
    Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
  • Slide 2: Safe Harbor Statement
    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  • Slide 4: Thus speaketh the manual (MySQL Manual 6.3.1, User Names and Passwords)
    MySQL stores accounts in the user table of the mysql database. An account is defined in terms of a user name and the client host or hosts from which the user can connect to the server. The account may also have a password.
  • Slide 5: MySQL login ≠ User login
    ● Many folks do use their Unix login as their MySQL login
      – For convenience only
      – Easily overridden with the -u or --user option
    ● MySQL user names can be up to 16 characters long
    ● Passwords are hashed with MySQL's own scheme, not encrypted (the native plugin stores SHA1(SHA1(password)))
    ● Alternative character sets and collations are supported
  • Slide 6: Two ways to create accounts
    You can create MySQL accounts in two ways:
    ● By using statements intended for creating accounts, such as CREATE USER or GRANT. These statements cause the server to make appropriate modifications to the grant tables.
    ● By manipulating the MySQL grant tables directly with statements such as INSERT, UPDATE, or DELETE.
    The preferred method is to use account-creation statements because they are more concise and
  • Slide 7: Example of adding users
    shell> mysql --user=root mysql
    mysql> CREATE USER 'joe'@'localhost' IDENTIFIED BY 'some_pass';
    mysql> GRANT ALL PRIVILEGES ON *.* TO 'joe'@'localhost'
        -> WITH GRANT OPTION;
    mysql> CREATE USER 'joe'@'%' IDENTIFIED BY 'some_pass';
    mysql> GRANT ALL PRIVILEGES ON *.* TO 'joe'@'%'
        -> WITH GRANT OPTION;
    mysql> CREATE USER 'admin'@'localhost';
  • Slide 8: When Joe is not Joe
    'joe'@'localhost' may or may not have the same permissions as 'joe'@'168.10.%'. They are separate account rows, each with its own password and privilege set.
    Usually this is discovered at the worst possible time.
    Network reconfiguration can cause problems: a client that used to match one row starts matching another.
  • Slide 9: Anonymous accounts
    ● mysql.user rows whose User column is blank
      – Generally a bad idea
      – Often used
  • Slide 10: So now we know mysql.user has user, host & password. What else is in there?
    ● Privileges
      – Select, Insert, Update, Delete, Create, Drop, Reload, Shutdown, Process, File, Grant, References, Index, Alter, Show, Super, Create_tmp_table, Lock_tables, Execute, Repl_slave, Repl_client, Create_view, Show_view, Create_routine, Alter_routine, Create_user, Event, Trigger, Create_tablespace
    ● Encryption
      – SSL_type, SSL_cipher, x509_issuer, x509_subject
    ● Limits
      – Max_questions, Max_updates, Max_connections, Max_user_connections
    ● New
      – plugin, authentication_string, password_expired
  • Slide 11: Plugins (MySQL Manual 6.3.7, Pluggable Authentication)
    When a client connects to the MySQL server, the server uses the user name provided by the client and the client host to select the appropriate account row from the mysql.user table. It then uses this row to authenticate the client.
    In MySQL 5.6, the server authenticates clients using plugins, as follows:
    ● The server determines from the account row which authentication plugin applies for the client:
      – If the account row specifies no plugin name, the server uses native authentication.
      – If the account row specifies a plugin, the server invokes it to authenticate the user. If the server cannot find the plugin, an error occurs.
    ● The plugin returns a status to the server indicating whether the user is permitted to connect.
    Pluggable authentication enables two important capabilities:
    ● External authentication: Pluggable authentication makes it possible for clients to connect to the MySQL server with credentials that are appropriate for authentication methods other than native authentication based on passwords stored in the mysql.user table. For example, plugins can be created to use external authentication methods such as PAM, Windows login IDs, LDAP, or Kerberos.
    ● Proxy users: If a user is permitted to connect, an authentication plugin can return to the server a user name different from the name of the connecting user, to indicate that the connecting user is a proxy for another user. While the connection lasts, the proxy user is treated, for purposes of access control, as having the privileges of a different user. In effect, one user impersonates another.
  • Slide 12: Plugins available
    ● Native
    ● SHA-256
    ● Cleartext
    ● Socket Peer
    ● Test
    ● Enterprise Edition
      – PAM
      – Windows
      – Audit
  • Slide 13: Proxy users
    When authentication to the MySQL server occurs by means of an authentication plugin, the plugin may request that the connecting (external) user be treated as a different user for privilege-checking purposes. This enables the external user to be a proxy for the second user; that is, to have the privileges of the second user. In other words, the external user is a "proxy user" (a user who can impersonate or become known as another user) and the second user is a "proxied user" (a user whose identity can be taken on by a proxy user).
    CREATE USER 'empl_external'@'localhost' IDENTIFIED WITH auth_plugin AS 'auth_string';
    CREATE USER 'employee'@'localhost' IDENTIFIED BY 'employee_pass';
    GRANT PROXY ON 'employee'@'localhost' TO 'empl_external'@'localhost';
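Both the "When Joe is not Joe" problem (two rows for the same user name, one per host pattern) and a proxy login silently running with another account's privileges have the same diagnostic: ask the server which account row it actually matched. The following queries are an added example for this page, not part of the original deck; the account names are the deck's own ('joe', 'employee', 'empl_external'), the column names are those of the 5.6 grant tables, and they need SELECT on the mysql schema.

```sql
-- Added example (not from the original slides). Column names are the
-- MySQL 5.6 mysql.user / mysql.proxies_priv columns.

-- 1. Which rows exist for the name 'joe'? Each row is a separate
--    account with its own password and its own privileges.
SELECT User, Host, Password, plugin
  FROM mysql.user
 WHERE User = 'joe'
 ORDER BY Host;

-- 2. What does each row grant? SHOW GRANTS takes a full account name;
--    'joe' on its own means 'joe'@'%', which may be a different account
--    from the one a localhost client is using.
SHOW GRANTS FOR 'joe'@'localhost';
SHOW GRANTS FOR 'joe'@'168.10.%';

-- 3. From the client session in question: USER() is the name and host
--    the client presented; CURRENT_USER() is the account row the server
--    matched and is using for privilege checks. When the two differ in
--    the host part, the "worked from my desk, fails from the new
--    subnet" problem is a host-matching problem, not a privilege one.
SELECT USER(), CURRENT_USER();

-- 4. Proxy detection: when a plugin mapped the login to a proxied user,
--    CURRENT_USER() is the proxied account (e.g. employee@localhost) and
--    the session variable proxy_user names the external account that
--    actually connected. It is NULL for a normal, non-proxied session.
SELECT USER(), CURRENT_USER(), @@proxy_user;

-- 5. Who may act as whom? GRANT PROXY rows are stored in
--    mysql.proxies_priv, not in mysql.user, so a mysql.user review
--    alone never shows them.
SELECT User, Host, Proxied_user, Proxied_host, With_grant
  FROM mysql.proxies_priv
 ORDER BY Proxied_user, Proxied_host;
```

Step 3 is the one to run from the failing client itself; the other steps can be run by the DBA from anywhere with access to the mysql schema.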
  • Slide 14: Other controls
  • Slide 15: Examples of table/column permissions
    GRANT ALL ON mydb.mytbl TO 'someuser'@'somehost';
    GRANT SELECT, INSERT ON mydb.mytbl TO 'someuser'@'somehost';
    FLUSH PRIVILEGES;   -- harmless here, but not required after GRANT
    GRANT SELECT (col1), INSERT (col1, col2) ON mydb.mytbl TO 'someuser'@'somehost';
  • Slide 16: Do not forget that changes require … FLUSH PRIVILEGES
    The server keeps the grant tables cached in memory. Account-management statements (GRANT, REVOKE, CREATE USER, DROP USER, SET PASSWORD) update that cache themselves and take effect at once. Only changes made by editing the grant tables directly with INSERT, UPDATE or DELETE need a reload: run FLUSH PRIVILEGES (requires the RELOAD privilege), mysqladmin flush-privileges or mysqladmin reload, or restart the server.
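The rule about reloading is easiest to see side by side: the same privilege change made through GRANT and through a direct UPDATE of mysql.user. This is an added example, not from the original deck; 'someuser'@'somehost' is the deck's placeholder account, and the statements assume you are connected as root on a 5.6 server.

```sql
-- Added example (not from the original slides): when FLUSH PRIVILEGES
-- matters and when it does not. Assumes a MySQL 5.6 server and a
-- session with RELOAD plus write access to the mysql schema.

-- Path A: account-management statements. The server refreshes its
-- in-memory copy of the grant tables itself; no reload needed.
GRANT SELECT ON mydb.mytbl TO 'someuser'@'somehost';
SHOW GRANTS FOR 'someuser'@'somehost';   -- already lists the new SELECT

-- Path B: editing the grant tables directly. The row changes on disk,
-- but privilege checks keep using the cached copy. The account below
-- still has SUPER for every new connection until the reload runs.
UPDATE mysql.user
   SET Super_priv = 'N'
 WHERE User = 'someuser' AND Host = 'somehost';
SHOW GRANTS FOR 'someuser'@'somehost';   -- still shows SUPER

FLUSH PRIVILEGES;                        -- needs the RELOAD privilege
SHOW GRANTS FOR 'someuser'@'somehost';   -- SUPER is now gone

-- Without SQL access, the same reload from the shell:
--   shell> mysqladmin --user=root --password flush-privileges

-- Scope of the change once it is loaded, for either path:
--   * global privileges and passwords: next connection by that account
--   * database privileges: next USE db_name by the client
--   * table and column privileges: next statement
-- So a session that already holds SUPER keeps it until it reconnects;
-- use SHOW PROCESSLIST and KILL if the revocation has to bite now.
```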
  • Slide 17: Slide to check if audience is still awake
  • Slide 18: MySQL predetermined roles
  • Slide 19: First rule on handing out privs: Be stingy!!!
    ● Err on the side of too few rather than too many
    ● Grant, Super, and Process privs are dangerous
    ● Temp files can fill up disk drives and SANs
    ● Shutdown priv can get very messy
    ● Consider audit value
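The "adding users" example earlier in the deck hands 'joe'@'%' ALL PRIVILEGES ON *.* WITH GRANT OPTION, which is a second root account reachable from any host. As an added example for this page (not from the original deck), here is the same set of needs provisioned the stingy way: the schema name 'shop', the subnets, and the account names app_rw, report_ro and dba are assumptions for illustration, and the syntax is the 5.6 form (REQUIRE and WITH clauses on GRANT, not on CREATE USER).

```sql
-- Added example (not from the original slides): least-privilege
-- accounts in MySQL 5.6 syntax. Schema 'shop', the 10.20.x.x subnets
-- and the account names are assumptions for illustration.

-- Take back the over-broad account from the deck's example first.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'joe'@'%';
DROP USER 'joe'@'%';

-- Application account: only the DML it needs, only on its own schema,
-- only from the application subnet, with a per-user connection cap so
-- a runaway pool cannot exhaust max_connections for everyone.
CREATE USER 'app_rw'@'10.20.30.%' IDENTIFIED BY 'app_secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app_rw'@'10.20.30.%'
  WITH MAX_USER_CONNECTIONS 50;

-- Reporting account: read-only, and only over TLS (SSL_type column).
CREATE USER 'report_ro'@'10.20.40.%' IDENTIFIED BY 'report_secret';
GRANT SELECT ON shop.* TO 'report_ro'@'10.20.40.%'
  REQUIRE SSL;

-- DBA account for routine account work: CREATE USER plus RELOAD (for
-- FLUSH PRIVILEGES) is enough. No SUPER, no PROCESS, no FILE, no
-- SHUTDOWN and no GRANT OPTION on *.*; those stay with root@localhost.
CREATE USER 'dba'@'localhost' IDENTIFIED BY 'dba_secret';
GRANT CREATE USER, RELOAD ON *.* TO 'dba'@'localhost';
-- 5.6.6 and later: force a password change at first login.
ALTER USER 'dba'@'localhost' PASSWORD EXPIRE;

-- Confirm nothing broader slipped in.
SHOW GRANTS FOR 'app_rw'@'10.20.30.%';
SHOW GRANTS FOR 'report_ro'@'10.20.40.%';
SHOW GRANTS FOR 'dba'@'localhost';
```

Note that CREATE USER without SUPER still lets the dba account create accounts, but it cannot grant privileges it does not hold itself, so the blast radius of that account is the grants listed above.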
  • Slide 20: Second rule: Audit the privs
    ● Look for who has Grant, File, Shutdown, Drop, Create User, Index (Create Index), Create Temporary Tables, Alter and Event
    ● Do you TRUST them?
    ● Are they worth a job/vacation/weekend/evening?
    ● Do you HAVE TO trust them?
    ● Triggers, logs, and backups can be your friend
    ● Set up replication accordingly
      – Time delay
      – Certain schemas/tables
    ● Paranoia is not necessarily bad
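The audit the slide asks for can be written as queries against the grant tables, using the mysql.user column names listed on the "what else is in there" slide. This is an added example, not from the original deck; it assumes MySQL 5.6 column layout (mysql.user still has a Password column and a nullable authentication_string) and SELECT on the mysql schema.

```sql
-- Added example (not from the original slides): privilege audit over
-- the MySQL 5.6 grant tables. Needs SELECT on the mysql schema.

-- 1. Accounts holding any of the privileges the slide singles out.
--    Anyone here can escalate (GRANT, CREATE USER), read or write files
--    on the server host (FILE), destroy data (DROP, ALTER), take the
--    service down (SHUTDOWN), or fill disks (CREATE TEMPORARY TABLES).
SELECT User, Host,
       Grant_priv, File_priv, Shutdown_priv, Drop_priv, Create_user_priv,
       Index_priv, Create_tmp_table_priv, Alter_priv, Event_priv,
       Super_priv, Process_priv
  FROM mysql.user
 WHERE 'Y' IN (Grant_priv, File_priv, Shutdown_priv, Drop_priv,
               Create_user_priv, Index_priv, Create_tmp_table_priv,
               Alter_priv, Event_priv, Super_priv, Process_priv)
 ORDER BY User, Host;

-- 2. Anonymous accounts (blank User) and accounts with no credential
--    at all. Either one should be an explicit decision, never a leftover.
SELECT User, Host,
       IF(User = '', 'anonymous', '') AS anon,
       IF(Password = '' AND COALESCE(authentication_string, '') = '',
          'no password', '') AS nopass
  FROM mysql.user
 WHERE User = ''
    OR (Password = '' AND COALESCE(authentication_string, '') = '');

-- 3. Accounts reachable from any host. A '%' host with GRANT OPTION is
--    root with a different spelling, so list those first.
SELECT User, Host, Grant_priv, Super_priv
  FROM mysql.user
 WHERE Host IN ('%', '')
 ORDER BY Grant_priv DESC, Super_priv DESC, User;

-- 4. Schema-level grants live in mysql.db, not mysql.user. A blank User
--    row there (the stock test/test_% grants) hands privileges to every
--    anonymous login.
SELECT Db, User, Host, Grant_priv, Drop_priv, Alter_priv
  FROM mysql.db
 WHERE User = '' OR 'Y' IN (Grant_priv, Drop_priv, Alter_priv)
 ORDER BY Db, User, Host;

-- 5. Column-level grants are easy to forget; list them so the audit
--    covers what the column-permissions slide set up.
SELECT Db, Table_name, Column_name, User, Host, Column_priv
  FROM mysql.columns_priv
 ORDER BY Db, Table_name, Column_name;
```

Run these on a schedule and diff the output against the last run; a new row in query 1 or 3 is the event the slide's "do you HAVE TO trust them" question is meant to catch.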
  • Slide 21: MySQL User Administration Tips & Tricks: Summary
  • Slide 22: MySQL Database Development Priorities
    ● Optimized for Web, Cloud-based, Embedded use cases
    ● Simplified, Pluggable architecture
      – Maintainability, more extensible
      – More NoSQL options (HTTP, JSON, JavaScript, etc.)
    ● Refactoring
      – Data Dictionary in InnoDB
      – Optimizer/Parser/Protocol
    ● InnoDB
      – Optimized for SSD
      – GIS
    ● Easy HA, Replication and Sharding
  • Slide 23: Learn More
    ● mysql.com
      – MySQL Products, Editions, Training, Consulting
      – TCO calculator
      – Customer use cases and success stories
    ● dev.mysql.com
      – Downloads, Documentation
      – Forums, PlanetMySQL
    ● eDelivery.oracle.com
      – Download and evaluate all MySQL products
  • Slide 24: New MySQL 5.6 Training: Learn MySQL From Oracle
    Learn about the world's most popular open-source database: oracle.com/education/mysql
    ● Expert-led training to help you install, configure, and administer MySQL 5.6.
    ● Extensive hands-on practices guide you through each concept
    ● Explore real-world problems and discover best practices as you work with the tools and techniques used by professional MySQL database administrators
    ● Content developed in collaboration with product engineering.
    ● Available in traditional or virtual classroom as well as self-study formats.
    ● Custom training solutions to match your organization's specific business needs
    ● Backed by Oracle University's 100% Satisfaction Program
  • Slide 25: MySQL Connect
    ● MySQL Engineers, Twitter, Percona, Google, Facebook, Tumblr, Paypal, Census Bureau, Ticketmaster, Amazon, Verizon, Codership and more presenting
    ● September 21st – 23rd, San Francisco Union Square Hotel
    ● Learn from the best
      – Customers
      – Tutorials on advanced subjects
  • Slide 26: MySQL Marinate! A great way to learn MySQL
    Virtual self-study of MySQL through the Boston MySQL Users Group (http://www.meetup.com/mysqlbos/)
    http://www.meetup.com/Virtual-Tech-Self-Study/events/84103332/
  • Slide 27: Questions?
    MySQL User Administration Tips & Tricks
    David.Stokes@Oracle.com
    @stoker
    slideshare.net/davestokes