A detailed presentation on the authorization, encryption and authentication security features in MySQL 8.0 by Vignesh Prabhu, Database Reliability Engineer, Mydbops.
Security Features in MySQL 8.0
1. Vignesh Prabhu S
Database Reliability Engineer
Mydbops
July 31st, 2021
MyWebinar Season#7
Security Features in MySQL 8.0
2. Interested in open source databases and Linux
Certified in MySQL 5.7
Certified in AWS Cloud Architect
Active learner
About Me
3. Services on top open source databases
Founded in 2016
50-member team
Assisted over 500 customers
AWS Partner and a PCI certified organisation
About Mydbops
8. A role is a named collection of privileges.
Effectively manages privileges across users.
Role creation / privilege syntax = user creation / privilege syntax
Role drop syntax = user drop syntax
User Roles
12. User Roles - Creation
Variables related to user roles:
mandatory_roles
activate_all_roles_on_login
Privilege required - ROLE_ADMIN
A role holding the SYSTEM_USER privilege can't be listed in the above variables.
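The role workflow from the two slides above, as an added example (not code from the presentation): the role and user names, the `appdb` schema and the network range are constructed for illustration.

```sql
-- Added example (not from the slides): managing privileges through roles in MySQL 8.0.
-- Role names, user name and the appdb schema are constructed for illustration.

-- A role is created, granted and dropped with the same syntax family as a user.
CREATE ROLE 'app_read', 'app_write';
GRANT SELECT ON appdb.* TO 'app_read';
GRANT INSERT, UPDATE, DELETE ON appdb.* TO 'app_write';

CREATE USER 'report_user'@'10.0.0.%' IDENTIFIED BY 'ChangeMe-Strong-Pass-1';
GRANT 'app_read' TO 'report_user'@'10.0.0.%';

-- A granted role is inactive until activated; make app_read active on every login.
SET DEFAULT ROLE 'app_read' TO 'report_user'@'10.0.0.%';

-- Variables from the slide (both dynamic, need ROLE_ADMIN):
-- activate every granted role at login instead of relying on SET DEFAULT ROLE ...
SET PERSIST activate_all_roles_on_login = ON;
-- ... and treat app_read as held by every account. A role that holds the
-- SYSTEM_USER privilege cannot be named here; the statement is rejected.
SET PERSIST mandatory_roles = 'app_read';

-- Verify what the account can actually do through its roles.
SHOW GRANTS FOR 'report_user'@'10.0.0.%' USING 'app_read';
SELECT FROM_USER, TO_USER, TO_HOST FROM mysql.role_edges;

-- Dropping a role uses the same syntax as dropping a user.
DROP ROLE 'app_write';
```

The `SET PERSIST` statements write the values to `mysqld-auto.cnf`, so they survive a restart without an edit to `my.cnf`; a plain `SET GLOBAL` applies them only until the server stops.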
16. Introduced from 8.0.14.
Encrypts the binary log and relay log.
Encryption at rest.
A keyring is needed.
Privilege needed - SUPER (or) BINLOG_ENCRYPTION_ADMIN
Master key - the encryption key used for the encrypted binlogs.
Master key can be rotated - binlog_rotate_encryption_master_key_at_startup / ALTER INSTANCE ROTATE BINLOG MASTER KEY
Binlog Encryption
17. Enabling encryption before the keyring is loaded:
Enable the keyring:
Apply the below variable in the config file
early-plugin-load=keyring_file.so
Enabling encryption after the keyring is loaded:
Binlog Encryption - Setup
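The setup sequence from slides 16 and 17, as an added example that is not part of the presentation. It assumes `early-plugin-load=keyring_file.so` is already in the config file, as the slide shows, and that the session has BINLOG_ENCRYPTION_ADMIN.

```sql
-- Added example (not from the slides): turning on binary log encryption.
-- Assumes keyring_file was loaded at startup through early-plugin-load=keyring_file.so.

-- 1. Confirm the keyring plugin is active; without it, setting binlog_encryption fails.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- 2. Enable encryption (BINLOG_ENCRYPTION_ADMIN or SUPER). The server rotates to a
--    new binary log file at once; files written before this point stay unencrypted.
SET PERSIST binlog_encryption = ON;

-- 3. The Encrypted column of SHOW BINARY LOGS shows which files are protected.
SHOW BINARY LOGS;

-- 4. Rotate the binary log master key on demand ...
ALTER INSTANCE ROTATE BINLOG MASTER KEY;
-- ... or on every restart. This variable is read-only at runtime, so it can only
--     be persisted for the next start.
SET PERSIST_ONLY binlog_rotate_encryption_master_key_at_startup = ON;

-- 5. Status check: binlog_encryption ON, and the current master key id is in the
--    keyring (the file pointed to by keyring_file_data).
SHOW GLOBAL VARIABLES LIKE 'binlog_encryption';
SHOW GLOBAL VARIABLES LIKE 'keyring_file_data';
```

Rotating the master key re-encrypts only the per-file keys stored in each binlog header, so old files remain readable by the server; files still protected by an older master key are cleaned up as they are purged.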
23. With the help of a running server (mysqlbinlog --read-from-remote-server)
Binary log Encryption - Decoding Encrypted Binlog
24. Decryption without the encryption key is not possible.
Pros -
More secure.
Ensures compliance.
Cons -
CPU resource usage.
Slave must be in the encrypted format.
Not easy to read.
Binary log Encryption - Pros & Cons
25. Prerequisites - a keyring is a must.
default_table_encryption - 8.0.16.
Privilege needed - TABLE_ENCRYPTION_ADMIN.
General tablespace & file-per-table tablespace.
MySQL schema encryption.
Tablespace Encryption
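The three scopes the slide lists (file-per-table, general tablespace, schema default) in one added example, not taken from the presentation. It assumes the keyring is loaded, an existing table `appdb.orders` to retro-fit, and constructed schema, table and tablespace names.

```sql
-- Added example (not from the slides): InnoDB tablespace encryption at each scope.
-- Assumes the keyring plugin is loaded; appdb, ts_secure and the tables are constructed,
-- and appdb.orders is assumed to exist already.

-- 8.0.16+: encrypt every new tablespace by default, and require TABLE_ENCRYPTION_ADMIN
-- to create or alter anything that deviates from that default.
SET PERSIST default_table_encryption = ON;
SET PERSIST table_encryption_privilege_check = ON;

-- Schema-level default: tables created in appdb inherit ENCRYPTION='Y'.
CREATE SCHEMA appdb DEFAULT ENCRYPTION = 'Y';

-- File-per-table tablespace: explicit at creation ...
CREATE TABLE appdb.customers (
  id  INT PRIMARY KEY,
  pan VARCHAR(16)
) ENCRYPTION = 'Y';
-- ... or retro-fitted; this rebuilds the .ibd file encrypted.
ALTER TABLE appdb.orders ENCRYPTION = 'Y';

-- General tablespace: encryption is a property of the tablespace, every table in it follows.
CREATE TABLESPACE ts_secure ADD DATAFILE 'ts_secure.ibd' ENCRYPTION = 'Y';
CREATE TABLE appdb.audit_log (
  id    BIGINT PRIMARY KEY,
  event JSON
) TABLESPACE ts_secure;

-- Verify: the ENCRYPTION column is Y for protected tablespaces.
SELECT NAME, ENCRYPTION
  FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
 WHERE NAME LIKE 'appdb/%' OR NAME = 'ts_secure';

-- Rotate the InnoDB master key: only the wrapped tablespace keys are rewritten,
-- the data pages are not re-encrypted.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```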
27. Introduced from 8.0.23.
By default, doublewrite buffer pages belonging to encrypted tablespaces are encrypted.
Encrypted using the respective tablespace key.
Doublewrite pages of unencrypted tablespaces remain unencrypted.
Doublewrite Encryption
31. Introduced from 8.0.14.
Minimal downtime to change a password.
Allows 2 passwords for a single user:
Primary
Secondary
Privilege - APPLICATION_PASSWORD_ADMIN
Dual Password
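The password rotation the slide describes, as an added example rather than code from the presentation; the account name and password values are constructed.

```sql
-- Added example (not from the slides): rotating an application account's password
-- without a window where clients fail to authenticate.
-- Needs APPLICATION_PASSWORD_ADMIN (or CREATE USER). Account and passwords are constructed.

-- Step 1: set the new password as the primary and keep the old one as the secondary.
ALTER USER 'app'@'%' IDENTIFIED BY 'NewPass-2021-07' RETAIN CURRENT PASSWORD;
-- From here both passwords authenticate, so application nodes can be updated one by one.

-- The secondary password hash is kept in the User_attributes JSON of mysql.user.
SELECT User, Host, User_attributes
  FROM mysql.user
 WHERE User = 'app';

-- Step 2: once every client uses the new password, drop the old one.
ALTER USER 'app'@'%' DISCARD OLD PASSWORD;
```

Temporary account locking (next slides) counts failed attempts against either password, which is the "same rules" point made there.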
38. Introduced in 8.0.19.
Locks the account after consecutive failed login attempts.
Default - 0
ALTER USER keeps the same configuration as before unless the locking options are given again.
Same rules apply while dual passwords are in use.
Temporary Account Locking
40. Global reset:
FLUSH PRIVILEGES
Server restart
--skip-grant-tables
Per-account reset:
Unlock the account (ALTER USER ... ACCOUNT UNLOCK)
Temporary Account Locking - Account Reset
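Configuration and reset for temporary account locking (slides 38 and 40) in one added example that is not part of the presentation; the account name, host range and threshold values are constructed.

```sql
-- Added example (not from the slides): temporary account locking and its reset paths.
-- Account name, host range and limits are constructed for illustration.

-- Lock the account for 2 days after 3 consecutive failed logins.
CREATE USER 'batch'@'10.0.0.%' IDENTIFIED BY 'Batch-Strong-Pass-1'
  FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 2;

-- UNBOUNDED keeps the lock until an administrator unlocks it.
ALTER USER 'batch'@'10.0.0.%' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME UNBOUNDED;

-- An ALTER USER that omits the locking clauses leaves the current values in place.
ALTER USER 'batch'@'10.0.0.%' IDENTIFIED BY 'Batch-Strong-Pass-2';

-- Inspect the policy: it lives under the Password_locking key of User_attributes.
SELECT User, Host, User_attributes->'$.Password_locking' AS lock_policy
  FROM mysql.user
 WHERE User = 'batch';

-- Per-account reset: unlocking also clears the failed-login counter.
ALTER USER 'batch'@'10.0.0.%' ACCOUNT UNLOCK;

-- Global reset: clears the counters for every account
-- (a server restart or starting with --skip-grant-tables has the same effect).
FLUSH PRIVILEGES;
```

Because FLUSH PRIVILEGES resets every counter, a routine that flushes privileges after each grant change also resets lock-out progress for accounts under attack; the per-account unlock is the more precise tool.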
41. Connection-Control plugin.
Based on the user/host combination.
Adds a delay that grows with each failure.
Slows down brute-force attacks.
Adds a delay of 1000 ms (1 s) per failed connection.
The library has 2 plugins:
CONNECTION_CONTROL - checks incoming connections and adds the delay
CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS - monitoring
(information_schema table)
Connection Control
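Installing both plugins and reading the monitoring table, as an added example that is not code from the presentation; the threshold and delay values are constructed choices, the variable and table names are the plugin's own.

```sql
-- Added example (not from the slides): installing and tuning the connection-control plugins.
-- Threshold and delay values are constructed choices.

INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';

-- Start delaying after 3 consecutive failures for a user/host pair; each further
-- failure lengthens the delay, from the minimum (1000 ms) up to the maximum.
SET GLOBAL connection_control_failed_connections_threshold = 3;
SET GLOBAL connection_control_min_connection_delay = 1000;    -- milliseconds
SET GLOBAL connection_control_max_connection_delay = 60000;   -- cap at 60 s

-- Monitoring plugin: failure counts per user/host ...
SELECT USERHOST, FAILED_ATTEMPTS
  FROM INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
 ORDER BY FAILED_ATTEMPTS DESC;

-- ... and the number of delayed connection attempts the server has generated so far.
SHOW GLOBAL STATUS LIKE 'Connection_control_delay_generated';
```

The counter for a user/host pair returns to zero on the next successful login, so a high FAILED_ATTEMPTS value that keeps climbing is worth alerting on; put the three variables in the server config file as well, since SET GLOBAL does not survive a restart.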
45. Caching is done as follows:
First access - mysql.user (system table)
Subsequent access - in-memory cache (matching entries)
Clearing the cache - sha2_cache_cleaner
FLUSH PRIVILEGES
User renamed / dropped
Server restart
caching_sha2_password - Process Behind
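The cache-clearing events listed above, as an added example that is not part of the presentation; the account names are constructed.

```sql
-- Added example (not from the slides): caching_sha2_password accounts and the
-- statements that invalidate the in-memory authentication cache. Names are constructed.

-- Which accounts use the 8.0 default plugin (and which still use mysql_native_password)?
SELECT User, Host, plugin FROM mysql.user ORDER BY plugin, User;

CREATE USER 'svc'@'%' IDENTIFIED WITH caching_sha2_password BY 'Svc-Strong-Pass-1';
-- Accounts carried over from 5.7 can be moved to the new plugin in place.
ALTER USER 'legacy'@'%' IDENTIFIED WITH caching_sha2_password BY 'Legacy-Strong-Pass-1';

-- The sha2_cache_cleaner audit plugin is loaded automatically and empties cache entries on:
SHOW PLUGINS;                                  -- look for sha2_cache_cleaner (Type AUDIT)
FLUSH PRIVILEGES;                              -- whole cache
RENAME USER 'svc'@'%' TO 'svc2'@'%';           -- that account's entry
DROP USER 'svc2'@'%';                          -- that account's entry

-- After a clear, the next login falls back to the full exchange, which needs TLS or the
-- server's RSA key pair; the server publishes the key for clients that lack TLS.
SHOW STATUS LIKE 'Caching_sha2_password_rsa_public_key';
```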
47. Feature comparison (Y = available, - = not available)

Feature                          MySQL 8.0   MySQL 5.7   MySQL 5.6
Binlog Encryption                Y           -           -
Undo / Redo Encryption           Y           -           -
Roles                            Y           -           -
Default Encryption               Y           -           -
Doublewrite Encryption           Y           -           -
Connection Control Plugin        Y           Y           Y
TDE                              Y           Y           -
MySQL Keyring                    Y           Y           -
Password Validation Plugin       Y           Y           Y
Caching SHA-256 Authentication   Y           Y           Y
Cleartext Plugin                 Y           Y           Y
PAM Authentication               Y           Y           Y
SHA-256 Pluggable Authentication Y           Y           Y
MySQL 8.0 > MySQL 5.7 > MySQL 5.6