Security in MySQL

Abstract

This is the MySQL Security Guide extract from the MySQL 8.0 Reference Manual.

For legal information, see the Legal Notices.

For help with using MySQL, please visit the MySQL Forums, where you can discuss your issues with other MySQL users.

Document generated on: 2024-11-19 (revision: 80261)


Table of Contents

Preface and Legal Notices
1 Security
2 General Security Issues
2.1 Security Guidelines
2.2 Keeping Passwords Secure
2.2.1 End-User Guidelines for Password Security
2.2.2 Administrator Guidelines for Password Security
2.2.3 Passwords and Logging
2.3 Making MySQL Secure Against Attackers
2.4 Security-Related mysqld Options and Variables
2.5 How to Run MySQL as a Normal User
2.6 Security Considerations for LOAD DATA LOCAL
2.7 Client Programming Security Guidelines
3 Postinstallation Setup and Testing
3.1 Initializing the Data Directory
3.2 Starting the Server
3.2.1 Troubleshooting Problems Starting the MySQL Server
3.3 Testing the Server
3.4 Securing the Initial MySQL Account
3.5 Starting and Stopping MySQL Automatically
4 Access Control and Account Management
4.1 Account User Names and Passwords
4.2 Privileges Provided by MySQL
4.3 Grant Tables
4.4 Specifying Account Names
4.5 Specifying Role Names
4.6 Access Control, Stage 1: Connection Verification
4.7 Access Control, Stage 2: Request Verification
4.8 Adding Accounts, Assigning Privileges, and Dropping Accounts
4.9 Reserved Accounts
4.10 Using Roles
4.11 Account Categories
4.12 Privilege Restriction Using Partial Revokes
4.13 When Privilege Changes Take Effect
4.14 Assigning Account Passwords
4.15 Password Management
4.16 Server Handling of Expired Passwords
4.17 Pluggable Authentication
4.18 Multifactor Authentication
4.19 Proxy Users
4.20 Account Locking
4.21 Setting Account Resource Limits
4.22 Troubleshooting Problems Connecting to MySQL
4.23 SQL-Based Account Activity Auditing
5 Using Encrypted Connections
5.1 Configuring MySQL to Use Encrypted Connections
5.2 Encrypted Connection TLS Protocols and Ciphers
5.3 Creating SSL and RSA Certificates and Keys
5.3.1 Creating SSL and RSA Certificates and Keys using MySQL
5.3.2 Creating SSL Certificates and Keys Using openssl
5.3.3 Creating RSA Keys Using openssl
5.4 Connecting to MySQL Remotely from Windows with SSH
5.5 Reusing SSL Sessions
6 Security Components and Plugins
6.1 Authentication Plugins
6.1.1 Native Pluggable Authentication
6.1.2 Caching SHA-2 Pluggable Authentication
6.1.3 SHA-256 Pluggable Authentication
6.1.4 Client-Side Cleartext Pluggable Authentication
6.1.5 PAM Pluggable Authentication
6.1.6 Windows Pluggable Authentication
6.1.7 LDAP Pluggable Authentication
6.1.8 Kerberos Pluggable Authentication
6.1.9 No-Login Pluggable Authentication
6.1.10 Socket Peer-Credential Pluggable Authentication
6.1.11 FIDO Pluggable Authentication
6.1.12 Test Pluggable Authentication
6.1.13 Pluggable Authentication System Variables
6.2 The Connection-Control Plugins
6.2.1 Connection-Control Plugin Installation
6.2.2 Connection-Control System and Status Variables
6.3 The Password Validation Component
6.3.1 Password Validation Component Installation and Uninstallation
6.3.2 Password Validation Options and Variables
6.3.3 Transitioning to the Password Validation Component
6.4 The MySQL Keyring
6.4.1 Keyring Components Versus Keyring Plugins
6.4.2 Keyring Component Installation
6.4.3 Keyring Plugin Installation
6.4.4 Using the component_keyring_file File-Based Keyring Component
6.4.5 Using the component_keyring_encrypted_file Encrypted File-Based Keyring Component
6.4.6 Using the keyring_file File-Based Keyring Plugin
6.4.7 Using the keyring_encrypted_file Encrypted File-Based Keyring Plugin
6.4.8 Using the keyring_okv KMIP Plugin
6.4.9 Using the keyring_aws Amazon Web Services Keyring Plugin
6.4.10 Using the HashiCorp Vault Keyring Plugin
6.4.11 Using the Oracle Cloud Infrastructure Vault Keyring Component
6.4.12 Using the Oracle Cloud Infrastructure Vault Keyring Plugin
6.4.13 Supported Keyring Key Types and Lengths
6.4.14 Migrating Keys Between Keyring Keystores
6.4.15 General-Purpose Keyring Key-Management Functions
6.4.16 Plugin-Specific Keyring Key-Management Functions
6.4.17 Keyring Metadata
6.4.18 Keyring Command Options
6.4.19 Keyring System Variables
6.5 MySQL Enterprise Audit
6.5.1 Elements of MySQL Enterprise Audit
6.5.2 Installing or Uninstalling MySQL Enterprise Audit
6.5.3 MySQL Enterprise Audit Security Considerations
6.5.4 Audit Log File Formats
6.5.5 Configuring Audit Logging Characteristics
6.5.6 Reading Audit Log Files
6.5.7 Audit Log Filtering
6.5.8 Writing Audit Log Filter Definitions
6.5.9 Disabling Audit Logging
6.5.10 Legacy Mode Audit Log Filtering
6.5.11 Audit Log Reference
6.5.12 Audit Log Restrictions
6.6 The Audit Message Component
6.7 MySQL Enterprise Firewall
6.7.1 Elements of MySQL Enterprise Firewall
6.7.2 Installing or Uninstalling MySQL Enterprise Firewall
6.7.3 Using MySQL Enterprise Firewall
6.7.4 MySQL Enterprise Firewall Reference
A MySQL 8.0 FAQ: Security