MySQL Enterprise Firewall is based on a plugin library that includes these elements:
A server-side plugin named
MYSQL_FIREWALL
examines SQL statements before they execute and, based on the registered firewall profiles, renders a decision whether to execute or reject each statement.The
MYSQL_FIREWALL
plugin, along with server-side plugins namedMYSQL_FIREWALL_USERS
andMYSQL_FIREWALL_WHITELIST
implement Performance Schema andINFORMATION_SCHEMA
tables that provide views into the registered profiles.Profiles are cached in memory for better performance. Tables in the
mysql
system database provide backing storage of firewall data for persistence of profiles across server restarts.Stored procedures perform tasks such as registering firewall profiles, establishing their operational mode, and managing transfer of firewall data between the cache and persistent storage.
Administrative functions provide an API for lower-level tasks such as synchronizing the cache with persistent storage.
System variables enable firewall configuration and status variables provide runtime operational information.
The
FIREWALL_ADMIN
andFIREWALL_USER
privileges enable users to administer firewall rules for any user, and their own firewall rules, respectively.The
FIREWALL_EXEMPT
privilege (available as of MySQL 8.0.27) exempts a user from firewall restrictions. This is useful, for example, for any database administrator who configures the firewall, to avoid the possibility of a misconfiguration causing even the administrator to be locked out and unable to execute statements.