Documentation Home
Security in MySQL
Related Documentation Download this Excerpt
PDF (US Ltr) - 2.3Mb
PDF (A4) - 2.3Mb


Security in MySQL  /  ...  /  Elements of MySQL Enterprise Firewall

6.7.1 Elements of MySQL Enterprise Firewall

MySQL Enterprise Firewall is based on a plugin library that includes these elements:

  • A server-side plugin named MYSQL_FIREWALL examines SQL statements before they execute and, based on the registered firewall profiles, renders a decision whether to execute or reject each statement.

  • The MYSQL_FIREWALL plugin, along with server-side plugins named MYSQL_FIREWALL_USERS and MYSQL_FIREWALL_WHITELIST implement Performance Schema and INFORMATION_SCHEMA tables that provide views into the registered profiles.

  • Profiles are cached in memory for better performance. Tables in the mysql system database provide backing storage of firewall data for persistence of profiles across server restarts.

  • Stored procedures perform tasks such as registering firewall profiles, establishing their operational mode, and managing transfer of firewall data between the cache and persistent storage.

  • Administrative functions provide an API for lower-level tasks such as synchronizing the cache with persistent storage.

  • System variables enable firewall configuration and status variables provide runtime operational information.

  • The FIREWALL_ADMIN and FIREWALL_USER privileges enable users to administer firewall rules for any user, and their own firewall rules, respectively.

  • The FIREWALL_EXEMPT privilege (available as of MySQL 8.0.27) exempts a user from firewall restrictions. This is useful, for example, for any database administrator who configures the firewall, to avoid the possibility of a misconfiguration causing even the administrator to be locked out and unable to execute statements.