Documentation Home
Security in MySQL
Related Documentation Download this Excerpt
PDF (US Ltr) - 2.0Mb
PDF (A4) - 2.0Mb
HTML Download (TGZ) - 423.7Kb
HTML Download (Zip) - 430.9Kb


Security in MySQL  /  ...  /  MySQL Enterprise Firewall Reference

6.7.4 MySQL Enterprise Firewall Reference

The following sections provide a reference to MySQL Enterprise Firewall elements:

MySQL Enterprise Firewall Tables

MySQL Enterprise Firewall maintains per-account allowlist information using tables in the mysql system database for persistent storage and INFORMATION_SCHEMA tables to provide views into in-memory cached data. When enabled, the firewall bases operational decisions on the cached data.

Each mysql system database table is accessible only by accounts that have the SELECT privilege for it. The INFORMATION_SCHEMA tables are accessible by anyone.

The mysql.firewall_users table lists registered firewall accounts and their operational modes. The table has the following columns (with the corresponding INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS table having similar but not necessarily identical columns):

  • USERHOST

    An account registered with the firewall. Each account has the format user_name@host_name.

  • MODE

    The current firewall operational mode for the account. Permitted mode values are OFF, DETECTING, PROTECTING, RECORDING, and RESET. For details about their meanings, see Firewall Operational Concepts.

The mysql.firewall_whitelist table associates registered firewall accounts and their allowlist rules. The table has the following columns (with the corresponding INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST table having similar but not necessarily identical columns):

  • USERHOST

    An account registered with the firewall. Each account has the format user_name@host_name.

  • RULE

    A normalized statement indicating an acceptable statement pattern for the account. An account allowlist is the union of its rules.

  • ID

    An integer column that is a primary key for the table. This column was added in MySQL 8.0.12.

MySQL Enterprise Firewall Stored Procedures

MySQL Enterprise Firewall stored procedures perform tasks such as registering MySQL accounts with the firewall, establishing their operational mode, and managing transfer of firewall data between the cache and persistent storage. These procedures invoke user-defined functions (UDFs) that provide an SQL-level API for lower-level tasks.

To invoke a firewall stored procedure when the default database is not the mysql system database that contains the procedure, qualify the procedure name with the database name. For example:

CALL mysql.sp_set_firewall_mode(user, mode);

The following list describes each firewall stored procedure:

  • sp_reload_firewall_rules(user)

    This stored procedure provides control over firewall operation for individual accounts. The procedure uses firewall UDFs to reload the in-memory rules for an account from the rules stored in the mysql.firewall_whitelist table.

    Arguments:

    • user: The affected account, as a string in user_name@host_name format.

    Example:

    CALL mysql.sp_reload_firewall_rules('fwuser@localhost');
    Warning

    This procedure clears the account in-memory allowlist rules before reloading them from persistent storage, and sets the account mode to OFF. If the account mode was not OFF prior to the sp_reload_firewall_rules() call, use sp_set_firewall_mode() to restore its previous mode after reloading the rules. For example, if the account was in PROTECTING mode, that is no longer true after calling sp_reload_firewall_rules() and you must set it to PROTECTING again explicitly.

  • sp_set_firewall_mode(user, mode)

    This stored procedure establishes the operational mode for a firewall account, after registering the account with the firewall if it was not already registered. The procedure also invokes firewall UDFs as necessary to transfer firewall data between the cache and persistent storage. This procedure may be called even if the mysql_firewall_mode system variable is OFF, although setting the mode for an account has no operational effect until the firewall is enabled.

    Arguments:

    • user: The affected account, as a string in user_name@host_name format.

    • mode: The operational mode for the account, as a string. Permitted mode values are OFF, DETECTING, PROTECTING, RECORDING, and RESET. For details about their meanings, see Firewall Operational Concepts.

    Switching an account to any mode but RECORDING synchronizes its firewall cache data to the mysql system database tables that provide persistent underlying storage. Switching the mode from OFF to RECORDING reloads the allowlist from the mysql.firewall_whitelist table into the cache.

    If an account has an empty allowlist, its mode cannot be set to PROTECTING because the firewall would reject every statement, effectively prohibiting the account from executing statements. In response to such a mode-setting attempt, the firewall produces a diagnostic message that is returned as a result set rather than as an SQL error:

    mysql> CALL mysql.sp_set_firewall_mode('a@b','PROTECTING');
    +----------------------------------------------------------------------+
    | set_firewall_mode(arg_userhost, arg_mode)                            |
    +----------------------------------------------------------------------+
    | ERROR: PROTECTING mode requested for a@b but the whitelist is empty. |
    +----------------------------------------------------------------------+

MySQL Enterprise Firewall User-Defined Functions

MySQL Enterprise Firewall user-defined functions (UDFs) provide an SQL-level API for lower-level tasks such as synchronizing the cache with the underlying system tables. Under normal operation, these UDFs are invoked by the stored procedures, not directly by users.

Firewall Account-Management User-Defined Functions

These UDFs perform per-account firewall-management operations:

  • read_firewall_users(user, mode)

    This aggregate UDF updates the firewall account cache through a SELECT statement on the mysql.firewall_users table. It requires the FIREWALL_ADMIN privilege or the deprecated SUPER privilege.

    Example:

    SELECT read_firewall_users('fwuser@localhost', 'RECORDING')
    FROM mysql.firewall_users;
  • read_firewall_whitelist(user, rule)

    This aggregate UDF updates the recorded-statement cache for the named account through a SELECT statement on the mysql.firewall_whitelist table. It requires the FIREWALL_ADMIN privilege or the deprecated SUPER privilege.

    Example:

    SELECT read_firewall_whitelist('fwuser@localhost', fw.rule)
    FROM mysql.firewall_whitelist AS fw
    WHERE USERHOST = 'fwuser@localhost';
  • set_firewall_mode(user, mode)

    This UDF manages the account cache and establishes the account operational mode. It requires the FIREWALL_ADMIN privilege or the deprecated SUPER privilege.

    Example:

    SELECT set_firewall_mode('fwuser@localhost', 'RECORDING');
Firewall Miscellaneous User-Defined Functions

These UDFs perform miscellaneous firewall operations:

MySQL Enterprise Firewall System Variables

MySQL Enterprise Firewall supports the following system variables. Use them to configure firewall operation. These variables are unavailable unless the firewall is installed (see Section 6.7.2, “Installing or Uninstalling MySQL Enterprise Firewall”).

  • mysql_firewall_mode

    Command-Line Format --mysql-firewall-mode[={OFF|ON}]
    Introduced 8.0.11
    System Variable mysql_firewall_mode
    Scope Global
    Dynamic Yes
    SET_VAR Hint Applies No
    Type Boolean
    Default Value ON

    Whether MySQL Enterprise Firewall is enabled (the default) or disabled.

  • mysql_firewall_trace

    Command-Line Format --mysql-firewall-trace[={OFF|ON}]
    Introduced 8.0.11
    System Variable mysql_firewall_trace
    Scope Global
    Dynamic Yes
    SET_VAR Hint Applies No
    Type Boolean
    Default Value OFF

    Whether the MySQL Enterprise Firewall trace is enabled or disabled (the default). When mysql_firewall_trace is enabled, for PROTECTING mode, the firewall writes rejected statements to the error log.

MySQL Enterprise Firewall Status Variables

MySQL Enterprise Firewall supports the following status variables. Use them to obtain information about firewall operational status. These variables are unavailable unless the firewall is installed (see Section 6.7.2, “Installing or Uninstalling MySQL Enterprise Firewall”). Firewall status variables are set to 0 whenever the MYSQL_FIREWALL plugin is installed or the server is started. Many of them are reset to zero by the mysql_firewall_flush_status() UDF (see MySQL Enterprise Firewall User-Defined Functions).