MySQL 8.0 Reference Manual
MySQL 8.0 Release Notes
Abstract
This is the MySQL Security Guide extract from the MySQL 8.0 Reference Manual.
For legal information, see the Legal Notices.
For help with using MySQL, please visit the MySQL Forums, where you can discuss your issues with other MySQL users.
Document generated on: 2024-12-12 (revision: 80467)
Table of Contents
- Preface and Legal Notices
- 1 Security
- 2 General Security Issues
- 3 Postinstallation Setup and Testing
- 4 Access Control and Account Management
- 4.1 Account User Names and Passwords
- 4.2 Privileges Provided by MySQL
- 4.3 Grant Tables
- 4.4 Specifying Account Names
- 4.5 Specifying Role Names
- 4.6 Access Control, Stage 1: Connection Verification
- 4.7 Access Control, Stage 2: Request Verification
- 4.8 Adding Accounts, Assigning Privileges, and Dropping Accounts
- 4.9 Reserved Accounts
- 4.10 Using Roles
- 4.11 Account Categories
- 4.12 Privilege Restriction Using Partial Revokes
- 4.13 When Privilege Changes Take Effect
- 4.14 Assigning Account Passwords
- 4.15 Password Management
- 4.16 Server Handling of Expired Passwords
- 4.17 Pluggable Authentication
- 4.18 Multifactor Authentication
- 4.19 Proxy Users
- 4.20 Account Locking
- 4.21 Setting Account Resource Limits
- 4.22 Troubleshooting Problems Connecting to MySQL
- 4.23 SQL-Based Account Activity Auditing
- 5 Using Encrypted Connections
- 6 Security Components and Plugins
- 6.1 Authentication Plugins
- 6.1.1 Native Pluggable Authentication
- 6.1.2 Caching SHA-2 Pluggable Authentication
- 6.1.3 SHA-256 Pluggable Authentication
- 6.1.4 Client-Side Cleartext Pluggable Authentication
- 6.1.5 PAM Pluggable Authentication
- 6.1.6 Windows Pluggable Authentication
- 6.1.7 LDAP Pluggable Authentication
- 6.1.8 Kerberos Pluggable Authentication
- 6.1.9 No-Login Pluggable Authentication
- 6.1.10 Socket Peer-Credential Pluggable Authentication
- 6.1.11 FIDO Pluggable Authentication
- 6.1.12 Test Pluggable Authentication
- 6.1.13 Pluggable Authentication System Variables
- 6.2 The Connection-Control Plugins
- 6.3 The Password Validation Component
- 6.4 The MySQL Keyring
- 6.4.1 Keyring Components Versus Keyring Plugins
- 6.4.2 Keyring Component Installation
- 6.4.3 Keyring Plugin Installation
- 6.4.4 Using the component_keyring_file File-Based Keyring Component
- 6.4.5 Using the component_keyring_encrypted_file Encrypted File-Based Keyring Component
- 6.4.6 Using the keyring_file File-Based Keyring Plugin
- 6.4.7 Using the keyring_encrypted_file Encrypted File-Based Keyring Plugin
- 6.4.8 Using the keyring_okv KMIP Plugin
- 6.4.9 Using the keyring_aws Amazon Web Services Keyring Plugin
- 6.4.10 Using the HashiCorp Vault Keyring Plugin
- 6.4.11 Using the Oracle Cloud Infrastructure Vault Keyring Component
- 6.4.12 Using the Oracle Cloud Infrastructure Vault Keyring Plugin
- 6.4.13 Supported Keyring Key Types and Lengths
- 6.4.14 Migrating Keys Between Keyring Keystores
- 6.4.15 General-Purpose Keyring Key-Management Functions
- 6.4.16 Plugin-Specific Keyring Key-Management Functions
- 6.4.17 Keyring Metadata
- 6.4.18 Keyring Command Options
- 6.4.19 Keyring System Variables
- 6.5 MySQL Enterprise Audit
- 6.5.1 Elements of MySQL Enterprise Audit
- 6.5.2 Installing or Uninstalling MySQL Enterprise Audit
- 6.5.3 MySQL Enterprise Audit Security Considerations
- 6.5.4 Audit Log File Formats
- 6.5.5 Configuring Audit Logging Characteristics
- 6.5.6 Reading Audit Log Files
- 6.5.7 Audit Log Filtering
- 6.5.8 Writing Audit Log Filter Definitions
- 6.5.9 Disabling Audit Logging
- 6.5.10 Legacy Mode Audit Log Filtering
- 6.5.11 Audit Log Reference
- 6.5.12 Audit Log Restrictions
- 6.6 The Audit Message Component
- 6.7 MySQL Enterprise Firewall
- A MySQL 8.0 FAQ: Security