
Chapter 6 Security Components and Plugins

Table of Contents

6.1 Authentication Plugins
6.1.1 Native Pluggable Authentication
6.1.2 Caching SHA-2 Pluggable Authentication
6.1.3 SHA-256 Pluggable Authentication
6.1.4 Client-Side Cleartext Pluggable Authentication
6.1.5 PAM Pluggable Authentication
6.1.6 Windows Pluggable Authentication
6.1.7 LDAP Pluggable Authentication
6.1.8 Kerberos Pluggable Authentication
6.1.9 No-Login Pluggable Authentication
6.1.10 Socket Peer-Credential Pluggable Authentication
6.1.11 FIDO Pluggable Authentication
6.1.12 Test Pluggable Authentication
6.1.13 Pluggable Authentication System Variables
6.2 The Connection-Control Plugins
6.2.1 Connection-Control Plugin Installation
6.2.2 Connection-Control System and Status Variables
6.3 The Password Validation Component
6.3.1 Password Validation Component Installation and Uninstallation
6.3.2 Password Validation Options and Variables
6.3.3 Transitioning to the Password Validation Component
6.4 The MySQL Keyring
6.4.1 Keyring Components Versus Keyring Plugins
6.4.2 Keyring Component Installation
6.4.3 Keyring Plugin Installation
6.4.4 Using the component_keyring_file File-Based Keyring Component
6.4.5 Using the component_keyring_encrypted_file Encrypted File-Based Keyring Component
6.4.6 Using the keyring_file File-Based Keyring Plugin
6.4.7 Using the keyring_encrypted_file Encrypted File-Based Keyring Plugin
6.4.8 Using the keyring_okv KMIP Plugin
6.4.9 Using the keyring_aws Amazon Web Services Keyring Plugin
6.4.10 Using the HashiCorp Vault Keyring Plugin
6.4.11 Using the Oracle Cloud Infrastructure Vault Keyring Component
6.4.12 Using the Oracle Cloud Infrastructure Vault Keyring Plugin
6.4.13 Supported Keyring Key Types and Lengths
6.4.14 Migrating Keys Between Keyring Keystores
6.4.15 General-Purpose Keyring Key-Management Functions
6.4.16 Plugin-Specific Keyring Key-Management Functions
6.4.17 Keyring Metadata
6.4.18 Keyring Command Options
6.4.19 Keyring System Variables
6.5 MySQL Enterprise Audit
6.5.1 Elements of MySQL Enterprise Audit
6.5.2 Installing or Uninstalling MySQL Enterprise Audit
6.5.3 MySQL Enterprise Audit Security Considerations
6.5.4 Audit Log File Formats
6.5.5 Configuring Audit Logging Characteristics
6.5.6 Reading Audit Log Files
6.5.7 Audit Log Filtering
6.5.8 Writing Audit Log Filter Definitions
6.5.9 Disabling Audit Logging
6.5.10 Legacy Mode Audit Log Filtering
6.5.11 Audit Log Reference
6.5.12 Audit Log Restrictions
6.6 The Audit Message Component
6.7 MySQL Enterprise Firewall
6.7.1 Elements of MySQL Enterprise Firewall
6.7.2 Installing or Uninstalling MySQL Enterprise Firewall
6.7.3 Using MySQL Enterprise Firewall
6.7.4 MySQL Enterprise Firewall Reference

MySQL includes several components and plugins that implement security features:

  • Plugins for authenticating attempts by clients to connect to MySQL Server. Plugins are available for several authentication protocols. For general discussion of the authentication process, see Section 4.17, “Pluggable Authentication”. For characteristics of specific authentication plugins, see Section 6.1, “Authentication Plugins”.

  • A password-validation component for implementing password strength policies and assessing the strength of potential passwords. See Section 6.3, “The Password Validation Component”.

  • Keyring plugins that provide secure storage for sensitive information. See Section 6.4, “The MySQL Keyring”.

  • (MySQL Enterprise Edition only) MySQL Enterprise Audit, implemented using a server plugin, uses the open MySQL Audit API to enable standard, policy-based monitoring and logging of connection and query activity executed on specific MySQL servers. Designed to meet the Oracle audit specification, MySQL Enterprise Audit provides an out-of-the-box, easy-to-use auditing and compliance solution for applications that are governed by both internal and external regulatory guidelines. See Section 6.5, “MySQL Enterprise Audit”.

  • A function that enables applications to add their own message events to the audit log. See Section 6.6, “The Audit Message Component”.

  • (MySQL Enterprise Edition only) MySQL Enterprise Firewall, an application-level firewall that enables database administrators to permit or deny SQL statement execution based on matching against lists of accepted statement patterns. This helps harden MySQL Server against attacks such as SQL injection or attempts to exploit applications by using them outside of their legitimate query workload characteristics. See Section 6.7, “MySQL Enterprise Firewall”.

  • (MySQL Enterprise Edition only) MySQL Enterprise Data Masking and De-Identification, implemented as a plugin library containing a plugin and a set of functions. Data masking hides sensitive information by replacing real values with substitutes. MySQL Enterprise Data Masking and De-Identification functions enable masking existing data using several methods such as obfuscation (removing identifying characteristics), generation of formatted random data, and data replacement or substitution. See MySQL Enterprise Data Masking and De-Identification.