Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

MySQL 8.0: Secure your replication deployment

P
Pedro Figueiredo

This document discusses securing MySQL replication deployments. It outlines several solutions to enforce data protection rules on a slave database in a replication setup. The solutions discussed include: 1) replicating over secure channels using the latest TLS version, 2) encrypting binary and relay logs at rest, 3) only allowing row-based events in the replication stream, 4) normalizing primary key requirements, and 5) running the slave applier thread with privilege checks. The goal is to allow the slave to impose rules on the replicated data from multiple masters to ensure sensitive data and changes are handled securely.

1 of 18
Software Engineer MySQL, Replication February 02, 2020 Pedro Figueiredo Secure your MySQL Replication deployment
2 © 2020 Oracle The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation. Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and prospects are “forward-looking statements” and are subject to material risks and uncertainties. A detailed discussion of these factors and other risks that afect our business is contained in Oracle’s Securities and Exchange Commission (SEC) flings, including our most recent reports on Form 10-K and Form 10-Q under the heading “Risk Factors.” These flings are available on the SEC’s website or on Oracle’s website at htp:/p/pwww.oracle.com/pinvestor. All information in this presentation is current as of September 2019 and Oracle undertakes no duty to update any statement in light of new information or future events. Safe harbor statement
3 © 2020 Oracle 3 2 1 Any questions? So, what’s the solution? Agenda What is the problem we’re trying to solve?
4 © 2020 Oracle 3 2 1 Any questions? So, what’s the solution? Agenda What is the problem we’re trying to solve?
5 © 2020 Oracle Slave blindly follows the Master Tell me what to do, I’ll do it! Master Slave mysql> CHANGE MASTER TO … FOR CHANNEL “m1”;
6 © 2020 Oracle In Multi-Source-Replication a Slave may follow several Masters Slave M2 M1 M3 Tell me what to do, I’ll do it! mysql> CHANGE MASTER TO … FOR CHANNEL “m1”; mysql> CHANGE MASTER TO … FOR CHANNEL “m2”; mysql> CHANGE MASTER TO … FOR CHANNEL “m3”; Commonly used for: ● data consolidation ● data aggregation
7 © 2020 Oracle What if the Slave needs to impose some rules about replicated data? Slave M2 M1 M3 I want your data but I have some rules I need you to follow Data protection boundary
8 © 2020 Oracle What are the requirements to allow the Slave to enforce data protection We can’t trust that by some reason one of the masters won’t: • Replicate sensitive data that it should not. • Replicate statements that will change data in ways that it should not. • Replicate statements that will change database structure in ways that it should not. So we need to ensure that, independently of the Master confguration: • All data being replicated is encrypted • All data that touches the disk is encrypted • DML and DDL statement level privileges are enforced • No clashing global variable values for distinct masters
9 © 2020 Oracle 3 2 1 Any questions? So, what’s the solution? Agenda What is the problem we’re trying to solve
10 © 2020 Oracle 1) Replicate using secure channels and the latest supported versions mysql> STOP SLAVE FOR CHANNEL “m1”; mysql> CHANGE MASTER TO master_ssl = 1, master_tls_version = “TLSv1.3” FOR CHANNEL “m1”; mysql> START SLAVE FOR CHANNEL “m1”; mysql> USE performance_schema; mysql> SELECT channel_name,ssl_allowed,tls_version FROM replication_connection_configuration; +--------------+-------------+-------------+ | channel_name | ssl_allowed | tls_version | +--------------+-------------+-------------+ | m1 | YES | TLSv1.3 | +--------------+-------------+-------------+ 1 row in set (0.0403 sec)
11 © 2020 Oracle 2) Always activate binary and relay log encryption at rest $ mysqld … --binlog-encryption=ON --early-plugin-load=keyring_file.so --keyring_file_data=${data_dir}/keyring_master mysql> SET GLOBAL binlog_encryption = ON; mysql> SET PERSIST binlog_encryption = ON; [mysqld] binlog_encryption = ON mysql> USE performance_schema; mysql> SELECT * FROM global_variables WHERE variable_name = ‘binlog_encryption’; +-------------------+----------------+ | VARIABLE_NAME | VARIABLE_VALUE | +-------------------+----------------+ | binlog_encryption | ON | +-------------------+----------------+ 1 row in set (0.0545 sec)
12 © 2020 Oracle 3) Only allow for ROW based events in the replication stream mysql> STOP SLAVE FOR CHANNEL “m1”; mysql> CHANGE MASTER TO require_row_format = 1 FOR CHANNEL “m1”; mysql> START SLAVE FOR CHANNEL “m1”; mysql> USE performance_schema; mysql> SELECT channel_name,require_row_format FROM replication_applier_configuration; +--------------+--------------------+ | channel_name | require_row_format | +--------------+--------------------+ | m1 | YES | +--------------+--------------------+ 1 row in set (0.0371 sec) It prevents re-execution of the statements on the slave side, making it easier to enforce rules about how data may be changed. If an event not in ROW format is found, replication will stop and error messages are writen to the error log.
13 © 2020 Oracle 4) Normalize the usage of primary key requirements – available in 8.0.20 mysql> STOP SLAVE FOR CHANNEL “m1”; mysql> CHANGE MASTER TO require_table_primary_key_check = ON|OFF FOR CHANNEL “m1”; mysql> START SLAVE FOR CHANNEL “m1”; mysql> USE performance_schema; mysql> SELECT channel_name, require_table_primary_key_check FROM replication_applier_configuration; +--------------+---------------------------------+ | channel_name | require_table_primary_key_check | +--------------+---------------------------------+ | m1 | ON | +--------------+---------------------------------+ 1 row in set (0.0397 sec) Forces the check for PRIMARY KEYS to exist or not while executing a table related DDL, disregarding the master’s confgured value. The goal is to normalize the behavior among all the masters. If a DDL over a table with no PRIMARY KEY is executed while the option value is ON, replication will stop for the channel and error messages are writen to the error log.
14 © 2020 Oracle 5) Run the slave applier thread with privilege checks mysql> CREATE USER u; mysql> GRANT REPLICATION_APPLIER ON *.* TO u; mysql> GRANT INSERT,UPDATE ON db.* TO u; mysql> STOP SLAVE FOR CHANNEL “m1”; mysql> CHANGE MASTER TO privilege_checks_user = u FOR CHANNEL “m1”; mysql> START SLAVE FOR CHANNEL “m1”; mysql> USE performance_schema; mysql> SELECT channel_name, privilege_checks_user FROM replication_applier_configuration; +--------------+-----------------------+ | channel_name | privilege_checks_user | +--------------+-----------------------+ | m1 | 'u'@'%' | +--------------+-----------------------+ 1 row in set (0.0414 sec) Forces the slave applier to run under the security context of the confgured user and run privilege checks on every replicated incoming transaction. If a privilege checks fails, replication will stop for the channel and error messages are writen to the error log.
15 © 2020 Oracle Bibliography Manual reference: ● htps:/p/pdev.mysql.com/pdoc/prefman/p8.0/pen/pchange-master-to.html Blog posts: ● htps:/p/pmysqlhighavailability.com/pbinary-log-encryption-at-rest/p ● htps:/p/pmysqlhighavailability.com/phow-to-manually-decrypt-an-encrypted-binary-log-fle/p ● htps:/p/pmysqlhighavailability.com/pbinary-log-encryption-encryption-of-temporary-capture-fles/p ● htps:/p/pmysqlhighavailability.com/prestrict-replication-to-row-based-events/p ● htps:/p/pmysqlhighavailability.com/preplication-with-restricted-privileges/p
16 © 2020 Oracle Any questions?
17 © 2020 Oracle Thank you and a good FOSDEM!
MySQL 8.0: Secure your replication deployment

More Related Content

MySQL 8.0: Secure your replication deployment

  • 1. Software Engineer MySQL, Replication February 02, 2020 Pedro Figueiredo Secure your MySQL Replication deployment
  • 2. 2 © 2020 Oracle The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation. Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and prospects are “forward-looking statements” and are subject to material risks and uncertainties. A detailed discussion of these factors and other risks that afect our business is contained in Oracle’s Securities and Exchange Commission (SEC) flings, including our most recent reports on Form 10-K and Form 10-Q under the heading “Risk Factors.” These flings are available on the SEC’s website or on Oracle’s website at htp:/p/pwww.oracle.com/pinvestor. All information in this presentation is current as of September 2019 and Oracle undertakes no duty to update any statement in light of new information or future events. Safe harbor statement
  • 3. 3 © 2020 Oracle 3 2 1 Any questions? So, what’s the solution? Agenda What is the problem we’re trying to solve?
  • 4. 4 © 2020 Oracle 3 2 1 Any questions? So, what’s the solution? Agenda What is the problem we’re trying to solve?
  • 5. 5 © 2020 Oracle Slave blindly follows the Master Tell me what to do, I’ll do it! Master Slave mysql> CHANGE MASTER TO … FOR CHANNEL “m1”;
  • 6. 6 © 2020 Oracle In Multi-Source-Replication a Slave may follow several Masters Slave M2 M1 M3 Tell me what to do, I’ll do it! mysql> CHANGE MASTER TO … FOR CHANNEL “m1”; mysql> CHANGE MASTER TO … FOR CHANNEL “m2”; mysql> CHANGE MASTER TO … FOR CHANNEL “m3”; Commonly used for: ● data consolidation ● data aggregation
  • 7. 7 © 2020 Oracle What if the Slave needs to impose some rules about replicated data? Slave M2 M1 M3 I want your data but I have some rules I need you to follow Data protection boundary
  • 8. 8 © 2020 Oracle What are the requirements to allow the Slave to enforce data protection We can’t trust that by some reason one of the masters won’t: • Replicate sensitive data that it should not. • Replicate statements that will change data in ways that it should not. • Replicate statements that will change database structure in ways that it should not. So we need to ensure that, independently of the Master confguration: • All data being replicated is encrypted • All data that touches the disk is encrypted • DML and DDL statement level privileges are enforced • No clashing global variable values for distinct masters
  • 9. 9 © 2020 Oracle 3 2 1 Any questions? So, what’s the solution? Agenda What is the problem we’re trying to solve
  • 10. 10 © 2020 Oracle 1) Replicate using secure channels and the latest supported versions mysql> STOP SLAVE FOR CHANNEL “m1”; mysql> CHANGE MASTER TO master_ssl = 1, master_tls_version = “TLSv1.3” FOR CHANNEL “m1”; mysql> START SLAVE FOR CHANNEL “m1”; mysql> USE performance_schema; mysql> SELECT channel_name,ssl_allowed,tls_version FROM replication_connection_configuration; +--------------+-------------+-------------+ | channel_name | ssl_allowed | tls_version | +--------------+-------------+-------------+ | m1 | YES | TLSv1.3 | +--------------+-------------+-------------+ 1 row in set (0.0403 sec)
  • 11. 11 © 2020 Oracle 2) Always activate binary and relay log encryption at rest $ mysqld … --binlog-encryption=ON --early-plugin-load=keyring_file.so --keyring_file_data=${data_dir}/keyring_master mysql> SET GLOBAL binlog_encryption = ON; mysql> SET PERSIST binlog_encryption = ON; [mysqld] binlog_encryption = ON mysql> USE performance_schema; mysql> SELECT * FROM global_variables WHERE variable_name = ‘binlog_encryption’; +-------------------+----------------+ | VARIABLE_NAME | VARIABLE_VALUE | +-------------------+----------------+ | binlog_encryption | ON | +-------------------+----------------+ 1 row in set (0.0545 sec)
  • 12. 12 © 2020 Oracle 3) Only allow for ROW based events in the replication stream mysql> STOP SLAVE FOR CHANNEL “m1”; mysql> CHANGE MASTER TO require_row_format = 1 FOR CHANNEL “m1”; mysql> START SLAVE FOR CHANNEL “m1”; mysql> USE performance_schema; mysql> SELECT channel_name,require_row_format FROM replication_applier_configuration; +--------------+--------------------+ | channel_name | require_row_format | +--------------+--------------------+ | m1 | YES | +--------------+--------------------+ 1 row in set (0.0371 sec) It prevents re-execution of the statements on the slave side, making it easier to enforce rules about how data may be changed. If an event not in ROW format is found, replication will stop and error messages are writen to the error log.
  • 13. 13 © 2020 Oracle 4) Normalize the usage of primary key requirements – available in 8.0.20 mysql> STOP SLAVE FOR CHANNEL “m1”; mysql> CHANGE MASTER TO require_table_primary_key_check = ON|OFF FOR CHANNEL “m1”; mysql> START SLAVE FOR CHANNEL “m1”; mysql> USE performance_schema; mysql> SELECT channel_name, require_table_primary_key_check FROM replication_applier_configuration; +--------------+---------------------------------+ | channel_name | require_table_primary_key_check | +--------------+---------------------------------+ | m1 | ON | +--------------+---------------------------------+ 1 row in set (0.0397 sec) Forces the check for PRIMARY KEYS to exist or not while executing a table related DDL, disregarding the master’s confgured value. The goal is to normalize the behavior among all the masters. If a DDL over a table with no PRIMARY KEY is executed while the option value is ON, replication will stop for the channel and error messages are writen to the error log.
  • 14. 14 © 2020 Oracle 5) Run the slave applier thread with privilege checks mysql> CREATE USER u; mysql> GRANT REPLICATION_APPLIER ON *.* TO u; mysql> GRANT INSERT,UPDATE ON db.* TO u; mysql> STOP SLAVE FOR CHANNEL “m1”; mysql> CHANGE MASTER TO privilege_checks_user = u FOR CHANNEL “m1”; mysql> START SLAVE FOR CHANNEL “m1”; mysql> USE performance_schema; mysql> SELECT channel_name, privilege_checks_user FROM replication_applier_configuration; +--------------+-----------------------+ | channel_name | privilege_checks_user | +--------------+-----------------------+ | m1 | 'u'@'%' | +--------------+-----------------------+ 1 row in set (0.0414 sec) Forces the slave applier to run under the security context of the confgured user and run privilege checks on every replicated incoming transaction. If a privilege checks fails, replication will stop for the channel and error messages are writen to the error log.
  • 15. 15 © 2020 Oracle Bibliography Manual reference: ● htps:/p/pdev.mysql.com/pdoc/prefman/p8.0/pen/pchange-master-to.html Blog posts: ● htps:/p/pmysqlhighavailability.com/pbinary-log-encryption-at-rest/p ● htps:/p/pmysqlhighavailability.com/phow-to-manually-decrypt-an-encrypted-binary-log-fle/p ● htps:/p/pmysqlhighavailability.com/pbinary-log-encryption-encryption-of-temporary-capture-fles/p ● htps:/p/pmysqlhighavailability.com/prestrict-replication-to-row-based-events/p ● htps:/p/pmysqlhighavailability.com/preplication-with-restricted-privileges/p
  • 16. 16 © 2020 Oracle Any questions?
  • 17. 17 © 2020 Oracle Thank you and a good FOSDEM!