MariaDB CeBIT 2016 - linux-magazin.de


© 2015, MariaDB Corp.

MariaDB CeBIT 2016

MariaDB 10.1: Datenbankverschlüsselung und andere Sicherheitsvorteile

Jens Bollmann, Principal Instructor/Consultant

© MariaDB Corporation Ab.

Agenda

• MariaDB 10.1/10.2 new features
  • For High Availability
  • For Scalability
  • For Security
• MariaDB 10.1 Security Feature Set

16.03.16 2


MariaDB 10.1 Released

• First GA version 10.1.8 released in October
• Based on MariaDB 10.0
• Includes contributions from community members like Facebook


MariaDB 10.1 Themes

• High Availability
• Scalability
• Security


High Availability


Galera Cluster integrated

• Full integration of Galera Cluster into MariaDB 10.1 — all out of the box

• Enable Galera Cluster when you need it


Galera Cluster integrated

• Per default MariaDB 10.1 works like a vanilla MariaDB Server
• For Galera Cluster it is required to set:
  • wsrep_on = ON: enable the code on startup
  • wsrep_provider: simply point to the galera library
  • wsrep_cluster_address: define your cluster members
  • binlog_format=ROW
  • default_storage_engine=InnoDB
  • innodb_autoinc_lock_mode=2: galera takes over auto_increment
  • innodb_doublewrite=1
  • query_cache_type=0/1: default on now
  • query_cache_size=XXXM: default 1M


Scalability


Parallel Slave Replication (10.0)

• Multi-source replication from different masters (domains) executed in parallel

• Queries that are run in parallel on the master are run in parallel on the slave (based on group commit)

• Transactions modifying the same table can be updated in parallel on the slave!

• Supports both statement based and row based replication.


Optimistic Parallel Replication

• New replication mode in MariaDB 10.1
• Any INSERT, UPDATE or DELETE can be applied in parallel on the slave
• This does not necessarily mean that it was committed in parallel on the master
• Needs a 10.1 master
• Needs a transactional engine for rollback in case of a conflict


Optimistic Parallel Replication

• Enabled by slave-parallel-mode=optimistic
• Temporarily disable by the variable @@skip_parallel_replication
• Server optimistically assumes that few conflicts will occur
  • Roll back and retry for conflicting transactions


Performance Improvements

• Especially for High-End Servers
  • High processing power
  • More cores
• Benchmark 10.1 on Linux Only POWER8
  • „1 million SQL queries per second: GA MariaDB 10.1 on POWER8“
  • https://blog.mariadb.org/10-1-mio-qps/


InnoDB Defragmentation

• Deleted records can create gaps on pages
• Defragmentation based on an implementation from Facebook and Kakao Corp
• But no new SQL literals or changes to the server are needed
• OPTIMIZE TABLE is used
• innodb_defragment=1


MySQL Compatibility Feature

• MariaDB 10.1 can be a slave to MySQL 5.6
  • Also when GTIDs are used
• Feature was requested from the Community
  • To test MariaDB in a MySQL deployment
  • For migrating to MariaDB / or Galera


Security


Security Features in MariaDB 10.1

• Data at Rest Encryption
• Password Validation Plugin
• PAM Authentication Plugin
• Audit Plugin
• SSL Connections
• Encryption functions


Data at Rest Encryption I

• New with MariaDB 10.1
• Originates from Google encryption patch
• Table space and table encryption
• Based on
  • Encryption key
  • Key id
  • Key rotation
  • Key version


Data at Rest Encryption II

• Encryption for
  • XtraDB/InnoDB tablespaces
  • XtraDB/InnoDB log files
  • Binary logs
  • Aria tables
  • Temporary files


Data at Rest Encryption III

• No Encryption for
  • Metadata
  • Memory
  • Config-Files


Data at Rest Encryption

• Last internal benchmarks on encryption overhead
  • XtraDB/InnoDB encryption
    • <1% (ro)
    • ≈8-14% (rw)
  • Temporary files encryption
    • ≈7-10% (filesort)
  • Binary log encryption: <4%


Deleted Data Encryption

• Scrubbing
  • Background threads periodically scan tablespaces and logs and overwrite all data that should be deleted.
• More info:
  • https://mariadb.com/kb/en/mariadb/xtradb-innodb-data-scrubbing/
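Added example (not from the slides): how the data-at-rest encryption and scrubbing settings from the slides above are switched on in MariaDB 10.1. The key management plugin, key file paths, key id 2 and the table are assumptions; the my.cnf lines in the comments need a server restart.

```sql
-- Prerequisite in my.cnf ([mariadb] section, restart needed; paths assumed).
-- file_key_management reads keys from a file holding one "<key id>;<hex key>"
-- line per key (32, 48 or 64 hex chars = 128/192/256-bit key), here itself
-- encrypted with the passphrase stored in keyfile.key:
--   plugin_load_add = file_key_management
--   file_key_management_filename = /etc/mysql/encryption/keyfile.enc
--   file_key_management_filekey  = FILE:/etc/mysql/encryption/keyfile.key
--   file_key_management_encryption_algorithm = AES_CTR
--   innodb_encrypt_log  = ON      -- XtraDB/InnoDB log files
--   encrypt_binlog      = ON      -- binary logs
--   encrypt_tmp_files   = ON      -- temporary files
--   aria_encrypt_tables = ON      -- Aria tables

-- Encrypt all XtraDB/InnoDB tablespaces by default; background threads
-- convert existing data. FORCE instead of ON also rejects ENCRYPTED=NO tables.
SET GLOBAL innodb_encrypt_tables = ON;
SET GLOBAL innodb_encryption_threads = 4;

-- Bind one table to a specific key id from the key file (key id 2 assumed).
CREATE TABLE card_token (
  id    INT PRIMARY KEY,
  token VARBINARY(64) NOT NULL
) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- Check which tablespaces are encrypted and which key version they use.
-- Key rotation needs a key plugin that issues new key versions;
-- file_key_management always reports version 1.
SELECT NAME, ENCRYPTION_SCHEME, MIN_KEY_VERSION, CURRENT_KEY_VERSION
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION;

-- Deleted-data scrubbing: overwrite freed space immediately and re-scan
-- uncompressed tablespaces in the background once a week (604800 s).
SET GLOBAL innodb_immediate_scrub_data_uncompressed  = ON;
SET GLOBAL innodb_background_scrub_data_uncompressed = ON;
SET GLOBAL innodb_background_scrub_data_interval     = 604800;
```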


Password Validation Plugins

• Password validation plugin API
• simple_password_check plugin
  • Can enforce a minimum password length and guarantee that a password contains at least a specified number of upper and lowercase letters, digits, and punctuation characters
• cracklib_password_check plugin
  • A widely used library
  • Stops users from choosing easy to guess passwords. It includes checks for not allowing passwords based on the username or a dictionary word etc.
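Added example (not from the slides): enabling both validation plugins described above and exercising the policy with a failing and a passing CREATE USER. The thresholds, the account name and the dictionary path are assumptions.

```sql
-- Load the plugins; they are consulted by CREATE USER, SET PASSWORD and
-- GRANT ... IDENTIFIED BY. Threshold values below are examples.
INSTALL SONAME 'simple_password_check';
SET GLOBAL simple_password_check_minimal_length    = 12;  -- default 8
SET GLOBAL simple_password_check_digits            = 2;   -- default 1
SET GLOBAL simple_password_check_letters_same_case = 2;   -- 2 upper AND 2 lower
SET GLOBAL simple_password_check_other_characters  = 1;   -- punctuation etc.

INSTALL SONAME 'cracklib_password_check';
-- The dictionary is a read-only option set in my.cnf (path assumed):
--   cracklib_password_check_dictionary = /usr/share/cracklib/pw_dict

-- Keep plaintext validation mandatory: with this ON, IDENTIFIED BY PASSWORD
-- '<hash>' (which the plugins cannot inspect) is refused.
SET GLOBAL strict_password_validation = ON;

-- Fails the policy: 8 characters, one case, no digit or punctuation,
-- and a dictionary word for cracklib.
CREATE USER 'app'@'localhost' IDENTIFIED BY 'password';

-- Passes: 14 characters, 4 upper, 6 lower, 2 digits, 2 other characters.
CREATE USER 'app'@'localhost' IDENTIFIED BY 'Cb9!kTr2mVx#Qp';

-- Review the active policy.
SHOW GLOBAL VARIABLES LIKE '%password%';
```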


PAM Authentication Plugin

• Authentication using /etc/shadow
• Authentication using LDAP, SSH pass phrases, password expiration, username mapping, logging every login attempt, etc.
• INSTALL PLUGIN pam SONAME 'auth_pam.so';
• CREATE USER foo@host IDENTIFIED VIA pam;
• REMEMBER to configure PAM (/etc/pam.d or /etc/pam.conf)


MariaDB Audit Plugin

• Auditing database access to
  • File (comma delimited format)
  • Syslog
• Modified Plugin API in MariaDB
  • Audit Plugin compatible with MySQL Server
• Only MariaDB allows monitoring of table level events


MariaDB Audit Plugin

[Diagram: audit event classes. CONNECTION events: CONNECT, DISCONNECT, FAILED CONNECT. QUERY events: DDL, DML+TCL, DCL. OBJECT events: DATABASE, TABLES. Every record carries TIMESTAMP, HOST, USER and SESSION.]


MariaDB Audit Plugin

• Password filtering included


20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0

20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test4"@"localhost" IDENTIFIED BY PASSWORD *****',0

20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0

20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = PASSWORD("mynewpwd")',0

20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (2,OLD_PASSWORD("mypwd2"))',0

20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = OLD_PASSWORD("mynewpwd2")',0

20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'GRANT ALL ON *.* TO "test5"@"localhost"  IDENTIFIED BY *****',0
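Added example (not from the slides): loading the MariaDB Audit Plugin and selecting the event classes from the diagram above so that logins, schema and privilege changes and table-level access are recorded in the comma-delimited file format of the sample lines. The log path, rotation sizes and the excluded user are assumptions.

```sql
-- Load the plugin and write to a CSV file (server_audit_output_type = 'syslog'
-- switches to syslog with the same event selection).
INSTALL SONAME 'server_audit';
SET GLOBAL server_audit_output_type      = 'file';
SET GLOBAL server_audit_file_path        = '/var/log/mysql/server_audit.log';
SET GLOBAL server_audit_file_rotate_size = 1000000;   -- bytes
SET GLOBAL server_audit_file_rotations   = 9;

-- CONNECT covers CONNECT/DISCONNECT/FAILED_CONNECT; QUERY_DDL and QUERY_DCL
-- record schema and privilege changes; TABLE is the MariaDB-only class for
-- table-level reads/writes. QUERY_DML would add every data statement and is
-- the noisiest choice.
SET GLOBAL server_audit_events = 'CONNECT,QUERY_DDL,QUERY_DCL,TABLE';

-- Leave a monitoring account out of the log to cut noise (name assumed).
SET GLOBAL server_audit_excl_users = 'monitor';
SET GLOBAL server_audit_logging    = ON;

-- Verify: Server_audit_active, the current log file and failed write count.
SHOW GLOBAL STATUS LIKE 'Server_audit%';

-- Field order of the file format, matching the sample lines above:
--   timestamp,serverhost,username,host,connectionid,queryid,operation,
--   database,object,retcode
-- IDENTIFIED BY and PASSWORD() arguments are replaced by ***** before writing.

-- Hardening: in my.cnf set server_audit = FORCE_PLUS_PERMANENT so the plugin
-- cannot be uninstalled at runtime; SUPER (needed for SET GLOBAL) should be rare.
```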


SSL Connections

• Encryption between client and server
• Disabled by default
• TLSv1.2 protocol
• SSL also available for replication
• Variables needed to use SSL
  • ssl-ca=ca.pem
  • ssl-cert=server-cert.pem
  • ssl-key=server-key.pem
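Added example (not from the slides): since SSL is disabled by default, the server-side variables from the slide only make encryption possible; the statements below verify the setup, make it mandatory per account and enable it for replication. The certificate directory, account names, passwords and master host are assumptions.

```sql
-- my.cnf ([mariadb] section, restart) with the files named on the slide:
--   ssl-ca   = /etc/mysql/ssl/ca.pem
--   ssl-cert = /etc/mysql/ssl/server-cert.pem
--   ssl-key  = /etc/mysql/ssl/server-key.pem
-- Keep server-key.pem readable by the mysql user only.

-- Did the server load them? YES means ready, DISABLED means a file problem.
SHOW VARIABLES LIKE 'have_ssl';

-- Clients may still connect in clear, so enforce SSL per account.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'Cb9!kTr2mVx#Qp' REQUIRE SSL;

-- Stronger: require a client certificate issued by our CA with a fixed subject.
CREATE USER 'admin'@'%' IDENTIFIED BY 'Qp#2xVm7rTk!9bC'
  REQUIRE SUBJECT '/CN=dba-admin' AND ISSUER '/CN=Example Internal CA';

-- From a client session: an empty Ssl_cipher means the link is not encrypted.
SHOW STATUS LIKE 'Ssl_cipher';

-- Replication over SSL, run on the slave (slave certificate files assumed);
-- MASTER_SSL_VERIFY_SERVER_CERT stops a spoofed master from being accepted.
CHANGE MASTER TO
  MASTER_HOST     = 'master.example.internal',
  MASTER_USER     = 'repl',
  MASTER_PASSWORD = 'Rk7!pWz3nXq#Lm',
  MASTER_SSL      = 1,
  MASTER_SSL_CA   = '/etc/mysql/ssl/ca.pem',
  MASTER_SSL_CERT = '/etc/mysql/ssl/slave-cert.pem',
  MASTER_SSL_KEY  = '/etc/mysql/ssl/slave-key.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
```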


Encryption Functions

• Encryption functions are used per column
• Available encryptions
  • AES (Advanced Encryption Standard) algorithm
  • DES (Data Encryption Standard) algorithm
    • Requires SSL to be configured
• String encryption via DECODE / ENCODE
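Added example (not from the slides): per-column encryption with AES_ENCRYPT/AES_DECRYPT, including the storage type and the key handling a practitioner needs to get right. The table, the passphrase and the sample values are assumptions.

```sql
-- In MariaDB 10.1 AES_ENCRYPT uses AES-128 in ECB mode: equal plaintexts give
-- equal ciphertexts, so repeated values remain recognisable as repeats.
CREATE TABLE customer (
  id   INT PRIMARY KEY,
  name VARCHAR(100),
  ssn  VARBINARY(32)      -- ciphertext is binary, padded to a 16-byte multiple
);

-- AES_ENCRYPT expects a 128-bit key and folds longer keys, so derive exactly
-- 16 bytes from the application passphrase instead of passing the passphrase.
-- The key travels in this statement, so send it over an SSL connection and
-- keep query logging of this session in mind.
SET @k = LEFT(UNHEX(SHA2('application-secret-passphrase', 256)), 16);

INSERT INTO customer VALUES (1, 'Alice', AES_ENCRYPT('123-45-6789', @k));
INSERT INTO customer VALUES (2, 'Bob',   AES_ENCRYPT('987-65-4321', @k));

-- Decrypt on read; a wrong key fails the padding check and yields NULL.
SELECT id, name, CAST(AES_DECRYPT(ssn, @k) AS CHAR) AS ssn
FROM customer;

-- Use HEX() when the ciphertext must pass through a text column or a log.
SELECT id, HEX(ssn) FROM customer;

-- ENCODE/DECODE and DES_ENCRYPT are weaker legacy functions; prefer AES.
```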


Thank You

mariadb.com

[email protected]

"MySQL is a registered trademark of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. MariaDB is not affiliated with MySQL."