MariaDB CeBIT 2016 - linux-magazin.de

© 2015, MariaDB Corp. MariaDB CeBIT 2016. MariaDB 10.1: Database Encryption and Other Security Benefits. Jens Bollmann, Principal Instructor/Consultant

  • © 2015, MariaDB Corp.

    MariaDB CeBIT 2016

    MariaDB 10.1: Database Encryption and Other Security Benefits

    Jens Bollmann, Principal Instructor/Consultant

  • © MariaDB Corporation Ab. 16.03.16

  • Agenda

    • MariaDB 10.1/10.2 new features
      • High Availability
      • For Scalability
      • For Security
    • MariaDB 10.1 Security Feature Set

  • MariaDB 10.1 Released

    • First GA version 10.1.8 released in October
    • Based on MariaDB 10.0
    • Includes contributions from community members like Facebook

  • MariaDB 10.1 Themes

    • High Availability
    • Scalability
    • Security

  • High Availability

  • Galera Cluster integrated

    • Full integration of Galera Cluster into MariaDB 10.1 — all out of the box
    • Enable Galera Cluster when you need it

  • Galera Cluster integrated

    • Per default MariaDB 10.1 works like a vanilla MariaDB Server
    • For Galera Cluster it is required to set:
      • wsrep_on=ON (enable the code on startup)
      • wsrep_provider (simply point to the galera library)
      • wsrep_cluster_address (define your cluster members)
      • binlog_format=ROW
      • default_storage_engine=InnoDB
      • innodb_autoinc_lock_mode=2 (galera takes over auto_increment)
      • innodb_doublewrite=1
      • query_cache_type=0/1 (default on now)
      • query_cache_size=XXXM (default 1M)
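Added example, not from the slides or from MariaDB itself: a Python preflight check that parses a my.cnf and reports which of the Galera settings listed above are missing or hold the wrong value, so a node is not started with a non-Galera configuration. The sample configuration, the library path and the gcomm:// addresses are constructed.

```python
import configparser

# Settings the slide lists as required for Galera Cluster in MariaDB 10.1.
# None means "must be present with a non-empty value" (any path/address).
GALERA_REQUIRED = {"wsrep_on": "ON", "wsrep_provider": None,
                   "wsrep_cluster_address": None, "binlog_format": "ROW",
                   "default_storage_engine": "InnoDB",
                   "innodb_autoinc_lock_mode": "2", "innodb_doublewrite": "1"}

# Constructed sample my.cnf, not a real deployment: binlog_format is wrong
# and innodb_autoinc_lock_mode is missing, so the check reports both.
SAMPLE_CNF = """\
[mysqld]
wsrep_on = ON
wsrep_provider = /usr/lib/galera/libgalera_smm.so
wsrep_cluster_address = gcomm://10.0.0.1,10.0.0.2,10.0.0.3
binlog_format = STATEMENT
default_storage_engine = InnoDB
innodb_doublewrite = 1
skip-name-resolve
"""

def _normalize(value):
    # Option values are case-insensitive; booleans accept ON/1/TRUE etc.
    v = value.strip().strip("'\"").lower()
    return {"1": "on", "true": "on", "yes": "on",
            "0": "off", "false": "off", "no": "off"}.get(v, v)

def check_galera_config(my_cnf_text):
    """Return findings ('key: problem') for the [mysqld] section; [] if OK."""
    # Drop !include / !includedir directives, which configparser cannot parse.
    text = "\n".join(l for l in my_cnf_text.splitlines()
                     if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None,
                                   inline_comment_prefixes=("#",))
    cp.read_string(text)
    items = cp.items("mysqld") if cp.has_section("mysqld") else []
    # my.cnf treats "wsrep-on" and "wsrep_on" as the same option.
    section = {k.replace("-", "_"): v or "" for k, v in items}
    findings = []
    for key, expected in GALERA_REQUIRED.items():
        value = section.get(key, "").strip()
        if not value:
            findings.append(f"{key}: missing")
        elif expected is not None and _normalize(value) != _normalize(expected):
            findings.append(f"{key}: is {value!r}, expected {expected!r}")
    return findings
```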

  • Scalability

  • Parallel Slave Replication (10.0)

    • Multi-source replication from different masters (domains) executed in parallel
    • Queries that are run in parallel on the master are run in parallel on the slave (based on group commit)
    • Transactions modifying the same table can be updated in parallel on the slave!
    • Supports both statement based and row based replication.

  • Optimistic Parallel Replication

    • New replication mode in MariaDB 10.1
    • Any INSERT, UPDATE or DELETE can be applied in parallel on the slave
    • This does not necessarily mean that it was committed in parallel on the master
    • Needs a 10.1 master
    • Needs a transactional engine for rollback in case of a conflict

  • Optimistic Parallel Replication

    • Enabled by slave-parallel-mode=optimistic
    • Temporarily disable by setting @@skip_parallel_replication
    • Server optimistically assumes that few conflicts will occur
    • Roll back and retry for conflicting transactions

  • Performance Improvements

    • Especially for High-End Servers
      • High processing power
      • More cores
    • Benchmark 10.1 on Linux Only POWER8
      • "1 million SQL queries per second: GA MariaDB 10.1 on POWER8"
      • https://blog.mariadb.org/10-1-mio-qps/

  • InnoDB Defragmentation

    • Deleted records can create gaps on pages
    • Defragmentation based on an implementation from Facebook and Kakao Corp
    • But no new SQL literals and no changes to the server needed: OPTIMIZE TABLE is used
    • innodb_defragment=1

  • MySQL Compatibility Feature

    • MariaDB 10.1 can be a slave to MySQL 5.6
      • Also when GTIDs are used
    • Feature was requested from the Community
      • To test MariaDB in a MySQL deployment
      • For migrating to MariaDB / or Galera

  • Security

  • Security Features in MariaDB 10.1

    • Data at Rest Encryption
    • Password Validation Plugin
    • PAM Authentication Plugin
    • Audit Plugin
    • SSL Connections
    • Encryption functions

  • Data at Rest Encryption I

    • New with MariaDB 10.1
    • Originates from Google encryption patch
    • Table space and table encryption
    • Based on
      • Encryption key
      • Key id
      • Key rotation
      • Key version

  • Data at Rest Encryption II

    • Encryption for
      • XtraDB/InnoDB tablespaces
      • XtraDB/InnoDB log files
      • Binary logs
      • Aria tables
      • Temporary files

  • Data at Rest Encryption III

    • No Encryption for
      • Metadata
      • Memory
      • Config-Files
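Added example, not part of the deck: the encryption key and key id concepts of the three slides above map onto the key file read by MariaDB's file_key_management plugin (not named on the slides), one "<key id>;<hex key>" line per key. The Python below generates such a file with fresh random keys, validates one before it is handed to the server, and writes it owner-only; this plugin supplies a single version per key id, so key rotation needs a key-management plugin that can return new key versions.

```python
import os
import re

# Key file format read by MariaDB's file_key_management plugin (option
# file_key_management_filename): one "<key id>;<hex key>" line per key. The
# id is an unsigned integer and the key is 16, 24 or 32 bytes (AES-128/192/
# 256); key id 1 is used as the default key, so it must be present.
KEY_LINE = re.compile(r"^(\d+);([0-9A-Fa-f]+)$")
VALID_KEY_BYTES = (16, 24, 32)

def generate_key_file(key_ids, key_bytes=32):
    """Return key-file text with a fresh random key for every id given."""
    if key_bytes not in VALID_KEY_BYTES:
        raise ValueError("key length must be 16, 24 or 32 bytes")
    # os.urandom is the OS CSPRNG; never derive these keys from a password.
    return "".join(f"{int(i)};{os.urandom(key_bytes).hex().upper()}\n"
                   for i in key_ids)

def validate_key_file(text):
    """Return {key id: key bytes}; raise ValueError on a malformed file."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<id>;<hex key>'")
        key_id, hexkey = int(m.group(1)), m.group(2)
        if len(hexkey) % 2 or len(hexkey) // 2 not in VALID_KEY_BYTES:
            raise ValueError(f"line {lineno}: key must be 16, 24 or 32 bytes")
        if key_id in keys:
            raise ValueError(f"line {lineno}: duplicate key id {key_id}")
        keys[key_id] = bytes.fromhex(hexkey)
    if 1 not in keys:
        raise ValueError("key id 1 (the default key) is missing")
    return keys

def write_key_file(path, text):
    """Write the key file readable only by its owner (the mysqld user):
    the keys protect the tablespaces, so the file must not be world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
```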

  • Data at Rest Encryption

    • Last internal benchmarks on encryption overhead
    • XtraDB/InnoDB encryption
    [Benchmark chart not included in the transcript]

  • Deleted Data Encryption

    • Scrubbing
      • Background threads periodically scan tablespaces and logs and overwrite all data that should be deleted.
    • More info: https://mariadb.com/kb/en/mariadb/xtradb-innodb-data-scrubbing/

  • Password Validation Plugins

    • Password validation plugin API
    • simple_password_check plugin
      • Can enforce a minimum password length and guarantee that a password contains at least a specified number of upper and lowercase letters, digits, and punctuation characters
    • cracklib_password_check plugin
      • A widely used library
      • Stops users from choosing easy to guess passwords. It includes checks for not allowing passwords based on the username or a dictionary word etc.

  • PAM Authentication Plugin

    • Authentication using /etc/shadow
    • Authentication using LDAP, SSH pass phrases, password expiration, username mapping, logging every login attempt, etc.
    • INSTALL PLUGIN pam SONAME 'auth_pam.so';
    • CREATE USER [email protected] IDENTIFIED via pam;
    • REMEMBER to configure PAM (/etc/pam.d or /etc/pam.conf)

  • MariaDB Audit Plugin

    • Auditing database access to
      • File (comma delimited format)
      • Syslog
    • Modified Plugin API in MariaDB
      • Audit Plugin compatible with MySQL Server
    • Only MariaDB allows monitoring of table-level events

  • MariaDB Audit Plugin

    [Diagram of audited event types, reconstructed from the slide's labels]
    • CONNECTION events: CONNECT, DISCONNECT, FAILED CONNECT
    • QUERY events: DDL, DML+TCL, DCL
    • OBJECT events: DATABASE, TABLES
    • Each event is recorded with TIMESTAMP, HOST, USER and SESSION

  • MariaDB Audit Plugin

    • Password filtering included

    20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0

    20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test4"@"localhost" IDENTIFIED BY PASSWORD *****',0

    20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0

    20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = PASSWORD("mynewpwd")',0

    20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (2,OLD_PASSWORD("mypwd2"))',0

    20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = OLD_PASSWORD("mynewpwd2")',0

    20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'GRANT ALL ON *.* TO "test5"@"localhost"  IDENTIFIED BY *****',0
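Added example, not from the deck: a Python parser for the comma-delimited audit log format shown above (columns timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode) with a check that flags logged statements in which a password is still visible. Run over the slide's seven sample lines it shows that the IDENTIFIED BY secrets are masked as ***** while the PASSWORD()/OLD_PASSWORD() arguments in the INSERT and UPDATE statements are not, which is worth knowing before the log is forwarded to a SIEM.

```python
import csv
import re

# Column order of the MariaDB Audit Plugin's comma-delimited file output.
FIELDS = ("timestamp", "serverhost", "username", "host", "connectionid",
          "queryid", "operation", "database", "object", "retcode")

# Password-bearing syntax; the plugin's password filtering is expected to
# replace the secret itself with *****.
IDENTIFIED_BY = re.compile(r"IDENTIFIED\s+BY(?:\s+PASSWORD)?\s+(\S+)", re.I)
PASSWORD_FUNC = re.compile(r"\b(?:OLD_)?PASSWORD\s*\((.*?)\)", re.I)

# The seven sample lines from the slide above (slide 26).
SAMPLE_LOG = """\
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test4"@"localhost" IDENTIFIED BY PASSWORD *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = PASSWORD("mynewpwd")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (2,OLD_PASSWORD("mypwd2"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = OLD_PASSWORD("mynewpwd2")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'GRANT ALL ON *.* TO "test5"@"localhost"  IDENTIFIED BY *****',0
"""

def parse_audit_log(text):
    """Parse file-format audit lines into dicts; the object column is
    single-quoted, so commas inside a statement do not split the row."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = next(csv.reader([raw], quotechar="'"))
        if len(fields) != len(FIELDS):
            raise ValueError(f"unexpected field count {len(fields)}: {raw!r}")
        events.append(dict(zip(FIELDS, fields)))
    return events

def exposed_secrets(events):
    """Return the QUERY events whose logged statement still carries a
    cleartext password, i.e. where password filtering did not apply."""
    leaks = []
    for ev in events:
        if ev["operation"] != "QUERY":
            continue
        stmt = ev["object"]
        tokens = IDENTIFIED_BY.findall(stmt) + PASSWORD_FUNC.findall(stmt)
        if any(t.strip() != "*****" for t in tokens):
            leaks.append(ev)
    return leaks
```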

  • SSL Connections

    • Encryption between client and server
    • Disabled by default
    • TLSv1.2 protocol
    • SSL also available for replication
    • Variables needed to use SSL
      • ssl-ca=ca.pem
      • ssl-cert=server-cert.pem
      • ssl-key=server-key.pem

  • Encryption Functions

    • Encryption functions are used per column
    • Available encryptions
      • AES (Advanced Encryption Standard) algorithm
      • DES (Data Encryption Standard) algorithm
    • Requires SSL to be configured
    • String encryption via DECODE / ENCODE

  • Thank You

    mariadb.com

    [email protected]

    "MySQL is a registered trademark of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. MariaDB is not affiliated with MySQL."
