MariaDB CeBIT 2016 - linux-magazin.de
© 2015, MariaDB Corp.
MariaDB CeBIT 2016
MariaDB 10.1: Database Encryption and Other Security Advantages
Jens Bollmann, Principal Instructor/Consultant
© MariaDB Corporation Ab.
Agenda
• MariaDB 10.1/10.2 new features
  • High Availability
  • For Scalability
  • For Security
• MariaDB 10.1 Security Feature Set
16.03.16 2
MariaDB 10.1 Released
• First GA version 10.1.8 released in October
• Based on MariaDB 10.0
• Includes contributions from community members like Facebook
Galera Cluster integrated
• Full integration of Galera Cluster into MariaDB 10.1 — all out of the box
• Enable Galera Cluster when you need it
Galera Cluster integrated
• Per default MariaDB 10.1 works like a vanilla MariaDB Server
• For Galera Cluster it is required to set:
  • wsrep_on=ON – enable the code on startup
  • wsrep_provider – simply point to the galera library
  • wsrep_cluster_address – define your cluster members
  • binlog_format=ROW
  • default_storage_engine=InnoDB
  • innodb_autoinc_lock_mode=2 – galera takes over auto_increment
  • innodb_doublewrite=1
  • query_cache_type=0/1 – default on now
  • query_cache_size=XXXM – default 1M
Parallel Slave Replication (10.0)
• Multi-source replication from different masters (domains) executed in parallel
• Queries that are run in parallel on the master are run in parallel on the slave (based on group commit)
• Transactions modifying the same table can be updated in parallel on the slave!
• Supports both statement based and row based replication.
Optimistic Parallel Replication
• New replication mode in MariaDB 10.1
• Any INSERT, UPDATE or DELETE can be applied in parallel on the slave
• This does not necessarily mean that it was committed in parallel on the master
• Needs a 10.1 master
• Needs a transactional engine for rollback in case of a conflict
Optimistic Parallel Replication
• Enabled by slave-parallel-mode=optimistic
• Temporarily disable by variable @@skip_parallel_replication
• Server optimistically assumes that few conflicts will occur
• roll back and retry for conflicting transactions
Performance Improvements
• Especially for High-End Servers
  • High processing power
  • More cores
• Benchmark 10.1 on Linux on POWER8
  • "1 million SQL queries per second: GA MariaDB 10.1 on POWER8"
  • https://blog.mariadb.org/10-1-mio-qps/
InnoDB Defragmentation
• Deleted records can create gaps on pages
• Defragmentation based on an implementation from Facebook and Kakao Corp
• But no new SQL literals needed and changes to the server needed
• OPTIMIZE TABLE is used
• innodb_defragment=1
MySQL Compatibility Feature
• MariaDB 10.1 can be a slave to MySQL 5.6
  • Also when GTIDs are used
• Feature was requested by the Community
  • To test MariaDB in a MySQL deployment
  • For migrating to MariaDB / or Galera
Security Features in MariaDB 10.1
• Data at Rest Encryption
• Password Validation Plugin
• PAM Authentication Plugin
• Audit Plugin
• SSL Connections
• Encryption functions
Data at Rest Encryption I
• New with MariaDB 10.1
• Originates from Google encryption patch
• Table space and table encryption
• Based on
  • Encryption key
  • Key id
  • Key rotation
  • Key version
Data at Rest Encryption II
• Encryption for
  • XtraDB/InnoDB tablespaces
  • XtraDB/InnoDB log files
  • Binary logs
  • Aria tables
  • Temporary files
Data at Rest Encryption III
• No Encryption for
  • Metadata
  • Memory
  • Config-Files
Data at Rest Encryption
• Last internal benchmarks on encryption overhead
  • XtraDB/InnoDB encryption: <1% (ro), ≈8-14% (rw)
  • Temporary files encryption: ≈7-10% (filesort)
  • Binary log encryption: <4%
Deleted Data Encryption
• Scrubbing
  • Background threads periodically scan tablespaces and logs and overwrite all data that should be deleted.
• More info: https://mariadb.com/kb/en/mariadb/xtradb-innodb-data-scrubbing/
Password Validation Plugins
• Password validation plugin API
• simple_password_check plugin
  • Can enforce a minimum password length and guarantee that a password contains at least a specified number of upper and lowercase letters, digits, and punctuation characters
• cracklib_password_check plugin
  • A widely used library
  • Stops users from choosing easy to guess passwords. It includes checks for not allowing passwords based on the username or a dictionary word, etc.
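An added example (not the plugins' own code) that evaluates a candidate password against the rules the slide attributes to simple_password_check, plus the username check it attributes to cracklib; the thresholds are assumed defaults, named after the plugin's variables.

```python
import string

# Assumed defaults, named after simple_password_check's system variables
# (simple_password_check_minimal_length etc.); adjust to the server's settings.
POLICY = {
    "minimal_length": 8,
    "digits": 1,
    "letters_same_case": 1,   # at least N upper-case AND N lower-case letters
    "other_characters": 1,    # punctuation / anything that is not a letter or digit
}


def check_password(pw, username=None, policy=POLICY):
    """Return the names of the rules a candidate password violates (empty list = accepted)."""
    failures = []
    if len(pw) < policy["minimal_length"]:
        failures.append("minimal_length")
    if sum(c.isdigit() for c in pw) < policy["digits"]:
        failures.append("digits")
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    # The same-case rule applies to each case separately.
    if min(upper, lower) < policy["letters_same_case"]:
        failures.append("letters_same_case")
    if sum(not c.isalnum() for c in pw) < policy["other_characters"]:
        failures.append("other_characters")
    # cracklib-style check: reject passwords built on the account name.
    if username and username.lower() in pw.lower():
        failures.append("username")
    return failures


if __name__ == "__main__":
    for candidate in ("weak", "Str0ng!pw", "admin2024!X"):
        print(candidate, "->", check_password(candidate, username="admin") or "ok")
```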
PAM Authentication Plugin
• Authentication using /etc/shadow
• Authentication using LDAP, SSH pass phrases, password expiration, username mapping, logging every login attempt, etc.
• INSTALL PLUGIN pam SONAME 'auth_pam.so';
• CREATE USER foo@host IDENTIFIED via pam;
• REMEMBER to configure PAM (/etc/pam.d or /etc/pam.conf)
MariaDB Audit Plugin
• Auditing database access to
  • File (comma delimited format)
  • Syslog
• Modified Plugin API in MariaDB
  • Audit Plugin compatible with MySQL Server
• Only MariaDB allows monitoring of table-level events
MariaDB Audit Plugin
[Diagram: audit event classes CONNECTION (CONNECT, DISCONNECT, FAILED CONNECT), QUERY (DDL, DML+TCL, DCL) and OBJECT (DATABASE, TABLES); every event records TIMESTAMP, HOST, USER and SESSION]
MariaDB Audit Plugin
• Password filtering included
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test4"@"localhost" IDENTIFIED BY PASSWORD *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = PASSWORD("mynewpwd")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (2,OLD_PASSWORD("mypwd2"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = OLD_PASSWORD("mynewpwd2")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'GRANT ALL ON *.* TO "test5"@"localhost" IDENTIFIED BY *****',0
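An added example, not part of the slides: a Python check over constructed rows in the comma-delimited audit file format shown above. It flags QUERY rows where a password literal survived unmasked (the log above shows IDENTIFIED BY starred out, but PASSWORD() inside INSERT/UPDATE written verbatim) and counts FAILED_CONNECT rows per user and host; the sample rows and the threshold are assumptions.

```python
import csv
import re
from collections import Counter
from io import StringIO

# Constructed sample in the audit plugin's comma-delimited file format:
# timestamp,serverhost,user,host,connid,queryid,operation,database,object,retcode.
# The first two rows mirror statements shown on the slide; the remaining rows
# are made up here to exercise the failed-login check.
SAMPLE_LOG = """\
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0
20150117 23:41:02,MYSQL5530,app,10.0.0.7,2,0,FAILED_CONNECT,,,1045
20150117 23:41:03,MYSQL5530,app,10.0.0.7,3,0,FAILED_CONNECT,,,1045
20150117 23:41:04,MYSQL5530,app,10.0.0.7,4,0,FAILED_CONNECT,,,1045
20150117 23:41:09,MYSQL5530,app,10.0.0.7,5,0,CONNECT,shop,,0
"""

FIELDS = ["ts", "server", "user", "host", "conn_id", "query_id",
          "op", "db", "obj", "retcode"]

# A password-bearing construct whose argument is still a quoted literal
# rather than the plugin's ***** mask.
UNMASKED_SECRET = re.compile(
    r"""(OLD_)?PASSWORD\s*\(\s*["'][^"')]*["']\s*\)|IDENTIFIED\s+BY\s+(PASSWORD\s+)?["']""",
    re.IGNORECASE,
)


def parse_audit_log(text):
    """Parse audit rows; the query/object field is single-quoted, so commas inside it survive."""
    reader = csv.reader(StringIO(text), quotechar="'")
    return [dict(zip(FIELDS, row)) for row in reader if len(row) == len(FIELDS)]


def unmasked_secrets(events):
    """QUERY rows that would leak a plaintext password into the audit file."""
    return [e for e in events
            if e["op"] == "QUERY" and UNMASKED_SECRET.search(e["obj"])]


def failed_connects(events, threshold=3):
    """(user, host) pairs with at least `threshold` FAILED_CONNECT rows."""
    counts = Counter((e["user"], e["host"])
                     for e in events if e["op"] == "FAILED_CONNECT")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_LOG)
    for e in unmasked_secrets(events):
        print("unmasked secret in audit log:", e["ts"], e["user"], e["obj"])
    for (user, host), n in failed_connects(events).items():
        print(f"{n} failed logins for {user}@{host}")
```

Rows caught by unmasked_secrets are the ones to rewrite (store the hash, not PASSWORD() over a literal) or to keep out of the audit file's readers.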
SSL Connections
• Encryption between client and server
• Disabled by default
• TLSv1.2 protocol
• SSL also available for replication
• Variables needed to use SSL
  • ssl-ca=ca.pem
  • ssl-cert=server-cert.pem
  • ssl-key=server-key.pem
Encryption Functions
• Encryption functions are used per column
• Available encryptions
  • AES (Advanced Encryption Standard) algorithm
  • DES (Data Encryption Standard) algorithm
    • Requires SSL to be configured
• String encryption via DECODE / ENCODE
Thank You
mariadb.com
"MySQL is a registered trademark of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. MariaDB is not affiliated with MySQL."