PDF (A4) - 35.2Mb
Man Pages (TGZ) - 256.4Kb
Man Pages (Zip) - 361.2Kb
Info (Gzip) - 3.4Mb
Info (Zip) - 3.4Mb
MySQL Globalization
MySQL Information Schema
MySQL Installation Guide
MySQL and Linux/Unix
MySQL and macOS
MySQL Partitioning
MySQL Performance Schema
MySQL Replication
Using the MySQL Yum Repository
MySQL Restrictions and Limitations
Security in MySQL
MySQL and Solaris
Building MySQL from Source
Starting and Stopping MySQL
MySQL Tutorial
MySQL and Windows
MySQL NDB Cluster 7.5
The following sections provide a reference to MySQL Enterprise Firewall elements:
MySQL Enterprise Firewall maintains profile information on a per-group and per-account basis, using tables in the firewall database for persistent storage and Information Schema tables to provide views into in-memory cached data. When enabled, the firewall bases operational decisions on the cached data. The firewall database can be themysql system database or a custom schema (seeInstalling MySQL Enterprise Firewall).
Tables in the firewall database are covered in this section. For information about MySQL Enterprise Firewall Information Schema tables, seeSection 24.7, “INFORMATION_SCHEMA MySQL Enterprise Firewall Tables”.
Eachmysql system database table is accessible only by accounts that have theSELECT privilege for it. TheINFORMATION_SCHEMA tables are accessible by anyone.
Themysql.firewall_users table lists names and operational modes of registered firewall account profiles. The table has the following columns (with the corresponding Information SchemaMYSQL_FIREWALL_USERS table having similar but not necessarily identical columns):
USERHOSTThe account profile name. Each account name has the format
user_name@host_nameMODEThe current operational mode for the profile. Permitted mode values are
OFF,DETECTING,PROTECTING,RECORDING, andRESET. For details about their meanings, seeFirewall Concepts.
Themysql.firewall_whitelist table lists allowlist rules of registered firewall account profiles. The table has the following columns (with the corresponding Information SchemaMYSQL_FIREWALL_WHITELIST table having similar but not necessarily identical columns):
USERHOSTThe account profile name. Each account name has the format
user_name@host_nameRULEA normalized statement indicating an acceptable statement pattern for the profile. A profile allowlist is the union of its rules.
IDAn integer column that is a primary key for the table. This column was added in MySQL 5.7.23.
MySQL Enterprise Firewall stored procedures perform tasks such as registering profiles with the firewall, establishing their operational mode, and managing transfer of firewall data between the cache and persistent storage. These procedures invoke administrative functions that provide an API for lower-level tasks.
Firewall stored procedures are created in themysql system database. To invoke a firewall stored procedure, either do so whilemysql is the default database, or qualify the procedure name with the database name. For example:
CALL mysql.sp_set_firewall_mode(user,mode);The following list describes each firewall stored procedure:
sp_reload_firewall_rules(user)This stored procedure provides control over firewall operation for individual account profiles. The procedure uses firewall administrative functions to reload the in-memory rules for an account profile from the rules stored in the
mysql.firewall_whitelisttable.Arguments:
user: The name of the affected account profile, as a string inuser_name@host_name
Example:
CALL mysql.sp_reload_firewall_rules('fwuser@localhost');WarningThis procedure clears the account profile in-memory allowlist rules before reloading them from persistent storage, and sets the profile mode to
OFF. If the profile mode was notOFFprior to thesp_reload_firewall_rules()call, usesp_set_firewall_mode()to restore its previous mode after reloading the rules. For example, if the profile was inPROTECTINGmode, that is no longer true after callingsp_reload_firewall_rules()and you must set it toPROTECTINGagain explicitly.sp_set_firewall_mode(user,mode)This stored procedure establishes the operational mode for a firewall account profile, after registering the profile with the firewall if it was not already registered. The procedure also invokes firewall administrative functions as necessary to transfer firewall data between the cache and persistent storage. This procedure may be called even if the
mysql_firewall_modesystem variable isOFF, although setting the mode for a profile has no operational effect until the firewall is enabled.Arguments:
user: The name of the affected account profile, as a string inuser_name@host_namemode: The operational mode for the profile, as a string. Permitted mode values areOFF,DETECTING,PROTECTING,RECORDING, andRESET. For details about their meanings, seeFirewall Concepts.
Switching an account profile to any mode but
RECORDINGsynchronizes its firewall cache data to themysqlsystem database tables that provide persistent underlying storage. Switching the mode fromOFFtoRECORDINGreloads the allowlist from themysql.firewall_whitelisttable into the cache.If an account profile has an empty allowlist, its mode cannot be set to
PROTECTINGbecause the profile would reject every statement, effectively prohibiting the account from executing statements. In response to such a mode-setting attempt, the firewall produces a diagnostic message that is returned as a result set rather than as an SQL error:mysql> CALL mysql.sp_set_firewall_mode('a@b','PROTECTING');+----------------------------------------------------------------------+| set_firewall_mode(arg_userhost, arg_mode) |+----------------------------------------------------------------------+| ERROR: PROTECTING mode requested for a@b but the whitelist is empty. |+----------------------------------------------------------------------+1 row in set (0.02 sec)Query OK, 0 rows affected (0.02 sec)
MySQL Enterprise Firewall administrative functions provide an API for lower-level tasks such as synchronizing the firewall cache with the underlying system tables.
Under normal operation, these functions are invoked by the firewall stored procedures, not directly by users. For that reason, these function descriptions do not include details such as information about their arguments and return types.
Firewall Account Profile Functions
These functions perform management operations on firewall account profiles:
read_firewall_users(user,mode)This aggregate function updates the firewall account profile cache through a
SELECTstatement on themysql.firewall_userstable. It requires theSUPERprivilege.Example:
SELECT read_firewall_users('fwuser@localhost', 'RECORDING')FROM mysql.firewall_users;read_firewall_whitelist(user,rule)This aggregate function updates the recorded-statement cache for the named account profile through a
SELECTstatement on themysql.firewall_whitelisttable. It requires theSUPERprivilege.Example:
SELECT read_firewall_whitelist('fwuser@localhost', fw.rule)FROM mysql.firewall_whitelist AS fwWHERE USERHOST = 'fwuser@localhost';This function manages the account profile cache and establishes the profile operational mode. It requires the
SUPERprivilege.Example:
SELECT set_firewall_mode('fwuser@localhost', 'RECORDING');
Firewall Miscellaneous Functions
These functions perform miscellaneous firewall operations:
This function resets several firewall status variables to 0:
This function requires the
SUPERprivilege.Example:
SELECT mysql_firewall_flush_status();This function normalizes an SQL statement into the digest form used for allowlist rules. It requires the
SUPERprivilege.Example:
SELECT normalize_statement('SELECT * FROM t1 WHERE c1 > 2');
MySQL Enterprise Firewall supports the following system variables. Use them to configure firewall operation. These variables are unavailable unless the firewall is installed (seeSection 6.4.6.2, “Installing or Uninstalling MySQL Enterprise Firewall”).
Command-Line Format --mysql-firewall-mode[={OFF|ON}]System Variable mysql_firewall_modeScope Global Dynamic Yes Type Boolean Default Value ONWhether MySQL Enterprise Firewall is enabled (the default) or disabled.
Command-Line Format --mysql-firewall-trace[={OFF|ON}]System Variable mysql_firewall_traceScope Global Dynamic Yes Type Boolean Default Value OFFWhether the MySQL Enterprise Firewall trace is enabled or disabled (the default). When
mysql_firewall_traceis enabled, forPROTECTINGmode, the firewall writes rejected statements to the error log.
MySQL Enterprise Firewall supports the following status variables. Use them to obtain information about firewall operational status. These variables are unavailable unless the firewall is installed (seeSection 6.4.6.2, “Installing or Uninstalling MySQL Enterprise Firewall”). Firewall status variables are set to 0 whenever theMYSQL_FIREWALL plugin is installed or the server is started. Many of them are reset to zero by themysql_firewall_flush_status() function (seeMySQL Enterprise Firewall Administrative Functions).
The number of statements rejected by MySQL Enterprise Firewall.
The number of statements accepted by MySQL Enterprise Firewall.
The number of statements logged by MySQL Enterprise Firewall as suspicious for users who are in
DETECTINGmode.The number of statements recorded by MySQL Enterprise Firewall, including duplicates.
PDF (A4) - 35.2Mb
Man Pages (TGZ) - 256.4Kb
Man Pages (Zip) - 361.2Kb
Info (Gzip) - 3.4Mb
Info (Zip) - 3.4Mb
MySQL Globalization
MySQL Information Schema
MySQL Installation Guide
MySQL and Linux/Unix
MySQL and macOS
MySQL Partitioning
MySQL Performance Schema
MySQL Replication
Using the MySQL Yum Repository
MySQL Restrictions and Limitations
Security in MySQL
MySQL and Solaris
Building MySQL from Source
Starting and Stopping MySQL
MySQL Tutorial
MySQL and Windows
MySQL NDB Cluster 7.5