Documentation Home
MySQL 9.4 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 41.2Mb
PDF (A4) - 41.3Mb
Man Pages (TGZ) - 262.8Kb
Man Pages (Zip) - 368.8Kb
Info (Gzip) - 4.1Mb
Info (Zip) - 4.1Mb


MySQL 9.4 Reference Manual  / ...  / Security  / Security Components and Plugins  / MySQL Enterprise Firewall  /  The MySQL Enterprise Firewall Component

8.4.8.2 The MySQL Enterprise Firewall Component

  • Purpose: Provide an application-level firewall enabling the database administrator to allow or block SQL statements based on matching them against accepted statement patterns.

  • URN:file://component_firewall

More information about the firewall component, installing it (and performing similar operations with it), and using it can be found in the following sections, listed here:

8.4.8.2.1 Elements of MySQL Enterprise Firewall (Component)

The MySQL Enterprise Firewall component, introduced in MySQL 9.4.0, is intended to replace the firewall plugin, which is now deprecated. The component-based version of MySQL Enterprise Firewall includes the following elements:

8.4.8.2.2 MySQL Enterprise Firewall Component Installation

This section covers topics relating to installation and configuration of the MySQL Enterprise Firewall component, including installation, removal, and migration between the firewall component and the firewall plugin (deprecated).

Installing the MySQL Enterprise Firewall Component

This section provides information about performing a new installation of the MySQL Enterprise Firewall component. If, instead, you wish to upgrade an existing plugin-based installation of MySQL Enterprise Firewall to use the firewall component, seeUpgrading to the MySQL Enterprise Firewall Component.

Prior to beginning the installation, you must choose a location for the firewall database. While it is possible to use themysql system database, we recommend that you use a separate, dedicated database for this purpose. For example, to install MySQL Enterprise Firewall to a new, not previously existing, database namedmyfwdb, execute the statements shown here in themysql client:

mysql> CREATE DATABASE IF NOT EXISTS myfwdb;Query OK, 1 row affected (0.01 sec)mysql> USE myfwdb;Database changed

To perform the installation, useinstall_component_firewall.sql from theshare directory of your MySQL installation. This script installs the firewall database to the current database, so you should make sure that this is the case before proceeding, like this:

mysql> SELECT DATABASE();+------------+| DATABASE() |+------------+| myfwdb     |+------------+1 row in set (0.00 sec)

This script requires (and accepts) no arguments; simply run it using themysql clientsource command, as shown here:

mysql> source ../share/install_component_firewall.sql

Adjust the path to theshare directory as needed to match your installation layout. SeeSection 6.5.1.2, “mysql Client Commands”, andSection 6.5.1.5, “Executing SQL Statements from a Text File”, for more information about using thesource command.

install_component_firewall.sql creates all tables, stored procedures, and server variables needed by the MySQL Enterprise Firewall component. Thecomponent_firewall.database server system variable is set to the name of the current database (and persisted), and the firewall is enabled, as you can see by checking the values ofcomponent_firewall.database andcomponent_firewall.enabled, like this:

SELECT component_firewall.database, component_firewall.enabled;+-----------------------------+----------------------------+| component_firewall.database | component_firewall.enabled |+-----------------------------+----------------------------+|                      myfwdb |                         ON |+-----------------------------+----------------------------+1 row in set (0.00 sec)
Uninstalling the MySQL Enterprise Firewall Component

This section provides information about performing a complete removal of the MySQL Enterprise Firewall component and its related elements. For information about downgrading the component to the firewall plugin (deprecated), seeDowngrading the MySQL Enterprise Firewall Component.

You can remove the MySQL Enterprise Firewall component from your MySQL installation using the supplied scriptuninstall_component_firewall.sql which can be found in theshare directory.

Important

Before runninguninstall_component_firewall.sql, you must insure that there are no other connections to the server. UseSHOW PROCESSLIST or query the Performance Schemaprocesslist table to help you determine that this is the case.

After ensuring the the current database is the firewall database, execute this script from amysql client session. In this example, we assume that the firewall database is namedmyfwdb:

SELECT @@component_firewall.database;+-------------------------------+| @@component_firewall.database |+-------------------------------+|                        myfwdb |+-------------------------------+1 row in set (0.00 sec)mysql> USE myfwdb;Database changedmysql> SELECT DATABASE();+------------+| DATABASE() |+------------+| myfwdb     |+------------+1 row in set (0.00 sec)mysql> source ../share/uninstall_component_firewall.sql

You may need to adjust the path to theshare directory to match the layout of your installation. For more information, seeSection 6.5.1.2, “mysql Client Commands”, as well asSection 6.5.1.5, “Executing SQL Statements from a Text File”.

Upgrading to the MySQL Enterprise Firewall Component

This section describes how to upgrade an existing MySQL Enterprise Firewall plugin installation to the firewall component introduced in MySQL 9.4.0.

You can perform an upgrade from the firewall plugin to the firewall component using the scriptfirewall_plugin_to_component.sql, in the MySQL installationshare directory. This script performs the following tasks:

  • Migrates any plugin account profiles to group profiles with single users.

  • Drops the plugin's stored procedures.

  • Uninstalls all firewall plugins.

  • Drops all tables not used by the component.

  • Alters those tables remaining after the others are dropped to conform with the table definitions accepted by the firewall component.

  • Translates plugin system variables to those used by the component and persists them. For example, the value ofmysql_firewall_database is copied tocomponent_firewall.database.

  • Installs the firewall component.

  • Creates the stored procedures used by the component.

Important

If the firewall plugin was loaded using--plugin-load-add, you must remove it from the list of plugins specified for that option prior to runningfirewall_plugin_to_component.sql.

To perform the upgrade, start amysql client session and ensure that the current database is the firewall database (mysql_firewall_database). After this, simply run the script. This is shown here:

mysql> SELECT @@mysql_firewall_database;+---------------------------+| @@mysql_firewall.database |+---------------------------+|                    myfwdb |+---------------------------+1 row in set (0.00 sec)mysql> USE myfwdb;Database changedmysql> SELECT DATABASE();+------------+| DATABASE() |+------------+| myfwdb     |+------------+1 row in set (0.00 sec)mysql> source ../share/firewall_plugin_to_component.sql

We usemyfwdb in the preceding example as the name of the firewall database; this value is almost certain to be different on your system. In addition, you may also need to adjust the path to theshare directory.

Downgrading the MySQL Enterprise Firewall Component

This section describes how to downgrade an existing MySQL Enterprise Firewall component installation to the legacy firewall plugin (deprecated in MySQL 9.4.0 and later).

A downgrade from the firewall component to the firewall plugin consists of two parts:

  • Preparation for the plugin and uninstallation of the firewall component

    This is performed by executing the SQL scriptfirewall_component_to_plugin.sql in amysql client session.

  • Installation of the firewall plugin

    This is accomplished by runninglinux_install_firewall.sql orwin_install_firewall.sql (also in themysql client), depending on the platform.

firewall_component_to_plugin.sql must be run with the firewall database as the current database. You can ensure that this is the case, and then execute the script using themysql clientsource command, as shown here:

SELECT @@component_firewall.database;+-------------------------------+| @@component_firewall.database |+-------------------------------+|                        myfwdb |+-------------------------------+1 row in set (0.00 sec)mysql> USE myfwdb;Database changedmysql> SELECT DATABASE();+------------+| DATABASE() |+------------+| myfwdb     |+------------+1 row in set (0.00 sec)mysql> source ../share/firewall_component_to_plugin.sql

The example showsmyfwdb as the name of the firewall database; this is likely to be different on your system. Adjust the path shown here to theshare directory as necessary to conform to the installation layout on your system.

firewall_component_to_plugin.sql terminates with the output shown here:

Restart mysqld with the following options:--loose-mysql-firewall-database=database,--loose-mysql-firewall-mode=mode,--loose-mysql-firewall-reload-interval-seconds=seconds,--loose-mysql-firewall-trace=trace,and run win_install_firewall.sql or linux_install_firewall.sql on schemadatabase.

Restart the MySQL server using the indicated options and values, then start amysql client session and runlinux_install_firewall.sql (Linux and other Unix platforms) orwin_install_firewall.sql (Windows platforms). SeeInstalling the MySQL Enterprise Firewall Plugin for more information about using these scripts to install the firewall plugin.

8.4.8.2.3 Using the MySQL Enterprise Firewall Component

Before using the MySQL Enterprise Firewall component, install it according to the instructions provided inSection 8.4.8.2.2, “MySQL Enterprise Firewall Component Installation”.

This section describes how to configure the firewall component using SQL statements. Alternatively, MySQL Workbench 6.3.4 and later versions provide a graphical interface for firewall control. SeeMySQL Enterprise Firewall Interface.

Enabling or Disabling the Firewall Plugin

To enable or disable the firewall plugin, set thecomponent_firewall.enabled system variable. By default, this isON when the firewall component is installed. To set the initial firewall state explicitly at server startup, you can set the variable in an option file such asmy.cnf, like this:

[mysqld]component_firewall.enabled=ON

After modifyingmy.cnf, you must restart the server to cause the new setting to take effect. SeeSection 6.2.2.2, “Using Option Files”.

Alternatively, you can set and persist the firewall setting at runtime by executing either of the SQL statements shown here:

SET PERSIST component_firewall.enabled = OFF;SET PERSIST component_firewall.enabled = ON;

SET PERSIST sets a value for the running MySQL instance, and saves the value, causing it to carry over to subsequent server restarts. To change a value for the running MySQL instance without having it carry over to subsequent restarts, use theGLOBAL keyword rather thanPERSIST. SeeSection 15.7.6.1, “SET Syntax for Variable Assignment”, for more information.

Scheduling Firewall Cache Reloads

Each time the firewall component initializes, it loads data into its internal cache from the following tables (seeMySQL Enterprise Firewall Component Tables):

  • firewall_group_allowlist

  • firewall_groups

  • firewall_membership

Without restarting the server or reinstalling the server-side plugin, modification of data outside of the plugin is not reflected internally. Thecomponent_firewall.reload_interval_seconds system variable makes it possible to force memory cache reloads from tables at specified intervals. By default, the interval value is0, which disables such reloads.

To schedule regular cache reloads, first ensure that thescheduler component is installed and enabled (seeSection 7.5.5, “Scheduler Component”). To check the status of the component, use aSHOW VARIABLES statement similar to this one:

mysql> SHOW VARIABLES LIKE 'component_scheduler%';+-----------------------------+-------+| Variable_name               | Value |+-----------------------------+-------|| component_scheduler.enabled | On    |+-----------------------------+-------+

With the firewall plugin installed, setcomponent_firewall.reload_interval_seconds at server startup to a number between 60 andINT_MAX, whose value is platform-specific. Values in the range1 to59 (inclusive) are reset to 60, with a warning, as shown here:

$> mysqld[server-options] --component_firewall.reload_interval_seconds=40...2023-08-31T17:46:35.043468Z 0 [Warning] [MY-015031] [Server] Plugin MYSQL_FIREWALL reported: 'Invalid reload interval specified: 40. Valid values are 0 (off) or greater than or equal to 60. Adjusting to 60.'...

Alternatively, to set and persist this value at startup, precede the variable name with thePERSIST_ONLY keyword or the@@PERSIST_ONLY. qualifier, like this:

SET PERSIST_ONLY component_firewall.reload_interval_seconds = 120;SET @@PERSIST_ONLY.component_firewall.reload_interval_seconds = 120;

After performing this modification, restart the server to cause the new setting to take effect.

Assigning Firewall Privileges (Component)

After the firewall component has been installed and configured, you should grant appropriate privileges to the MySQL account or accounts to be used for administering it. The assignment of privileges depends on which firewall operations an account should be permitted to perform, as listed here:

  • Grant theFIREWALL_EXEMPT privilege to any account that should be exempt from firewall restrictions. This is useful, for example, for a database administrator who configures the firewall, to avoid the possibility of a misconfiguration causing even the administrator to be locked out and unable to execute statements.

  • Grant theFIREWALL_ADMIN privilege to any account that should have full administrative firewall access. (Some administrative firewall functions can be invoked by accounts that haveFIREWALL_ADMINor the deprecatedSUPER privilege, as indicated in the individual function descriptions.)

  • Grant theEXECUTE privilege for the stored procedures in the firewall database (seeMySQL Enterprise Firewall Component Stored Procedures). These may invoke administrative functions, so stored procedure access also requires the privileges indicated earlier that are needed for those functions.

Note

TheFIREWALL_EXEMPT andFIREWALL_ADMIN privileges can be granted only while the firewall is installed because those privileges are defined bycomponent_firewall.

Firewall Concepts

The MySQL server permits clients to connect and receives from them SQL statements to be executed. If the firewall is enabled, the server passes to it each incoming statement that does not immediately fail with a syntax error. Based on whether the firewall accepts the statement, the server executes it or returns an error to the client. This section describes how the firewall accomplishes the task of accepting or rejecting statements.

Firewall Profiles

The firewall uses a registry of profiles that determine whether to permit statement execution. Profiles have these attributes:

  • An allowlist. The allowlist is the set of rules that defines which statements are acceptable to the profile.

  • A current operational mode. The mode enables the profile to be used in different ways. For example: the profile can be placed in training mode to establish the allowlist; the allowlist can be used for restricting statement execution or intrusion detection; the profile can be disabled entirely.

  • The firewall supports group profiles which can have multiple accounts as members, with the profile allowlist applying equally to all members.

Initially, no profiles exist, so by default, the firewall accepts all statements and has no effect on which statements MySQL accounts can execute. To apply firewall protective capabilities, explicit action is required. This includes the following steps:

  • Register one or more profiles with the firewall.

  • Train the firewall by establishing the allowlist for each profile; that is, the types of statements the profile permits clients to execute.

  • Place the trained profiles inPROTECTING mode to harden MySQL against unauthorized statement execution. It does this first by associating each client session with a specific user name and host name combination, known as thesession account. Then, for each client connection, the firewall uses the session account to determine which profile or profiles apply to incoming statements from this client, accepting only those statements which are permitted by the applicable profile allowlists.

Note

The firewall component does not support account profiles. For assistance with converting existing account profiles prior to upgrading from the firewall plugin, seeMigrating Account Profiles to Group Profiles.

The profile-based protection afforded by the firewall enables implementation of strategies such as those listed here:

  • If an application has unique protection requirements, have it use an account not used for any other purpose, and set up a group profile for that account.

  • If related applications share protection requirements, associate each application with its own account, then add these application accounts as members of the same group profile.

Firewall Statement Matching

Statement matching performed by the firewall does not use SQL statements as received from clients. Instead, the server converts incoming statements to normalized digest form and firewall operation uses these digests. The benefit of statement normalization is that it enables similar statements to be grouped and recognized using a single pattern. For example, these statements are distinct from each other:

SELECT first_name, last_name FROM customer WHERE customer_id = 1;select first_name, last_name from customer where customer_id = 99;SELECT first_name, last_name FROM customer WHERE customer_id = 143;

But all of them have the same normalized digest form, shown here:

SELECT `first_name` , `last_name` FROM `customer` WHERE `customer_id` = ?

By using normalization, firewall allowlists can store digests that each match many different statements received from clients. For more information about normalization and digests, seeSection 29.10, “Performance Schema Statement Digests and Sampling”.

Warning

Settingmax_digest_length to0 disables digest production, which also disables server functionality that requires digests, such as MySQL Enterprise Firewall.

Profile Operational Modes

Each profile registered with the firewall has its own operational mode, chosen from the following values:

  • OFF: Disables the profile. The firewall considers the profile inactive and ignores it.

  • RECORDING: Firewall training mode. Incoming statements received from a client that matches the profile are considered acceptable for the profile and become part of itsfingerprint. The firewall records the normalized digest form of each statement to learn the acceptable statement patterns for the profile. Each pattern is a rule; the profile allowlist consists of the union of all such rules.

  • PROTECTING: The profile allows or prevents statement execution. The firewall matches incoming statements against the profile allowlist, accepting only statements that match and rejecting those that do not. After training a profile inRECORDING mode, switch it toPROTECTING mode to harden MySQL against access by statements that deviate from the allowlist. If thecomponent_firewall.trace system variable is enabled, the firewall also writes any rejected statements to the error log.

  • DETECTING: Detects but not does not block intrusions (statements that are suspicious because they match nothing in the profile allowlist). InDETECTING mode, the firewall writes suspicious statements to the error log but accepts them without denying access.

When a profile is assigned any of the preceding mode values, the firewall stores the mode in the profile. Firewall mode-setting operations also permit the mode valueRESET, but this value is not stored: setting a given profile toRESET mode causes the firewall to delete all rules for this profile, and then set its mode toOFF.

Note

Messages written to the error log inDETECTING mode or becausemysql_firewall_trace is enabled are written as Notes, which are information messages. To ensure that such messages appear in the error log and are not discarded, make sure that error-logging verbosity is sufficient to include information messages. For example, if you are using priority-based log filtering, as described inSection 7.4.2.5, “Priority-Based Error Log Filtering (log_filter_internal)”, setlog_error_verbosity to3.

Firewall Statement Handling When Multiple Profiles Apply

For simplicity, later sections that describe how to set up profiles take the perspective that the firewall matches incoming statements from a client against only a single profile, either a group profile or account profile. But firewall operation can be more complex:

  • A group profile can include multiple accounts as members.

  • An account can be a member of multiple group profiles.

  • Multiple profiles can match a given client.

The following description covers the general case of how the firewall operates, when potentially multiple profiles apply to incoming statements.

As previously mentioned, MySQL associates each client session with a specific user name and host name combination known as thesession account. The firewall matches the session account against registered profiles to determine which profiles apply to handling incoming statements from the session:

  • The firewall ignores inactive profiles (profiles with a mode ofOFF).

  • The session account matches every active group profile that includes a member having the same user and host. There can be more than one such group profile.

  • The session account matches an active account profile having the same user and host, if there is one. There is at most one such account profile.

In other words, the session account can match 0 or more active group profiles, and 0 or 1 active account profiles. This means that 0, 1, or multiple firewall profiles are applicable to a given session, for which the firewall handles each incoming statement as follows:

  • If there is no applicable profile, the firewall imposes no restrictions and accepts the statement.

  • If there are applicable profiles, their modes determine statement handling:

    • The firewall records the statement in the allowlist of each applicable profile that is inRECORDING mode.

    • The firewall writes the statement to the error log for each applicable profile inDETECTING mode for which the statement is suspicious (does not match the profile allowlist).

    • The firewall accepts the statement if at least one applicable profile is inRECORDING orDETECTING mode (those modes accept all statements), or if the statement matches the allowlist of at least one applicable profile inPROTECTING mode. Otherwise, the firewall rejects the statement (and writes it to the error log if themysql_firewall_trace system variable is enabled).

With that description in mind, the next sections revert to the simplicity of the situations when a single group profile or a single account profile apply, and cover how to set up each type of profile.

Registering Firewall Profiles

MySQL Enterprise Firewall supports registration of group profiles. A group profile can have multiple accounts as its members. To use a firewall group profile to protect MySQL against incoming statements from a given account, follow these steps:

  1. Register the profile and put it inRECORDING mode.

  2. Add a member account to the profile.

  3. Connect to the MySQL server using this member account and execute statements to be learned. This trains the profile and establishes the rules that form the profile allowlist.

  4. Add any other accounts that are to be group members to the profile.

  5. Switch the profile toPROTECTING mode. When a client connects to the server using any account that is a member of the group, the profile allowlist restricts statement execution.

  6. Should additional training be necessary, switch the profile toRECORDING mode again, update its allowlist with new statement patterns, then switch it back toPROTECTING mode.

Observe these guidelines for account references relating to the MySQL Enterprise Firewall plugin:

  • Take note of the context in which account references occur. To name an account for firewall operations, specify it as a single quoted string ('user_name@host_name'). This differs from the usual MySQL convention for statements such asCREATE USER andGRANT, for which you quote the user and host parts of an account name separately ('user_name'@'host_name').

    The requirement for naming accounts as a single quoted string for firewall operations means that you cannot use any account whose user name contains the@ character.

  • The firewall assesses statements against accounts represented by actual user and host names as authenticated by the server. When registering accounts in profiles, do not use wildcard characters or netmasks. The reasons for this are described here:

    • Suppose that an account namedme@%.example.org exists and a client uses it to connect to the server from the hostabc.example.org.

    • The account name contains a% wildcard character, but the server authenticates the client as having the user nameme and host nameabc.example.com, and that is what the firewall sees.

    • Consequently, the account name to use for firewall operations isme@abc.example.org rather thanme@%.example.org.

The following procedure shows how to register a group profile with the firewall, train the firewall to know the acceptable statements for that profile (its allowlist), use the profile to protect MySQL against execution of unacceptable statements, and add and remove group members. The example uses the group profile namefwgrp. The example profile is presumed for use by clients of an application that accesses tables in thesakila database (available athttps://dev.mysql.com/doc/index-other.html).

Use an administrative MySQL account to perform the steps in this procedure, except those steps designated for execution by member accounts of the firewall group profile. For statements executed by member accounts, the default database should besakila. (You can use a different database by adjusting the instructions accordingly.)

  1. If necessary, create the accounts that are to be members of thefwgrp group profile and grant them appropriate access privileges. Statements for one member are shown here (choose an appropriate password):

    CREATE USER 'member1'@'localhost' IDENTIFIED BY 'password';GRANT ALL ON sakila.* TO 'member1'@'localhost';

  2. Use the stored procedureset_firewall_group_mode() to register the group profile with the firewall and place the profile inRECORDING (training) mode, as shown here:

    CALLfirewall-database.set_firewall_group_mode('fwgrp', 'RECORDING');

  3. Use the stored procedurefirewall_group_enlist() to add an initial member account for use in training the group profile allowlist:

    CALLfirewall-database.firewall_group_enlist('fwgrp', 'member1@localhost');

  4. To train the group profile using the initial member account, connect to the server asmember1 from the server host so that the firewall sees a session account formember1@localhost. Then execute some statements to be considered legitimate for the profile. For example:

    SELECT title, release_year FROM film WHERE film_id = 1;UPDATE actor SET last_update = NOW() WHERE actor_id = 1;SELECT store_id, COUNT(*) FROM inventory GROUP BY store_id;

    The firewall receives the statements from themember1@localhost account. Because that account is a member of thefwgrp profile, which is inRECORDING mode, the firewall interprets the statements as applicable tofwgrp and records the normalized digest form of the statements as rules in thefwgrp allowlist. Those rules then apply to all accounts that are members offwgrp.

    Note

    Until thefwgrp group profile receives statements inRECORDING mode, its allowlist is empty, which is equivalent todeny all and means that no statement can match. This has the following implications:

    • The group profile cannot be switched toPROTECTING mode, since it would then reject every statement, effectively prohibiting the accounts that are group members from executing any statements whatsoever.

    • The group profile can be switched toDETECTING mode. In this case, the profile accepts every statement but logs it as suspicious.

  5. At this point, the group profile information is cached, including its name, membership, and allowlist. To see this information, query the Performance Schema firewall tables, like this:

    mysql> SELECT MODE FROM performance_schema.firewall_groups    -> WHERE NAME = 'fwgrp';+-----------+| MODE      |+-----------+| RECORDING |+-----------+mysql> SELECT * FROM performance_schema.firewall_membership    -> WHERE GROUP_ID = 'fwgrp' ORDER BY MEMBER_ID;+----------+-------------------+| GROUP_ID | MEMBER_ID         |+----------+-------------------+| fwgrp    | member1@localhost |+----------+-------------------+mysql> SELECT RULE FROM performance_schema.firewall_group_allowlist    -> WHERE NAME = 'fwgrp';+----------------------------------------------------------------------+| RULE                                                                 |+----------------------------------------------------------------------+| SELECT @@`version_comment` LIMIT ?                                   || UPDATE `actor` SET `last_update` = NOW ( ) WHERE `actor_id` = ?      || SELECT `title` , `release_year` FROM `film` WHERE `film_id` = ?      || SELECT `store_id` , COUNT ( * ) FROM `inventory` GROUP BY `store_id` |+----------------------------------------------------------------------+

    SeeSection 29.12.17, “Performance Schema Firewall Tables”, for more information about these tables.

    Note

    The@@version_comment rule comes from a statement sent automatically by themysql client when it connects to the server.

    Important

    Train the firewall under conditions matching application use. For example, to determine server characteristics and capabilities, a given MySQL connector might send statements to the server at the beginning of each session. If an application normally is used through that connector, train the firewall using the connector, too. That enables those initial statements to become part of the allowlist for the group profile associated with the application.

  6. Invokeset_firewall_group_mode() again to switch the group profile toPROTECTING mode:

    CALLfirewall-database.set_firewall_group_mode('fwgrp', 'PROTECTING');
    Important

    Switching the group profile out ofRECORDING mode synchronizes its cached data to the firewall database tables that provide persistent underlying storage. If you do not switch the mode for a profile that is being recorded, the cached data is not written to persistent storage and is lost when the server is restarted.

  7. Add any other accounts that should be members of this group profile, like this:

    CALLfirewall-database.firewall_group_enlist('fwgrp', 'member2@localhost');CALLfirewall-database.firewall_group_enlist('fwgrp', 'member3@localhost');CALLfirewall-database.firewall_group_enlist('fwgrp', 'member4@localhost');

    The profile allowlist trained using themember1@localhost account now also applies to the accounts just added.

  8. To verify the updated group membership, query thefirewall_membership table again:

    mysql> SELECT * FROM performance_schema.firewall_membership    -> WHERE GROUP_ID = 'fwgrp' ORDER BY MEMBER_ID;+----------+-------------------+| GROUP_ID | MEMBER_ID         |+----------+-------------------+| fwgrp    | member1@localhost || fwgrp    | member2@localhost || fwgrp    | member3@localhost || fwgrp    | member4@localhost |+----------+-------------------+

  9. Test the group profile against the firewall by using any account in the group to execute some acceptable and unacceptable statements. The firewall matches each statement from this account against the profile allowlist and accepts or rejects it based on the result, as described here:

    • This statement is not identical to any of the training statements but produces the same normalized statement as one of them, so the firewall accepts it:

      mysql> SELECT title, release_year FROM film WHERE film_id = 98;+-------------------+--------------+| title             | release_year |+-------------------+--------------+| BRIGHT ENCOUNTERS |         2006 |+-------------------+--------------+

    • These statements match nothing in the allowlist, so the firewall rejects each one with an error:

      mysql> SELECT title, release_year FROM film WHERE film_id = 98 OR TRUE;ERROR 1045 (28000): Statement was blocked by Firewallmysql> SHOW TABLES LIKE 'customer%';ERROR 1045 (28000): Statement was blocked by Firewallmysql> TRUNCATE TABLE mysql.slow_log;ERROR 1045 (28000): Statement was blocked by Firewall

    • Ifcomponent_firewall.trace is enabled, the firewall also writes rejected statements to the error log. These log messages may be helpful in identifying the source of attacks, should that be necessary.

  10. Should members need to be removed from the group profile, use the stored procedurefirewall_group_delist(), like this:

    CALLfirewall-database.firewall_group_delist('fwgrp', 'member3@localhost');

The firewall group profile now is trained for member accounts. When clients connect using any account in the group and attempt to execute statements, the profile protects MySQL against statements not matched by the profile allowlist.

The procedure just shown added only one member to the group profile before training its allowlist. Doing so provides better control over the training period by limiting which accounts can add new acceptable statements to the allowlist. Should additional training be necessary, you can switch the profile back toRECORDING mode, like this:

CALLfirewall-database.set_firewall_group_mode('fwgrp', 'RECORDING');

You should keep in mind that this enables any member of the group to execute statements and to add them to the allowlist. To limit the additional training to a single group member, callset_firewall_group_mode_and_user() instead. This is likeset_firewall_group_mode() but takes an additional argument specifying which account is permitted to train the profile inRECORDING mode. For example, to enable training only bymember4@localhost, callset_firewall_group_mode_and_user() as shown here:

CALLfirewall-database.set_firewall_group_mode_and_user('fwgrp', 'RECORDING', 'member4@localhost');

This enables additional training by the specified account without having to remove the other group members. (They can execute statements, but the statements are not added to the allowlist.) You should also keep in mind that, inRECORDING mode, the other members can executeany statement.

Note

To avoid unexpected behavior when a particular account is specified as the training account for a group profile, always ensure that account is a member of the group.

After the additional training, set the group profile back toPROTECTING mode, like this:

CALLfirewall-database.set_firewall_group_mode('fwgrp', 'PROTECTING');

The training account established byset_firewall_group_mode_and_user() is saved in the group profile, so that the firewall remembers it in case more training is needed later. Thus, if you callset_firewall_group_mode() (which takes no training account argument), the current profile training account,member4@localhost, remains unchanged.

If desired, you can clear the training account, and enable all group members to perform training inRECORDING mode, by callingset_firewall_group_mode_and_user() and passingNULL for the account name, as shown here:

CALLfirewall-database.set_firewall_group_mode_and_user('fwgrp', 'RECORDING', NULL);

It is possible to detect intrusions by logging nonmatching statements as suspicious without denying access. First, put the group profile inDETECTING mode, like this:

CALLfirewall-database.set_firewall_group_mode('fwgrp', 'DETECTING');

Then, using a member account, execute a statement that does not match the group profile allowlist. InDETECTING mode, the firewall permits the nonmatching statement to execute, as shown here:

mysql> SHOW TABLES LIKE 'customer%';+------------------------------+| Tables_in_sakila (customer%) |+------------------------------+| customer                     || customer_list                |+------------------------------+

In addition, the firewall writes a message to the error log.

To disable a group profile, change its mode toOFF, like this:

CALLfirewall-database.set_firewall_group_mode('fwgrp', 'OFF');

To forget all training for a profile and disable it, reset it:

CALLfirewall-database.sp_set_firewall_group_mode('fwgrp', 'RESET');

The reset operation causes the firewall to delete all rules for this profile, and to set its mode toOFF.

Monitoring the Firewall

You can assess firewall activity by examine its associated status variables. For example, after performing the procedure shown earlier to train and protect thefwgrp group profile (seeRegistering Firewall Profiles), these variables have the values shown in the output of thisSHOW GLOBAL STATUS statement:

mysql> SHOW GLOBAL STATUS LIKE 'firewall%';+----------------------------+-------+| Variable_name              | Value |+----------------------------+-------+| firewall_access_denied     | 3     || firewall_access_granted    | 4     || firewall_access_suspicious | 1     || firewall_cached_entries    | 4     |+----------------------------+-------+

These variables indicate the numbers of statements rejected, accepted, logged as suspicious, and added to the cache, respectively.firewall_access_granted is 4 due to the@@version_comment statement sent by themysql client each of the three times the registered account connected to the server, plus theSHOW TABLES statement that was not blocked inDETECTING mode.

8.4.8.2.4 MySQL Enterprise Firewall Component Reference

The following sections provide reference information for elements of the MySQL Enterprise Firewall component, including tables, stored routines, system and status variables, and SQL scripts.

MySQL Enterprise Firewall Component Tables

the MySQL Enterprise Firewall component maintains profile information on a per-group basis, using tables in the firewall database for persistent storage and Information Schema tables to provide views into in-memory cached data. When enabled, the firewall bases operational decisions on the cached data. The firewall database can be themysql system database or one determined when installing the component (seeInstalling the MySQL Enterprise Firewall Component).

Tables in the firewall database are covered in this section. For information about MySQL Enterprise Firewall Performance Schema tables, seeSection 29.12.17, “Performance Schema Firewall Tables”.

The MySQL Enterprise Firewall component maintains group profile information using tables in the firewall database for persistent storage, and Performance Schema tables to provide views into in-memory, cached data.

Each system and Performance Schema table is accessible only by accounts that have theSELECT privilege for it.

Thefirewall-database.firewall_groups table lists names and operational modes of registered firewall group profiles. The table has the following columns (with the corresponding Performance Schemafirewall_groups table having similar but not necessarily identical columns):

  • NAME

    The group profile name.

  • MODE

    The current operational mode for the profile. Permitted mode values areOFF,DETECTING,PROTECTING, andRECORDING. For details about their meanings, seeFirewall Concepts.

  • USERHOST

    The training account for the group profile, to be used when the profile is inRECORDING mode. The value isNULL, or a non-NULL account that has the formatuser_name@host_name:

    • If the value isNULL, the firewall records allowlist rules for statements received from any account that is a member of the group.

    • If the value is non-NULL, the firewall records allowlist rules only for statements received from the named account (which should be a member of the group).

Thefirewall-database.firewall_group_allowlist table lists allowlist rules of registered firewall group profiles. The table has the following columns (with the corresponding Performance Schemafirewall_group_allowlist table having similar but not necessarily identical columns):

  • NAME

    The group profile name.

  • RULE

    A normalized statement indicating an acceptable statement pattern for the profile. A profile allowlist is the union of its rules.

  • ID

    An integer column that is a primary key for the table.

Thefirewall-database.firewall_membership table lists the members (accounts) of registered firewall group profiles. The table has the following columns (with the corresponding Performance Schemafirewall_membership table having similar but not necessarily identical columns):

  • GROUP_ID

    The group profile name.

  • MEMBER_ID

    The name of an account that is a member of the profile.

MySQL Enterprise Firewall Component Stored Procedures

The MySQL Enterprise Firewall component provides the following stored procedures for performing management operations on firewall group profiles:

  • sp_firewall_group_delist(group,user)

    This stored procedure removes an account from a firewall group profile.

    If the call succeeds, the change in group membership is made to both the in-memory cache and persistent storage.

    Arguments:

    • group: The name of the affected group profile.

    • user: The account to remove, as a string inuser_name@host_name format.

    Example:

    CALL mysql.sp_firewall_group_delist('g', 'fwuser@localhost');

  • sp_firewall_group_enlist(group,user)

    This stored procedure adds an account to a firewall group profile. It is not necessary to register the account itself with the firewall before adding the account to the group.

    If the call succeeds, the change in group membership is made to both the in-memory cache and persistent storage.

    Arguments:

    • group: The name of the affected group profile.

    • user: The account to add, as a string inuser_name@host_name format.

    Example:

    CALL mysql.sp_firewall_group_enlist('g', 'fwuser@localhost');

  • sp_firewall_group_remove(name)

    Removes the the group having the supplied name.

  • sp_firewall_group_rename(oldname,newname)

    Renames the group namedoldname tonewname.

  • sp_reload_firewall_group_rules(group)

    This stored procedure provides control over firewall operation for individual group profiles. The procedure uses firewall administrative functions to reload the in-memory rules for a group profile from the rules stored in thefirewall-database.firewall_group_allowlist table.

    Arguments:

    • group: The name of the affected group profile.

    Example:

    CALL mysql.sp_reload_firewall_group_rules('myapp');
    Warning

    This procedure clears the group profile in-memory allowlist rules before reloading them from persistent storage, and sets the profile mode toOFF. If the profile mode was notOFF prior to thesp_reload_firewall_group_rules() call, usesp_set_firewall_group_mode() to restore its previous mode after reloading the rules. For example, if the profile was inPROTECTING mode, that is no longer true after callingsp_reload_firewall_group_rules() and you must set it toPROTECTING again explicitly.

  • sp_set_firewall_group_mode(group,mode)

    This stored procedure establishes the operational mode for a firewall group profile, after registering the profile with the firewall if it was not already registered. The procedure also invokes firewall administrative functions as necessary to transfer firewall data between the cache and persistent storage. This procedure may be called even if themysql_firewall_mode system variable isOFF, although setting the mode for a profile has no operational effect until the firewall is enabled.

    If the profile previously existed, any recording limitation for it remains unchanged. To set or clear the limitation, callsp_set_firewall_group_mode_and_user() instead.

    Arguments:

    • group: The name of the affected group profile.

    • mode: The operational mode for the profile, as a string. Permitted mode values areOFF,DETECTING,PROTECTING, andRECORDING. For details about their meanings, seeFirewall Concepts.

    Example:

    CALL mysql.sp_set_firewall_group_mode('myapp', 'PROTECTING');

  • sp_set_firewall_group_mode_and_user(group,mode,user)

    This stored procedure registers a group with the firewall and establishes its operational mode, similar tosp_set_firewall_group_mode(), but also specifies the training account to be used when the group is inRECORDING mode.

    Arguments:

    • group: The name of the affected group profile.

    • mode: The operational mode for the profile, as a string. Permitted mode values areOFF,DETECTING,PROTECTING, andRECORDING. For details about their meanings, seeFirewall Concepts.

    • user: The training account for the group profile, to be used when the profile is inRECORDING mode. The value isNULL, or a non-NULL account that has the formatuser_name@host_name:

      • If the value isNULL, the firewall records allowlist rules for statements received from any account that is a member of the group.

      • If the value is non-NULL, the firewall records allowlist rules only for statements received from the named account (which should be a member of the group).

    Example:

    CALL mysql.sp_set_firewall_group_mode_and_user('myapp', 'RECORDING', 'myapp_user1@localhost');
MySQL Enterprise Firewall Component Functions

MySQL Enterprise Firewall administrative functions provide an API for lower-level tasks such as synchronizing the firewall cache with the underlying system tables.

Under normal operation, these functions are invoked by the firewall stored procedures, not directly by users. For that reason, these function descriptions do not include details such as information about their arguments and return types.

These functions perform management operations on firewall group profiles:

  • firewall_group_delist(group,user)

    This function removes an account from a group profile. It requires theFIREWALL_ADMIN privilege.

    Example:

    SELECT firewall_group_delist('g', 'fwuser@localhost');

  • firewall_group_enlist(group,user)

    This function adds an account to a group profile. It requires theFIREWALL_ADMIN privilege.

    It is not necessary to register the account itself with the firewall before adding the account to the group.

    Example:

    SELECT firewall_group_enlist('g', 'fwuser@localhost');

  • mysql_firewall_flush_status()

    This function resets several firewall status variables to 0:

    This function requires theFIREWALL_ADMIN privilege or the deprecatedSUPER privilege.

    Example:

    SELECT mysql_firewall_flush_status();

  • read_firewall_group_allowlist(group,rule)

    This aggregate function updates the recorded-statement cache for the named group profile through aSELECT statement on thefirewall-database.firewall_group_allowlist table. It requires theFIREWALL_ADMIN privilege.

    Example:

    SELECT read_firewall_group_allowlist('my_fw_group', fgw.rule)FROM mysql.firewall_group_allowlist AS fgwWHERE NAME = 'my_fw_group';

  • read_firewall_groups(group,mode,user)

    This aggregate function updates the firewall group profile cache through aSELECT statement on thefirewall-database.firewall_groups table. It requires theFIREWALL_ADMIN privilege.

    Example:

    SELECT read_firewall_groups('g', 'RECORDING', 'fwuser@localhost')FROM mysql.firewall_groups;

  • set_firewall_group_mode(group,mode[,user])

    This function manages the group profile cache, establishes the profile operational mode, and optionally specifies the profile training account. It requires theFIREWALL_ADMIN privilege.

    If the optionaluser argument is not given, any previoususer setting for the profile remains unchanged. To change the setting, call the function with a third argument.

    If the optionaluser argument is given, it specifies the training account for the group profile, to be used when the profile is inRECORDING mode. The value isNULL, or a non-NULL account that has the formatuser_name@host_name:

    • If the value isNULL, the firewall records allowlist rules for statements received from any account that is a member of the group.

    • If the value is non-NULL, the firewall records allowlist rules only for statements received from the named account (which should be a member of the group).

    Example:

    SELECT set_firewall_group_mode('g', 'DETECTING');
MySQL Enterprise Firewall Component System Variables

The MySQL Enterprise Firewall component provides the system variables listed in this section. These variables are unavailable unless the component is installed (seeSection 8.4.8.1.2, “Installing or Uninstalling the MySQL Enterprise Firewall Plugin”).

MySQL Enterprise Firewall Component Status Variables

The MySQL Enterprise Firewall component provides the status variables listed in this section; you can them to obtain information about the firewall component's operational status.

Firewall component status variables are set to 0 whenever the component is installed or the server is started.

MySQL Enterprise Firewall Component Scripts

This section contains information about SQL scripts provided by the MySQL Enterprise Firewall component.

  • install_component_firewall.sql

    This script installs all elements of the MySQL Enterprise Firewall component, performing the steps listed here:

    1. Checks whether the firewall plugin is installed; if so, stops with an error.

    2. Creates the component tables (seeMySQL Enterprise Firewall Component Tables).

    3. Installs the component.

    4. Creates the component's stored procedures (seeMySQL Enterprise Firewall Component Stored Procedures.

    SeeInstalling the MySQL Enterprise Firewall Component, for usage instructions.

  • firewall_plugin_to_component.sql

    This script upgrades an existing firewall plugin installation to an installation of the firewall component. It performs the steps listed here:

    1. Runsfirewall_profile_migration.sql (provided by the firewall plugin) to migrate account profiles to group profiles. (The firewall component does not support account profiles.)

    2. Uninstalls the firewall plugin usinguninstall_firewall.sql (also provided by the firewall plugin).

    3. Drops the plugin's stored procedures and functions.

    4. Drops thefirewall_whitelist andfirewall_users tables.

    5. Installs the firewall component usinginstall_component_firewall.sql, skipping the check for the plugin.

    Note

    If the firewall plugin was loaded using--plugin-load-add, you must remove it from that option prior to running the script.

    SeeUpgrading to the MySQL Enterprise Firewall Component, for additional information and instructions.

  • firewall_component_to_plugin.sql

    This script can be used to perform a downgrade from the MySQL Enterprise Firewall component to the firewall plugin.firewall_component_to_plugin.sql performs the following actions:

    1. Uninstalls the firewall component usinguninstall_component_firewall.sql.

    2. Drops the component's stored procedures and functions.

    3. Creates thefirewall_whitelist andfirewall_users tables.

    4. Creates the plugin's stored procedures and functions.

    SeeDowngrading the MySQL Enterprise Firewall Component, for usage and other information.

  • uninstall_component_firewall.sql

    Run this script to remove an installation of the MySQL Enterprise Firewall component. The script performs the steps listed here:

    1. Uninstalls the firewall component tables.

    2. Drops the component's stored procedures and functions.

    3. Uninstalls the firewall component.

    For usage information, seeUninstalling the MySQL Enterprise Firewall Component.