
Introduction of MariaDB

Spiral arms (the features grouped around the core server in the slide diagram):
• CONNECT storage engine (Olivier Bertrand)
• Spider sharding storage engine
• Security key management plugin
• MariaDB optimizer
• InnoDB on Power
• Galera Cluster
• Multi-source replication
• Encryption
• Atomic writes
• XtraDB storage engine
• TokuDB storage engine
• MaxScale binlog
• MaxScale schema sharding
• WebScaleSQL patches

Why consider MariaDB?

Reduced costs:
• Annual subscriptions
• Cloud infrastructure
• Modern hardware
• Economics of inevitable change

3 Year Total Cost of Ownership
On premise… ($5,496,000)
• Oracle costs 80x more
• Organizations can save $9 million
In the cloud… ($112,500)
• On AWS, Oracle costs 145x more
• On Oracle Cloud, it costs 69x more
Default Database on Leading Linux Distros, Available on Leading Cloud Platforms
Columns in the slide: Linux Distributions; Cloud Services & Stacks

MariaDB TX for transactional workloads
● MariaDB Server
● MariaDB MaxScale
● database connectors
● services
● support
● tools

Community: Innovation, Open Development, Extensible Architecture, Community Collaboration, Flexible Data Model, Streaming Integration
Enterprise: Reliability, High Availability, Disaster Recovery, Scalability, Performance, Security
MariaDB Technology

SERVER: Enterprise-grade secure, highly available and scalable relational database with a modern, extensible architecture
MAXSCALE: Next-generation database proxy that manages security, scalability and high availability in scale-out deployments
COLUMNSTORE: Columnar storage engine for massively parallel distributed query execution and data loading
Extensible Architecture
(legend in the slide: Original Core / MariaDB Engineering / Community Contribution)

Applications
Connectors: C, JDBC, ODBC
SQL / NoSQL / CRUD API
MariaDB Multi-Master Cluster, MariaDB MaxScale

MariaDB Server
KERNEL EXTENSIBILITY
• Replication: BinLog API, GTID, Parallel Slave, Multi-Source
• Kernel: Connection Pool, Cache/Buffer, Optimiser, MariaDB SQL Parser, Temporal
• Production Plugins: PL/SQL, Authentication, AWS KMS, Handler Socket, Audit, 40+ plugins

STORAGE LAYER EXTENSIBILITY
• Replicas: asynchronous, semi-sync and synchronous replication
• Lightweight: MyISAM, Memory
• Transactional: InnoDB, XtraDB
• Performance & Scalability: Spider, MyRocks
• Analytics: ColumnStore
• Interoperability: CONNECT
• Graph & Search: OQGRAPH, Mroonga

OPERATING SYSTEM / FILE SYSTEM / SAN / CLOUD
Terminology: HA with MariaDB TX

Failover: when a standby database becomes the primary database because the primary database is unreachable/unavailable

Switchover: when a standby database becomes the primary database, and vice-versa (e.g., to perform a rolling upgrade)

Rejoin: when a failed primary database becomes a standby database because it is reachable/available (again)
High availability with MariaDB TX

HA with MariaDB TX – replication and clustering –
• Asynchronous (master/slave replication): one master, slaves replicating from it
• Semi-synchronous (master/slave replication): one master, slaves replicating from it
• Synchronous (multi-master clustering): several masters forming one cluster

Master/slave replication
High availability with MariaDB TX

HA with MariaDB TX – master/slave replication –

The master's binary log holds TX (GTID 1), TX (GTID 2) and TX (GTID 3); the slave's relay log holds TX (GTID 1) and TX (GTID 2):
1. Slave requests the next transaction (its current position is GTID = 2)
2. Master reads the next transaction (GTID = 3) from the binary log
3. Master replies with the next transaction (GTID = 3)
4. Slave writes the next transaction (GTID = 3) to the relay log

Asynchronous or semi-synchronous?
HA with MariaDB TX – asynchronous with automatic failover –
(MariaDB MaxScale proxy in front of the servers)
Before failure: Master (GTID = 3), Slave 1 (GTID = 2), Slave 2 (GTID = 1)
Master fails: Master (GTID = 3) unreachable, Slave 1 (GTID = 2), Slave 2 (GTID = 1)
After failover: Slave 1 promoted to Master * (GTID = 2), Slave 2 (GTID = 1)
The transaction with GTID 3 was committed on the old master but had not reached any slave, so it is lost.

HA with MariaDB TX – semi-synchronous with automatic failover –
(MariaDB MaxScale proxy in front of the servers)
Before failure: Master (GTID = 3), Slave 1 (GTID = 2), Slave 2 (GTID = 3)
Master fails: Master (GTID = 3) unreachable, Slave 1 (GTID = 2), Slave 2 (GTID = 3)
After failover: Slave 1 (GTID = 2), Slave 2 promoted to Master * (GTID = 3)
At least one slave already had GTID 3 when the master committed it, so no transaction is lost.

HA with MariaDB TX – master/slave replication use cases –
Asynchronous: Read-intensive: product catalogs; Mixed: shopping carts; Write-intensive: clickstream data
Semi-synchronous: Read-intensive: customer profiles; Mixed: inventory and pricing; Write-intensive: checkouts
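The failover diagrams above, as an added example that is not part of the original deck: a small model of the GTID state of a master and its slaves, showing why an asynchronous commit can be lost on automatic failover while a semi-synchronous commit (acknowledged by at least one slave) survives. Server names and the promotion rule (promote the slave with the highest GTID) are assumptions of this example.

```python
# Added example (not from the original deck). Each server is a dict holding
# the last GTID it has; failover promotes the slave with the highest GTID.

def commit(master, slaves, gtid, semi_sync=False, acked_by=None):
    """Record a commit on the master. In semi-sync mode the master only
    reports success once one slave has the transaction, so that slave's
    GTID advances before the commit is acknowledged."""
    master["gtid"] = gtid
    if semi_sync:
        if not acked_by:
            raise RuntimeError("semi-sync: no slave acknowledged GTID %d" % gtid)
        slaves[acked_by]["gtid"] = gtid
    return master["gtid"]

def choose_new_master(slaves):
    """Automatic failover: promote the slave with the most recent GTID."""
    return max(slaves, key=lambda name: slaves[name]["gtid"])

def failover(master, slaves):
    """Return (promoted slave, number of committed transactions lost)."""
    new = choose_new_master(slaves)
    lost = master["gtid"] - slaves[new]["gtid"]
    return new, lost

def async_scenario():
    # State from the asynchronous diagram: master GTID 3, slaves at 2 and 1.
    master = {"gtid": 3}
    slaves = {"slave1": {"gtid": 2}, "slave2": {"gtid": 1}}
    return failover(master, slaves)   # ('slave1', 1): GTID 3 is lost

def semi_sync_scenario():
    # State from the semi-synchronous diagram: slave 2 acknowledged GTID 3.
    master = {"gtid": 2}
    slaves = {"slave1": {"gtid": 2}, "slave2": {"gtid": 2}}
    commit(master, slaves, 3, semi_sync=True, acked_by="slave2")
    return failover(master, slaves)   # ('slave2', 0): nothing lost
```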
Multi-master clustering

High availability with MariaDB TX

HA with MariaDB TX – multi-master clustering –
A transaction on one node writes Row 1, Row 2 and Row 3:
1. get writes (the node collects the transaction's writes)
2. send writes (to the other nodes)
3. certify and apply writes (on every node)

HA with MariaDB TX – synchronous with automatic failover –
(MariaDB MaxScale proxy in front of the cluster)
Before failure: Node 1 (Priority = 1), Node 2 (Priority = 2), Node 3 (Priority = 3)
Node 1 fails: Node 1 (Priority = 1) unreachable, Node 2 (Priority = 2), Node 3 (Priority = 3)
After failover: Node 2 (Priority = 2), Node 3 (Priority = 3); Node 2 now holds the highest remaining priority

HA with MariaDB TX – multi-master clustering use cases –
Synchronous: Read-intensive: account status; Mixed: package tracking; Write-intensive: payments
Purpose-built storage

Purpose-built storage: Spider

Transparent sharding
• Scalability and concurrency
– Table partitioning (e.g., range, key, hash, list)
– Pushdown (e.g., condition, index, join and aggregate)
• High availability and consistency
– Two-phase commit

Two partitions: Database #1 holds Table A (Spider engine); Table A (Partition 1) on Database #2, InnoDB, rows 1-500,000; Table A (Partition 2) on Database #3, InnoDB, rows 501,000-1,000,000

Three partitions: Database #1 holds Table A (Spider engine); Table A (Partition 1) on Database #2, rows 1-500,000; Table A (Partition 2) on Database #3, rows 501,000-1,000,000; Table A (Partition 3) on Database #4, rows 1,000,001-1,500,000 (all InnoDB)

Two Spider front ends: Database #1 and Database #5 each hold Table A (Spider engine) over the same three InnoDB partitions on Database #2, Database #3 and Database #4
Securing Production Deployments
Security threats, best practices

The Internet
Threats: viruses, hacker attacks, software spoofing
Defense:
• Do not allow TCP connections to MariaDB from the Internet
• Configure MariaDB to listen on a network interface that is only accessible from the application
• Design your physical network to connect the app to MariaDB
• Use bind-address to bind to a specific network interface
• Use your OS's firewall
• Keep your OS patched
Applications
Threats: denial of service attacks created by overloading the application; SQL query injection attacks
Defense:
• Do not run the application on your MariaDB Server.
• Do not install unnecessary packages on your MariaDB Server.
– An overloaded application can use so much memory that MariaDB could slow or even be killed by the OS. This is an effective DDoS attack vector.
– A compromised application or service can have many serious side effects
Excessive Trust
Threats: disgruntled employees; mistakes and human error
Defense:
• Limit users who have:
– SSH access
– Sudo privileges
• Set the secure_file_priv option to ensure that users with the FILE privilege cannot write or read MariaDB data or important system files.
• Do not run the MariaDB process (mysqld) as root
• Avoid hostname wildcards ("%"), use specific host names / IP addresses

Excessive Trust (continued)
Threats: disgruntled employees; mistakes and human error
Defense:
• Do not use the MariaDB "root" user for application access.
• Minimize the privileges granted to the MariaDB user accounts used by your applications
– Don't grant CREATE or DROP privileges.
– Don't grant the FILE privilege.
– Don't grant the SUPER privilege.
– Don't grant access to the mysql database
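The account checks from the two "Excessive Trust" slides, as an added example that is not part of the original deck: an audit over rows shaped like MariaDB's mysql.user and mysql.db tables that flags host wildcards, application accounts holding FILE/SUPER/CREATE/DROP, root used by an application, and grants on the mysql database. The sample rows, the account names and the set of application users are constructed for this example.

```python
# Added example (not from the original deck): least-privilege audit over
# constructed rows; column names follow mysql.user / mysql.db ('Y'/'N' flags).
SAMPLE_USERS = [
    {"User": "root", "Host": "localhost", "File_priv": "Y", "Super_priv": "Y",
     "Create_priv": "Y", "Drop_priv": "Y"},
    {"User": "shop_app", "Host": "%", "File_priv": "Y", "Super_priv": "N",
     "Create_priv": "Y", "Drop_priv": "Y"},           # the risky account
    {"User": "shop_app", "Host": "10.0.1.20", "File_priv": "N", "Super_priv": "N",
     "Create_priv": "N", "Drop_priv": "N"},           # the hardened account
]
SAMPLE_DB_GRANTS = [                                  # database-level grants
    {"User": "shop_app", "Host": "%", "Db": "mysql"},
    {"User": "shop_app", "Host": "10.0.1.20", "Db": "shop"},
]

def audit_account(user, db_grants, app_users):
    """Return the findings for one mysql.user row; app_users names the
    accounts that applications log in with."""
    findings = []
    acct = "%s@%s" % (user["User"], user["Host"])
    if user["User"] == "root" and "root" in app_users:
        findings.append(acct + ": application uses the root account")
    if "%" in user["Host"]:
        findings.append(acct + ": host wildcard, use specific hosts/IPs")
    for priv in ("File_priv", "Super_priv", "Create_priv", "Drop_priv"):
        if user["User"] in app_users and user[priv] == "Y":
            findings.append(acct + ": application account holds " + priv[:-5].upper())
    for g in db_grants:
        if (g["User"], g["Host"]) == (user["User"], user["Host"]) and g["Db"] == "mysql":
            findings.append(acct + ": has access to the mysql database")
    return findings

def audit(users, db_grants, app_users):
    """Audit every account and return all findings in table order."""
    report = []
    for u in users:
        report.extend(audit_account(u, db_grants, app_users))
    return report
```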
MariaDB Security Features

Applications
Password Validation
• simple_password_check plugin: enforces a minimum password length and the type/number of characters to be used
External Authentication
• Single Sign On is becoming mandatory in most enterprises.
• PAM authentication plugin: allows using /etc/shadow and any PAM based authentication like LDAP
• Kerberos authentication, as a standardized network authentication protocol, is provided GSSAPI based on UNIX and SSPI based on Windows
MariaDB PAM Authentication
Participants in the slide: KDC, Client, MariaDB
1. Client sends a ticket request to the KDC
2. KDC returns a service ticket
3. Client to MariaDB: "Here is my service ticket, authenticate me"
4. Client / server session is established
GSS-API on Linux: Red Hat Directory Server, OpenLDAP
SSPI on Windows: Active Directory
MariaDB Role Based Access Control (MariaDB 10)
Role: DBA
Permissions:
• Update Schema
• View Statistics
• Create Database
(applied to the database and its tables)
Encryption for Data in Motion
Secured Connections
• SSL connections based on the TLSv1.2 protocol
• Between MariaDB Connectors and Server
• Between MariaDB Connectors and MaxScale
• SSL can also be enabled for the replication channel
External Authentication
• Application control of data encryption
• Based on the AES (Advanced Encryption Standard) or DES (Data Encryption Standard) algorithm
Encryption for Data at Rest
Data-at-Rest Encryption
• Everything:
– Tables or tablespaces
– Log files
• Independent of encryption capabilities of applications
• Based on encryption keys, key ids, key rotation and key versioning
Key Management Services
• Encryption plugin API offers choice
– Plugin to implement the data encryption
– Manage encryption keys
• MariaDB Enterprise options
– Simple Key Management included
– Amazon AWS KMS Plugin included
– Eperi KMS for on premise key management – optional
Attack Protection with MariaDB MaxScale
Database Firewall
• Protects against SQL injection
• Prevents unauthorized user access and data damage
• White-list or Black-list Queries
– Queries that match a set of rules
– Queries matching rules for specific users
– Queries that match certain patterns, columns, statement types
• Multiple ordered rules
Denial of Service Attack Protection
• Connection pooling protects against connection surges
• Cache the connections from MaxScale to the database server
• Rate limitation
MariaDB MaxScale Security Features

MariaDB MaxScale Concept
Generic Core: multi-threaded, e-poll based, stateless, shares the thread pool
• Insulates client applications from the complexities of the backend database cluster (client – MaxScale – database servers)
• Flexible, easy to write plug-ins for: protocol support, authentication, parsing, database monitoring, load balancing & routing, query transformation & logging
• Simplify replication from database to other databases (binlog cache between the master and its slaves)
Server Overload Protection with MaxScale
(Clients – MaxScale – database servers)
• Server overload protection
– Persistent connection pool to backend database: connection pool of configurable size
– Client connection limitation: max client connections per service; variable number of connections
– DB firewall - limit_queries:

rule limit_queries deny limit_queries 15 5 10

If queries are executed faster than 15 queries in 5 seconds, following queries are blocked for 10 seconds.
Network Overload Protection with MaxScale
(Clients – MaxScale – database servers)
• Network overload protection
– Max rows limit (MaxRowsLimit filter, Max Rows Limit = 500)
– Max result size limit
– DB firewall - limit_queries: rule limit_queries deny limit_queries 15 5 10 (if queries are executed faster than 15 queries in 5 seconds, following queries are blocked for 10 seconds)

Max rows example:
1. Client sends a query
2. Database server returns the result, NumRows returned = 1000
3. NumRows returned > Max Rows Limit
4. MaxRowsLimit filter intercepts the result
5. Client receives "Query failed: 1141 / Error: No rows returned"
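The two protections on these slides, as an added example that is not part of the original deck and not MaxScale's own implementation: a per-client sliding-window rate limit with the meaning of `limit_queries 15 5 10` (more than 15 queries in 5 seconds blocks the client for 10 seconds), and a max-rows check that fails an oversized result with error 1141 and no rows. Client names and timestamps are constructed.

```python
# Added example (not from the original deck): models of the limit_queries
# rule and the MaxRowsLimit filter described on the slides.
from collections import deque

class LimitQueries:
    """Sliding-window rate limit per client, as 'limit_queries 15 5 10'."""
    def __init__(self, max_queries=15, window=5.0, block_for=10.0):
        self.max_queries, self.window, self.block_for = max_queries, window, block_for
        self.times = {}          # client -> deque of recent query timestamps
        self.blocked_until = {}  # client -> time at which the block expires

    def allow(self, client, now):
        """Return True if the query may pass, False if it is denied."""
        if now < self.blocked_until.get(client, 0.0):
            return False                          # still inside the block period
        q = self.times.setdefault(client, deque())
        while q and now - q[0] > self.window:     # forget queries outside the window
            q.popleft()
        if len(q) >= self.max_queries:            # this query would exceed the rate
            self.blocked_until[client] = now + self.block_for
            q.clear()
            return False
        q.append(now)
        return True

def max_rows_filter(rows, max_rows=500):
    """Return (error_code, rows): (1141, []) when the result exceeds max_rows,
    otherwise (0, rows) unchanged, matching the slide's 'No rows returned'."""
    if len(rows) > max_rows:
        return 1141, []
    return 0, rows
```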
What is SQL Injection?
• A kind of web application attack, where user-supplied input comes from:
– URL – www.app.com?id=1
– Forms – email=a@app.com
– Other elements – e.g., cookies, HTTP headers
and is manipulated so that a vulnerable application executes SQL commands injected by the attacker.

SELECT * from customer WHERE id = ?

• Applications vulnerable to SQL injection:
– Incorrect type handling
– Incorrectly filtered escape characters
– Blind SQL injection
– Second order SQL injection

Example: the user-supplied value for id is 5; the injected value is the string '5 OR 1=1':
SELECT * from customer WHERE id = 5 OR 1=1
This will result in the application getting access to the entire customer table instead of just the specific customer.
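The customer lookup from this slide, as an added example that is not part of the original deck: the query built by string concatenation (the incorrect type handling case, where '5 OR 1=1' returns the whole table) next to the hardened form that checks the type and binds the value as a parameter. It uses an in-memory SQLite table constructed here; the customer names are made up.

```python
# Added example (not from the original deck): vulnerable vs. hardened lookup.
import sqlite3

def make_db():
    """Constructed sample: a three-row customer table in memory."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO customer VALUES (?, ?)",
                    [(5, "Ada"), (6, "Grace"), (7, "Linus")])
    return con

def lookup_vulnerable(con, user_id):
    # The untrusted value becomes part of the statement text, so the string
    # '5 OR 1=1' turns WHERE id = 5 into WHERE id = 5 OR 1=1: every row matches.
    sql = "SELECT * FROM customer WHERE id = " + str(user_id)
    return con.execute(sql).fetchall()

def lookup_safe(con, user_id):
    # Correct type handling: accept only an integer, then bind it as a
    # parameter so the value can never be interpreted as SQL syntax.
    if isinstance(user_id, str):
        if not user_id.strip().isdigit():
            raise ValueError("id must be an integer, got %r" % user_id)
        user_id = int(user_id)
    elif not isinstance(user_id, int):
        raise ValueError("id must be an integer")
    return con.execute("SELECT * FROM customer WHERE id = ?", (user_id,)).fetchall()
```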
MaxScale Database Firewall

Database Firewall Filter
• Allow/block queries that match a set of rules
• Match rules for specific users
• Match on:
– date/time
– a WHERE clause
– query type
– column match
– a wildcard or regular expression or function name
• Protect against SQL injection
• Prevent unauthorized data access
• Prevent data damage

Example rules:
rule safe_select deny no_where_clause on_queries select
rule safe_cust_select deny regex '.*from.*customers.*'
users %app-user@% match all rules safe_cust_select safe_select

Example flow (client – database firewall filter – database servers):
1. Client sends SELECT * FROM CUSTOMERS;
2. The database firewall filter matches the query against the rules
3. Client receives QUERY FAILED: 1141, ERROR: Required WHERE/HAVING clause is missing

Function name blocking - New in 2.2
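The two rules and the users line from this slide, as an added example that is not part of the original deck and not MaxScale's own parser: a small evaluator that applies `safe_select` (deny a SELECT with no WHERE/HAVING clause) and `safe_cust_select` (deny anything matching the regex) to users matching `%app-user@%`, with `match all` meaning every listed rule must match before the query is blocked. User names and the non-WHERE error text are constructed.

```python
# Added example (not from the original deck): evaluator for the slide's rules.
import re
from fnmatch import fnmatch

RULES = {
    "safe_select": {"kind": "no_where_clause", "on_queries": {"select"}},
    "safe_cust_select": {"kind": "regex", "pattern": r".*from.*customers.*"},
}
# users %app-user@% match all rules safe_cust_select safe_select
# (the '%' wildcard of the users line is written as '*' for fnmatch)
USER_RULES = [("*app-user@*", "all", ["safe_cust_select", "safe_select"])]

def statement_type(sql):
    return sql.lstrip().split(None, 1)[0].lower()

def rule_denies(rule, sql):
    """True when a deny rule matches the statement."""
    if rule["kind"] == "no_where_clause":
        if statement_type(sql) not in rule["on_queries"]:
            return False                       # rule only applies to on_queries types
        return re.search(r"\b(where|having)\b", sql, re.IGNORECASE) is None
    if rule["kind"] == "regex":
        return re.match(rule["pattern"], sql, re.IGNORECASE | re.DOTALL) is not None
    raise ValueError("unknown rule kind: " + rule["kind"])

def check_query(user, sql):
    """Return (0, 'ok') or (1141, reason), the error code the slide shows."""
    for user_glob, mode, rule_names in USER_RULES:
        if not fnmatch(user, user_glob):
            continue                           # rules apply only to matching users
        hits = [n for n in rule_names if rule_denies(RULES[n], sql)]
        # 'match any': one matching rule blocks; 'match all': every rule must match
        if hits and (mode == "any" or len(hits) == len(rule_names)):
            if "safe_select" in hits:
                return 1141, "Required WHERE/HAVING clause is missing"
            return 1141, "query matched rule " + hits[0]
    return 0, "ok"
```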


Data Masking with MaxScale

HIPAA/PCI/GDPR requirement:
• Selective data masking by column
• Full or partial anonymization
– 4448889901 ⇒ xxxxxx9901
• Pseudo-anonymization
– Column values randomized, however the same value in multiple rows randomizes to the same string
• Database name and table name classifier may be provided:
– commerceDb.customerTbl.creditcardNum
– customerTbl.creditcardNum
– creditcardNum

Example (client – MaxScale – database servers):
SELECT Name, creditcardNum, balance FROM customerTbl WHERE id=1001

Name        creditcardNum  balance
---------------------------------------
John Smith  xxxxxx9901     1201.07

Pseudo-anonymization - New in 2.2
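The masking modes and column classifiers on this slide, as an added example that is not part of the original deck and not MaxScale's masking filter: partial masking that keeps the last four characters (4448889901 ⇒ xxxxxx9901), pseudo-anonymization as a keyed HMAC so equal values map to the same string, and classifier matching at the db.table.column, table.column and column levels. The result row, the masking rule table and the HMAC key are constructed.

```python
# Added example (not from the original deck): masking functions and classifiers.
import hashlib
import hmac

def mask_partial(value, keep_last=4, fill="x"):
    """4448889901 -> xxxxxx9901; keep_last=0 gives a full mask."""
    value = str(value)
    visible = value[-keep_last:] if keep_last else ""
    return fill * (len(value) - len(visible)) + visible

def pseudonymize(value, key, length=10):
    """Same value and key always give the same string; the key (assumed to
    live only in the proxy) is needed to reproduce it."""
    digest = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
    return digest[:length]

# Classifier -> masking function, in the forms the slide lists.
MASK_RULES = {"commerceDb.customerTbl.creditcardNum": mask_partial}

def classifier_matches(rule_name, db, table, column):
    """'col' matches any db/table, 'table.col' any db, 'db.table.col' exactly."""
    parts = rule_name.split(".")
    return parts == [db, table, column][-len(parts):]

def apply_masking(rows, columns, db, table):
    """Return rows with every column matching a MASK_RULES classifier masked."""
    out = []
    for row in rows:
        masked = list(row)
        for i, col in enumerate(columns):
            for rule_name, fn in MASK_RULES.items():
                if classifier_matches(rule_name, db, table, col):
                    masked[i] = fn(masked[i])
        out.append(tuple(masked))
    return out

# Constructed result of: SELECT Name, creditcardNum, balance FROM customerTbl WHERE id=1001
SAMPLE_COLUMNS = ["Name", "creditcardNum", "balance"]
SAMPLE_ROWS = [("John Smith", "4448889901", 1201.07)]
```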


Thank you
