• Encryption
• Atomic Writes
• XtraDB Storage Engine
• TokuDB Storage Engine
• MaxScale Binlog
• MaxScale Schema Sharding
• WebScaleSQL Patches
Why consider MariaDB?
• Reduced Costs
• Annual Subscriptions
• Cloud Infrastructure
• Modern Hardware
• Economics of Inevitable Change
3 Year Total Cost of Ownership
On premise… $5,496,000
• Oracle costs 80x more
• Organizations can save $9 million
In the cloud… $112,500
• On AWS, Oracle costs 145x more
• On Oracle Cloud, it costs 69x more
Default Database on Leading Linux Distros,
Available on Leading Cloud Platforms
• Linux Distributions
• Cloud Services & Stacks
MariaDB TX for Transactional workloads
● MariaDB Server
● MariaDB MaxScale
● database connectors
● services
● support
● tools
Community: Innovation. Enterprise: Reliability.
Extensible Architecture
Applications
Connectors: C, JDBC, ODBC
Original Core / MariaDB Engineering / Community Contribution
SQL, NoSQL, CRUD API
STORAGE LAYER EXTENSIBILITY
• Replication (Asynchronous, Semi-Sync & Synchronous): supporting Replicas
• Lightweight: MyISAM, Memory
• Transactional: InnoDB, XtraDB
• Performance & Scalability: Spider, MyRocks
• Analytics: ColumnStore
• Interoperability: CONNECT
• Graph & Search: OQGRAPH, Mroonga
Terminology: HA with MariaDB TX
Failover: when a standby database becomes the primary database because the
primary database is unreachable/unavailable
Switchover: when a standby database becomes the primary database, and vice-versa
(e.g., to perform a rolling upgrade)

Master/slave replication by GTID (master holds TX GTID 1, 2, 3; slave holds TX GTID 1, 2):
1. Slave requests the next transaction (GTID = 2)
2. Master reads the next transaction (GTID = 3)
4. Slave writes the next transaction (GTID = 3)
HA with MariaDB TX – master/slave replication –
Asynchronous or semi-synchronous?

HA with MariaDB TX – asynchronous with automatic failover –
Asynchronous | Semi-synchronous

HA with MariaDB TX – synchronous with automatic failover –
Synchronous: a transaction (Row 1, Row 2, Row 3) is replicated across the nodes:
1. get writes
2. send writes
3. certify and apply writes
Transparent sharding
Table A (Spider) → Table A (InnoDB, Database #2), Table A (InnoDB, Database #2)
Table A (Spider) → Table A (Spider), Table A (Spider)
best practices
The Internet
Threats:
• Viruses
• Hacker attacks
• Denial of Service attacks created by overloading application
• SQL query injection attacks
Defense:
• Do not allow TCP connections to MariaDB from the Internet
• Do not run the application on your MariaDB Server.
• Do not install unnecessary packages on your MariaDB Server.
– An overloaded application can use so much memory that MariaDB could slow or even
be killed by the OS. This is an effective DDoS attack vector.
– A compromised application or service can have many serious side effects
Excessive Trust
Threats:
• Disgruntled employees
• Mistakes and human error
Defense:
• Limit users who have:
– SSH access
– Sudo privileges
• Set the secure_file_priv option to ensure that users with the FILE privilege cannot
write or read MariaDB data or important system files.
• Do not run MariaDB process (mysqld) as root
• Avoid hostname wildcards (“%”), use specific host names / IP addresses
Excessive Trust
Threats:
• Disgruntled employees
• Mistakes and human error
Defense:
• Do not use the MariaDB “root” user for application access.
• Minimize the privileges granted to the MariaDB user accounts used by your applications
– Don’t grant CREATE or DROP privileges.
– Don’t grant the FILE privilege.
– Don’t grant the SUPER privilege.
– Don’t grant access to the mysql database
MariaDB Security Features
Authentication with a KDC service ticket: GSS-API on Linux (Red Hat Directory Server,
OpenLDAP), SSPI on Windows (Active Directory)
1. Client → KDC: Ticket request
2. KDC → Client: Service ticket
3. Client → MariaDB: “Here is my service ticket, authenticate me”
4. Client / server session
MariaDB Role Based Access Control (MariaDB 10)
Role: DBA
Permissions:
• Update Schema
• View Statistics
• Create Database
Applies to: Database, Tables
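The two "Excessive Trust" slides, the KDC authentication flow and the DBA role, put together as one provisioning script. This is an added example, not from the slides or from MariaDB's own material; the host addresses, account, role and schema names, and the Kerberos principal are assumptions.

```sql
-- Added example (not from the slides): provision a KDC-authenticated DBA through a
-- role and a least-privilege application account, following the slides' rules.
-- Host addresses, user, role, schema names and the principal are assumptions.

-- secure_file_priv confines FILE-privilege users to one directory; empty means unrestricted.
SHOW GLOBAL VARIABLES LIKE 'secure_file_priv';

-- Application account: a specific host (no '%'), never the MariaDB root user,
-- DML on its own schema only: no CREATE/DROP, no FILE, no SUPER, nothing on mysql.*
CREATE USER 'shop_app'@'10.0.1.20' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON commerceDb.* TO 'shop_app'@'10.0.1.20';

-- DBA role matching the "Role: DBA" slide (update schema, view statistics, create database).
CREATE ROLE dba;
GRANT CREATE, ALTER, INDEX ON commerceDb.* TO dba;   -- update schema
GRANT PROCESS, SHOW DATABASES ON *.* TO dba;          -- view statistics
GRANT CREATE ON *.* TO dba;                           -- create database

-- Human DBA authenticated by the KDC via GSS-API (auth_gssapi plugin); the
-- principal alice@EXAMPLE.COM is an assumed value.
INSTALL SONAME 'auth_gssapi';
CREATE USER 'alice'@'10.0.1.30' IDENTIFIED VIA gssapi AS 'alice@EXAMPLE.COM';
GRANT dba TO 'alice'@'10.0.1.30';
SET DEFAULT ROLE dba FOR 'alice'@'10.0.1.30';

-- Verify: neither account may list FILE, SUPER or any privilege on mysql.*
SHOW GRANTS FOR 'shop_app'@'10.0.1.20';
SHOW GRANTS FOR 'alice'@'10.0.1.30';

-- Audit existing accounts for the settings the slides warn against.
SELECT user, host FROM mysql.user WHERE host = '%';
SELECT user, host FROM mysql.user WHERE File_priv = 'Y' OR Super_priv = 'Y';
SELECT user, host FROM mysql.db WHERE db = 'mysql';
```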
Encryption for Data in Motion
Data-at-Rest Encryption
• Everything:
– Tables or tablespaces
– Log files
• Independent of encryption capabilities of applications
• Based on encryption keys, key ids, key rotation and key versioning
Key Management Services
• Encryption plugin API offers choice
– Plugin to implement the data encryption
– Manage encryption Keys
• MariaDB Enterprise options
– Simple Key Management included
– Amazon AWS KMS Plugin included
– Eperi KMS for on premise key management – optional
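The key id, rotation and versioning points of the slide, exercised from SQL. This is an added example, not from the slides; it assumes a key-management plugin (for instance file_key_management) is already loaded through the server configuration with key ids 1 and 2 defined, and that commerceDb.customerTbl exists.

```sql
-- Added example (not from the slides). Assumes a key-management plugin such as
-- file_key_management is already loaded via the server configuration with key
-- ids 1 and 2 defined, and that commerceDb.customerTbl exists (both assumptions).

-- Encrypt all InnoDB tables server-wide (ON encrypts tables not explicitly opted
-- out; FORCE refuses ENCRYPTED=NO). innodb_encrypt_log and encrypt_binlog cover
-- the log files but are startup options, so they belong in the server configuration.
SET GLOBAL innodb_encrypt_tables = ON;

-- Pin one table to a specific key id (key ids let different data use different keys).
ALTER TABLE commerceDb.customerTbl ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- Key rotation: background threads re-encrypt any tablespace whose key version is
-- older than the threshold once the plugin publishes a new key version.
SET GLOBAL innodb_encryption_threads = 2;
SET GLOBAL innodb_encryption_rotate_key_age = 1;

-- Verify which tablespaces are encrypted, with which key id and key version.
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID, MIN_KEY_VERSION, CURRENT_KEY_VERSION
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE NAME LIKE 'commerceDb/%';
```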
Attack Protection with MariaDB MaxScale
MaxScale
– DB firewall - limit_queries
– Blind SQL injection
– Second order SQL injection
Example firewall rule: rule limit_queries deny limit_queries 15 510
MaxRowsLimit Filter: Max Rows Limit = 500
A blind SQL injection will result in the application getting access to the entire customer
table instead of just the specific customer; the Max Rows Limit caps what the filter lets through.
Maxscale Database Firewall → Database Servers
HIPAA/PCI/GDPR Requirement:
• Selective Data Masking by column
• Full or partial anonymization
– 4448889901 ⇒ xxxxxx9901
• Pseudo-anonymization
– Column values randomized, however same value in multiple rows randomizes to same string

Client query:
SELECT Name, creditcardNum, balance
FROM customerTbl
WHERE id=1001

Result seen by the client (MaxScale sits between the client and the Database Servers):
Name       creditcardNum  balance
---------------------------------------
John Smith xxxxxx9901     1201.07

DATABASE NAME, TABLE NAME CLASSIFIER MAY BE PROVIDED
• commerceDb.customerTbl.creditcardNum
• customerTbl.creditcardNum
• creditcardNum
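The masking semantics of the slide (partial anonymization keeping the last four digits, and pseudo-anonymization where equal values map to the same string), shown as a server-side view so a reporting account never reads the raw column. This is an added example, not from the slides, and it is not the MaxScale masking filter itself; the table and column names follow the slide, while the view name, the reporting account and the salt are assumptions.

```sql
-- Added example (not from the slides; not the MaxScale masking filter). Table and
-- column names follow the slide; view name, reporting account and salt are assumptions.

CREATE TABLE IF NOT EXISTS commerceDb.customerTbl (
  id INT PRIMARY KEY,
  Name VARCHAR(100),
  creditcardNum VARCHAR(19),
  balance DECIMAL(12,2)
);
-- Constructed sample row matching the slide's result.
INSERT INTO commerceDb.customerTbl VALUES (1001, 'John Smith', '4448889901', 1201.07);

CREATE OR REPLACE VIEW commerceDb.customer_masked AS
SELECT id,
       Name,
       -- Partial anonymization: keep the last 4 digits, fill the rest with 'x'.
       CONCAT(REPEAT('x', CHAR_LENGTH(creditcardNum) - 4),
              RIGHT(creditcardNum, 4)) AS creditcardNum,
       -- Pseudo-anonymization: a keyed hash is deterministic, so the same card
       -- number always yields the same token, yet the token reveals no digits.
       LEFT(SHA2(CONCAT('REPLACE_WITH_SECRET_SALT', creditcardNum), 256), 16) AS card_token,
       balance
FROM commerceDb.customerTbl;

-- The reporting account gets the view only; it holds no grant on customerTbl.
CREATE USER 'report_user'@'10.0.1.40' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT SELECT ON commerceDb.customer_masked TO 'report_user'@'10.0.1.40';

-- The same query the slide shows, run against the view.
SELECT Name, creditcardNum, balance FROM commerceDb.customer_masked WHERE id = 1001;
```

Unlike the MaxScale filter, the view only protects accounts that are denied the base table, so the grant check from the "Excessive Trust" slides still applies.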