Home > Developer > MySQL

High Availability MySQL excerpt-security and binary logs

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

High Availability MySQL p59

Security and binary logs

 

Generally, a user with the replication slave permission has the permission to read all events on the master. Therefore, to ensure security, the account should not be damaged. Here are some examples of preventive measures:

1. Try to make it impossible to log on to this account outside the firewall;

2. Record all logs that attempt to log on to the account and place the logs on a separate security server;

3. encrypt the connections used between the master and salve, for example, MySQL's built-in SSL (Secure Sockets Layer) support.

Even if this account is secure, there is still some information that does not need to be stored in binary logs. Therefore, it makes sense not to store it in the first place.

A common sensitive information is the password. When you execute a statement that changes the table on the server and contains the password required to access the table, events that contain the password are written into binary logs.

A typical example is:

UpdateEmployeeSetPass=Password ('Foobar')WhereEmail= 'Mats@example.com';

If the copy is correct, it is best to rewrite the statement without a password. You can use the following method to calculate and store the hash password to a user-defined variable, and then use it in the expression:

Set @ Password =Password ('Foobar');UpdateEmployeeSetPass= @ Password WhereEmail= 'Mats@example.com';

Because the set statement is not copied, the original password will not be stored in the binary log, but will only be stored in the server's memory when the statement is executed.

This method works as long as you store the password hash to the table without a plain text password. If the original password is directly stored in the table, is there any way to prevent the password from ending in the binary log. However, it is a standard practice to store a hash password, which can prevent the original data from being obtained by learning the password.

the encapsulated Connection provides some protection for the connection between the encrypted master and the salve. However, if the binary log itself is broken, the encrypted connection is useless.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More