MySQL 8.0.20 New Features Summary

May 26, 2020

Presentation of some of the new features of MySQL 8.0.20 released on April 27th, 2020.


Highlight

  • Hash Joins
  • New InnoDB Doublewrite Buffer
  • Index-Level Optimizer Hints
  • SHOW_ROUTINE Privilege
  • MySQL Shell Enhancements
  • MySQL Router Enhancements
  • MySQL InnoDB Cluster Enhancements
  • MySQL Replication Enhancements
  • MySQL NDB Cluster Enhancements
  • MySQL Enterprise New Features
  • Thanks to the Contributors


Slides


Download this presentation and others on my SlideShare account.


Video


Watch this video and others on my YouTube channel.



Thanks for using MySQL!

Follow me on twitter


MySQL Security – Dual Password Support

May 19, 2020

When thinking about security within a MySQL installation, you can consider a wide range of possible procedures / best practices and how they affect the security of your MySQL server and related applications.

MySQL provides many tools / features / plugins or components in order to protect your data, including some advanced features like Transparent Data Encryption (TDE), Audit, Data Masking & De-Identification, Firewall, Random Password Generation, Password Expiration Policy, Password Reuse Policy, Password Verification-Required Policy, Failed-Login Tracking and Temporary Account Locking, Connection-Control Plugins, Password Validation Component, etc.

MySQL Security

TL;DR

Dual-password capability makes it possible to seamlessly perform credential changes without downtime.



MySQL implements dual-password capability with syntax that saves and discards secondary passwords:

  • The RETAIN CURRENT PASSWORD clause for the ALTER USER and SET PASSWORD statements saves an account's current password as its secondary password when you assign a new primary password.
  • The DISCARD OLD PASSWORD clause for ALTER USER discards an account's secondary password, leaving only the primary password.

The purpose is to avoid downtime while changing passwords in a replicated environment.

Clients can use the old password while a new password is being established in a group of servers and retire the old password only when the new password has been established across the whole group.


The workflow is:

  1. On each server that is not a replication slave, establish the new password
    e.g.
    ALTER USER 'myApp'@'host' IDENTIFIED BY 'NEW_password' RETAIN CURRENT PASSWORD;
  2. Wait for the password change to replicate throughout the system to all slave servers
  3. Modify each application that uses the myApp account so that it connects to the servers using the password 'NEW_password' rather than 'OLD_password'
  4. On each server that is not a replication slave, discard the secondary password
    e.g.
    ALTER USER 'myApp'@'host' DISCARD OLD PASSWORD;


Let’s take a quick look using MySQL 8.0


Create a user account myApp@localhost with password pwd1:

Now we can connect with the user name and the password:

Note:
As indicated in the output, it is a very bad practice to put the password on the command line interface.


Now the DBA (super user) uses the ALTER USER statement with the RETAIN CURRENT PASSWORD clause to perform the credential change with the dual password mechanism, setting pwd2 as the new primary password.
Thus pwd1 is now the secondary password:

We can use the user name and the new password (pwd2) to connect:

But the old password (pwd1) is still valid:


Now it is time to discard the secondary password (pwd1):

As you can see, only the new password (pwd2) is valid.
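The full rotation described above (workflow and demo), as an added example that is not part of the original post; it uses the post's account myApp@localhost and passwords pwd1/pwd2, and assumes the mysql.user User_attributes JSON column holds the secondary password under the key additional_password.

```sql
-- Added example (not from the original post): dual-password rotation
-- run by a DBA on a server that is not a replication slave.
-- Account, host and passwords are the ones used in the post.

-- 1. Create the account with its first password.
CREATE USER 'myApp'@'localhost' IDENTIFIED BY 'pwd1';

-- 2. Make pwd2 the primary password while keeping pwd1 as the secondary one.
ALTER USER 'myApp'@'localhost' IDENTIFIED BY 'pwd2' RETAIN CURRENT PASSWORD;

-- The secondary password hash is kept in the User_attributes JSON column
-- (assumed key: additional_password); 1 means a secondary password exists.
SELECT user, host,
       JSON_EXTRACT(User_attributes, '$.additional_password') IS NOT NULL
         AS has_secondary_password
  FROM mysql.user
 WHERE user = 'myApp' AND host = 'localhost';

-- Both pwd1 and pwd2 now authenticate. From the shell, let the client
-- prompt for the password rather than passing it on the command line:
--   mysql -u myApp -p

-- 3. Once every application instance connects with pwd2, retire pwd1.
ALTER USER 'myApp'@'localhost' DISCARD OLD PASSWORD;

-- Re-running the SELECT above now returns has_secondary_password = 0:
-- only pwd2 is accepted.
```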



To Go Further

Reference Manual



MySQL Security Series (1st edition)




MySQL Security – Failed-Login Tracking and Temporary Account Locking

May 12, 2020

When thinking about security within a MySQL installation, you can consider a wide range of possible procedures / best practices and how they affect the security of your MySQL server and related applications.

MySQL provides many tools / features / plugins or components in order to protect your data, including some advanced features like Transparent Data Encryption (TDE), Audit, Data Masking & De-Identification, Firewall, Random Password Generation, Password Expiration Policy, Password Reuse Policy, Password Verification-Required Policy, Dual Password Support, Connection-Control Plugins, Password Validation Component, etc.

MySQL Security

Basic password policy practices teach us:

  • Each user must have a password
  • A user’s password should be changed periodically

However, often this is unfortunately not enough.
Good news: MySQL 8.0 provides an easy way to increase database security with its failed-login tracking and temporary account locking feature.



TL;DR

A DBA can configure user accounts such that too many consecutive login failures cause temporary account locking.


Temporary Account Locking in MySQL


After a number of consecutive connection attempts in which the client fails to provide the correct password, the user account can be temporarily locked.

The required number of failures and the lock time are configurable per account, using the FAILED_LOGIN_ATTEMPTS option (how many consecutive login failures are tolerated) and the PASSWORD_LOCK_TIME option (how many days the account stays locked).

Both are options of the CREATE USER and ALTER USER statements.


Let’s have a quick look using MySQL 8.0


Account lock

Create a user whose account will be locked for 1 day after 1 failed login:

FAILED_LOGIN_ATTEMPTS: how many consecutive incorrect passwords cause temporary account locking.
A value of 0 disables the option.

PASSWORD_LOCK_TIME: number of days the account remains locked, or UNBOUNDED (i.e. the locked state does not end until the account is explicitly unlocked).
A value of 0 disables the option.


We can see the user account details in the mysql.user table:

If the login fails FAILED_LOGIN_ATTEMPTS times in a row (once in this example), the account is locked:


Tracking and locking can also be set up after user creation:

In this example this user account will be locked (until the account is unlocked – more on that later) after 2 consecutive failed attempts.


You can also lock an account explicitly using the ACCOUNT LOCK clause:

In this example I created a user account with a random password generated by MySQL. This account is created locked.

Details are visible in the mysql.user table:

Any connection to this account will raise error 3118:

This account can be activated with something like:

Again, the mysql.user table gives you the information:


Account unlock

An account can be unlocked with an ALTER USER ... ACCOUNT UNLOCK statement:


Other possibilities to unlock an account are:

  • Execution of an ALTER USER statement for the account that sets either FAILED_LOGIN_ATTEMPTS or PASSWORD_LOCK_TIME (or both) to any value.
    e.g.
  • Obviously, when the lock duration passes.
    In this case, failed-login counting resets at the time of the next login attempt.
  • Execution of FLUSH PRIVILEGES
  • A server restart
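The whole lifecycle covered in this post (configure tracking, explicit lock, the unlock paths), as an added example that is not part of the original post; the account names and passwords are constructed, and it assumes the lock settings are stored in the mysql.user User_attributes JSON column under Password_locking.

```sql
-- Added example (not from the original post): failed-login tracking and
-- temporary locking. Account names and passwords are constructed.

-- Lock 'app_ro'@'localhost' for 2 days after 3 consecutive wrong passwords.
CREATE USER 'app_ro'@'localhost' IDENTIFIED BY 'Str0ng-Passw0rd!'
  FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 2;

-- Tighten an existing account: after 2 failures, stay locked until a DBA unlocks it.
ALTER USER 'app_ro'@'localhost'
  FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME UNBOUNDED;

-- The options live in the User_attributes JSON column (assumed key Password_locking).
-- account_locked reflects an explicit ACCOUNT LOCK only, not a temporary lock.
SELECT user, host, account_locked,
       User_attributes->>'$.Password_locking.failed_login_attempts'   AS attempts,
       User_attributes->>'$.Password_locking.password_lock_time_days' AS lock_days
  FROM mysql.user
 WHERE user = 'app_ro';

-- An account created explicitly locked: every login attempt gets error 3118.
CREATE USER 'batch'@'localhost' IDENTIFIED BY RANDOM PASSWORD ACCOUNT LOCK;

-- ACCOUNT UNLOCK clears both kinds of lock and resets failed-login counting.
ALTER USER 'app_ro'@'localhost' ACCOUNT UNLOCK;
ALTER USER 'batch'@'localhost'  ACCOUNT UNLOCK;

-- Setting either option again (even to the same value) also clears a temporary lock.
ALTER USER 'app_ro'@'localhost' FAILED_LOGIN_ATTEMPTS 3;

-- Disable tracking for the account entirely.
ALTER USER 'app_ro'@'localhost' FAILED_LOGIN_ATTEMPTS 0 PASSWORD_LOCK_TIME 0;
```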



To Go Further

Reference Manual



MySQL Security Series (1st edition)




MySQL Security – Password Verification-Required Policy

May 5, 2020

When thinking about security within a MySQL installation, you can consider a wide range of possible procedures / best practices and how they affect the security of your MySQL server and related applications.

MySQL provides many tools / features / plugins or components in order to protect your data, including some advanced features like Transparent Data Encryption (TDE), Audit, Data Masking & De-Identification, Firewall, Random Password Generation, Password Expiration Policy, Password Reuse Policy, Failed-Login Tracking and Temporary Account Locking, Dual Password Support, Connection-Control Plugins, Password Validation Component, etc.

MySQL Security

Basic password policy practices teach us:

  • Each user must have a password
  • A user’s password should be changed periodically

However, often this is not enough.
The Password Verification-Required Policy can help you protect your database.
It makes it harder to modify a user's password if someone gets access to the user's session but not to the credentials themselves.



TL;DR

MySQL 8.0 has introduced an optional behavior that authorizes users to change their password only if they can provide the current password.


Require MySQL users to provide their current password to change it


There are different clauses a DBA can use with CREATE USER or ALTER USER to establish a per-account password verification-required policy.

Let’s play using MySQL 8.0


PASSWORD REQUIRE CURRENT

Require that password changes specify the current password.

Syntax:
CREATE USER <user>@<host> PASSWORD REQUIRE CURRENT;
ALTER USER <user>@<host> PASSWORD REQUIRE CURRENT;


Create a user account with a password generated by MySQL and enable the password verification-required policy:

We can see the policy is enabled for this account in the mysql.user table:

Note that the Password_require_current column is Y.


We can test the policy.
Connect to the newly created account:

Then modify the password:

To avoid error 3892, we must use the REPLACE clause and provide the current password.


Please note that privileged users (users having the global CREATE USER privilege or the UPDATE privilege for the mysql system database) can change any account password without specifying the current password, regardless of the verification-required policy.

In other words, as a privileged DBA user I am able to change someone else's password without the REPLACE clause:


PASSWORD REQUIRE CURRENT OPTIONAL

Do not require that password changes specify the current password (the current password may but need not be given).

Syntax:
CREATE USER <user>@<host> PASSWORD REQUIRE CURRENT OPTIONAL;
ALTER USER <user>@<host> PASSWORD REQUIRE CURRENT OPTIONAL;


Create a user account with a password generated by MySQL and enable the password verification policy, but make the current password optional:

Note that the Password_require_current column is N.


We can test the policy.
Connect to the newly created account:

Then modify the password:

The current password is not required to change the password, well it is… optional 🙂


Global policy

The password verification-required policy is controlled by the password_require_current global system variable.

It can be changed online and persisted with SET PERSIST.

An alternative is to write it in the configuration file (usually my.cnf or my.ini) and restart the MySQL instance.


PASSWORD REQUIRE CURRENT DEFAULT

Defer to the global password verification-required policy for all accounts named by the statement.

Syntax:
CREATE USER <user>@<host> PASSWORD REQUIRE CURRENT DEFAULT;
ALTER USER <user>@<host> PASSWORD REQUIRE CURRENT DEFAULT;


Create a user account whose password verification policy takes the global default value set at the instance level:

We can test the policy.
Connect to the newly created account:

Because the global policy enables the Password Verification-Required Policy, we must use the REPLACE clause.
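The three per-account clauses and the global variable together, as an added example that is not part of the original post; account names and passwords are constructed, and the comments state which session each statement is run from.

```sql
-- Added example (not from the original post): password verification-required
-- policy per account and globally. Account names and passwords are constructed.

-- Global default: self-service password changes must supply the current password.
SET PERSIST password_require_current = ON;

-- Per-account: always required.
CREATE USER 'alice'@'localhost' IDENTIFIED BY 'Old-Pass-1!' PASSWORD REQUIRE CURRENT;
-- Per-account: may be given, not required.
CREATE USER 'bob'@'localhost'   IDENTIFIED BY 'Old-Pass-2!' PASSWORD REQUIRE CURRENT OPTIONAL;
-- Per-account: follow password_require_current (ON above).
CREATE USER 'carol'@'localhost' IDENTIFIED BY 'Old-Pass-3!' PASSWORD REQUIRE CURRENT DEFAULT;

-- Password_require_current: Y for alice, N for bob, NULL for carol (defer to global).
SELECT user, host, Password_require_current
  FROM mysql.user
 WHERE host = 'localhost' AND user IN ('alice', 'bob', 'carol');

-- Run from a session connected as 'alice'@'localhost' (no CREATE USER privilege):
ALTER USER USER() IDENTIFIED BY 'New-Pass-1!';                        -- error 3892
ALTER USER USER() IDENTIFIED BY 'New-Pass-1!' REPLACE 'Old-Pass-1!';  -- accepted
-- SET PASSWORD takes the same REPLACE clause:
SET PASSWORD = 'Newer-Pass-1!' REPLACE 'New-Pass-1!';

-- Run as 'bob'@'localhost': REPLACE is optional for this account.
ALTER USER USER() IDENTIFIED BY 'New-Pass-2!';

-- Run as 'carol'@'localhost': the global ON setting applies, so REPLACE is needed.
ALTER USER USER() IDENTIFIED BY 'New-Pass-3!' REPLACE 'Old-Pass-3!';

-- Run as a DBA holding CREATE USER: the policy does not apply to privileged users.
ALTER USER 'carol'@'localhost' IDENTIFIED BY 'Reset-By-DBA-1!';
```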



To Go Further

Reference Manual



MySQL Security Series (1st edition)




MySQL Security – Password Reuse Policy

April 28, 2020

When thinking about security within a MySQL installation, you can consider a wide range of possible procedures / best practices and how they affect the security of your MySQL server and related applications.

MySQL provides many tools / features / plugins or components in order to protect your data, including some advanced features like Transparent Data Encryption (TDE), Audit, Data Masking & De-Identification, Firewall, Random Password Generation, Password Expiration Policy, Password Verification-Required Policy, Failed-Login Tracking and Temporary Account Locking, Dual Password Support, Connection-Control Plugins, Password Validation Component, etc.

MySQL Security

Basic password policy practices teach us:

  • Each user must have a password
  • A user’s password should be changed periodically

However, often this is not enough. Actually, some regulations may require that users cannot reuse a previous password.

You can enforce that by setting how many password changes and / or how much time must elapse before an old password can be reused. In this article, from my new MySQL Security series, we will see how to establish a policy for password reuse with the MySQL 8.0 Password Reuse Policy.



TL;DR

MySQL provides password-reuse capability, which allows database administrators to determine the number of unique passwords a user must use before they can use an old password again.


Enable restrictions on reuse of previous passwords with MySQL


The main goal of Password Reuse Policy is to enable restrictions to be placed on reuse of previous passwords.
It can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.

There are different clauses a DBA can use with CREATE USER or ALTER USER to establish a per-account password reuse policy.

Let’s dig into it using MySQL 8.0.


PASSWORD HISTORY

Prohibit reusing any of the last 10 (then 24) passwords:


PASSWORD REUSE INTERVAL n DAY

Require a minimum of 180 (then 365) days elapsed before permitting reuse:


Combine types of reuse restrictions

It is also possible to combine both types of reuse restrictions.
Simply use PASSWORD HISTORY and PASSWORD REUSE INTERVAL n DAY together:


Global Policy

Reuse policy can be established globally, as specified by the password_history and password_reuse_interval system variables.

The default password_history value is 0, which disables the history-based reuse restriction.
Same for password_reuse_interval, which disables the time-based one.

The password_history and password_reuse_interval variables can be set in the MySQL configuration file (usually my.cnf or my.ini), but they can also be set and persisted at runtime using SET PERSIST:

The same behavior can be achieved using the my.cnf (or my.ini) file:

However, it requires a server restart.


To defer to the global policy for an account for both types of reuse restrictions, you must use the DEFAULT clause:


To establish a global policy such that none of these restrictions exist, set password_history and password_reuse_interval to 0:


Please note that the empty password does not count in the password history and is subject to reuse at any time.
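The per-account clauses, the global variables and where the server records the history, as an added example that is not part of the original post; account names and passwords are constructed, and it assumes the mysql.user columns Password_reuse_history / Password_reuse_time and the mysql.password_history table.

```sql
-- Added example (not from the original post): password reuse restrictions
-- per account and globally. Account names and passwords are constructed.

-- Global policy: remember the last 24 passwords and forbid reuse within 365 days.
SET PERSIST password_history        = 24;
SET PERSIST password_reuse_interval = 365;

-- Per-account override combining both restriction types.
CREATE USER 'dave'@'localhost' IDENTIFIED BY 'First-Pass-1!'
  PASSWORD HISTORY 10 PASSWORD REUSE INTERVAL 180 DAY;

-- Per-account values (NULL would mean "use the global variable").
SELECT user, host, Password_reuse_history, Password_reuse_time
  FROM mysql.user WHERE user = 'dave';

-- Switch the account back to the global policy for both restrictions.
ALTER USER 'dave'@'localhost'
  PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT;

-- Previous password hashes are retained in mysql.password_history
-- (assumed columns: Host, User, Password_timestamp, Password).
SELECT user, host, Password_timestamp
  FROM mysql.password_history
 WHERE user = 'dave' ORDER BY Password_timestamp;

-- A change to a new value succeeds; going back to a remembered value is
-- rejected because it contradicts the password history policy.
ALTER USER 'dave'@'localhost' IDENTIFIED BY 'Second-Pass-2!';
ALTER USER 'dave'@'localhost' IDENTIFIED BY 'First-Pass-1!';   -- rejected

-- Remove all reuse restrictions globally.
SET PERSIST password_history        = 0;
SET PERSIST password_reuse_interval = 0;
```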



To Go Further

Reference Manual



MySQL Security Series (1st edition)




MySQL Security – Password Expiration Policy

April 21, 2020

When thinking about security within a MySQL installation, you can consider a wide range of possible procedures / best practices and how they affect the security of your MySQL server and related applications.

MySQL provides many tools / features / plugins or components in order to protect your data, including some advanced features like Transparent Data Encryption (TDE), Audit, Data Masking & De-Identification, Firewall, Random Password Generation, Password Reuse Policy, Password Verification-Required Policy, Failed-Login Tracking and Temporary Account Locking, Dual Password Support, Connection-Control Plugins, Password Validation Component, etc.

MySQL Security

Basic password policy practices teach us:

  • Each user must have a password
  • A user’s password should be changed periodically

However, often this is not enough. Actually, some regulations require that the password is renewed in a timely and appropriate manner (e.g. every 90 days).

In this article, we will see how to establish a policy for password expiration with MySQL 8.0 Password Expiration Policy.



TL;DR

MySQL provides password-expiration capability, which enables database administrators to require that users reset their password.


Establish a policy for password expiration with MySQL


The main goal of Password Expiration Policy is to require passwords to be changed periodically.
It can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.

There are different clauses a DBA can use with CREATE USER or ALTER USER to establish a per-account password expiration policy.

Let’s take a closer look using MySQL 8.0.


PASSWORD EXPIRE

Force the user to change the password at the first connection.

Create a user with a random password and mark that password expired:

We can see if the password is expired in the mysql.user table:

Note that the password_expired column is Y.

In other words, this new MySQL user will be able to connect to the server but must reset the password before being able to execute statements:

The password_expired column is now N.


PASSWORD EXPIRE INTERVAL n DAY

Force the user to change the password every N days.

Create a user with a password that will expire in 90 days:

We can see the password options in the mysql.user table:

Note that the password_lifetime column is 90.

After 90 days any statement will generate error 1820:

The password can be reset with the ALTER USER statement:


PASSWORD EXPIRE DEFAULT

This clause sets the account so that the global password expiration policy applies, as specified by the default_password_lifetime system variable.

The default default_password_lifetime value is 0, which disables automatic password expiration.
If the value of default_password_lifetime is a positive integer N, it indicates the permitted password lifetime; passwords must be changed every N days.

default_password_lifetime can be set in the MySQL configuration file, but it can also be set and persisted at runtime using SET PERSIST:

The same behavior can be achieved using the configuration file (usually my.cnf or my.ini):

but it will require a server restart.

To defer to the global expiration policy for an account, use the PASSWORD EXPIRE DEFAULT clause:

Lastly, to establish a global policy such that passwords never expire, set default_password_lifetime to 0:


PASSWORD EXPIRE NEVER

It's also possible to disable password expiration for an account:

Note that the password_lifetime column is 0.

This expiration option overrides the global policy for all accounts named by the statement.
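The four expiration clauses side by side with the global variable and what mysql.user records for each, as an added example that is not part of the original post; account names and passwords are constructed.

```sql
-- Added example (not from the original post): the four expiration settings
-- and their footprint in mysql.user. Account names and passwords are constructed.

-- Global policy: passwords expire 90 days after they were last changed.
SET PERSIST default_password_lifetime = 90;

-- Expire immediately: the user must reset the random password at first login.
CREATE USER 'erin'@'localhost'  IDENTIFIED BY RANDOM PASSWORD PASSWORD EXPIRE;
-- Per-account lifetime of 90 days, independent of the global variable.
CREATE USER 'frank'@'localhost' IDENTIFIED BY 'Pass-F-1!' PASSWORD EXPIRE INTERVAL 90 DAY;
-- Defer to default_password_lifetime.
CREATE USER 'grace'@'localhost' IDENTIFIED BY 'Pass-G-1!' PASSWORD EXPIRE DEFAULT;
-- Never expire (e.g. a service account rotated by other means, such as dual passwords).
CREATE USER 'svc'@'localhost'   IDENTIFIED BY 'Pass-S-1!' PASSWORD EXPIRE NEVER;

-- password_expired: Y for erin, N for the others.
-- password_lifetime: 90 for frank, NULL for grace (global), 0 for svc (never).
SELECT user, host, password_expired, password_lifetime, password_last_changed
  FROM mysql.user
 WHERE host = 'localhost' AND user IN ('erin', 'frank', 'grace', 'svc');

-- Run from a session connected as erin: every other statement fails with
-- error 1820 until the password is reset, which clears password_expired.
ALTER USER USER() IDENTIFIED BY 'Pass-E-2!';

-- Once frank's 90 days have elapsed (error 1820 for him too), a DBA resets it;
-- password_last_changed is updated and the 90-day clock restarts.
ALTER USER 'frank'@'localhost' IDENTIFIED BY 'Pass-F-2!';

-- Turn global expiration off again; frank (90) and svc (NEVER) keep their own settings.
SET PERSIST default_password_lifetime = 0;
```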



To Go Further

Reference Manual



MySQL Security Series (1st edition)




MySQL Security – Random Password Generation

April 15, 2020

When thinking about security within a MySQL installation, you can consider a wide range of possible procedures / best practices and how they affect the security of your MySQL server and related applications.

MySQL provides many tools / features / plugins or components in order to protect your data, including some advanced features like Transparent Data Encryption (TDE), Audit, Data Masking & De-Identification, Firewall, Password Expiration Policy, Password Reuse Policy, Password Verification-Required Policy, Failed-Login Tracking and Temporary Account Locking, Dual Password Support, Connection-Control Plugins, Password Validation Component, etc.

MySQL Security

Basic password policy practices teach us:

  • Each user must have a password
  • A user’s password should be changed periodically

Indeed, this is a good start!

What if MySQL made your life easier by helping you create users with strong, secure passwords?
Well, it is now possible in MySQL 8.0 🙂



TL;DR

MySQL has the capability of generating random passwords for user accounts, as an alternative to requiring explicit administrator-specified literal passwords.




A DBA can use CREATE USER, ALTER USER or SET PASSWORD to generate random passwords for user accounts.

Let’s have a quick look using MySQL 8.0


Create a user account

To create a new MySQL user account with a random password, use the CREATE USER statement with the IDENTIFIED BY RANDOM PASSWORD clause:


Modify a user account

To assign a new random password to a MySQL user account, use the ALTER USER statement with the IDENTIFIED BY RANDOM PASSWORD clause:


Assign a password

Another way to assign a new random password to a MySQL user account is to use the SET PASSWORD statement with the TO RANDOM clause:


Please note that by default, generated random passwords have a length of 20 characters.
This length is controlled by the generated_random_password_length system variable, which has a range from 5 to 255.
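The three statement forms plus the length variable in one script, as an added example that is not part of the original post; account names are constructed.

```sql
-- Added example (not from the original post): random password generation.
-- Account names are constructed.

-- Optional: lengthen generated passwords (default 20, allowed range 5 to 255).
SET PERSIST generated_random_password_length = 32;

-- Each statement returns a result set with user, host and the generated
-- password in clear text. That result set is the only place the clear text
-- ever appears, so capture it from the client session that ran the statement.
CREATE USER 'app1'@'localhost' IDENTIFIED BY RANDOM PASSWORD,
            'app2'@'localhost' IDENTIFIED BY RANDOM PASSWORD;

ALTER USER 'app1'@'localhost' IDENTIFIED BY RANDOM PASSWORD;

SET PASSWORD FOR 'app2'@'localhost' TO RANDOM;

-- The server stores only the hash under the account's authentication plugin;
-- the generated password cannot be read back from mysql.user.
SELECT user, host, plugin, LEFT(authentication_string, 10) AS hash_prefix
  FROM mysql.user
 WHERE host = 'localhost' AND user IN ('app1', 'app2');
```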



To Go Further

Reference Manual



MySQL Security Series (1st edition)




MySQL 8.0.19 New Features Summary

February 17, 2020

Presentation of some of the new features of MySQL 8.0.19 released on January 13, 2020.

Agenda

  • InnoDB ReplicaSet
  • SQL Improvements
    • Table Value Constructors
    • LIMIT in recursive CTE
    • ALTER TABLE… DROP/ALTER CONSTRAINT
    • More information to Duplicate Key Error
  • Account Management Enhancements
  • Time zone offset for Timestamp & Datetime
  • Information Schema views for SQL Roles
  • MySQL Document Store Enhancements
  • MySQL Shell Enhancements
  • MySQL Router Enhancements
  • MySQL InnoDB Cluster Enhancements
  • MySQL Replication Enhancements
  • MySQL NDB Cluster Enhancements
  • MySQL Enterprise New Features
  • Thanks to the Contributors


Download this presentation and others on my SlideShare account.



Webinar – Migrating from MariaDB to MySQL

December 16, 2019

This webinar will cover the advantages and process for migrating from MariaDB/Galera cluster to MySQL InnoDB Cluster.

Over the last 2 years, and especially with MySQL 8.0, MySQL InnoDB Cluster has matured a lot.
In this webinar our guest speaker Matthias Crauwels from Pythian will go over the key differences between both solutions.
Matthias will use his experience to show how to migrate your application from MariaDB/Galera cluster over to MySQL InnoDB Cluster with the least possible amount of downtime.

WHEN:

Thu, Dec 19: 09:00 Pacific time (America)
Thu, Dec 19: 10:00 Mountain time (America)
Thu, Dec 19: 11:00 Central time (America)
Thu, Dec 19: 12:00 Eastern time (America)
Thu, Dec 19: 14:00 São Paulo time
Thu, Dec 19: 17:00 UTC
Thu, Dec 19: 17:00 Western European time
Thu, Dec 19: 18:00 Central European time
Thu, Dec 19: 19:00 Eastern European time
Thu, Dec 19: 22:30 India, Sri Lanka
Fri, Dec 20: 00:00 Indonesia Western Time
Fri, Dec 20: 01:00 Singapore/Malaysia/Philippines time
Fri, Dec 20: 01:00 China time
Fri, Dec 20: 02:00 ??
Fri, Dec 20: 04:00 NSW, ACT, Victoria, Tasmania (Australia)

The presentation will be approximately 60 minutes long followed by Q&A.

Register for this web presentation


MySQL 8.0.18 New Features Summary

November 26, 2019

Presentation of some of the new features of MySQL 8.0.18 released on October 14, 2019.

Agenda

  • Hash Join
  • EXPLAIN ANALYZE
  • Only OpenSSL
  • Random Password
  • MySQL Shell Enhancements
  • MySQL Router Enhancements
  • InnoDB Cluster Enhancements
  • Group Replication Enhancements
  • Replication Enhancements
  • Enterprise New Features
  • Thanks to the Contributors


Download this presentation and others on my SlideShare account.

