以下部分提供了对 MySQL Enterprise Firewall 元素的参考:
MySQL Enterprise Firewall 使用系统数据库中的表来维护配置文件信息以
mysql进行持久存储,并使用INFORMATION_SCHEMA表来提供内存中缓存数据的视图。启用后,防火墙会根据缓存数据做出操作决策。
每个mysql系统数据库表只能由对其具有
SELECT权限的帐户访问。任何人都可以访问这些
INFORMATION_SCHEMA表。
该mysql.firewall_users表列出了已注册防火墙帐户配置文件的名称和操作模式。该表具有以下列(相应的
INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS
表具有相似但不一定相同的列):
USERHOST帐户配置文件名称。每个帐户名的格式都是 .
user_name@host_nameMODEThe current operational mode for the profile. Permitted mode values are
OFF,DETECTING,PROTECTING,RECORDING, andRESET. For details about their meanings, see Firewall Concepts.
The mysql.firewall_whitelist table lists
allowlist rules of registered firewall account profiles. The
table has the following columns (with the corresponding
INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
table having similar but not necessarily identical columns):
USERHOSTThe account profile name. Each account name has the format
user_name@host_nameRULEA normalized statement indicating an acceptable statement pattern for the profile. A profile allowlist is the union of its rules.
IDAn integer column that is a primary key for the table. This column was added in MySQL 5.7.23.
MySQL Enterprise Firewall stored procedures perform tasks such as registering profiles with the firewall, establishing their operational mode, and managing transfer of firewall data between the cache and persistent storage. These procedures invoke administrative functions that provide an API for lower-level tasks.
Firewall stored procedures are created in the
mysql system database. To invoke a firewall
stored procedure, either do so while mysql
is the default database, or qualify the procedure name with
the database name. For example:
CALL mysql.sp_set_firewall_mode(user, mode);The following list describes each firewall stored procedure:
sp_reload_firewall_rules(user)This stored procedure provides control over firewall operation for individual account profiles. The procedure uses firewall administrative functions to reload the in-memory rules for an account profile from the rules stored in the
mysql.firewall_whitelisttable.Arguments:
user: The name of the affected account profile, as a string inuser_name@host_name
Example:
CALL mysql.sp_reload_firewall_rules('fwuser@localhost');WarningThis procedure clears the account profile in-memory allowlist rules before reloading them from persistent storage, and sets the profile mode to
OFF. If the profile mode was notOFFprior to thesp_reload_firewall_rules()call, usesp_set_firewall_mode()to restore its previous mode after reloading the rules. For example, if the profile was inPROTECTINGmode, that is no longer true after callingsp_reload_firewall_rules()and you must set it toPROTECTINGagain explicitly.sp_set_firewall_mode(user,mode)This stored procedure establishes the operational mode for a firewall account profile, after registering the profile with the firewall if it was not already registered. The procedure also invokes firewall administrative functions as necessary to transfer firewall data between the cache and persistent storage. This procedure may be called even if the
mysql_firewall_modesystem variable isOFF, although setting the mode for a profile has no operational effect until the firewall is enabled.Arguments:
user: The name of the affected account profile, as a string inuser_name@host_namemode: The operational mode for the profile, as a string. Permitted mode values areOFF,DETECTING,PROTECTING,RECORDING, andRESET. For details about their meanings, see Firewall Concepts.
Switching an account profile to any mode but
RECORDINGsynchronizes its firewall cache data to themysqlsystem database tables that provide persistent underlying storage. Switching the mode fromOFFtoRECORDINGreloads the allowlist from themysql.firewall_whitelisttable into the cache.If an account profile has an empty allowlist, its mode cannot be set to
PROTECTINGbecause the profile would reject every statement, effectively prohibiting the account from executing statements. In response to such a mode-setting attempt, the firewall produces a diagnostic message that is returned as a result set rather than as an SQL error:mysql> CALL mysql.sp_set_firewall_mode('a@b','PROTECTING'); +----------------------------------------------------------------------+ | set_firewall_mode(arg_userhost, arg_mode) | +----------------------------------------------------------------------+ | ERROR: PROTECTING mode requested for a@b but the whitelist is empty. | +----------------------------------------------------------------------+ 1 row in set (0.02 sec) Query OK, 0 rows affected (0.02 sec)
MySQL Enterprise Firewall administrative functions provide an API for lower-level tasks such as synchronizing the firewall cache with the underlying system tables.
Under normal operation, these functions are invoked by the firewall stored procedures, not directly by users. For that reason, these function descriptions do not include details such as information about their arguments and return types.
Firewall Account Profile Functions
These functions perform management operations on firewall account profiles:
read_firewall_users(user,mode)This aggregate function updates the firewall account profile cache through a
SELECTstatement on themysql.firewall_userstable. It requires theSUPERprivilege.Example:
SELECT read_firewall_users('fwuser@localhost', 'RECORDING') FROM mysql.firewall_users;read_firewall_whitelist(user,rule)This aggregate function updates the recorded-statement cache for the named account profile through a
SELECTstatement on themysql.firewall_whitelisttable. It requires theSUPERprivilege.Example:
SELECT read_firewall_whitelist('fwuser@localhost', fw.rule) FROM mysql.firewall_whitelist AS fw WHERE USERHOST = 'fwuser@localhost';This function manages the account profile cache and establishes the profile operational mode. It requires the
SUPERprivilege.Example:
SELECT set_firewall_mode('fwuser@localhost', 'RECORDING');
Firewall Miscellaneous Functions
These functions perform miscellaneous firewall operations:
This function resets several firewall status variables to 0:
This function requires the
SUPERprivilege.Example:
SELECT mysql_firewall_flush_status();This function normalizes an SQL statement into the digest form used for allowlist rules. It requires the
SUPERprivilege.Example:
SELECT normalize_statement('SELECT * FROM t1 WHERE c1 > 2');
MySQL Enterprise Firewall supports the following system variables. Use them to configure firewall operation. These variables are unavailable unless the firewall is installed (see Section 6.4.6.2, “Installing or Uninstalling MySQL Enterprise Firewall”).
-
Command-Line Format --mysql-firewall-mode[={OFF|ON}]System Variable mysql_firewall_modeScope Global Dynamic Yes Type Boolean Default Value ONWhether MySQL Enterprise Firewall is enabled (the default) or disabled.
-
Command-Line Format --mysql-firewall-trace[={OFF|ON}]System Variable mysql_firewall_traceScope Global Dynamic Yes Type Boolean Default Value OFFWhether the MySQL Enterprise Firewall trace is enabled or disabled (the default). When
mysql_firewall_traceis enabled, forPROTECTINGmode, the firewall writes rejected statements to the error log.
MySQL Enterprise Firewall supports the following status variables. Use them to
obtain information about firewall operational status. These
variables are unavailable unless the firewall is installed
(see Section 6.4.6.2, “Installing or Uninstalling MySQL Enterprise Firewall”). Firewall status
variables are set to 0 whenever the
MYSQL_FIREWALL plugin is installed or the
server is started. Many of them are reset to zero by the
mysql_firewall_flush_status()
function (see MySQL Enterprise Firewall Administrative Functions).