Author Archives: Sergei
As you all know MariaDB supported roles since the MariaDB release 10.0.5. They were implemented almost exactly as specified in the SQL Standard 2003, features T331 “Basic roles” and T332 “Extended Roles”.
But we were often hearing complains, users were not satisfied with purely standard set of features. In particular, the standard specified that one had to do
SET ROLE foobar;
to be able to use privileges, granted to the role foobar. This was not always convenient and sometimes not even possible (imagine, you need to grant role privileges to an account used by a closed-source application). …
This is both hilarious and sad. The new MySQL 5.7 milestone release presents a new feature — replication filters are now dynamic. This is a great and long awaited feature, no doubt about it.
In short, for years MySQL slaves could filter the incoming stream of replication events based on the database or table name these events were applicable to. These filters were configured using the my.cnf file (or command-line), in particular with the following variables:
replicate_do_db
replicate_ignore_db
replicate_do_table
replicate_ignore_table
replicate_wild_do_table
replicate_wild_ignore_table
Naturally, users wanted to be able to change the values of these options without having to restart the server. …
Continue reading “Dynamic replication filters — our wheel will be square!”
I’m getting more and more concerned about the current Oracle approach to MySQL security. And the fact that I was solely responsible for the security@mysql.com for about ten years, doesn’t make it easier, on the contrary, it only emphasizes changes in the attitude.
Starting from the obvious — somewhat slower response to critical bug fixes, which can be expected, Oracle is a big company, right? Very little information about security vulnerabilities is disclosed, CPUs are carefully stripped from anything that might help to understand the problem, it takes hours to map them to code changes. Heck, even test cases are kept private now. …
About a week ago I was looking at MySQL 5.5.27, and noticed a curious thing. Despite the fact that the new MySQL release contained its usual share of bug fixes, not a single one of them was accompanied with a test case.
Now, let me tell you something about tests. For many years MySQL was using its own testing framework, called mysql-test. The first version was written as early as 1999. Over the years it has accumulated a lot of tests. Tests for new features and regression tests — those that guarantee that a bug, once fixed, will never ever show up again. …
Continue reading “Disappearing test cases or did another part of MySQL just become closed source?”
In this primer I will show how to improve the security of your MariaDB installation by using two-step verification and how to use it from your Windows GUI client.
Let’s suppose you have your data in MariaDB, installed, say, on Ubuntu. And your users connect to it to run ad hoc queries, using some sort of a Windows GUI client. You don’t want them to write the access password on post-it notes or have it auto-entered by the client. And you don’t want anyone see the password when one of the salespersons connects to the mother ship from his laptop in the Internet café. …
Continue reading “MariaDB: Improve Security with Two-Step Verification”
As you may know, since version 5.2.0 (released in April 2010) we support Pluggable Authentication. Using this feature one can implement an arbitrary user authentication and account management policy, completely replacing built-in MariaDB authentication with its username/password combination and mysql.user table.
Also, as you might have heard, Oracle has recently released a PAM authentication plugin for MySQL. Alas, this plugin will not run on MariaDB — although the MySQL implementation of pluggable authentication is based on ours, the API is incompatible. And, being closed source, this plugin cannot be fixed to run in MariaDB. And — I’m not making it up — this plugin does not support communication between the client and the server, so even with this plugin and all the power of PAM the only possible authentication method remains a simple username/password combination. …
Continue reading “Writing a MariaDB PAM Authentication Plugin”
If you work with bazaar, you have seen its URIs. You can find the complete list is in the bzr help urlspec. Although I commonly use only a subset of that, like bzr+ssh://bazaar.launchpad.net/~maria-captains/maria/5.2-serg/ and http://bazaar.launchpad.net/%2Bbranch/mysql-server/5.5/.
In addition I often use Launchpad aliases, such as lp:~maria-captains/maria/5.3-serg/, lp:maria/5.3, and lp:869001.
And finally, there are common abbreviations that we have used in MySQL, and others that we use in MariaDB, for example bug#12345 and wl#90.
What’s annoying, I need to remember that wl#90 corresponds to http://askmonty.org/worklog/?tid=90 and type the latter in the location bar of the browser, when I want to look this task up. …
For many years I was using tcsh, with lots of useful customizations, that were created during these years. Now I have bash on my laptop and slowly adding what I’ve got used to.
Yesterday I’ve created command line completion rules for mysql-test-run. It’s not a complete set of everything that’s possible, still it’s quite useful as it is. I need to type much less now when invoking mysql-test-run (and I invoke it quite a lot).
(more…) …