MariaDB & Database Security

One of the key issues in 2016 for DBAs to tackle will be database security, mainly associated with the increasing adoption of public and private clouds, as well as mission-critical applications running on open source databases in large enterprises.

Database security is one of the key topics for all the major vendors in the MySQL and MariaDB ecosystem. Oracle has just released version 5.7 of MySQL, with more features for standard authentication and proxy users, long awaited by the Community. Enterprise customers can also benefit from a PAM authentication plugin that supports LDAP. Percona has improved its PAM plugin and is very much focused on security-related features, namely auditing.

The recent release of MariaDB 10.1 has given it a significant boost in security features, available, as usual, to the whole Community.

The efforts of the MariaDB team for 10.1 and the development on 10.2 are focused on 5 specific areas:

  • Internal security and password check
  • PAM and LDAP authentication
  • Kerberos
  • User Roles
  • Database Encryption

Internal security and password check

With 10.1, MariaDB has introduced the Password Validation Plugin API. This means that it is now easy for users and contributors to create their own validator beyond what is already available. Does your organisation require two-factor authentication from a selected vendor? It is now possible to implement it with relatively little effort. Some example implementations with Google Authenticator are already available from Community contributors.

10.1 also provides ready-made plugins: simple_password_check, where users can set simple checks like minimum length and mandatory character classes, and cracklib_password_check, where a password must pass the checks of the CrackLib library before MariaDB accepts it.
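As an added example (not code from the original post), the following statements load both ready-made plugins on a MariaDB 10.1 server and tune the simple_password_check policy. The variable names are the plugins' real settings; the user name, host pattern and passwords are constructed for illustration.

```sql
-- Load the simple_password_check plugin and set the policy.
-- Settings take effect for CREATE USER, SET PASSWORD and GRANT ... IDENTIFIED BY.
INSTALL SONAME 'simple_password_check';
SET GLOBAL simple_password_check_minimal_length     = 12;  -- total characters
SET GLOBAL simple_password_check_digits             = 2;   -- at least 2 digits
SET GLOBAL simple_password_check_letters_same_case  = 2;   -- >= 2 upper AND >= 2 lower
SET GLOBAL simple_password_check_other_characters   = 1;   -- >= 1 punctuation/symbol

-- Load the CrackLib-backed plugin as well; both validators must accept a password.
-- It uses the system CrackLib dictionary unless cracklib_password_check_dictionary
-- is set in my.cnf at startup.
INSTALL SONAME 'cracklib_password_check';

-- Confirm both plugins are active and what policy is in force.
SHOW PLUGINS;
SHOW GLOBAL VARIABLES LIKE 'simple_password_check%';
SHOW GLOBAL VARIABLES LIKE 'cracklib_password_check%';

-- Constructed example: this CREATE USER is rejected (too short, no digits,
-- and "password" is a dictionary word for CrackLib).
CREATE USER 'app_ro'@'10.0.0.%' IDENTIFIED BY 'password';

-- Constructed example: this one satisfies both validators.
CREATE USER 'app_ro'@'10.0.0.%' IDENTIFIED BY 'Xq7!vRt9#mLp2Zw';

-- Validators only see clear-text passwords. With the default
-- strict_password_validation = ON, statements that supply a pre-hashed value
-- (IDENTIFIED BY PASSWORD '*...') are refused rather than silently bypassing the policy.
SHOW GLOBAL VARIABLES LIKE 'strict_password_validation';
```

The policy variables are dynamic, so they can be changed at run time, but they should also be written to the `[mysqld]` section of my.cnf so the policy survives a restart; otherwise the plugins reload with their permissive defaults.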

PAM and LDAP authentication

The PAM Authentication Plugin was added to MariaDB a long time ago (in 5.2). The plugin allows DBAs to set up a database environment where users share the passwords of their normal shell logins and other services. In addition, an integration with LDAP (through the pam_ldap shared library) lets DB users authenticate against an LDAP server.
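The following is an added example, not part of the original post, showing how a DBA wires a MariaDB account to PAM, and through PAM to LDAP. It assumes a PAM service file named `mariadb` (a hypothetical name) has been created by the administrator at `/etc/pam.d/mariadb`; its contents are shown as comments. The user, database and host are constructed.

```sql
-- Load the server-side PAM authentication plugin.
INSTALL SONAME 'auth_pam';

-- Assumed PAM service definition in /etc/pam.d/mariadb (hypothetical path/name),
-- delegating both authentication and account checks to pam_ldap:
--   auth     required pam_ldap.so
--   account  required pam_ldap.so
-- pam_ldap itself is configured in /etc/ldap.conf (or /etc/pam_ldap.conf) with the
-- LDAP URI, base DN and bind credentials; MariaDB never sees those.

-- The account authenticates via PAM, using the "mariadb" service; no password
-- hash is stored in mysql.user for it.
CREATE USER 'alice'@'%' IDENTIFIED VIA pam USING 'mariadb';
GRANT SELECT ON sales.* TO 'alice'@'%';

-- The PAM dialog sends the password to the server in clear text, so the
-- connection must be protected: refuse this account over non-TLS links.
GRANT USAGE ON *.* TO 'alice'@'%' REQUIRE SSL;

-- Check the result: plugin column must read "pam", authentication_string "mariadb".
SELECT user, host, plugin, authentication_string, ssl_type
  FROM mysql.user
 WHERE user = 'alice';
```

Because PAM is doing the password check, disabling the account in LDAP disables it in MariaDB without any SQL; the MariaDB side only decides which privileges a successfully authenticated login receives.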

Kerberos

The Kerberos plugin has been in development for MariaDB for quite a long time. The engineering team is now committed to adding a production-ready version of this plugin to 10.2. The progress of this plugin can be followed on the public Jira for MariaDB Server.

User Roles

User roles were introduced in MariaDB 10.0 and improved in 10.1. DBAs can now define roles, i.e. bundle a set of privileges and associate them with a role, then grant the role, and with it all the related privileges, to a user or to a set of users. The SET DEFAULT ROLE statement has been added in 10.1, in order to define a default set of privileges for new users. Extra qualifiers are now available for the CREATE/DROP ROLE statements.
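An added example (not from the original post) of the role workflow on MariaDB 10.1: two roles, one nested in the other, a user who receives the bundle, a default role so the privileges are active at login, and the catalogue queries used to audit who can assume what. Role, user, database and password values are constructed.

```sql
-- Two roles: read-only reporting, and a developer role that includes it.
CREATE ROLE IF NOT EXISTS reporting;          -- IF NOT EXISTS qualifier: 10.1.3+
CREATE ROLE IF NOT EXISTS developer;
GRANT SELECT                         ON sales.* TO reporting;
GRANT SELECT, INSERT, UPDATE, DELETE ON sales.* TO developer;
GRANT reporting TO developer;                  -- roles can be granted to roles

-- A user gets the bundle with a single GRANT.
CREATE USER 'bob'@'%' IDENTIFIED BY 'Xq7!vRt9#mLp2Zw';
GRANT developer TO 'bob'@'%';

-- Without a default role, bob's session starts with USAGE only and he must run
-- SET ROLE developer; 10.1 lets the DBA make it automatic at login:
SET DEFAULT ROLE developer FOR 'bob'@'%';

-- Audit: which users/roles may assume which roles (grantor-independent view)...
SELECT Host, User, Role, Admin_option FROM mysql.roles_mapping ORDER BY Role, User;
-- ...and the effective privilege list for the user, roles expanded.
SHOW GRANTS FOR 'bob'@'%';

-- Least privilege in reverse: removing the role removes every privilege it carried.
REVOKE developer FROM 'bob'@'%';
-- Dropping a role revokes it from everyone who held it.
DROP ROLE IF EXISTS reporting;                 -- IF EXISTS qualifier: 10.1.3+
```

Granting privileges only to roles, never directly to users, keeps `mysql.roles_mapping` and `SHOW GRANTS` as the single place to review access, which is what an auditor asks for first.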

Database Encryption

Database encryption is probably the most important and interesting aspect of database security now available in MariaDB 10.1. New features include encryption of tablespaces, tables and logs, a new file-based key management plugin, and new parameters to tune the encryption, such as key rotation, table scrubbing, and binary and relay log encryption.
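The following added example (not code from the original post) shows the pieces a DBA puts together for data-at-rest encryption on MariaDB 10.1 with the file_key_management plugin: the server settings (shown as comments, since they live in my.cnf), a table bound to a specific key id, and the catalogue query that proves what is actually encrypted. File paths, key ids, and the table definition are placeholders and constructed values.

```sql
-- Server configuration, [mysqld] section of my.cnf (placeholder paths):
--   plugin_load_add = file_key_management
--   file_key_management_filename = /etc/mysql/encryption/keyfile.enc
--   file_key_management_filekey  = FILE:/etc/mysql/encryption/keyfile.key
--   file_key_management_encryption_algorithm = AES_CTR
--   innodb_encrypt_tables   = ON     -- FORCE (10.1.4+) also refuses ENCRYPTED=NO tables
--   innodb_encrypt_log      = ON     -- redo log
--   innodb_encryption_threads = 4    -- background threads that (re)encrypt pages
--   encrypt_binlog          = ON     -- binary and relay logs
--   encrypt_tmp_disk_tables = ON
--   innodb_background_scrub_data_uncompressed = ON   -- table scrubbing of freed pages
--
-- The clear-text key file holds one "id;hex-key" line per key (placeholder values),
-- and is then encrypted with openssl enc -aes-256-cbc using the filekey above:
--   1;<64 hex chars = 256-bit key>
--   2;<64 hex chars = 256-bit key>
-- Key id 1 is the default for every encrypted object that names no key id.

-- Verify the plugin loaded and the settings are in force.
SHOW PLUGINS;                                       -- file_key_management: ACTIVE
SHOW GLOBAL VARIABLES LIKE 'innodb_encrypt%';
SHOW GLOBAL VARIABLES LIKE 'encrypt_%';

-- Bind a sensitive table to key id 2 explicitly (overrides the global default).
-- If key id 2 is missing from the key file, this statement fails.
CREATE TABLE sales.payments (
  id         BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  card_token VARBINARY(64)   NOT NULL
) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- Prove it: every InnoDB tablespace and its encryption state.
-- ENCRYPTION_SCHEME 0 = not encrypted, 1 = encrypted; MIN_KEY_VERSION 0 means
-- some pages are still in clear text (encryption of an existing table is lazy).
SELECT NAME, ENCRYPTION_SCHEME, MIN_KEY_VERSION, CURRENT_KEY_VERSION
  FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
 ORDER BY NAME;
```

Two caveats worth checking before relying on this: the file_key_management plugin does not support key rotation (innodb_encryption_rotate_key_age only matters with a key management plugin that versions keys), and the key file protects nothing if it sits on the same disk as the data with read access for the mysql user and everyone else; keep it on a separately protected path with permissions limited to the server process.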

These features raise MariaDB's database security to a level beyond what has been commonly perceived for open source databases, and make 10.1 the most secure open source database for the Cloud.