Dual-password capability makes it possible to seamlessly perform credential changes without downtime.
DBA can configure user accounts such that too many consecutive login failures cause temporary account locking.
MySQL 8.0 has introduced an optional behavior that authorize users to change their password only if they could provide the current password.
MySQL provides password-reuse capability, which allows database administrators to determine the number of unique passwords a user must use before they can use an old password again.
MySQL provides password-expiration capability, which enables database administrators to require that users reset their password.
MySQL has the capability of generating random passwords for user accounts, as an alternative to requiring explicit administrator-specified literal passwords.
MySQL Enterprise Data Masking and De-Identification hides sensitive information by replacing real values with substitutes in order to protect sensitive data while they are still look real and consistent.
From time to time people wonder how to implement roles in MySQL. This can be useful for companies having to deal with many user accounts or for companies with tight security requirements (PCI or HIPAA for instance). Roles do not exist in regular MySQL but here is an example on how to emulate them using Percona Server, the PAM plugin and proxy users.
Say we have 2 databases: db1 and db2, and we want to be able to create 3 roles:
- db1_dev: can read and write on db1 only.
- db2_dev: can read and write on db2 only.
- stats: can read on db1 and db2
For each role, we will create one user: joe (db1_dev), mike (db2_dev) and tom (stats).
Setting up the Percona PAM plugin
The Percona PAM plugin is distributed with Percona Server 5.5 and 5.6. I will be using …[Read more]