GRANT Options

MySQL can check X509 certificate attributes in addition to the normal username/password scheme. All the usual options are still required (username, password, IP address mask, database/table name).
There are different possibilities to limit connections:
REQUIRE SSL

This option limits the server to allow only SSL-encrypted connections. Note that this option can be omitted if there are any ACL records which allow non-SSL connections.

    mysql> GRANT ALL PRIVILEGES ON test.* TO root@localhost
        -> IDENTIFIED BY 'goodsecret' REQUIRE SSL;
REQUIRE X509

This option means that the client must present a valid certificate, but we do not care about the exact certificate, issuer, or subject. The only restriction is that it must be possible to verify its signature with one of the CA certificates.

    mysql> GRANT ALL PRIVILEGES ON test.* TO root@localhost
        -> IDENTIFIED BY 'goodsecret' REQUIRE X509;
REQUIRE ISSUER 'issuer'

This option places a restriction on connection attempts: the client must present a valid X509 certificate issued by CA 'issuer'. Using X509 certificates always implies encryption, so the SSL option is unnecessary.

    mysql> GRANT ALL PRIVILEGES ON test.* TO root@localhost
        -> IDENTIFIED BY 'goodsecret'
        -> REQUIRE ISSUER 'C=FI, ST=Some-State, L=Helsinki, '
        '> O=MySQL Finland AB, CN=Tonu Samuel/Email=tonu@mysql.com';
REQUIRE SUBJECT 'subject'

This option requires clients to have a valid X509 certificate with subject 'subject' on it. If the client presents a certificate that is valid but has a different 'subject', the connection is disallowed.

    mysql> GRANT ALL PRIVILEGES ON test.* TO root@localhost
        -> IDENTIFIED BY 'goodsecret'
        -> REQUIRE SUBJECT 'C=EE, ST=Some-State, L=Tallinn, '
        '> O=MySQL demo client certificate, '
        '> CN=Tonu Samuel/Email=tonu@mysql.com';
REQUIRE CIPHER 'cipher'

This option is needed to ensure that sufficiently strong ciphers and key lengths are used. SSL itself can be weak if old algorithms with short encryption keys are used. Using this option, we can require one exact cipher method before a connection is allowed.

    mysql> GRANT ALL PRIVILEGES ON test.* TO root@localhost
        -> IDENTIFIED BY 'goodsecret'
        -> REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';
The SUBJECT, ISSUER, and CIPHER options can be combined in the REQUIRE clause like this:

    mysql> GRANT ALL PRIVILEGES ON test.* TO root@localhost
        -> IDENTIFIED BY 'goodsecret'
        -> REQUIRE SUBJECT 'C=EE, ST=Some-State, L=Tallinn, '
        '> O=MySQL demo client certificate, '
        '> CN=Tonu Samuel/Email=tonu@mysql.com'
        -> AND ISSUER 'C=FI, ST=Some-State, L=Helsinki, '
        '> O=MySQL Finland AB, CN=Tonu Samuel/Email=tonu@mysql.com'
        -> AND CIPHER 'EDH-RSA-DES-CBC3-SHA';
Starting from MySQL 4.0.4, the AND keyword is optional between REQUIRE options. The order of the options does not matter, but no option can be specified twice.
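The rules above (SSL, X509, ISSUER, SUBJECT and CIPHER, combinable, AND optional, no option twice, exact match of subject/issuer/cipher) as an added illustrative evaluator; this is not MySQL's own code, and the connection attribute names (ssl, cert_valid, subject, issuer, cipher) are assumed for the example.

```python
import re

# One REQUIRE option per match: the optional AND keyword, a bare SSL/X509
# flag, or ISSUER/SUBJECT/CIPHER followed by a single-quoted SQL string
# (a doubled '' inside the string stands for a literal quote).
_TOKEN = re.compile(
    r"\s*(?:(AND)\b|(SSL|X509)\b|(ISSUER|SUBJECT|CIPHER)\s+'((?:[^']|'')*)')",
    re.I,
)


def parse_require(clause):
    """Parse the text after REQUIRE into {OPTION: value-or-True}."""
    opts = {}
    clause = clause.strip()
    pos = 0
    while pos < len(clause):
        m = _TOKEN.match(clause, pos)
        if not m:
            raise ValueError("syntax error near %r" % clause[pos:])
        pos = m.end()
        if m.group(1):  # AND is optional (MySQL 4.0.4+) and carries no value
            continue
        name = (m.group(2) or m.group(3)).upper()
        if name in opts:  # order is free, but no option may appear twice
            raise ValueError("option %s specified twice" % name)
        value = m.group(4)
        opts[name] = value.replace("''", "'") if value is not None else True
    return opts


def connection_allowed(require, conn):
    """Decide whether a connection (assumed dict: ssl, cert_valid, subject,
    issuer, cipher) satisfies every option of the given REQUIRE clause."""
    opts = parse_require(require)
    if not opts:
        return True  # no REQUIRE clause: plain connections are acceptable
    if not conn.get("ssl"):
        return False  # every REQUIRE option implies an encrypted connection
    # X509, ISSUER and SUBJECT all need a certificate verifiable by a CA
    needs_cert = ("X509", "ISSUER", "SUBJECT")
    if any(o in opts for o in needs_cert) and not conn.get("cert_valid"):
        return False
    # ISSUER, SUBJECT and CIPHER are exact-match restrictions
    for option, attr in (("ISSUER", "issuer"), ("SUBJECT", "subject"),
                         ("CIPHER", "cipher")):
        if option in opts and conn.get(attr) != opts[option]:
            return False
    return True
```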