Bug #38564 Proxy should be able to limit hosts that can connect
Submitted: 5 Aug 2008 10:26
Reporter: Victoria Reznichenko
Status: Verified
Category: MySQL Enterprise Monitor: Agent
Severity: S4 (Feature request)
Version:
OS: Any
Assigned to: Assigned Account
CPU Architecture: Any
Tags: windmill

[5 Aug 2008 10:26] Victoria Reznichenko
MySQL Proxy should have a way to restrict which hosts can connect, e.g. which user@host can connect, because currently it leads to a situation where any host can connect to the database using a particular account.

How to repeat:
see above

[18 Dec 2008 20:38] James Day
Partial workarounds for this:

1. Firewall. It shouldn't be possible to even see the server unless your host has permission to access it. If it can be seen, denial of service attacks are possible even without access rights.
2. Non-standard ports. So standard scripted attacks on default ports will fail.

Only once those methods have failed to protect the server do the individual user connection and other access rights start to become significant. Not supporting them is a significant problem for those who want good access control.

[18 Feb 2009 22:31] Mark Matthews
Until such time as the MySQL server allows us to pass through originating host information in any way (secure or not), there will always be a limitation that clients connecting through the proxy will appear to be coming from whichever host the proxy is running on (usually localhost), thus making it impossible to use grants that discriminate based on hostname, network, etc. The same issue exists when connections come in via NAT'd subnets, or via Linux HA virtual IPs, etc.

While we do want to add allow/deny type security to the proxy, there does come a point of diminishing returns, addressed by and usable today by the workarounds James posted.
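
The limitation described in the last comment, as an added example (it is not MySQL Proxy or MySQL server code): the server can only match on the address it sees, which is the proxy's, so a per-account allow list has to be evaluated at the proxy against the real peer address. The account names, networks, addresses and function names below are constructed for illustration.

```python
import ipaddress

# Assumption: the proxy runs on the database host, so the server sees localhost.
PROXY_ADDR = "127.0.0.1"

# Constructed server-side view: the only host the account can be tied to
# once traffic goes through the proxy is the proxy's own address.
SERVER_GRANTS = {"app": ["127.0.0.1/32"]}

# Constructed proxy-side policy: account -> client networks allowed to use it.
PROXY_ALLOW = {
    "app": ["10.0.5.0/24"],
    "report": ["10.0.9.17/32", "192.168.40.0/22"],
}

def server_side_host(client_addr, via_proxy):
    """Address the MySQL server sees for this connection."""
    return PROXY_ADDR if via_proxy else client_addr

def host_allowed(policy, user, addr):
    """Default deny: True only if addr is inside a network listed for user."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable peer address is never allowed
    return any(ip in ipaddress.ip_network(net) for net in policy.get(user, []))

def proxy_decision(policy, user, client_addr):
    """Allow/deny check made at the proxy, on the real peer address."""
    return "forward" if host_allowed(policy, user, client_addr) else "deny"

if __name__ == "__main__":
    outsider = "203.0.113.50"  # constructed address outside every allowed network
    seen = server_side_host(outsider, via_proxy=True)
    # The server-side host check passes, because it only ever sees the proxy.
    print("server sees", seen, "->", host_allowed(SERVER_GRANTS, "app", seen))
    # The same connection evaluated at the proxy is refused.
    print("proxy check ->", proxy_decision(PROXY_ALLOW, "app", outsider))
    print("proxy check ->", proxy_decision(PROXY_ALLOW, "app", "10.0.5.20"))
```
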