Setting the Service mode to MYSQL enables it to operate in application-layer aware MySQL mode. This mode enables you to provide secret-less access for Users to the protected upstream MySQL-based server without having to share the upstream's password. This mode also provides you with clear application-layer aware visibility where your MySQL sessions and queries are logged and audited in real-time.
Secret-less Access
You can simply provide your database configuration (i.e. user, database and password) to provide secret-less access for your Users as follows:
1kind: Service2metadata:3name: mysql-db-014spec:5# Set the mode to MYSQL6mode: MYSQL7port: 12348config:9upstream:10url: mysql://address-to-db11mysql:12# RECOMMENDED. Override the DB user. If not set, then the value from the downstream is used.13user: user0114# RECOMMENDED. Override the DB name. If not set, then the value from the downstream is used.15database: db0116# RECOMMENDED. Set the password of the user.17auth:18password:19fromSecret: <SECRET_NAME>20# Set isTLS to true if the MySQL server is running over TLS21isTLS: true
Access Control
You can control access based on the MySQL request information. Such information are stored in ctx.request.mysql where it contains the username and database. Here is a detailed example of a inline Policy that controls access based on MySQL-specific information:
1kind: Service2metadata:3name: svc14spec:5mode: MYSQL6port: 12347config:8upstream:9url: mysql://address-to-db10# rest of the config11authorization:12inlinePolicies:13- spec:14rules:15- effect: ALLOW16condition:17any:18of:19- match: ctx.request.mysql.connect.user == "db-user-1"20- match: ctx.request.mysql.connect.database == "db-01"
You do not actually need to control access by checking against the database user since you already override the database user in your Service configuration as illustrated above regardless of the database user value provided by the User. You can also use dynamic configuration in order to map different databases and/or database users to different Users under different conditions. You can read more about dynamic configuration here
Dynamic Configuration
You can use dynamic configuration in order to, for example, route to different upstreams and/or setting different users, databases and passwords depending on the request's context (read more about dynamic configuration here). Here is an example:
1metadata:2name: example-svc3spec:4mode: MYSQL5dynamicConfig:6configs:7- name: prod8upstream:9url: mysql://address10mysql:11user: prod12database: prod-db13auth:14password:15fromSecret: prod-password16- name: dev17upstream:18url: mysql://address19mysql:20user: dev21database: dev-db22auth:23password:24fromSecret: dev-password25rules:26- condition:27match: '"prod" in ctx.user.spec.groups'28configName: prod29- condition:30matchAny: true31configName: dev
Visibility
The Service emits access logs in real time to the audit collector. Each log provides MySQL application-layer aware information about the request such as the command type, the query details, etc.... Here is an example:
1{2"apiVersion": "core/v1",3"kind": "Log",4"metadata": {5// Omitted for the sake of brevity of the example6},7"entry": {8"service": {9"info": {10"common": {11"status": "ALLOWED"12// Omitted for the sake of brevity of the example13},14"mysql": {15"query": {16"query": "CREATE DATABASE db01;"17},18"type": "QUERY"19}20}21// Omitted for the sake of brevity of the example22}23}24}
As you can see in the above example, the type of this MYSQL access Log is a QUERY. The MYSQL mode has currently 8 Log types: SESSION_START, SESSION_END, QUERY, PARSE, CLOSE, EXECUTE, BIND, FUNCTION_CALL and some of these types include different detailed information according to their type. You can read more in the API reference.