Oracle Cloud Infrastructure Documentation

MySQL Server

Crash Recovery

MySQL Server supports crash recovery, which ensures durability and enables data recovery in the event of an unexpected server exit.

While this redundancy is advantageous during normal operation of the server, it can lower the performance of large data imports. You can disable the crash recovery processes, temporarily, enabling you to execute DML statements without the overhead of synchronization.
Note

If any component of a standalone DB system fails while crash recovery is disabled, the DB system enters a FAILED state and is unrecoverable. It is recommended to perform a full manual backup before disabling crash recovery. Highly available DB systems in multi-availability domains are more failure resistant but in certain circumstances, can also become unrecoverable.

Disabling crash recovery disables the following:

  • InnoDB redo log
  • Doublewrite buffer
  • Binary log synchronization

If you disable crash recovery, you cannot use the following MySQL HeatWave Service processes:

  • Backups (manual and automatic)
  • DB system stop and restart
Note

It is not recommended to run a DB system without crash recovery except when performing large imports of data.

If crash recovery is disabled when a DB system upgrade operation begins, it is re-enabled for the duration of the upgrade process, and disabled again when the upgrade is finished. The same is true during a failover of a highly available DB system primary to secondary. When the promotion process is complete, crash recovery is disabled again.

Plugins and Components

Certain MySQL Server plugins and components are loaded in the DB system automatically. You do not need to install any of these plugins.

  • MySQL Enterprise Thread Pool: The thread pool plugin provides an alternative thread-handling model designed to reduce overhead and improve performance. See MySQL Enterprise Thread Pool.
  • MySQL Enterprise Audit plugin: The audit plugin enables MySQL Server to produce a log file containing an audit record of server activity. The log contents include when clients connect and disconnect, and what actions they perform while connected, such as which databases and tables they access. You can add statistics for the time and size of each query to detect outliers. You cannot change the default values of the plugin.
    • audit_log_buffer_size: 10485760
    • audit_log_compression: GZIP
    • audit_log_database: mysql_audit
    • audit_log_file: /db/audit/audit.log
    • audit_log_flush_interval_seconds: 60
    • audit_log_format: JSON
    • audit_log_format_unix_timestamp: ON
    • audit_log_max_size: 5368709120
    • audit_log_prune_seconds: 604800
    • audit_log_rotate_on_size: 52428800
    By default, audit plugin logs are disabled, and you have to define filters to enable logging all auditable events for all users. See Defining Audit Plugin Filters. By default, there are few global privileges granted and few privileges revoked from the mysql_audit schema. See Default MySQL Privileges, and MySQL Enterprise Audit Plugin.
  • The connection_control plugin: MySQL Server includes a plugin library that enables administrators to introduce an increasing delay in server response to connection attempts after a configurable number of consecutive failed attempts. The default value of the variables of the connection-control plugin are as follows, and you cannot change the default values:
    • connection_control_failed_connections_threshold : 3
    • connection_control_max_connection_delay: 10000
    • connection_control_min_connection_delay:1000
    See Connection-Control Plugins.
  • The validate_password component: The component serves to improve security by requiring account passwords and enabling strength testing of potential passwords. The default value of the variables of the validate_password component are as follows, and you cannot change the default values:
    • validate_password.check_user_name: ON
    • validate_password.length: 8
    • validate_password.mixed_case_count:1
    • validate_password.number_count:1
    • validate_password.policy: MEDIUM
    • validate_password.special_char_count :1
    See Password Validation Component.
  • Data masking: The general-purpose masking functions mask arbitrary strings, special-purpose masking functions mask specific types of values, and generate functions generate random values. See Data Masking.

MySQL Enterprise Audit Plugin

The MySQL Enterprise Audit plugin enables MySQL Server to produce a log file containing an audit record of server activity. The log content includes when clients connect and disconnect, and what actions they perform while connected, such as which databases and tables they access.

You can add statistics for the time and size of each query to detect outliers. By default, audit plugin logs are disabled, and you have to define audit plugin filters to enable logging auditable events for all or specific users.

Related Topics

Granting Audit Administration Privileges

By default, the MySQL HeatWave administrator user you defined while creating the DB system has the AUDIT_ADMIN privilege. You can grant audit administration privileges to more users.

Using a Command-Line Client

Use a command-line client such as MySQL Client or MySQL Shell to grant audit administration privileges to more users.

  1. Connect to the DB system using the command-line client of your choice.
  2. Run the following command to grant the user, User001, the audit administration privilege:
    GRANT AUDIT_ADMIN ON *.* TO <User001>;

Defining Audit Plugin Filters

You have to define audit plugin filters to enable logging auditable events for all or specific users. By default, audit plugin logs are disabled.

Using a Command-Line Client

Use a command-line client such as MySQL Client or MySQL Shell to define audit plugin filters to enable logging auditable events for all or specific users.

This task requires the following:
  • MySQL version 8.0.34-u2 or higher.
  1. Connect to the DB system using the command-line client of your choice.
  2. Define audit filters to enable logging. See Writing Audit Log Filter Definitions.
    1. To audit all events, run the following command:
      SELECT audit_log_filter_set_filter('log_all', '{ "filter": { "log": true } }');
    2. To audit connection events only, run the following command:
      SELECT audit_log_filter_set_filter('log_conn_events','{ "filter": { "class": { "name": "connection" } } }');
    3. To view audit filters, run the following command:
      SELECT * FROM mysql_audit.audit_log_filter;
  3. Assign the filters you created in Step 2 to users. You can assign the audit filters to all users or to a specific user.
    1. To assign the default audit filter to log all events from any account, use the wildcard character %:
      SELECT audit_log_filter_set_user('%', 'log_all');
    2. To assign the default audit filter to log all connect events from any account, use the wildcard character %:
      SELECT audit_log_filter_set_user('%', 'log_conn_events');
    3. To assign the default audit filter to log all events from a specific user such as user_dba, run the following command:
      SELECT audit_log_filter_set_user('user_dba@%', 'log_all');
    4. To view the assigned rules, run the following command:
      SELECT * FROM mysql_audit.audit_log_user;
    5. To unassign the rules from the user, user_dba, run the following command:
      SELECT audit_log_filter_remove_user('user_dba@%');
  4. (Optional) You can insert your own event data with the component, audit_api_message_emit. See Audit Message Function. For example:
    SELECT audit_api_message_emit_udf('component_text', 'producer_text', 'message_text', 'key1', 'value1', 'key2', 123, 'key3', NULL) AS 'Message';

Accessing and Analyzing Audit Data

Use the audit data to monitor the DB system.

Using a Command-Line Client

Use a command-line client such as MySQL Client or MySQL Shell to access and analyze audit data.

  1. Connect to the DB system using the command-line client of your choice.
  2. To view any new logs since you last checked, run the following command. This ensures you are always updated with the latest audit logs without revisiting older logs.
    SELECT audit_log_read(audit_log_read_bookmark());
  3. To extract audit logs starting from a particular timestamp, provide additional parameters within the audit_log_read() function:
    SELECT audit_log_read('{ "start": { "timestamp": "2023-08-24 12:30:00" }, "max_array_length": 500 }');
  4. To view the audit data in an easier to read format, use the JSON_PRETTY() and CONVERT() functions:
    SELECT JSON_PRETTY(CONVERT(audit_log_read( ... ) USING UTF8MB4));
  5. To transform data to tabular format, use the MySQL JSON functions. For example, you can transform a subset of the JSON name-value pairs into a structured table format, making it easier to interact with and analyze data:
    SELECT @@server_uuid as server_uuid, ts, class, event, login_ip,login_user,connection_id,
 status,connection_type,_client_name,_client_version,
 command,sql_command,command_status
FROM
JSON_TABLE
(
  AUDIT_LOG_READ( '{ "start": {\"timestamp\": \"2023-08-16 15:33:37\"}, \"max_array_length\": 10 }' ), 
  '$[*]'
  COLUMNS
  ( 
    ts TIMESTAMP PATH '$.timestamp',
    class VARCHAR(20) PATH '$.class',
    event VARCHAR(80) PATH '$.event',      
    login_ip VARCHAR(200) PATH '$.login.ip',
    login_user VARCHAR(200) PATH '$.login.user',
    connection_id VARCHAR(80) PATH '$.connection_id',
    status INT PATH '$.connection_data.status',
    connection_type VARCHAR(40) PATH '$.connection_data.connection_type',
    _client_name VARCHAR(80) PATH '$.connection_data.connection_attributes._client_name',
    _client_version VARCHAR(80) PATH '$.connection_data.connection_attributes._client_version',
    command VARCHAR(40) PATH '$.general_data.command',
    sql_command VARCHAR(40) PATH '$.general_data.sql_command',
    command_status VARCHAR(40) PATH '$.general_data.status'
   )) as audit_log;
  6. To further refine the data extraction, use WHERE clauses in the SQL statements. For example, WHERE connection_type <> 'SSL'.

Data Masking

MySQL HeatWave Service supports various MySQL data masking functions that mask data to remove identifying characteristics and generate random data with specific characteristics.

MySQL HeatWave Service supports the following data masking functions:

  • gen_range
  • gen_rnd_email
  • gen_rnd_ssn
  • gen_rnd_us_phone
  • mask_inner
  • mask_outer
  • mask_pan
  • mask_pan_relaxed
  • mask_ssn

MySQL HeatWave Service does not support the following data masking functions:

  • gen_blocklist
  • gen_dictionary
  • gen_dictionary_drop
  • gen_dictionary_load
  • gen_rnd_pan

Reserved Usernames

Certain usernames are reserved and you cannot use them for the administrator username.

  • administrator
  • ociadmin
  • ocirpl
  • mysql.sys
  • mysql.session
  • mysql.infoschema

MySQL Server Versions

With the new MySQL versioning model, you have the flexibility to select an innovation or a bug fix release (while creating or editing a DB system) as per the application and environment needs. Both the releases are production-grade quality.

Innovation Releases

If you desire access to the latest features and improvements and enjoy staying on top of the latest technologies, then MySQL innovation releases are the best fit for you. These releases are ideal for developers and database administrators working in fast-paced environments with high levels of automated tests and modern continuous integration techniques for faster upgrade cycles. For example, MySQL 8.1.0 is the first innovation release. If you want the latest features, improvements, and all bug fixes for the MySQL database, use the innovation release track, 8.1.x, 8.2.x, 8.3.x, and so on.

Bug Fix Releases

Bug fix releases contain only necessary fixes, so they reduce the risks associated with changes in the database software's behavior. For example, 8.0.x is a bug fix release.

To view the most recent innovation and bug fix release versions, see the Release Notes.

To update the MySQL version of a DB system, see Creating a DB System and Editing a DB System.

Retrieving the Version of a MySQL Server

Retrieve the version of a MySQL Server. MySQL HeatWave Service supports the two most recent release versions of MySQL.

Using a Command-Line Client

Use a command-line client such as MySQL Client or MySQL Shell to retrieve the version of a MySQL Server.

  1. Connect to the DB system using the command-line client of your choice.
  2. Run the following command:
    SELECT @@version;
You get a response similar to the following:
 SELECT @@version;
+-----------------+
| @@version       |
+-----------------+
| 8.0.34-u1-cloud |
+-----------------+
1 row in set (0.1687 sec)

8.0.34-u1-cloud is a MySQL Server version.

  • First number: Specifies the major release number such as 8.
  • Second number: Specifies the minor release number such as 0. The major and minor numbers together constitute the release series number. The series number describes the stable feature set.
  • Third number: Specifies the patch number within the release series such as 34. This is incremented for each new bug fix release.
  • u*: Specifies the MySQL HeatWave Service-specific update number such as u1. Fixes and feature development for the Oracle Cloud Infrastructure version of MySQL Server are delivered according to a different schedule to the on-premise version.
  • cloud: Specifies that this version of MySQL server was built for use in MySQL HeatWave Service only.

Default MySQL Privileges

Related Topics

Listing Privileges Using a Command-Line Client

Use a command-line client such as MySQL Client or MySQL Shell to list the privileges granted to a user.

  1. Do one of the following to list the privileges granted to a user:
    • To view the privileges granted to the current user, run the following command:
      SHOW GRANTS \G
    • To view the privileges granted to a named user, run the following command:
      SHOW GRANTS FOR <Username> \G
    If the command was run for an administrator user, User001, the command returns the following:
    *************************** 1. row ***************************
Grants for User001@%: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, 
PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, 
LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, 
SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, 
CREATE ROLE, DROP ROLE ON *.* TO `User001`@`%` WITH GRANT OPTION
*************************** 2. row ***************************
Grants for User001@%: GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,
CONNECTION_ADMIN,FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,
REPLICATION_APPLIER,ROLE_ADMIN,XA_RECOVER_ADMIN ON *.* TO `User001`@`%` WITH GRANT OPTION
*************************** 3. row ***************************
Grants for User001@%: REVOKE INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, 
INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW,
 CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `mysql`.* FROM `User001`@`%`
*************************** 4. row ***************************
Grants for User001@%: REVOKE CREATE, DROP, REFERENCES, INDEX, ALTER, 
CREATE TEMPORARY TABLES, LOCK TABLES, CREATE VIEW, CREATE ROUTINE, 
ALTER ROUTINE, EVENT, TRIGGER ON `mysql_audit`.* FROM `User001`@`%`
*************************** 5. row ***************************
Grants for User001@%: REVOKE CREATE, DROP, REFERENCES, INDEX, ALTER, 
CREATE TEMPORARY TABLES, LOCK TABLES, CREATE VIEW, CREATE ROUTINE, 
ALTER ROUTINE, EVENT, TRIGGER ON `sys`.* FROM `User001`@`%`
*************************** 6. row ***************************
Grants for User001@%: GRANT PROXY ON ``@`` TO `User001`@`%` WITH GRANT OPTION
*************************** 7. row ***************************
Grants for User001@%: GRANT `administrator`@`%` TO `User001`@`%` WITH ADMIN OPTION
7 rows in set (0.11 sec)

    The rows correspond to the following:

Global Static Privileges Granted

Certain global static MySQL privileges are granted to the DB system administrator.

Table 5-3 Global Static Privileges Granted

Global Static Privileges Granted
ALTER ALTER ROUTINE
CREATE CREATE ROLE
CREATE ROUTINE CREATE TEMPORARY TABLES
CREATE USER CREATE VIEW
DELETE DROP
EVENT EXECUTE
INDEX INSERT
LOCK TABLES PROCESS
REFERENCES REPLICATION CLIENT
REPLICATION SLAVE SELECT
SHOW DATABASES SHOW VIEW
TRIGGER UPDATE

Global Dynamic Privileges Granted

Certain global dynamic MySQL privileges are granted to the DB system administrator.

Table 5-4 Global Dynamic Privileges Granted

Global Dynamic Privileges
APPLICATION_PASSWORD_ADMIN AUDIT_ADMIN
FLUSH_TABLES CONNECTION_ADMIN
FLUSH_OPTIMIZER_COSTS REPLICATION_APPLIER
FLUSH_USER_RESOURCES FLUSH_STATUS
ROLE_ADMIN XA_RECOVER_ADMIN
BACKUP_ADMIN  

Privileges Revoked from mysql Schema

Certain privileges are revoked from the mysql schema. You cannot grant these privileges to any DB system user.

Table 5-5 Privileges Revoked from mysql Schema

Privileges Revoked from mysql Schema
INSERT UPDATE
DELETE CREATE VIEW
DROP REFERENCES
INDEX ALTER
CREATE TEMPORARY TABLES LOCK TABLES
CREATE VIEW CREATE ROUTINE
EXECUTE ALTER ROUTINE
TRIGGER EVENT

Related Topics

Privileges Revoked from mysql_audit Schema

Certain privileges are revoked from the mysql_audit schema. You cannot grant these privileges to any DB system user.

Table 5-6 Privileges Revoked from mysql_audit Schema

Privileges Revoked from mysql_audit Schema
ALTER ALTER ROUTINE
CREATE CREATE ROUTINE
CREATE TEMPORARY TABLES CREATE VIEW
DROP EVENT
INDEX LOCK TABLES
REFERENCES TRIGGER

Related Topics

Privileges Revoked from sys Schema

Certain privileges are revoked from the sys schema. You cannot grant these privileges to any DB system user.

Table 5-7 Privileges Revoked from sys Schema

Privileges Revoked from sys Schema
ALTER ALTER ROUTINE
CREATE CREATE ROUTINE
CREATE TEMPORARY TABLES CREATE VIEW
DROP EVENT
INDEX LOCK TABLES
REFERENCES TRIGGER

Related Topics

Unsupported Features

Some features of MySQL Server are not natively supported in MySQL HeatWave Service, but you can use the alternative functionalities.

Table 5-8 Unsupported Features

Self-Managed MySQL Server MySQL HeatWave Service
Setting global variables or persisted system variables (SET PERSIST) Use MySQL HeatWave Configurations. See Configuration of a DB System.
Direct modification of system tables (mysql schema) Not supported.
Error logging to system log Limited to SQL access. No direct file access. See Viewing the Error Log.
Binary log access Limited to SQL access. No direct file access. Use SHOW BINLOG EVENTS or mysqlbinlog --read-from-remote-server
Audit log access Limited to SQL access. No direct file access.
Slow query log Not supported. Use SYS, PERFORMANCE_SCHEMA tables, or Audit query statistics. See MySQL Enterprise Audit Plugin.
Group replication plugin Use high availability. See High Availability.
Asynchronous replication (inbound) Use MySQL HeatWave Channels. See Inbound Replication.
Replication filters Use MySQL HeatWave Channels filters. See Channel Filter Rules.
Delayed replication Use MySQL HeatWave Channels delay. See Creating a Replication Channel.
Multi-source replication Not supported.
Semisynchronous replication Not supported.
Transportable tablespace Not supported.
READ ONLY and SUPER READ ONLY Not supported.
InnoDB Tablespace Encryption (TDE) MySQL HeatWave volumes are always encrypted at rest using keys managed by Oracle. Customers managed keys are not supported. See Data Security.
Authentication Plugins Use OCI IAM integration. See Authenticating Using authentication_oci Plugin and Plugins and Components.
Custom TLS certificates Use OCI Certificates integration. See Advanced Option: Connections.
Password Validation Plugin Available, but currently not configurable. Implement password policies at the application level when necessary. See Plugins and Components.
Granting privileges using wildcards You must use fully-qualified database grants. By default, the system variable partial-revokes is enabled and you cannot disable it. As a result, wildcards in database name are treated literally. See partial_revokes.
Adding loadable functions - previously known as User-Defined Functions (UDFs) Not supported.