Transactd Security

There are two ways to authenticate Transactd clients.

There are also two ways to register users, hosts and access privileges: with the MySQL command line client, or with Transactd itself. This page uses the MySQL command line client.

Authentication by host address

The IP address of the client host is authenticated. No username or password is required.

Authentication by host address is the default. It is used when transactd_auth_type="" is set in my.cnf, or when the setting is omitted.

Setting host permission to access Transactd

Run the following commands from the MySQL command line client to register the host(s) allowed to access the server:

CREATE USER root@192.168.0.10, root@192.168.0.11;
GRANT USAGE ON *.* TO root@192.168.0.10, root@192.168.0.11;

In the example above, access from 192.168.0.10 and 192.168.0.11 is allowed.

root here is a proxy username. It is needed because the MySQL GRANT statement identifies an account as username@host.

The proxy username is root by default. To change it, set transactd_hostcheck_username = "username" in my.cnf.

Host names such as host.domain.com cannot be used. This avoids delays or failures caused by DNS lookups.

Specify address range

You can also specify a range of addresses (a class A, B or C network).

CREATE USER root@'192.168.0.0/255.255.255.0';
GRANT USAGE ON *.* TO root@'192.168.0.0/255.255.255.0';

For a class C network, append .0/255.255.255.0 to the class C prefix. Similarly, append .0.0/255.255.0.0 for class B and .0.0.0/255.0.0.0 for class A. An address range narrower than class C is not available; for example, 192.168.0.0/255.255.240.0 is not available.

You can also use the % wildcard: 192.168.0.% for class C, 192.168.% for class B and 10.% for class A. These host formats are the same as the host formats in MySQL.
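The following block is an added example, not part of the Transactd documentation. It registers individual hosts, a class C network in netmask form and a class B network in wildcard form under the default proxy user root, then lists what is registered. All addresses are constructed sample values.

```sql
-- Added example: host-address authentication setup with the default proxy user "root".
-- Addresses are constructed sample values; replace them with your own client hosts.

-- One entry per individual client host.
CREATE USER 'root'@'192.168.0.10', 'root'@'192.168.0.11';
GRANT USAGE ON *.* TO 'root'@'192.168.0.10', 'root'@'192.168.0.11';

-- A whole class C network in netmask form ...
CREATE USER 'root'@'192.168.1.0/255.255.255.0';
GRANT USAGE ON *.* TO 'root'@'192.168.1.0/255.255.255.0';

-- ... and a class B network in wildcard form. Both are ordinary MySQL host formats.
CREATE USER 'root'@'10.20.%';
GRANT USAGE ON *.* TO 'root'@'10.20.%';

-- List the hosts currently registered for the proxy user. Under host authentication
-- every host listed here has privileges for all Transactd operations, so this query
-- is the one to run when auditing who can reach the server.
SELECT user, host FROM mysql.user WHERE user = 'root' ORDER BY host;

-- These proxy accounts were created without IDENTIFIED BY, so they carry no password
-- and only USAGE: an ordinary MySQL client at one of these addresses can log in but
-- holds no MySQL privileges. Keep the address list as narrow as the deployment allows.

-- Withdraw a host's access by dropping its entry.
DROP USER 'root'@'192.168.0.11';
```

Run the statements as a MySQL account that may create users (for example from the MySQL command line client), then re-run the SELECT to confirm the host list matches what you intend to allow.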

Access privileges

With host authentication, only the host address is checked; the privileges for individual operations are not. A host that is allowed to access the database has privileges for all operations.

Authentication by combination of users and hosts

Authentication by a combination of user and host is compatible with MySQL's native_password. The usernames and passwords of MySQL clients can be used in Transactd.

This authentication is used when transactd_auth_type="mysql_native" is specified in my.cnf.

A client that is allowed to connect can perform operations within its privileges.

Specify username and password at connection

Three APIs, nsdatabase::connect(), nsdatabase::create() and nsdatabase::open(), accept a username and password. Specify them in the URI parameter:

tdap://username@server/database?dbfile=schema&pwd=password

Access privileges

Access privileges are almost the same as in MySQL; see the MySQL documentation for details. However, privileges for features that Transactd does not have (e.g. triggers) are ignored. In addition, per-column access privileges are currently not used.

Privilege table

Access privileges are stored in mysql.user (global), mysql.db (database) and mysql.tables_priv (table). The effective privileges are the OR of these three levels.

Use wildcards in database.table form to address the global, database or table level. Three forms, *.*, database.* and database.table, can be specified after GRANT ... ON.

For example, to restrict each user to its own database, grant no global privileges in mysql.user and set the privileges in mysql.db:

CREATE USER username@host IDENTIFIED BY 'set_your_password';
GRANT USAGE ON *.* TO username@host;
GRANT ALL PRIVILEGES ON databasename.* TO username@host;
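The following block is an added example, not part of the Transactd documentation. It builds on the privilege-table description above and the statements just shown: two least-privilege accounts for transactd_auth_type="mysql_native", one read-only and one application account, each confined to a single database, with a table-level grant to show how the three privilege levels are OR'ed together. The account names, hosts, database and table names are constructed placeholders.

```sql
-- Added example: per-database, least-privilege accounts for mysql_native authentication.
-- Names, hosts, passwords and the "sales" database are constructed placeholders.

-- Reporting account: may only read one database, and only from one subnet.
CREATE USER 'report'@'192.168.0.%' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT USAGE ON *.* TO 'report'@'192.168.0.%';       -- nothing at the global level (mysql.user)
GRANT SELECT ON sales.* TO 'report'@'192.168.0.%';  -- database level (mysql.db)

-- Application account: full access to its own database, nothing elsewhere.
CREATE USER 'app'@'192.168.0.20' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT USAGE ON *.* TO 'app'@'192.168.0.20';
GRANT ALL PRIVILEGES ON sales.* TO 'app'@'192.168.0.20';

-- Table-level grant (mysql.tables_priv) so the reporting account can append to one table.
GRANT INSERT ON sales.audit_log TO 'report'@'192.168.0.%';

-- Effective privileges are the OR of the three levels: 'report' can now SELECT on every
-- table in sales (from mysql.db) and additionally INSERT into sales.audit_log
-- (from mysql.tables_priv). SHOW GRANTS lists each level on its own line.
SHOW GRANTS FOR 'report'@'192.168.0.%';
SHOW GRANTS FOR 'app'@'192.168.0.20';

-- Column-level privileges (mysql.columns_priv) are not used by Transactd, so a grant such as
--   GRANT SELECT (customer_name) ON sales.customers TO 'report'@'192.168.0.%';
-- is accepted by MySQL but must not be relied on to hide columns from Transactd clients.

-- Withdraw the table-level grant again; the reporting account is back to read-only.
REVOKE INSERT ON sales.audit_log FROM 'report'@'192.168.0.%';

-- Privilege information is cached per opened database, so a client that already has
-- "sales" open keeps its old privileges until it reopens the database.
```

Each account connects with a URI of the form tdap://report@server/sales?dbfile=schema&pwd=... and can only perform the operations granted here; the two SHOW GRANTS statements are the quickest way to confirm that no global privilege slipped in.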

When changes will be enabled

Access privilege information is cached in the server. Changes take effect at:

For example, if you change global access privileges, the change applies to databases opened after that. It does not apply to databases that were already open.