Securing Access to Facebook's Databases

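Since the beginning, Facebook has used a conventional username/password to secure access to MySQL instances. Over the past few years, we have been working on moving to X509 TLS client certificate authenticated connections. Given the many languages and system types at Facebook that use MySQL in some way, this required changes from a large number of teams.
This is part technical overview of how our new solution works, and part hard-learned tricks for getting an entire company to change its underlying MySQL client libraries.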

1. Securing Access to Facebook's Databases A multi-year journey
 presented by Andrew Regner

2. Securing Access to Facebook's Databases

3.Words

4.Words

5.Words

6.Words

7.MySQL Security c. 2004

8.MySQL Security c. 2015

9.Know how x509 works?

10.x509 - pub/priv

11.x509 - signing

12.x509 - handshake

13.The ACLs

14.The ACLs

15.The ACLs

16.Client Identities

17.Life of a Connection

18.Life of a Connection

19.Life of a Connection

20.Life of a Connection

21.Life of a Connection

22.Life of a Connection

23.
+-----------------------------------------------------------------------------------------------------------+
| Grants for readonly:xdb@%                                                                                 |
+-----------------------------------------------------------------------------------------------------------+
| GRANT SELECT, SHOW VIEW ON `potatoes_17`.* TO 'readonly:xdb'@'%' REQUIRE SUBJECT '/CN=mysql:readonly:xdb' |
+-----------------------------------------------------------------------------------------------------------+

24.Generating Grants - shards
+-----------------------------------------------------------------------------------------------------------+
| Grants for readonly:xdb@%                                                                                 |
+-----------------------------------------------------------------------------------------------------------+
| GRANT SELECT, SHOW VIEW ON `potatoes_17`.* TO 'readonly:xdb'@'%' REQUIRE SUBJECT '/CN=mysql:readonly:xdb' |
+-----------------------------------------------------------------------------------------------------------+

25.Generating Grants - universal

26.SSL Problems at Scale

27.SSL Problems at Scale

28.SSL Problems at Scale

29.SSL Problems at Scale