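Since the beginning, Facebook has used a conventional username/password to secure access to MySQL instances. Over the past few years, we have been working toward X509 TLS client certificate authenticated connections. Given the many languages and types of systems at Facebook that use MySQL in some way, this required changes from a large number of teams.
This is part technical overview of how our new solution works, and part hard-learned tricks for getting an entire company to change the MySQL client libraries underneath them.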
1. Securing Access to Facebook's Databases A multi-year journey presented by Andrew Regner
2. Securing Access to Facebook's Databases
3. Words
4. Words
5. Words
6. Words
7. MySQL Security c. 2004
8. MySQL Security c. 2015
9. Know how x509 works?
10. x509 - pub/priv
11. x509 - signing
12. x509 - handshake
13. The ACLs
14. The ACLs
15. The ACLs
16. Client Identities
17. Life of a Connection
18. Life of a Connection
19. Life of a Connection
20. Life of a Connection
21. Life of a Connection
22. Life of a Connection
23.
+-----------------------------------------------------------------------------------------------------------+
| Grants for readonly:xdb@%                                                                                 |
+-----------------------------------------------------------------------------------------------------------+
| GRANT SELECT, SHOW VIEW ON `potatoes_17`.* TO 'readonly:xdb'@'%' REQUIRE SUBJECT '/CN=mysql:readonly:xdb' |
+-----------------------------------------------------------------------------------------------------------+
24. Generating Grants - shards
+-----------------------------------------------------------------------------------------------------------+
| Grants for readonly:xdb@%                                                                                 |
+-----------------------------------------------------------------------------------------------------------+
| GRANT SELECT, SHOW VIEW ON `potatoes_17`.* TO 'readonly:xdb'@'%' REQUIRE SUBJECT '/CN=mysql:readonly:xdb' |
+-----------------------------------------------------------------------------------------------------------+
25. Generating Grants - universal
26. SSL Problems at Scale
27. SSL Problems at Scale
28. SSL Problems at Scale
29. SSL Problems at Scale