MySQL proxy

    Attention

    The mysql_proxy filter is experimental and is currently under active development. Capabilities will be expanded over time and the configuration structures are likely to change.

    Warning

    The mysql_proxy filter was tested with MySQL v5.7. The filter may not work with other versions of MySQL due to differences in the protocol implementation. The filter won’t work when client turns on ssl communication.

    The MySQL proxy filter should be chained with the TCP proxy filter as shown in the configuration snippet below:

    Every configured MySQL proxy filter has statistics rooted at mysql.<stat_prefix>. with the following statistics:

    The MySQL filter emits the following dynamic metadata for each SQL query parsed:

    Name

    Type

    Description

    <table.db>

    string

    The resource name in table.db format. The resource name defaults to the table being accessed if the database cannot be inferred.

    []

    list

    A list of strings representing the operations executed on the resource. Operations can be one of insert/update/select/drop/delete/create/alter/show.

    The dynamic metadata emitted by the MySQL filter can be used in conjunction with the RBAC filter to control accesses to individual tables in a database. The following configuration snippet shows an example RBAC filter configuration that denies SQL queries with _update_ statements to the _catalog_ table in the _productdb_ database.

    2. - filters:
    3.   - name: envoy.filters.network.mysql_proxy
    4.     typed_config:
    5.       "@type": type.googleapis.com/envoy.extensions.filters.network.mysql_proxy.v3.MySQLProxy
    6.       stat_prefix: mysql
    7.   - name: envoy.filters.network.rbac
    8.       "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
    9.       stat_prefix: rbac
    11.         action: DENY
    12.         policies:
    13.           "product-viewer":
    14.             permissions:
    15.             - metadata:
    16.                 filter: envoy.filters.network.mysql_proxy
    17.                 path:
    18.                 - key: catalog.productdb
    20.                     one_of:
    21.                       string_match:
    22.                         exact: update
    23.             principals:
    24.             - any: true
    25.   - name: envoy.filters.network.tcp_proxy
    26.     typed_config:
    27.       "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
    28.       stat_prefix: tcp