Prevent non-replication writes to MySQL slave?

mysql mysql-replication replication

We have some MySQL database servers set up with row-based replication, for performance. The software writes to the master, and reads from either the master or the slave. Everything's working great, for the most part.

It's my understanding that MySQL will allow writes to the slave, even though it knows it's a MySQL slave. Ideally, I'd kind of like to close this, so even if somebody writes some bad code that gets a read-connection and does an UPDATE, it will throw an error rather than put data on the slave.

Is there a way to do this in MySQL? Obviously we'd like to make this impossible from our software, as well, but like a firewall on our servers, I'd like to be as defensive as possible.

Thanks!


Enable the read-only option in my.cnf. It can also be specified as a flag on the command line using --read-only with mysqld.


As an alternative to setting read_only=1 (e.g. when there are other scratchpad/reporting/development databases on the slave instance), I sometimes strip all privileges other than SELECT from all users to the DB that I am replicating.

That is, after running the GRANT command on the master, I run the REVOKE command on the slave.


As of MySQL 5.7.8, there is now a super_read_only option, which prevents even SUPER users from performing client updates. It does not disrupt the replication process. As with other settings, it can be set:

  • in command line format (--super_read_only=ON),
  • as a variable in my.cnf (super_read_only=1), or
  • from the client prompt (SET GLOBAL super_read_only = 1;).

Note that:

  • Enabling super_read_only implicitly enables read_only
  • Disabling read_only implicitly disables super_read_only

Some caveats:

  • Neither read_only nor super_read_only will prevent operations on temporary tables.
  • They will not prevent metadata operations like ANALYZE TABLE and OPTIMIZE TABLE.
  • Bugs for certain queries with super_read_only enabled have been reported.

Reference: https://www.percona.com/blog/2016/09/27/using-the-super_read_only-system-variable/


As the first post somewhat suggests, you do it with permissions. Read-only option does not work for super users as an FYI and its also not really a workable solution for a slave where you want to prevent writes. You need to prevent writes with user/database/table permissions. For one, the replication user still must be able to write to the slave to keep it in sync with the master. Better way to control writes is you need to revoke options that allow writes (ie- inserts, creates, etc.) for the user in question that should be doing reads only on the slave.

Related

"Error 1067: The process terminated unexpectedly" when trying to install MySQL on Win7 x64 [closed]
How to exclude certain directories while using wget?
Forcing CloudFront to pass-through the latest HTML file from S3
nginx pcre_compile error when using quantifiers
Should we mount with data=writeback and barrier=0 on ext3?
Why is ansible notify not working?
How do I handle abuse reports as an ISP?
SQL Server - Force DB in memory?
How can you shrink an XFS filesystem?
How to recursively move all files (including hidden) in a subfolder into a parent folder in *nix?
Why after deleting a 110+ GB collection, my /var/lib/mongodb directory still have same size?
serve all requests via proxy *except* a specific one