Documentation Home
MySQL 9.2 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 40.8Mb
PDF (A4) - 40.9Mb
Man Pages (TGZ) - 259.7Kb
Man Pages (Zip) - 366.9Kb
Info (Gzip) - 4.1Mb
Info (Zip) - 4.1Mb


MySQL 9.2 Reference Manual  /  ...  /  Connection Control Component Configuration

8.4.2.2 Connection Control Component Configuration

The Connection Control component exposes the following system variables:

If component_connection_control.failed_connections_threshold is greater than zero, counting of failed connections and thus connection control is enabled, and applies as follows for each user account:

The Connection Control component also exposes a status variable; Component_connection_control_delay_generated is the number of times the server has added a delay to its response to a failed connection attempt. This does not count attempts that occur before reaching the limit set by the component_connection_control.failed_connections_threshold system variable, since no delay was imposed for these attempts.

This variable provides a simple counter. You can obtain more detailed connection control monitoring information from the Performance Schema the connection_control_failed_login_attempts table.

Assigning a value to component_connection_control.failed_connections_threshold at runtime resets Component_connection_control_delay_generated to zero.

When the component_connection_control component is installed, it checks connection attempts and tracks whether they fail or succeed. For this purpose, a failed connection attempt is one for which the client user and host match a known MySQL account but the provided credentials are incorrect, or do not match any known account.

Proxies.  Counting of failed connection attempts is based on the combination of user name and host name (user@host) used for each connection attempt. Determination of the applicable user name and host name takes proxying into account, as follows:

  • If the client user proxies another user, the account for failed-connection counting is the proxying user, not the proxied user. For example, if [email protected] proxies [email protected], connection counting uses the proxying user, [email protected], rather than the proxied user, [email protected]. Both [email protected] and [email protected] must have valid entries in the mysql.user system table and a proxy relationship between them must be defined in the mysql.proxies_priv system table (see Section 8.2.19, “Proxy Users”).

  • If the client user does not proxy another user, but does match a mysql.user entry, counting uses the CURRENT_USER() value corresponding to that entry. For example, if a user user1 connecting from a host host1.example.com matches a [email protected] entry, counting uses [email protected]. If the user matches a user1@%.example.com, user1@%.com, or user1@% entry instead, counting uses user1@%.example.com, user1@%.com, or user1@%, respectively.

For the cases just described, the connection attempt matches some mysql.user entry, and whether the request succeeds or fails depends on whether the client provides the correct authentication credentials. For example, if the client presents an incorrect password, the connection attempt fails.

If the connection attempt matches no mysql.user entry, the attempt fails. In this case, no CURRENT_USER() value is available and connection-failure counting uses the user name provided by the client and the client host as determined by the MySQL server. For example, if a client attempts to connect as user user2 from host host2.example.com, the user name part is available in the client request and the server determines the host information. The user/host combination used for counting is [email protected].

Note

The MySQL server maintains information about which client hosts can possibly connect to the server (essentially the union of host values for mysql.user entries). If a client attempts to connect from any other host, the server rejects the attempt at an early stage of connection setup:

ERROR 1130 (HY000): Host 'host_name' is not
allowed to connect to this MySQL server

This type of rejection occurs before password authentication is attempted; thus, the Connection Control component does not see it, and it is not included in the count shown by Component_connection_control_delay_generated or in the performance_schema.connection_control_failed_login_attempts table.

Failure monitoring.  You can use the following information sources to monitor failed connections:

Assigning a value to component_connection_control.failed_connections_threshold at runtime has the effects listed here: