MySQL / MariaDB

Description

The MySQL/MariaDB connector scans a MySQL or MariaDB instance via JDBC (MySQL Connector/J) to discover database user accounts and their global privilege grants. MySQL 8.x and MariaDB 10.x role memberships are discovered where available.

System Type Classification

Field	Value
System Type	Infrastructure
Default Scan Priority	500

Version Support

OrbisID Edition	Supported
Community	No
Pro	Yes
Enterprise	Yes

MySQL/MariaDB scanning requires a Pro or Enterprise licence.

Supported Protocol

Protocol	Port	Notes
JDBC / MySQL Protocol (TCP)	3306 TCP	Default; configurable per instance

What OrbisID Discovers

Data	Source	Minimum Version
User accounts	mysql.user	MySQL 5.7 / MariaDB 10.x
Account lock status	mysql.user.account_locked	MySQL 5.7.6+
Password expiry status	mysql.user.password_expired	MySQL 5.7+
Global privilege flags	mysql.user columns	MySQL 5.7 / MariaDB 10.x
Role memberships	mysql.role_edges	MySQL 8.0+ / MariaDB 10.3+

Privileged Flag Detection

A user is flagged as privileged when any of the following mysql.user columns is set to Y:

Super_priv, Grant_priv, Shutdown_priv, Reload_priv, Process_priv, File_priv, Create_user_priv

Connection Requirements

Credential Requirements

Recommended: Create a dedicated MySQL user for OrbisID with minimal permissions:

-- MySQL / MariaDB
CREATE USER 'orbisid_scanner'@'%' IDENTIFIED BY '<strong-password>';
GRANT SELECT ON mysql.user TO 'orbisid_scanner'@'%';
GRANT SELECT ON mysql.role_edges TO 'orbisid_scanner'@'%';   -- MySQL 8+ / MariaDB 10.3+
FLUSH PRIVILEGES;

Host Binding

Replace % with the OrbisID server IP address for tighter access control (e.g., 'orbisid_scanner'@'10.0.1.50').

Credential Mapping

OrbisID Field	MySQL Value
credential.username	MySQL username
credential.password	MySQL password

System Attributes

Attribute	Required	Default	Description
mysqlDatabase	No	mysql	Initial database to connect to. Account discovery always reads from the mysql system schema regardless of this setting.
mysqlSslMode	No	PREFERRED	SSL mode for the JDBC connection. Values: DISABLED, PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY.

Network Requirements

Requirement	Detail
TCP port 3306	Must be accessible from the OrbisID server (or On-Premise Agent)
MySQL remote connections	The bind-address in my.cnf must not restrict connections from the OrbisID server

Configuration Steps

1. Create the orbisid_scanner user with the grants above
2. Create a Credential in OrbisID:
   • Username: orbisid_scanner
   • Password: The scanning user's password
3. Navigate to Systems → Add System
4. Fill in the fields:

Field	Value
Name	Descriptive name (e.g., MySQL – prod-db01 or MariaDB – prod-db01)
Hostname / IP	MySQL/MariaDB host
Port	3306 (or custom port)
OS Type	MySQL
System Type	Infrastructure
Credential	The scanning credential

5. Optionally, set mysqlSslMode in system attributes
6. Click Test Connection to verify connectivity and authentication
7. Click Save

MariaDB Compatibility

MySQL Connector/J is fully compatible with MariaDB when using the standard jdbc:mysql:// URL. For strict MariaDB-native behaviour (e.g., specific MariaDB features), consider using the On-Premise Agent with a Custom Script scanner backed by the MariaDB JDBC driver.

Troubleshooting

Symptom	Likely Cause	Resolution
Access denied for user	Invalid credentials or host not allowed	Verify the password; check the user's host column in mysql.user — it must match the OrbisID server IP
Connection refused / timeout	Port blocked or bind-address restricts access	Check bind-address in my.cnf; open port 3306 in firewall rules
SELECT command denied … mysql.user	Insufficient privileges	Grant SELECT ON mysql.user to the scanning user
No roles returned	MySQL < 8.0 or mysql.role_edges not accessible	Role discovery is skipped on MySQL 5.x; grant SELECT ON mysql.role_edges on MySQL 8+
SSL error	SSL certificate validation failed	Set mysqlSslMode to DISABLED for testing; use REQUIRED with a valid certificate for production