>What about the case where a slave can communicate with the master, but
>clients of the slave can NOT communicate with the master (because of
>firewall setups)?
>
>Security folks like this setup because the number of slaves is fairly
>static. They are easy to keep track of. But the clients could be any
>machines behind the firewall.
If the slave can update the master by proxy, security-wise this is equivalent
to anybody who connects to the slave being able to do anything a replication
user can on the master. So in that case, this is the same as connecting
directly to the master anyway with slave user privileges. Additionally,
access to the master can be compromised by loose security on the slave. So
while security folks may like this setup, it is actually less secure than
allowing direct connection to the master from all places that are allowed to
connect to slaves.
--
MySQL Development Team
__ ___ ___ ____ __
/ |/ /_ __/ __/ __ \/ / Sasha Pachev <sasha@stripped>
/ /|_/ / // /\ \/ /_/ / /__ MySQL AB, http://www.mysql.com/
/_/ /_/\_, /___/\___\_\___/ Provo, Utah, USA
<___/
