Update Security Compatibility with MySQL
dveeden committed Jul 12, 2021
1 parent 89646b2 commit 19a424c
Showing 2 changed files with 24 additions and 2 deletions.
20 changes: 18 additions & 2 deletions security-compatibility-with-mysql.md
Expand Up @@ -8,9 +8,25 @@ aliases: ['/docs/dev/security-compatibility-with-mysql/','/docs/dev/reference/se

TiDB supports similar security functionality to MySQL 5.7, with the following exceptions:

- Only the `mysql_native_password` password-based and certificate-based authentication is supported
- External authentication (such as with LDAP) is not currently supported
- Column level permissions are not supported
- Password expiry, as well as password last-changed tracking and password lifetime are not supported [#9709](https://github.com/pingcap/tidb/issues/9709)
- The permission attributes `max_questions`, `max_updated`, `max_connections`, `max_user_connections` are not supported
- Password validation is not currently supported [#9741](https://github.com/pingcap/tidb/issues/9741)

## Authentication plugin status

Authentication in TiDB supports multiple authentication methods. The authentication method can be specified on a per user basis with [`CREATE USER`](/sql-statements/sql-statement-create-user.md) and [`ALTER USER`](/sql-statements/sql-statement-create-user.md). These authentication methods are compatible with the authentication methods of MySQL with the same name.

The default authentication method the server advertises during connection establishment can be set with the [`default_authentication_format`](/system-variables.md#default_authentication_format).

| Authentication Method | Supported |
| :------------------------| :--------------- |
| `mysql_native_password` | Yes |
| `sha256_password` | No |
| `caching_sha2_password` | Yes, since 5.2.0 |
| `auth_socket` | No |
| TLS Certificates | Yes |
| LDAP | No |
| PAM | No |
| ed25519 (MariaDB) | No |
| GSSAPI (MariaDB) | No |
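
Review bot: The link in the "default authentication method" paragraph names `default_authentication_format` and points at `/system-variables.md#default_authentication_format`, but the variable this commit adds to system-variables.md is `default_authentication_plugin`, so both the name and the anchor are wrong and the link will not resolve. Change both to `default_authentication_plugin`. In the paragraph above it, the `ALTER USER` link also targets `/sql-statements/sql-statement-create-user.md`, the same file as `CREATE USER`; it should point at the ALTER USER statement page.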
6 changes: 6 additions & 0 deletions system-variables.md
Expand Up @@ -127,6 +127,12 @@ mysql> SELECT * FROM t1;
- This variable indicates the location where data is stored. This location can be a local path or point to a PD server if the data is stored on TiKV.
- A value in the format of `ip_address:port` indicates the PD server that TiDB connects to on startup.

### default_authentication_plugin

- Scope: GLOBAL
- Default value: `mysql_native_password`
- This variable sets the authentication method that the server advertises when the server-cient connection is being established. Possible values for this variable are documented in [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status)

### ddl_slow_threshold

- Scope: INSTANCE
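
Review bot: In the description bullet of the new `default_authentication_plugin` entry, "server-cient" should be "server-client", and the sentence is missing its closing period. The bullet also defers "possible values" to the Authentication plugin status table, which lists methods marked "No" as well as supported ones; say explicitly that only the methods marked as supported there are valid values, so a reader does not try to set an unsupported plugin as the server default.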