Skip to content

Commit

Permalink
Update Security Compatibility with MySQL
Browse files Browse the repository at this point in the history
Related to pingcap/tidb#24991

Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com>
  • Loading branch information
dveeden and TomShawn committed Jul 20, 2021
1 parent 9300917 commit fbc92d9
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 2 deletions.
22 changes: 20 additions & 2 deletions security-compatibility-with-mysql.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,27 @@ aliases: ['/docs/dev/security-compatibility-with-mysql/','/docs/dev/reference/se

TiDB supports similar security functionality to MySQL 5.7, with the following exceptions:

- Only the `mysql_native_password` password-based and certificate-based authentication is supported
- External authentication (such as with LDAP) is not currently supported
- Column level permissions are not supported
- Password expiry, as well as password last-changed tracking and password lifetime are not supported [#9709](https://github.com/pingcap/tidb/issues/9709)
- The permission attributes `max_questions`, `max_updated`, `max_connections`, `max_user_connections` are not supported
- Password validation is not currently supported [#9741](https://github.com/pingcap/tidb/issues/9741)

## Authentication plugin status

TiDB supports multiple authentication methods. These methods can be specified on a per user basis using [`CREATE USER`](/sql-statements/sql-statement-create-user.md) and [`ALTER USER`](/sql-statements/sql-statement-create-user.md). These methods are compatible with the authentication methods of MySQL with the same names.

You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_format`](/system-variables.md#default_authentication_format) variable. Support for TLS authentication is configured differently, for that see [Enable TLS between TiDB Clients and Servers](https://docs.pingcap.com/tidb/stable/enable-tls-between-clients-and-servers).

| Authentication Method | Supported |
| :------------------------| :--------------- |
| `mysql_native_password` | Yes |
| `sha256_password` | No |
| `caching_sha2_password` | Yes, since 5.2.0 |
| `auth_socket` | No |
| [TLS Certificates] | Yes |
| LDAP | No |
| PAM | No |
| ed25519 (MariaDB) | No |
| GSSAPI (MariaDB) | No |

[TLS Certificates]: /enable-tls-between-clients-and-servers.md
7 changes: 7 additions & 0 deletions system-variables.md
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,13 @@ mysql> SELECT * FROM t1;
- This variable indicates the location where data is stored. This location can be a local path or point to a PD server if the data is stored on TiKV.
- A value in the format of `ip_address:port` indicates the PD server that TiDB connects to on startup.

### default_authentication_plugin

- Scope: GLOBAL
- Default value: `mysql_native_password`
- This variable sets the authentication method that the server advertises when the server-client connection is being established. Possible values for this variable are documented in [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status)
- Value options: `mysql_native_password` and `caching_sha2_password` (since v5.2.0). For more details, see [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status).

### ddl_slow_threshold

- Scope: INSTANCE
Expand Down

0 comments on commit fbc92d9

Please sign in to comment.