diff --git a/keywords.md b/keywords.md index 6723c1f57224a..59cea2565f1b9 100644 --- a/keywords.md +++ b/keywords.md @@ -606,6 +606,7 @@ The following list shows the keywords in TiDB. Reserved keywords are marked with - TINYINT (R) - TINYTEXT (R) - TO (R) +- TOKEN_ISSUER - TOPN (R) - TRACE - TRADITIONAL diff --git a/security-compatibility-with-mysql.md b/security-compatibility-with-mysql.md index 03f8ceb1fb2ae..682c02865436d 100644 --- a/security-compatibility-with-mysql.md +++ b/security-compatibility-with-mysql.md 
@@ -17,7 +17,7 @@ TiDB supports similar security functionality to MySQL 5.7, with the following ex TiDB supports multiple authentication methods. These methods can be specified on a per user basis using [`CREATE USER`](/sql-statements/sql-statement-create-user.md) and [`ALTER USER`](/sql-statements/sql-statement-create-user.md). These methods are compatible with the authentication methods of MySQL with the same names. -You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. `tidb_sm3_password` is the SM3 authentication method only supported in TiDB. Therefore, to authenticate using this method, you must connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3). +You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. `tidb_sm3_password` is the SM3 authentication method only supported in TiDB. Therefore, to authenticate using this method, you must connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3). `tidb_auth_token` is a JSON Web Token (JWT) based authentication method used only in TiDB Cloud. @@ -38,7 +38,8 @@ The support for TLS authentication is configured differently. For detailed infor | `caching_sha2_password` | Yes, since 5.2.0 | | `auth_socket` | Yes, since 5.3.0 | | `tidb_sm3_password` | Yes, since 6.3.0 | -| TLS Certificates | Yes | +| `tidb_auth_token` | Yes, since 6.4.0 | +| TLS Certificates | Yes | | LDAP | No | | PAM | No | | ed25519 (MariaDB) | No | 
diff --git a/system-variables.md b/system-variables.md index a0a423605a5cf..3fd4c5e63f05d 100644 --- a/system-variables.md +++ b/system-variables.md @@ -208,7 +208,8 @@ mysql> SELECT * FROM t1; - Persists to cluster: Yes - Type: Enumeration - Default value: `mysql_native_password` -- Possible values: `mysql_native_password`, `caching_sha2_password`, and `tidb_sm3_password` +- Possible values: `mysql_native_password`, `caching_sha2_password`, `tidb_sm3_password`, and `tidb_auth_token` +- The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** set the variable to this value. - This variable sets the authentication method that the server advertises when the server-client connection is being established. - To authenticate using the `tidb_sm3_password` method, you can connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3). diff --git a/tidb-configuration-file.md b/tidb-configuration-file.md index 312de1cc18ac1..7eafed2eeab0b 100644 --- a/tidb-configuration-file.md +++ b/tidb-configuration-file.md 
@@ -327,6 +327,24 @@ Configuration items related to security. - Default value: "", which allows TLSv1.1 or higher. - Optional values: `"TLSv1.0"`, `"TLSv1.1"`, `"TLSv1.2"` and `"TLSv1.3"` +### `auth-token-jwks` New in v6.4.0 + +> **Warning:** +> +> The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** change the value of this configuration. + +- Set the local file path of the JSON Web Key Sets (JWKS) for the `tidb_auth_token` authentication method. +- Default value: `""` + +### `auth-token-refresh-interval` New in v6.4.0 + +> **Warning:** +> +> The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** change the value of this configuration. + +- Set the JWKS refresh interval for the `tidb_auth_token` authentication method. +- Default value: `1h` + ## Performance Configuration items related to performance.
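Review bot: In keywords.md, `TOKEN_ISSUER` is added to the keyword list, but none of the other files in this patch mention it, so a reader cannot tell which statement accepts it. If it belongs to the `tidb_auth_token` work, add a short description or a link to the statement reference where its syntax is documented.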
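Review bot: In the first hunk of security-compatibility-with-mysql.md, the new sentence is appended to a paragraph that opens with "You can use one of the following supported authentication methods", which reads as an invitation to use `tidb_auth_token`. It also says "used only in TiDB Cloud", while system-variables.md and tidb-configuration-file.md in this patch say "used only for the internal operation of TiDB Cloud" and tell users not to set it. Use the same wording here and state that users should not configure this method.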
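Review bot: In the table hunk of security-compatibility-with-mysql.md, the new row `| tidb_auth_token | Yes, since 6.4.0 |` has no qualifier, so the table presents an internal-only method as generally supported alongside `caching_sha2_password` and `auth_socket`. Qualify the cell, for example "Yes, since 6.4.0 (TiDB Cloud internal use only)". The `TLS Certificates` row is also removed and re-added with no visible change; if that is whitespace only, consider leaving it out of the diff.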
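Review bot: In system-variables.md, the `default_authentication_plugin` entry now lists `tidb_auth_token` under "Possible values" and forbids it in the next bullet, without saying what happens if it is set. Since this variable controls the method the server advertises to every connecting client, state the consequence of setting it. The prohibition would also be more consistent as a `> **Warning:**` block, as tidb-configuration-file.md does in this same patch, rather than a bullet in the middle of the property list.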
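Review bot: In tidb-configuration-file.md, the `auth-token-jwks` and `auth-token-refresh-interval` entries do not describe behavior at the defaults: it is not stated whether `""` disables `tidb_auth_token`, or what "refresh" means for a local file path. Say what is re-read on each interval, because with a default of `1h` a rotated or removed key in the JWKS could continue to be accepted until the next refresh. Since the JWKS holds the keys that tokens are verified against, a line on the expected file ownership and permissions would also help.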