From fa3065093b645bcaf8fd0c2a2cea5882c6eb09e1 Mon Sep 17 00:00:00 2001 From: Aolin Date: Tue, 1 Nov 2022 23:25:02 +0800 Subject: [PATCH 1/3] Add description about tidb_auth_token authentication --- keywords.md | 1 + security-compatibility-with-mysql.md | 5 +++-- system-variables.md | 3 ++- tidb-configuration-file.md | 18 ++++++++++++++++++ 4 files changed, 24 insertions(+), 3 deletions(-) diff --git a/keywords.md b/keywords.md index 6723c1f57224a..59cea2565f1b9 100644 --- a/keywords.md +++ b/keywords.md @@ -606,6 +606,7 @@ The following list shows the keywords in TiDB. Reserved keywords are marked with - TINYINT (R) - TINYTEXT (R) - TO (R) +- TOKEN_ISSUER - TOPN (R) - TRACE - TRADITIONAL diff --git a/security-compatibility-with-mysql.md b/security-compatibility-with-mysql.md index 03f8ceb1fb2ae..d4c4d94e43cf2 100644 --- a/security-compatibility-with-mysql.md +++ b/security-compatibility-with-mysql.md 
@@ -17,7 +17,7 @@ TiDB supports similar security functionality to MySQL 5.7, with the following ex TiDB supports multiple authentication methods. These methods can be specified on a per user basis using [`CREATE USER`](/sql-statements/sql-statement-create-user.md) and [`ALTER USER`](/sql-statements/sql-statement-create-user.md). These methods are compatible with the authentication methods of MySQL with the same names. -You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. `tidb_sm3_password` is the SM3 authentication method only supported in TiDB. Therefore, to authenticate using this method, you must connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3). +You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. `tidb_sm3_password` is the SM3 authentication method only supported in TiDB. Therefore, to authenticate using this method, you must connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3). `tidb_auth_token` is a JSON Web Token (JWT) based internal authentication method used only within TiDB Cloud. @@ -38,7 +38,8 @@ The support for TLS authentication is configured differently. For detailed infor | `caching_sha2_password` | Yes, since 5.2.0 | | `auth_socket` | Yes, since 5.3.0 | | `tidb_sm3_password` | Yes, since 6.3.0 | -| TLS Certificates | Yes | +| `tidb_auth_token` | Yes, since 6.4.0 | +| TLS Certificates | Yes | | LDAP | No | | PAM | No | | ed25519 (MariaDB) | No | 
diff --git a/system-variables.md b/system-variables.md index a0a423605a5cf..b9203c844f98e 100644 --- a/system-variables.md +++ b/system-variables.md @@ -208,7 +208,8 @@ mysql> SELECT * FROM t1; - Persists to cluster: Yes - Type: Enumeration - Default value: `mysql_native_password` -- Possible values: `mysql_native_password`, `caching_sha2_password`, and `tidb_sm3_password` +- Possible values: `mysql_native_password`, `caching_sha2_password`, `tidb_sm3_password` and `tidb_auth_token` +- The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** set the variable to this value. - This variable sets the authentication method that the server advertises when the server-client connection is being established. - To authenticate using the `tidb_sm3_password` method, you can connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3). diff --git a/tidb-configuration-file.md b/tidb-configuration-file.md index 312de1cc18ac1..d51171ee1c6b3 100644 --- a/tidb-configuration-file.md +++ b/tidb-configuration-file.md 
@@ -327,6 +327,24 @@ Configuration items related to security. - Default value: "", which allows TLSv1.1 or higher. - Optional values: `"TLSv1.0"`, `"TLSv1.1"`, `"TLSv1.2"` and `"TLSv1.3"` +### `auth-token-jwks` New in v6.4.0 + +> **Warning:** +> +> The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** set the variable to this value. + +- Set the local file path of the JSON Web Key Sets (JWKS) of the `tidb_auth_token` authentication method. +- Default value: `""` + +### `auth-token-refresh-interval` New in v6.4.0 + +> **Warning:** +> +> The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** set the variable to this value. + +- Set the JSON Web Key Sets refresh interval of the `tidb_auth_token` authentication method. +- Default value: `1h` + ## Performance Configuration items related to performance. From 9b90504a207fcff0cedc2b5200c1ab4f39e173b7 Mon Sep 17 00:00:00 2001 From: Aolin Date: Wed, 2 Nov 2022 10:25:50 +0800 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: CbcWestwolf <1004626265@qq.com> --- tidb-configuration-file.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tidb-configuration-file.md b/tidb-configuration-file.md index d51171ee1c6b3..9ad67c6a63758 100644 --- a/tidb-configuration-file.md +++ b/tidb-configuration-file.md @@ -331,7 +331,7 @@ Configuration items related to security. > **Warning:** > -> The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** set the variable to this value. +> The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** change the value of this configuration. - Set the local file path of the JSON Web Key Sets (JWKS) of the `tidb_auth_token` authentication method. - Default value: `""` 
@@ -340,7 +340,7 @@ Configuration items related to security. > **Warning:** > -> The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** set the variable to this value. +> The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** change the value of this configuration. - Set the JSON Web Key Sets refresh interval of the `tidb_auth_token` authentication method. - Default value: `1h` From 47b6ef82a1f1a060d46dff53071cc475504b9381 Mon Sep 17 00:00:00 2001 From: Aolin Date: Wed, 2 Nov 2022 11:35:16 +0800 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: shichun-0415 <89768198+shichun-0415@users.noreply.github.com> --- security-compatibility-with-mysql.md | 2 +- system-variables.md | 2 +- tidb-configuration-file.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/security-compatibility-with-mysql.md b/security-compatibility-with-mysql.md index d4c4d94e43cf2..682c02865436d 100644 --- a/security-compatibility-with-mysql.md +++ b/security-compatibility-with-mysql.md 
@@ -17,7 +17,7 @@ TiDB supports similar security functionality to MySQL 5.7, with the following ex TiDB supports multiple authentication methods. These methods can be specified on a per user basis using [`CREATE USER`](/sql-statements/sql-statement-create-user.md) and [`ALTER USER`](/sql-statements/sql-statement-create-user.md). These methods are compatible with the authentication methods of MySQL with the same names. -You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. `tidb_sm3_password` is the SM3 authentication method only supported in TiDB. Therefore, to authenticate using this method, you must connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3). `tidb_auth_token` is a JSON Web Token (JWT) based internal authentication method used only within TiDB Cloud. +You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. `tidb_sm3_password` is the SM3 authentication method only supported in TiDB. Therefore, to authenticate using this method, you must connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3). `tidb_auth_token` is a JSON Web Token (JWT) based authentication method used only in TiDB Cloud. diff --git a/system-variables.md b/system-variables.md index b9203c844f98e..3fd4c5e63f05d 100644 --- a/system-variables.md +++ b/system-variables.md 
@@ -208,7 +208,7 @@ mysql> SELECT * FROM t1; - Persists to cluster: Yes - Type: Enumeration - Default value: `mysql_native_password` -- Possible values: `mysql_native_password`, `caching_sha2_password`, `tidb_sm3_password` and `tidb_auth_token` +- Possible values: `mysql_native_password`, `caching_sha2_password`, `tidb_sm3_password`, and `tidb_auth_token` - The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** set the variable to this value. - This variable sets the authentication method that the server advertises when the server-client connection is being established. - To authenticate using the `tidb_sm3_password` method, you can connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3). diff --git a/tidb-configuration-file.md b/tidb-configuration-file.md index 9ad67c6a63758..7eafed2eeab0b 100644 --- a/tidb-configuration-file.md +++ b/tidb-configuration-file.md @@ -333,7 +333,7 @@ Configuration items related to security. > > The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** change the value of this configuration. -- Set the local file path of the JSON Web Key Sets (JWKS) of the `tidb_auth_token` authentication method. +- Set the local file path of the JSON Web Key Sets (JWKS) for the `tidb_auth_token` authentication method. - Default value: `""` ### `auth-token-refresh-interval` New in v6.4.0 @@ -342,7 +342,7 @@ Configuration items related to security. > > The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** change the value of this configuration. -- Set the JSON Web Key Sets refresh interval of the `tidb_auth_token` authentication method. +- Set the JWKS refresh interval for the `tidb_auth_token` authentication method. - Default value: `1h` ## Performance
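Review bot: in the keywords.md hunk of patch 1, `TOKEN_ISSUER` is added as a non-reserved keyword but nothing in this PR documents the statement it belongs to; the `CREATE USER` and `ALTER USER` pages that security-compatibility-with-mysql.md links for per-user authentication methods are not touched, so a reader who meets the keyword has nowhere to look up its syntax. Either add the clause to the `CREATE USER`/`ALTER USER` reference in the same PR or, if it is TiDB Cloud internal like `tidb_auth_token`, say so in the `tidb_auth_token` description so the keyword is not left dangling.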
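Review bot: the security-compatibility-with-mysql.md `@@ -17` hunk (patch 1, reworded in patch 3 to "used only in TiDB Cloud") introduces `tidb_auth_token` as a neutral description, while the system-variables.md and tidb-configuration-file.md hunks in the same PR carry a **DO NOT** warning for the same method; since this is the page that introduces the method, carry the warning here too, for example "`tidb_auth_token` is a JSON Web Token (JWT) based authentication method used only in TiDB Cloud. Do not configure it on self-hosted TiDB." While here, the unchanged context line above links `ALTER USER` to `/sql-statements/sql-statement-create-user.md`; point it at the `ALTER USER` statement page if one exists.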
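Review bot: in the security-compatibility-with-mysql.md `@@ -38` table hunk, the `| TLS Certificates | Yes |` row is removed and re-added with no visible change, which looks like a trailing-whitespace edit; drop it so the hunk only adds the `tidb_auth_token` row. The new row `| `tidb_auth_token` | Yes, since 6.4.0 |` reads as "supported for you since v6.4.0" on a page whose column is support status, which contradicts the warnings in the other files; suggest `Yes, since 6.4.0 (TiDB Cloud only)` or a footnote on the row.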
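Review bot: in the system-variables.md `@@ -208` hunk the warning is inlined as a bullet between "Possible values" and "This variable sets the authentication method...", so the restriction comes before the reader is told what the variable does; move the new bullet after the description, and use the `> **Warning:**` callout that tidb-configuration-file.md uses for the identical text in this same patch, so the two pages format the same restriction the same way. The patch 3 hunk on this file only adds the Oxford comma; the ordering and format issue remains.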
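Review bot: in the tidb-configuration-file.md `@@ -327` hunk of patch 1, the warning copied onto `auth-token-jwks` and `auth-token-refresh-interval` reads "**DO NOT** set the variable to this value", which is the system-variable wording and makes no sense for a file path and a duration; patch 2 corrects it to "DO NOT change the value of this configuration", so the fix should be squashed into patch 1 rather than landing as a separate commit. Two wording points survive into patch 3: RFC 7517 names the format "JSON Web Key Set" (singular), so write "JSON Web Key Set (JWKS)" rather than "JSON Web Key Sets"; and the `auth-token-jwks` entry says only "local file path" without saying what the file must contain (a JWK Set document) or whether `auth-token-refresh-interval` re-reads that file or fetches keys from elsewhere, so the relationship between the two new items is never stated.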
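Review bot: the `auth-token-refresh-interval` entry in the tidb-configuration-file.md `@@ -342` hunk of patch 3 should spell out the operational consequence of the default `1h`: with a periodic refresh, a key removed from the JWKS stays accepted until the next refresh and a newly added key is not trusted until then, so anyone rotating signing keys needs to know that window. The entry also does not say what happens when a refresh fails (keep the previous key set, or reject tokens until the next successful load); whichever TiDB does, document it here, since the failure mode decides whether a bad deploy of the JWKS file locks users out or silently keeps stale keys.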