From cbc474f4be60d718c21af0947e933f4d86b096cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Mon, 5 Jul 2021 11:09:15 +0200 Subject: [PATCH 1/2] Update Security Compatibility with MySQL Related to https://github.com/pingcap/tidb/pull/24991 Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- security-compatibility-with-mysql.md | 22 ++++++++++++++++++++-- system-variables.md | 7 +++++++ 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/security-compatibility-with-mysql.md b/security-compatibility-with-mysql.md index fce6496e8e1ad..365d0434b68ac 100644 --- a/security-compatibility-with-mysql.md +++ b/security-compatibility-with-mysql.md 
@@ -8,9 +8,27 @@ aliases: ['/docs/dev/security-compatibility-with-mysql/','/docs/dev/reference/se TiDB supports similar security functionality to MySQL 5.7, with the following exceptions: -- Only the `mysql_native_password` password-based and certificate-based authentication is supported -- External authentication (such as with LDAP) is not currently supported - Column level permissions are not supported - Password expiry, as well as password last-changed tracking and password lifetime are not supported [#9709](https://github.com/pingcap/tidb/issues/9709) - The permission attributes `max_questions`, `max_updated`, `max_connections`, `max_user_connections` are not supported - Password validation is not currently supported [#9741](https://github.com/pingcap/tidb/issues/9741) + +## Authentication plugin status + +TiDB supports multiple authentication methods. These methods can be specified on a per user basis using [`CREATE USER`](/sql-statements/sql-statement-create-user.md) and [`ALTER USER`](/sql-statements/sql-statement-create-user.md). These methods are compatible with the authentication methods of MySQL with the same names. + +You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. Support for TLS authentication is configured differently, for that see [Enable TLS between TiDB Clients and Servers](https://docs.pingcap.com/tidb/stable/enable-tls-between-clients-and-servers). 
+ +| Authentication Method | Supported | +| :------------------------| :--------------- | +| `mysql_native_password` | Yes | +| `sha256_password` | No | +| `caching_sha2_password` | Yes, since 5.2.0 | +| `auth_socket` | No | +| [TLS Certificates] | Yes | +| LDAP | No | +| PAM | No | +| ed25519 (MariaDB) | No | +| GSSAPI (MariaDB) | No | + +[TLS Certificates]: /enable-tls-between-clients-and-servers.md diff --git a/system-variables.md b/system-variables.md index 40d2933076cd1..688c28bcdd672 100644 --- a/system-variables.md +++ b/system-variables.md @@ -128,6 +128,13 @@ mysql> SELECT * FROM t1; - This variable indicates the location where data is stored. This location can be a local path or point to a PD server if the data is stored on TiKV. - A value in the format of `ip_address:port` indicates the PD server that TiDB connects to on startup. +### default_authentication_plugin + +- Scope: GLOBAL +- Default value: `mysql_native_password` +- This variable sets the authentication method that the server advertises when the server-client connection is being established. Possible values for this variable are documented in [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status) +- Value options: `mysql_native_password` and `caching_sha2_password` (since v5.2.0). For more details, see [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status). + ### ddl_slow_threshold - Scope: INSTANCE From 7ac50a3557fc12eb848e2fe95ca2bfa9f88261f0 Mon Sep 17 00:00:00 2001 From: TomShawn <41534398+TomShawn@users.noreply.github.com> Date: Thu, 29 Jul 2021 21:15:38 +0800 Subject: [PATCH 2/2] Apply suggestions from code review --- security-compatibility-with-mysql.md | 4 +++- system-variables.md | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/security-compatibility-with-mysql.md b/security-compatibility-with-mysql.md index 365d0434b68ac..766ae1203de10 100644 
--- a/security-compatibility-with-mysql.md +++ b/security-compatibility-with-mysql.md @@ -17,7 +17,9 @@ TiDB supports similar security functionality to MySQL 5.7, with the following ex TiDB supports multiple authentication methods. These methods can be specified on a per user basis using [`CREATE USER`](/sql-statements/sql-statement-create-user.md) and [`ALTER USER`](/sql-statements/sql-statement-create-user.md). These methods are compatible with the authentication methods of MySQL with the same names. -You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. Support for TLS authentication is configured differently, for that see [Enable TLS between TiDB Clients and Servers](https://docs.pingcap.com/tidb/stable/enable-tls-between-clients-and-servers). +You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. + +The support for TLS authentication is configured differently. For detailed information, see [Enable TLS between TiDB Clients and Servers](/enable-tls-between-clients-and-servers.md). | Authentication Method | Supported | | :------------------------| :--------------- | diff --git a/system-variables.md b/system-variables.md index 688c28bcdd672..d3d09b7e58541 100644 --- a/system-variables.md +++ b/system-variables.md 
@@ -132,8 +132,8 @@ mysql> SELECT * FROM t1; - Scope: GLOBAL - Default value: `mysql_native_password` -- This variable sets the authentication method that the server advertises when the server-client connection is being established. Possible values for this variable are documented in [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status) -- Value options: `mysql_native_password` and `caching_sha2_password` (since v5.2.0). For more details, see [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status). +- This variable sets the authentication method that the server advertises when the server-client connection is being established. Possible values for this variable are documented in [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status). +- Value options: `mysql_native_password` and `caching_sha2_password`. For more details, see [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status). ### ddl_slow_threshold
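Review bot: In the first patch's `security-compatibility-with-mysql.md` hunk (`@@ -8,9 +8,27 @@`), the `ALTER USER` link in the new "Authentication plugin status" paragraph points at `/sql-statements/sql-statement-create-user.md`, the same target as the `CREATE USER` link next to it; it should link the ALTER USER statement page instead. Two smaller points in the same hunk: "You can use one of the following supported authentication methods in the table." reads awkwardly and could be "The following table lists the supported authentication methods.", and the table's "Yes, since 5.2.0" should use the same version form ("v5.2.0") that the `system-variables.md` hunk in this same patch uses. Removing the old "Only the `mysql_native_password` ... is supported" and "External authentication (such as with LDAP) ..." bullets is correct, since the table now records both facts (LDAP: No, `caching_sha2_password`: Yes).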
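Review bot: In the first patch's `system-variables.md` hunk (`@@ -128,6 +128,13 @@`), the two new bullets for `default_authentication_plugin` say the same thing and both link to the same "Authentication plugin status" section; merge them into one bullet (the first also lacks a terminal period). Since this variable is introduced together with `caching_sha2_password` support, the entry should also state in which version the variable itself became available, and, because the value controls what the server advertises to every client, document what happens when a connecting client does not support the advertised plugin (whether authentication falls back to `mysql_native_password` through an auth-switch request or the connection is rejected). Without that, an operator cannot judge whether switching the default to `caching_sha2_password` is safe for existing clients.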
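Review bot: In the second patch's `security-compatibility-with-mysql.md` hunk (`@@ -17,7 +17,9 @@`), "The support for TLS authentication is configured differently." should drop "The support for" ("TLS authentication is configured differently."), and the sentence "You can use one of the following supported authentication methods in the table." carried over unchanged still reads awkwardly. Switching the TLS link from the absolute `https://docs.pingcap.com/tidb/stable/...` URL to the relative `/enable-tls-between-clients-and-servers.md` path is the right call, as it matches the reference-style `[TLS Certificates]` link defined below the table.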
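Review bot: In the second patch's `system-variables.md` hunk (`@@ -132,8 +132,8 @@`), dropping "(since v5.2.0)" from the value list leaves the variable description inconsistent with the table in `security-compatibility-with-mysql.md`, which still says `caching_sha2_password` is supported "since 5.2.0"; either keep the marker on the `caching_sha2_password` value or, if the whole variable is new in v5.2.0, say so once in the variable entry. The edit also leaves the two redundant bullets in place; the suggested merge from the first patch still applies.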