From 077dec9586088e152bf0aedd138fa413f4c34299 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Mon, 5 Jul 2021 11:09:15 +0200 Subject: [PATCH] Update Security Compatibility with MySQL Related to https://github.com/pingcap/tidb/pull/24991 --- security-compatibility-with-mysql.md | 20 ++++++++++++++++++-- system-variables.md | 6 ++++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/security-compatibility-with-mysql.md b/security-compatibility-with-mysql.md index fce6496e8e1ad..e1f08bfc4e35b 100644 --- a/security-compatibility-with-mysql.md +++ b/security-compatibility-with-mysql.md 
@@ -8,9 +8,25 @@ aliases: ['/docs/dev/security-compatibility-with-mysql/','/docs/dev/reference/se TiDB supports similar security functionality to MySQL 5.7, with the following exceptions: -- Only the `mysql_native_password` password-based and certificate-based authentication is supported -- External authentication (such as with LDAP) is not currently supported - Column level permissions are not supported - Password expiry, as well as password last-changed tracking and password lifetime are not supported [#9709](https://github.com/pingcap/tidb/issues/9709) - The permission attributes `max_questions`, `max_updated`, `max_connections`, `max_user_connections` are not supported - Password validation is not currently supported [#9741](https://github.com/pingcap/tidb/issues/9741) + +## Authentication plugin status + +Authentication in MySQL supports multiple authentication methods. The authentication method can be specified on a per user basis with [`CREATE USER`](/sql-statements/sql-statement-create-user.md) and [`ALTER USER`](/sql-statements/sql-statement-create-user.md). These authentication methods are compatible with the authentication methods of MySQL with the same name. + +The default authentication method the server advertises during connection establishment can be set with the [`default_authetication_format`](/system-variables.md#default_authentication_format). + +| Authentication Method | Supported | +| :------------------------| :--------------- | +| `mysql_native_password` | Yes | +| `sha256_password` | No | +| `caching_sha2_password` | Yes, since 5.2.0 | +| `auth_socket` | No | +| TLS Certificates | Yes | +| LDAP | No | +| PAM | No | +| ed25519 (MariaDB) | No | +| GSSAPI (MariaDB) | No | diff --git a/system-variables.md b/system-variables.md index ea7a58394fdaa..eeb13f77005d0 100644 --- a/system-variables.md +++ b/system-variables.md 
@@ -127,6 +127,12 @@ mysql> SELECT * FROM t1; - This variable indicates the location where data is stored. This location can be a local path or point to a PD server if the data is stored on TiKV. - A value in the format of `ip_address:port` indicates the PD server that TiDB connects to on startup. +### default_authentication_plugin + +- Scope: GLOBAL +- Default value: `mysql_native_password` +- This variable sets the authentication method that the server advertises when the server-cient connection is being established. Possible values for this variable are documented in [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status) + ### ddl_slow_threshold - Scope: INSTANCE
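Review bot: in the first hunk (security-compatibility-with-mysql.md), the new "Authentication plugin status" paragraph links the variable as `default_authetication_format` with the anchor `#default_authentication_format`, but the variable this same patch adds to system-variables.md is `default_authentication_plugin` (heading `### default_authentication_plugin`), so the link text is misspelled, names the wrong variable, and the anchor will not resolve; it should read ``[`default_authentication_plugin`](/system-variables.md#default_authentication_plugin)`` and the sentence should close with "system variable" rather than ending at the link. Also, the `ALTER USER` link targets the CREATE USER page (`/sql-statements/sql-statement-create-user.md`); it should point at the ALTER USER statement's own page.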
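Review bot: in the second hunk (system-variables.md), the description of `default_authentication_plugin` has a typo, "server-cient" should be "server-client", and the sentence is missing its closing period. The entry says "Possible values for this variable are documented in Authentication plugin status", but that table also lists methods marked "No" (`sha256_password`, `auth_socket`, LDAP, PAM, ed25519, GSSAPI) and non-plugin rows such as "TLS Certificates"; it would be clearer to state here that only plugin names the table marks as supported are accepted, i.e. `mysql_native_password` and, from 5.2.0, `caching_sha2_password`, so readers do not set the variable to a value the server cannot advertise.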