server: add auth switch to mysql_native_password (#19603)

[ti-srebot]

cherry-pick #19603 to release-4.0

---

What problem does this PR solve?

Issue Number: Fixes #17875

Problem Summary:

The TiDB server does not allow clients from MySQL 8 servers to connect when they have a password.

What is changed and how it works?

What's Changed:

Support for MySQL 8 clients has been added.

How it Works:

The MySQL protocol allows the server to ask the client to change authentication plugins. This does not explicitly allow support for MySQL 8's caching_sha2_password, but it sidesteps the issue to allow MySQL 8 clients to connect to TiDB. Any client that speaks caching_sha2_password is asked to change to use mysql_native_password.

Related changes

• Need to cherry-pick to the release branch

(It is certainly not required, butI think this is useful enough to cherry-pick.)

Check List

Tests

• Manual test (add detailed scripts or steps below)

The go mysql connector does not permit sending caching_sha2_password, and then being downgraded, so it is hard to include in the testsuite directly under ./server/server_test.go. What I did was used a MySQL 8.0 CLI and performed the following:

$ mysql -e "SET password='test'; SELECT 1";
$ mysql -ptest -e "SELECT 1";

This confirms that it both allows non-passworded accounts and passworded to work correctly.

Side effects

• None

Release note

• TiDB now accepts connections from clients using connectors from MySQL 8.0.

[ti-srebot]

/run-all-tests

[ghost]

/run-all-tests

[jackysp]

lgtm

[tiancaiamao]

LGTM

[jackysp]

/merge

[ti-srebot]

/run-all-tests

[ti-srebot]

@ti-srebot merge failed.

[jackysp]

/run-integration-compatibility-test
/run-sqllogic-test-1