Security Compatibility with MySQL
TiDB supports similar security functionality to MySQL 5.7, with the following exceptions:
- Column level permissions are not supported
- Password expiry, as well as password last-changed tracking and password lifetime are not supported #9709
- The permission attributes
max_questions
,max_updated
,max_connections
,max_user_connections
are not supported - Password validation is not currently supported #9741
Authentication plugin status
TiDB supports multiple authentication methods. These methods can be specified on a per user basis using CREATE USER
and ALTER USER
. These methods are compatible with the authentication methods of MySQL with the same names.
You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the default_authentication_plugin
variable.
The support for TLS authentication is configured differently. For detailed information, see Enable TLS between TiDB Clients and Servers.
Authentication Method | Supported |
---|---|
mysql_native_password | Yes |
sha256_password | No |
caching_sha2_password | Yes, since 5.2.0 |
auth_socket | Yes, since 5.3.0 |
[TLS Certificates] | Yes |
LDAP | No |
PAM | No |
ed25519 (MariaDB) | No |
GSSAPI (MariaDB) | No |
FIDO | No |