TiCDC Client Authentication
Starting from v8.1.0, TiCDC supports client authentication using Mutual Transport Layer Security (mTLS) or TiDB username and password.
- mTLS authentication provides security control at the transport layer, enabling TiCDC to verify the client identity.
- TiDB username and password authentication provides security control at the application layer, ensuring that only authorized users can log in through the TiCDC node.
These two authentication methods can be used either independently or in combination to meet different scenarios and security requirements.
Use mTLS for client authentication
In the TiCDC server, configure the
security.mtlsparameter astrueto enable mTLS authentication:[security] # This parameter controls whether to enable the TLS client authentication. The default value is false. mtls = trueConfigure the client certificate.
- TiCDC command-line tool
- TiCDC OpenAPI
When using the TiCDC command-line tool, you can specify the client certificate using the following methods. TiCDC will attempt to read the client certificate in the following order:
Specify the certificate and private key using the command-line parameters
--certand--key. If the server uses a self-signed certificate, you also need to specify the trusted CA certificate using the--caparameter.cdc cli changefeed list --cert client.crt --key client.key --ca ca.crtSpecify the paths to the certificate, private key, and CA certificate using the environment variables
TICDC_CERT_PATH,TICDC_KEY_PATH, andTICDC_CA_PATH.export TICDC_CERT_PATH=client.crt export TICDC_KEY_PATH=client.key export TICDC_CA_PATH=ca.crtSpecify the certificate using the shared credential file
~/.ticdc/credentials. You can modify the configuration using thecdc cli configure-credentialscommand.
When using TiCDC OpenAPI, you can specify the client certificate and private key using
--certand--key. If the server uses a self-signed certificate, you also need to specify the trusted CA certificate using the--cacertparameter. For example:curl -X GET http://127.0.0.1:8300/api/v2/status --cert client.crt --key client.key --cacert ca.crt
Use TiDB username and password for client authentication
Create a user in TiDB and grant the user permission to log in from the TiCDC node.
CREATE USER 'test'@'ticdc_ip_address' IDENTIFIED BY 'password';In the TiCDC server, configure
security.client-user-requiredandsecurity.client-allowed-userto enable username and password authentication:[security] # This parameter controls whether to use username and password for client authentication. The default value is false. client-user-required = true # This parameter lists the usernames that are allowed for client authentication. Authentication requests with usernames not in this list will be rejected. The default value is null. client-allowed-user = ["test"]Specify the username and password of the user created in step 1.
- TiCDC command-line tool
- TiCDC OpenAPI
When using the TiCDC command-line tool, you can specify the username and password using the following methods. TiCDC will attempt to read the client certificate in the following order:
Specify the username and password using the command-line parameters
--userand--password:cdc cli changefeed list --user test --password passwordSpecify the username using the command-line parameter
--user. Then, enter the password in the terminal:cdc cli changefeed list --user testSpecify the username and password using the environment variables
TICDC_USERandTICDC_PASSWORD:export TICDC_USER=test export TICDC_PASSWORD=passwordSpecify the username and password using the shared credential file
~/.ticdc/credentials. You can modify the configuration using thecdc cli configure-credentialscommand.
When using TiCDC OpenAPI, you can specify the username and password using
--user <user>:<password>. For example:curl -X GET http://127.0.0.1:8300/api/v2/status --user test:password