Security Compatibility with MySQL
TiDB supports similar security functionality to MySQL 5.7, with the following exceptions:
- Column-level permissions are not supported
- Password expiry, password last-changed tracking, and password lifetime are not supported #9709
- These permission attributes are not supported: max_questions, max_updated, and max_user_connections
- Password validation is not currently supported #9741
Authentication plugin status
TiDB supports multiple authentication methods. These methods can be specified on a per-user basis using CREATE USER and ALTER USER. These methods are compatible with the authentication methods of MySQL with the same names.
You can use any of the supported authentication methods in the following table. To specify the default method that the server advertises when the client-server connection is being established, set the default_authentication_plugin variable. tidb_sm3_password is the SM3 authentication method, supported only in TiDB. Therefore, to authenticate using this method, you must connect to TiDB using TiDB-JDBC.
The support for TLS authentication is configured differently. For detailed information, see Enable TLS between TiDB Clients and Servers.
Authentication Method | Supported |
---|---|
mysql_native_password | Yes |
sha256_password | No |
caching_sha2_password | Yes, since 5.2.0 |
auth_socket | Yes, since 5.3.0 |
tidb_sm3_password | Yes, since 6.3.0 |
TLS Certificates | Yes |
LDAP | No |
PAM | No |
ed25519 (MariaDB) | No |
GSSAPI (MariaDB) | No |
FIDO | No |
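
The per-user and server-wide settings described above, shown as an added example that is not taken from the TiDB documentation. The account names, host patterns and passwords are placeholders, and the statements assume a version where caching_sha2_password is supported (5.2.0 or later according to the table).

```sql
-- Added example: account names, hosts and passwords are placeholders.

-- Create an account that authenticates with caching_sha2_password.
CREATE USER 'app_rw'@'10.0.%'
  IDENTIFIED WITH caching_sha2_password BY '<placeholder-password-1>';

-- Move an existing account to the same method. The password is set again
-- here, since a hash stored for one method cannot be reused by another.
ALTER USER 'report_ro'@'%'
  IDENTIFIED WITH caching_sha2_password BY '<placeholder-password-2>';

-- Set the method the server advertises when a connection is established,
-- then confirm the value.
SET GLOBAL default_authentication_plugin = 'caching_sha2_password';
SHOW GLOBAL VARIABLES LIKE 'default_authentication_plugin';

-- Audit: list the authentication method of every account.
SELECT user, host, plugin
FROM mysql.user
ORDER BY plugin, user, host;

-- Audit: count accounts per method to track a migration.
SELECT plugin, COUNT(*) AS accounts
FROM mysql.user
GROUP BY plugin;

-- Audit: accounts that still use mysql_native_password after the change.
SELECT user, host
FROM mysql.user
WHERE plugin = 'mysql_native_password';
```

Changing default_authentication_plugin affects only what the server advertises; existing accounts keep the method stored for them until they are altered, which is why the audit queries read mysql.user directly.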