Security Compatibility with MySQL
TiDB supports similar security functionality to MySQL 5.7, with the following exceptions:
- Column level permissions are not supported
- Password expiry, as well as password last-changed tracking and password lifetime are not supported #9709
- These permission attributes are not supported:
max_questions
,max_updated
, andmax_user_connections
- Password validation is not currently supported #9741
Authentication plugin status
TiDB supports multiple authentication methods. These methods can be specified on a per user basis using CREATE USER
and ALTER USER
. These methods are compatible with the authentication methods of MySQL with the same names.
You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the default_authentication_plugin
variable. tidb_sm3_password
is the SM3 authentication method only supported in TiDB. Therefore, to authenticate using this method, you must connect to TiDB using TiDB-JDBC. tidb_auth_token
is a JSON Web Token (JWT) based authentication method used only in TiDB Cloud.
The support for TLS authentication is configured differently. For detailed information, see Enable TLS between TiDB Clients and Servers.
Authentication Method | Supported |
---|---|
mysql_native_password | Yes |
sha256_password | No |
caching_sha2_password | Yes, since 5.2.0 |
auth_socket | Yes, since 5.3.0 |
tidb_sm3_password | Yes, since 6.3.0 |
tidb_auth_token | Yes, since 6.4.0 |
TLS Certificates | Yes |
LDAP | No |
PAM | No |
ed25519 (MariaDB) | No |
GSSAPI (MariaDB) | No |
FIDO | No |