Motivation
In MySQL, you can lock or unlock a user or role with CREATE USER or ALTER USER. For compatibility, TiDB should support this feature.
Feature Acquirement
According to the description in MySQL account locking, the feature is mainly related to the CREATE USER and ALTER USER statements in TiDB.
When used with CREATE USER, these clauses (ACCOUNT LOCK and ACCOUNT UNLOCK) specify the initial locking state for a new account. In the absence of either clause, the account is created in an unlocked state.
When used with ALTER USER, these clauses specify the new locking state for an existing account. In the absence of either clause, the account locking state remains unchanged.
Account locking state is recorded in the account_locked column of the mysql.user system table. The output from SHOW CREATE USER indicates whether an account is locked or unlocked.
If a client attempts to connect to a locked account, the attempt fails and returns an ErrAccountHasBeenLocked error.
The ability to use views is not affected by locking the account.
After a role is created, it is locked by default and cannot log in to TiDB; once it is unlocked through ALTER USER, the role can log in normally.
Note that these behaviors differ from MySQL 8:
TiDB would not support temporarily locking an account after too many consecutive login failures.
validate_password component (at least not in v6.1.0)
Background
Related Data Structures
To accelerate reading mysql.user, TiDB has a type MySQLPrivilege struct that caches the users' privileges:
type MySQLPrivilege struct {
	User          []UserRecord
	UserMap       map[string][]UserRecord // Accelerate User searching
	Global        map[string][]globalPrivRecord
	Dynamic       map[string][]dynamicPrivRecord
	DB            []dbRecord
	DBMap         map[string][]dbRecord // Accelerate DB searching
	TablesPriv    []tablesPrivRecord
	TablesPrivMap map[string][]tablesPrivRecord // Accelerate TablesPriv searching
	ColumnsPriv   []columnsPrivRecord
	DefaultRoles  []defaultRoleRecord
	RoleGraph     map[string]roleGraphEdgesTable
}
The state of the account lock can be accessed through the User field, since UserRecord contains a field AccountLocked bool:
type UserRecord struct {
	baseRecord

	AuthenticationString string
	Privileges           mysql.PrivilegeType
	AccountLocked        bool // A role record when this field is true
	AuthPlugin           string
}
Update of Privilege
Each time a command that changes privileges is run, such as CREATE USER, ALTER USER or FLUSH, the function NotifyUpdatePrivilege is called to:
Design
Since #9377 has already imported the account_locked column into the mysql.user table, which first appeared in an early version (v3.0.5), we don't have to modify the definition of the mysql.user table.
Likewise, the AccountLocked field has already been imported into type UserRecord struct, which is included in MySQLPrivilege, so we don't have to modify the privilege definition either.
The lock check itself is placed in func (p *UserPrivileges) ConnectionVerification, and it happens after the password check.
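As an added illustration (not TiDB's code) of the UserRecord.AccountLocked field and of the check order in ConnectionVerification, this Go model keeps a user cache keyed by user name like UserMap, creates users unlocked and roles locked, toggles the lock as ALTER USER would, and rejects a wrong password before it ever consults the lock, so an unauthenticated client cannot learn whether an account is locked. The sha256 stand-in for the auth plugin, the helper names and ErrAccessDenied are assumptions.

```go
// Added illustration, not TiDB's code: a minimal model of the user cache and the ConnectionVerification check; sha256 stands in for the auth plugin (assumption).
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var ErrAccessDenied = errors.New("access denied")
var ErrAccountHasBeenLocked = errors.New("account has been locked")

// userRecord keeps only the UserRecord fields the check needs.
type userRecord struct {
	authHash      [32]byte // constructed stand-in for AuthenticationString
	accountLocked bool     // mirrors UserRecord.AccountLocked
}

// privilegeCache stands in for MySQLPrivilege.UserMap, keyed by user name.
type privilegeCache map[string]*userRecord

// createAccount models CREATE USER / CREATE ROLE: users start unlocked, roles locked.
func (p privilegeCache) createAccount(name, password string, isRole bool) {
	p[name] = &userRecord{authHash: sha256.Sum256([]byte(password)), accountLocked: isRole}
}

// setLock models ALTER USER ... ACCOUNT LOCK / ACCOUNT UNLOCK on an existing account.
func (p privilegeCache) setLock(name string, locked bool) { p[name].accountLocked = locked }

// connectionVerification checks the password first and the lock second, as the
// issue specifies, so a wrong password never reveals whether the account is locked.
func (p privilegeCache) connectionVerification(name, password string) error {
	r, ok := p[name]
	if !ok {
		return ErrAccessDenied
	}
	got := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(got[:], r.authHash[:]) != 1 {
		return ErrAccessDenied
	}
	if r.accountLocked {
		return ErrAccountHasBeenLocked
	}
	return nil
}

func main() {
	p := privilegeCache{}
	p.createAccount("app_role", "", true)                 // a new role is locked by default
	fmt.Println(p.connectionVerification("app_role", "")) // account has been locked
}
```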
Testing
The unit test is in func (cli *testServerClient) runTestAccountLock.
The related mysql-test is also ported