Support ACCOUNT LOCK/UNLOCK for TiDB #37051
Labels
type/feature-request
Categorizes issue or PR as related to a new feature.
Comments
CbcWestwolf added the type/feature-request label on Aug 11, 2022
/assign
bb7133 changed the title from "TiDB doesn't support ACCOUNT LOCK" to "Support ACCOUNT LOCK/UNLOCK for TiDB" on Aug 22, 2022
ti-chi-bot pushed a commit that referenced this issue on Aug 25, 2022
Motivation
In MySQL, you can lock or unlock a user/role by CREATE USER or ALTER USER. For compatibility, TiDB should support this feature.
Feature Acquirement
According to the description in MySQL account locking, the feature is mainly related to CREATE USER and ALTER USER statements in TiDB.
account_locked column of the mysql.user system table. The output from SHOW CREATE USER indicates whether an account is locked or unlocked.
ErrAccountHasBeenLocked error.
ALTER USER, the role can also log in normally.
Note that these behaviors are different from MySQL8:
validate_password component (at least not in v6.1.0)
Background
Related Data Structures
To accelerate the reading of mysql.user, TiDB has a type MySQLPrivilege struct to cache the users' privileges:
The state of the account lock can be accessed by the User field, since UserRecord contains a field AccountLocked bool:
Update of Privilege
Each time a command that changes privileges is run, such as CREATE USER, ALTER USER and FLUSH, the function NotifyUpdatePrivilege is called to:
mysql.user, and
Design
Since #9377 has added the account_locked column to the mysql.user table, which appeared first in an early version v3.0.5, we don't have to modify the definition of mysql.user table.
AccountLocked field into type UserRecord struct, which is included in MySQLPrivilege, we don't have to modify the definition of privilege.
And the check of lock is placed in func (p *UserPrivileges) ConnectionVerification. The check of lock happens after the check of password.
Testing
func (cli *testServerClient) runTestAccountLock
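The check order described under Design (password first, then lock), as an added Go sketch that is not TiDB's code: only the AccountLocked field and the ErrAccountHasBeenLocked name come from the issue, while verifyConnection, ErrAccessDenied, sampleCache and the SHA-256 password comparison are assumptions for illustration. With this order, a wrong password is rejected the same way whether or not the account is locked, so the lock state is only revealed to a client that knows the password.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// UserRecord is a simplified stand-in for the cached user row.
// Only AccountLocked is taken from the issue; PasswordHash is an assumption.
type UserRecord struct {
	PasswordHash  [32]byte // hypothetical: SHA-256 instead of a MySQL auth plugin
	AccountLocked bool
}

var (
	ErrAccessDenied         = errors.New("access denied")           // hypothetical name
	ErrAccountHasBeenLocked = errors.New("account has been locked") // name from the issue, message constructed
)

// verifyConnection is a hypothetical sketch of the ordering in the Design
// section: the password is checked first, the lock flag second.
func verifyConnection(cache map[string]UserRecord, user, password string) error {
	rec, ok := cache[user]
	sum := sha256.Sum256([]byte(password))
	// Compare even for unknown users so both failure paths do the same work.
	if subtle.ConstantTimeCompare(sum[:], rec.PasswordHash[:]) != 1 || !ok {
		return ErrAccessDenied
	}
	if rec.AccountLocked {
		return ErrAccountHasBeenLocked
	}
	return nil
}

// sampleCache returns constructed sample data: one locked and one unlocked account.
func sampleCache() map[string]UserRecord {
	return map[string]UserRecord{
		"alice": {PasswordHash: sha256.Sum256([]byte("s3cret")), AccountLocked: true},
		"bob":   {PasswordHash: sha256.Sum256([]byte("hunter2"))},
	}
}

func main() {
	cache := sampleCache()
	fmt.Println(verifyConnection(cache, "alice", "wrong"))  // wrong password, locked account
	fmt.Println(verifyConnection(cache, "alice", "s3cret")) // correct password, locked account
	fmt.Println(verifyConnection(cache, "bob", "hunter2"))  // correct password, unlocked account
}
```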