Unverified Commit 7c57f31b authored by Alan Christopher Thomas, committed by GitHub

Merge pull request #72 from smallstep/tidb

TiDB
parents 097cf3e1 b7db7a1a
name: TiDB
protocol: mysql
server_port: 4000
topics: {}
docs/tidb/logo.png

11 KiB

TiDB requires client certificates to be configured on a per-user basis. The requirement can be configured using `CREATE USER` or `ALTER USER` statements. When set, TiDB will reject connections from these users if they don't present a valid certificate signed by your CA.
```sql
mysql> CREATE USER 'myuser'@'%' REQUIRE SUBJECT 'CN={{ client_name }}';
mysql> ALTER USER 'myuser'@'%' REQUIRE SUBJECT 'CN={{ client_name }}';
```
You can [require other user certificate information](https://docs.pingcap.com/tidb/stable/certificate-authentication#get-user-certificate-information) in order to establish a connection.
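Review bot: The `CREATE USER 'myuser'@'%' REQUIRE SUBJECT 'CN={{ client_name }}';` line has no `IDENTIFIED BY` clause, so as written the client certificate is the account's only credential, and the `'%'` host part accepts it from any address. The text should state that explicitly, or show a password clause if both factors are intended. The `CREATE USER` and `ALTER USER` statements are also alternatives (new account versus existing account) but appear back to back; say "use one of", and drop the `mysql>` prefix so the block can be pasted as SQL.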
Copy the `{{ server_cert }}`, `{{ server_key }}`, and `{{ ca_cert }}` files to the directory that contains your TiDB config file.
```shell-session
$ sudo cp {{ server_cert }} /<tidb-config-dir>/server-cert.pem
$ sudo cp {{ server_key }} /<tidb-config-dir>/server-key.pem
$ sudo cp {{ ca_cert }} /<tidb-config-dir>/ca.pem
```
These files should be owned by the user that runs TiDB. Now add the following to your TiDB config file:
```ini
#...
[security]
# Path of file that contains list of trusted SSL CAs for connection with mysql client.
ssl-ca = "ca.pem"
# Path of file that contains X509 certificate in PEM format for connection with mysql client.
ssl-cert = "server-cert.pem"
# Path of file that contains X509 key in PEM format for connection with mysql client.
ssl-key = "server-key.pem"
require-secure-transport=true
#...
```
Restart your TiDB server for these changes to take effect.
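Review bot: The three `sudo cp` lines leave `server-key.pem` owned by root, and the following sentence only says the files "should be owned by the user that runs TiDB" without a step that makes it so. Add explicit ownership and permission commands after the copy, with the key readable only by the TiDB service user. In the `[security]` block, `ssl-ca`, `ssl-cert` and `ssl-key` are bare file names while the copy targets are under `/<tidb-config-dir>/`; state what the paths are resolved against or use the full paths. `require-secure-transport=true` is the only setting without a comment and without spaces around `=`; give it a comment like the others, since it is the line that rejects non-TLS connections.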