Commit d40cdc56 authored by Carl Tashian

WIP TiDB support

parent b229cfb3
name: TiDB
protocol: mysql
server_port: 4000
topics:
client:
links:
- text: Enable TLS Between TiDB Clients and Servers
url: https://docs.pingcap.com/tidb/stable/enable-tls-between-clients-and-servers
- text: Enable TLS Between TiDB Components
url: https://docs.pingcap.com/tidb/stable/enable-tls-between-components
docs/tidb/logo.png

11 KiB

Connect to your TiDB database using `mysql` connection parameters to specify the location of your client certificate, private key, and root CA certificate.
```shell-session
$ mysql --host 127.0.0.1 --port 4000 \
-u root --ssl-ca={{ ca_cert }} --ssl-mode=VERIFY_CA ]
--ssl-cert={{ client_cert }} --ssl-key={{ client_key }}"
```
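Review bot: The second line of the `mysql` command ends in `]` where a `\` continuation is needed, and the last line ends in a stray `"` with no opening quote, so the command will not paste into a shell as written. Replace the `]` with `\` and drop the trailing quote. Separately, `--ssl-mode=VERIFY_CA` validates the chain against `--ssl-ca` but does not check that the server certificate matches the `--host` value; if the server certificate covers the name or address clients connect to, `VERIFY_IDENTITY` would be the stronger default to document.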
TiDB requires client certificates to be configured on a per-user basis. The requirement can be configured using `CREATE USER` or `ALTER USER` statements. When set, TiDB will reject connections from these users if they don't present a valid certificate signed by your CA.
```sql
mysql> CREATE USER 'myuser'@'myhost' REQUIRE SUBJECT 'CN={{ client_name }}';
mysql> ALTER USER 'myuser'@'myhost' REQUIRE SUBJECT 'CN={{ client_name }}';
```
You can [require other user certificate information](https://docs.pingcap.com/tidb/stable/certificate-authentication#get-user-certificate-information) in order to establish a connection.
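Review bot: `REQUIRE SUBJECT 'CN={{ client_name }}'` pins only the subject, so any certificate signed by the configured CA that carries this CN is accepted for the user. Either add a `REQUIRE ISSUER` clause or state in the text that the CA should be dedicated to this purpose. It is also worth confirming against the linked TiDB page that a bare `CN=...` value matches when the certificate subject has additional attributes. The opening sentence reads as if TiDB always requires client certificates, while the rest of the paragraph describes an opt-in per-user setting; "can require" would match. The `CREATE USER` and `ALTER USER` lines are alternatives and the text should say so, and the `mysql>` prompts inside a `sql` fence stop the statements from being copied as-is.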
Copy the `{{ server_cert }}`, `{{ server_key }}`, and `{{ ca_cert }}` files to the directory that contains your TiDB config file.
```shell-session
$ sudo cp {{ server_cert }} /<tidb-config-dir>/server-cert.pem
$ sudo cp {{ server_key }} /<tidb-config-dir>/server-key.pem
$ sudo cp {{ ca_cert }} /<tidb-config-dir>/ca.pem
```
These files should be owned by the user that runs TiDB. Now add the following to your TiDB config file:
```ini
#...
[security]
# Path of file that contains list of trusted SSL CAs for connection with mysql client.
ssl-ca = "ca.pem"
# Path of file that contains X509 certificate in PEM format for connection with mysql client.
ssl-cert = "server-cert.pem"
# Path of file that contains X509 key in PEM format for connection with mysql client.
ssl-key = "server-key.pem"
require-secure-transport=true
#...
```
Restart your TiDB server for these changes to take effect.
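Review bot: The `sudo cp` steps leave `server-key.pem` owned by root, and the following sentence only says the files "should be owned by the user that runs TiDB" without giving a command. Add an explicit `chown` to the TiDB user and a restrictive mode on the key (for example `chmod 600`) to the session so the private key is not left readable by other accounts. In the config block, `ssl-ca`, `ssl-cert` and `ssl-key` are relative paths while the copy targets are written as absolute paths under `/<tidb-config-dir>/`; say what the relative paths resolve against or use the full paths. `require-secure-transport=true` is the only setting without a comment and without spaces around `=`; a one-line comment that it refuses non-TLS client connections would match the three settings above it.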