5.5.6. Pluggable Authentication

Before MySQL 5.5.7, when a client connects to the server, the server uses the user name provided by the client and the client host to determine which mysql.user table account row to use for authentication. The server authenticates the password provided by the client against the Password column of the account row.

As of MySQL 5.5.7, the server authenticates clients using plugins. Selection of the proper row from the mysql.user table is based on the user name and client host, as before, but the server authenticates the client credentials as follows:

  • The server determines which authentication plugin applies for the user:

    • If the account row specifies no plugin name, the server uses built-in authentication against the password stored in the account row. MySQL includes two built-in authentication plugins that cannot be disabled. These plugins provide native password checking and pre-MySQL 4.1.1 authentication that uses shorter password hash values. This is the same authentication provided by MySQL servers older than 5.5.7, which match the password against the Password column of the account row.

    • If the account row specifies a plugin, the server invokes it to authenticate the user. If the server cannot find the plugin, an error occurs.

  • The plugin returns a status to the server indicating whether the user is permitted to connect.

  • If the user is permitted to connect, the plugin may also return a user name to indicate that the user is a proxy for another user. In this case, the proxy user impersonates the proxied user: while the connection lasts, the proxy user has the access privileges of the proxied user. For more information, see Section 5.5.7, “Proxy Users”.
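
The selection logic above can be audited from the grant tables. The queries below are an added example, not part of the MySQL manual. They assume the mysql.user layout of 5.5.7 and later (a plugin column beside Password), the information_schema.PLUGINS table, and the mysql.proxies_priv table; the hash-format checks (41 characters with a leading '*' for native hashes, 16 characters for pre-4.1 hashes) are a heuristic that is not stated on this page.

```sql
-- Added audit example; run as an account that can read the mysql schema.

-- 1. Which authentication path will the server take for each account row?
SELECT u.User, u.Host,
       CASE
         -- No plugin named: built-in check against the Password column.
         WHEN u.plugin IS NULL OR u.plugin = '' THEN
           CASE
             WHEN u.Password = ''
               THEN 'built-in, EMPTY password'
             WHEN LENGTH(u.Password) = 41 AND u.Password LIKE '*%'
               THEN 'built-in, native hash'
             WHEN LENGTH(u.Password) = 16
               THEN 'built-in, pre-4.1 short hash'
             ELSE 'built-in, unrecognized Password format'
           END
         -- Plugin named but unknown to the server: connecting yields an error.
         WHEN p.PLUGIN_NAME IS NULL
           THEN CONCAT('plugin ', u.plugin, ' not found by server')
         WHEN p.PLUGIN_STATUS <> 'ACTIVE'
           THEN CONCAT('plugin ', u.plugin, ' is ', p.PLUGIN_STATUS)
         ELSE CONCAT('plugin ', u.plugin)
       END AS auth_method
FROM mysql.user AS u
LEFT JOIN information_schema.PLUGINS AS p
       ON p.PLUGIN_NAME = u.plugin
      AND p.PLUGIN_TYPE = 'AUTHENTICATION'
ORDER BY auth_method, u.User, u.Host;

-- 2. Which accounts may act as a proxy, and whose privileges do they assume?
SELECT User AS proxy_user, Host AS proxy_host,
       Proxied_user, Proxied_host, With_grant
FROM mysql.proxies_priv
ORDER BY Proxied_user, Proxied_host, proxy_user;
```

Rows reported with an empty password, a pre-4.1 short hash, or a plugin the server cannot find are the ones to review first, together with any proxy mapping onto a highly privileged proxied user.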
