Before MySQL 5.5.7, when a client connects to the server, the server uses the user name provided by the client and the client host to determine which mysql.user table account row to use for authentication. The server authenticates the password provided by the client against the Password column of the account row.
As of MySQL 5.5.7, the server authenticates clients using plugins. Selection of the proper row from the mysql.user table is based on the user name and client host, as before, but the server authenticates the client credentials as follows:
The server determines which authentication plugin applies for the user:
If the account row specifies no plugin name, the server uses built-in authentication against the password stored in the account row. MySQL includes two built-in authentication plugins that cannot be disabled. These plugins provide native password checking and pre-MySQL 4.1.1 authentication that uses shorter password hash values. This is the same authentication provided by MySQL servers older than 5.5.7 that matches the password against the Password column of the account row.
If the account row specifies a plugin, the server invokes it to authenticate the user. If the server cannot find the plugin, an error occurs.
The plugin returns a status to the server indicating whether the user is permitted to connect.
If the user is permitted to connect, the plugin may also return a user name to indicate that the connecting user is a proxy for another user. In this case, the proxy user impersonates the proxied user: while the connection lasts, the proxy user has the access privileges of the proxied user. For more information, see Section 5.5.7, “Proxy Users”.
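
An added example (not from the MySQL manual): an audit query that reports which of the authentication paths described above each account row takes, so that pre-4.1 short hashes, empty passwords, and proxy mappings can be reviewed. It assumes MySQL 5.5.7 or later, the standard hash lengths (41 characters with a leading `*` for native hashes, 16 characters for pre-4.1 hashes), and the `mysql.proxies_priv` grant table for proxy mappings.

```sql
-- Added audit example. Run as an account with SELECT on the mysql schema.
-- Classifies every account by how the server will authenticate it.
SELECT
    User,
    Host,
    plugin,
    CASE
        -- A plugin name is set: the server invokes that plugin.
        WHEN plugin IS NOT NULL AND plugin <> ''
            THEN CONCAT('plugin: ', plugin)
        -- No plugin name: built-in authentication against the Password column.
        WHEN Password = ''
            THEN 'built-in, EMPTY password'
        WHEN LENGTH(Password) = 41 AND LEFT(Password, 1) = '*'
            THEN 'built-in, native hash'
        WHEN LENGTH(Password) = 16
            THEN 'built-in, pre-4.1 short hash'
        ELSE 'built-in, unrecognized hash format'
    END AS auth_path
FROM mysql.user
ORDER BY auth_path, User, Host;

-- Proxy mappings: which accounts may take on another account's privileges.
-- With_grant = 1 means the proxy account can grant the PROXY privilege onward.
SELECT
    User         AS proxy_user,
    Host         AS proxy_host,
    Proxied_user,
    Proxied_host,
    With_grant
FROM mysql.proxies_priv
ORDER BY Proxied_user, Proxied_host, proxy_user;
```

Rows reported with a pre-4.1 short hash or an empty password are the ones to prioritize for a password reset, and each proxy mapping should be checked against the privileges of the proxied account it exposes.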