The optional IDENTIFIED VIA authentication_plugin allows you to specify that the account should be authenticated by a specific authentication plugin. The plugin name must be an active authentication plugin as per SHOW PLUGINS. If it doesn't show up in that output, then you will need to install it with INSTALL PLUGIN or INSTALL SONAME.

For example, this could be used with the PAM authentication plugin:

    CREATE USER foo2@test IDENTIFIED VIA pam;

Some authentication plugins allow additional arguments to be specified after a USING or AS keyword. For example, the PAM authentication plugin accepts a service name:

    CREATE USER foo2@test IDENTIFIED VIA pam USING 'mariadb';

The exact meaning of the additional argument would depend on the specific authentication plugin.

One can specify many authentication plugins; they all work as alternative ways of authenticating a user:

    CREATE USER safe@'%' IDENTIFIED VIA ed25519 USING PASSWORD('secret') OR unix_socket;

By default, when you create a user without specifying an authentication plugin, MariaDB uses the mysql_native_password plugin.

TLS Options

By default, MariaDB transmits data between the server and clients without encrypting it. This is generally acceptable when the server and client run on the same host or in networks where security is guaranteed through other means. However, in cases where the server and client exist on separate networks or they are in a high-risk network, the lack of encryption does introduce security concerns as a malicious actor could potentially eavesdrop on the traffic as it is sent over the network between them.

To mitigate this concern, MariaDB allows you to encrypt data in transit between the server and clients using the Transport Layer Security (TLS) protocol. TLS was formerly known as Secure Socket Layer (SSL), but strictly speaking the SSL protocol is a predecessor to TLS, and that version of the protocol is now considered insecure. The documentation still uses the term SSL often, and for compatibility reasons TLS-related server system and status variables still use the prefix ssl_, but internally, MariaDB only supports its secure successors.

See Secure Connections Overview for more information about how to determine whether your MariaDB server has TLS support.

You can set certain TLS-related restrictions for specific user accounts. For instance, you might use this with user accounts that require access to sensitive data while sending it across networks that you do not control. These restrictions can be enabled for a user account with the CREATE USER, ALTER USER, or GRANT statements.

TLS is not required for this account, but can still be used.

This option cannot be combined with other TLS options.

ISSUER: Also, the Certificate Authority must be the one specified via the string issuer. This option can be combined with the SUBJECT and CIPHER options in any order.

SUBJECT: The account must use TLS and must have a valid X509 certificate. Also, the certificate's Subject must be the one specified via the string subject. This option can be combined with the ISSUER and CIPHER options in any order.

CIPHER: The account must use TLS, but no valid X509 certificate is required. Also, the encryption used for the connection must use a specific cipher method specified in the string cipher. This option can be combined with the ISSUER and SUBJECT options in any order.
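The per-account TLS restrictions described above, written out as an added example (not taken from the MariaDB documentation). It uses MariaDB's REQUIRE clause; the account names, hosts, passwords, certificate strings and cipher name are constructed placeholders.

```sql
-- Added example. All names, hosts, passwords and certificate DNs below are
-- constructed placeholders; replace them with values from your own PKI.

-- Weak: no TLS requirement (the default, same as REQUIRE NONE).
-- Queries and results for this account may cross the network unencrypted.
CREATE USER 'report_ro'@'%' IDENTIFIED BY 'constructed-password-1';

-- Corrected: the same account is now refused unless the connection uses TLS.
-- No client certificate is needed.
ALTER USER 'report_ro'@'%' REQUIRE SSL;

-- Stricter: the client must present a valid X509 certificate issued by a
-- specific CA, with a specific subject, and negotiate a specific cipher.
-- ISSUER, SUBJECT and CIPHER may be combined in any order.
CREATE USER 'etl_writer'@'10.0.%'
  IDENTIFIED BY 'constructed-password-2'
  REQUIRE ISSUER  '/C=XX/O=Example Org/CN=Example Internal CA'
      AND SUBJECT '/C=XX/O=Example Org/CN=etl-writer'
      AND CIPHER  'ECDHE-RSA-AES256-GCM-SHA384';

-- Audit: accounts that can still connect without TLS.
-- ssl_type is '' for REQUIRE NONE, 'ANY' for REQUIRE SSL, 'X509' for
-- REQUIRE X509, and 'SPECIFIED' when ISSUER, SUBJECT or CIPHER is set.
SELECT User, Host, plugin
FROM mysql.user
WHERE ssl_type = ''
ORDER BY User, Host;

-- Review exactly what is enforced for the certificate-bound account.
SELECT User, Host, ssl_type, ssl_cipher, x509_issuer, x509_subject
FROM mysql.user
WHERE User = 'etl_writer';

-- From a client session: confirm the current connection is encrypted.
-- An empty Ssl_cipher value means the session is not using TLS.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';
```

Run the audit query after every account change; any row it returns for a remotely reachable host is an account that will accept an unencrypted connection.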