TiDB supports multiple layers of security: TLS for client and inter-component communication, MySQL-compatible user authentication and privileges, Role-Based Access Control (RBAC), Security Enhanced Mode (SEM), and encryption at rest via TiKV.
TLS for client connections
Configure TLS in tidb.toml under the [security] section. The following options are drawn from config.toml.example:
[security]
# Path of file that contains list of trusted SSL CAs for connection with mysql client.
ssl-ca = "/path/to/ca.pem"
# Path of file that contains X509 certificate in PEM format for connection with mysql client.
ssl-cert = "/path/to/server-cert.pem"
# Path of file that contains X509 key in PEM format for connection with mysql client.
ssl-key = "/path/to/server-key.pem"
# Automatic creation of TLS certificates (recommended).
# If commented/missing, defaults to false for backward compatibility.
auto-tls = true
# Minimum TLS version to accept. Example: "TLSv1.2"
tls-version = "TLSv1.2"
# RSA key size for automatically generated keys.
rsa-key-size = 4096
With auto-tls = true, TiDB generates a self-signed certificate on startup. For production, provide your own CA-signed certificates.
TLS for inter-component communication
Secure communication between TiDB, TiKV, PD, and TiFlash uses separate certificates:
[security]
# Trusted CA for cluster component connections.
cluster-ssl-ca = "/path/to/cluster-ca.pem"
# Certificate for cluster component connections.
cluster-ssl-cert = "/path/to/cluster-cert.pem"
# Key for cluster component connections.
cluster-ssl-key = "/path/to/cluster-key.pem"
User authentication
TiDB uses MySQL-compatible user accounts and the mysql.user system table. Create users and assign passwords with standard SQL:
-- Create an application user with password authentication
CREATE USER 'app'@'%' IDENTIFIED BY 'strong_password';
-- Create a read-only user restricted to a specific host
CREATE USER 'readonly'@'10.0.1.0/255.255.255.0' IDENTIFIED BY 'another_password';
Privilege management (RBAC)
TiDB implements MySQL-compatible privilege levels: global, database, table, and column.
-- Grant specific privileges on a database
GRANT SELECT, INSERT, UPDATE, DELETE ON mydb.* TO 'app'@'%';
-- Grant read-only access to a single table
GRANT SELECT ON mydb.orders TO 'readonly'@'%';
-- Grant all privileges (use sparingly)
GRANT ALL PRIVILEGES ON mydb.* TO 'admin'@'%';
-- Revoke a privilege
REVOKE INSERT ON mydb.* FROM 'app'@'%';
-- View current grants
SHOW GRANTS FOR 'app'@'%';
Roles
Use roles to group privileges and assign them to multiple users:
-- Create a role
CREATE ROLE 'analyst';
-- Grant privileges to the role
GRANT SELECT ON analytics.* TO 'analyst';
-- Assign the role to a user
GRANT 'analyst' TO 'alice'@'%';
-- Make the role active automatically when alice logs in; without a default role,
-- the user has to activate it in each session before its privileges apply
SET DEFAULT ROLE 'analyst' FOR 'alice'@'%';
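As an added example for the privilege and role sections above (example code, not a TiDB tool), the following Python script parses SHOW GRANTS output of the shape shown on this page and flags grants that work against least privilege: ALL PRIVILEGES, SUPER, GRANT OPTION, and any non-USAGE privilege granted at global scope. The sample lines are constructed, and which privileges count as high risk is the example's own choice.

```python
import re

# Constructed sample of SHOW GRANTS output lines, shaped like the GRANT
# statements on this page (not real TiDB system-table contents).
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app'@'%'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `mydb`.* TO 'app'@'%'",
    "GRANT SELECT ON `mydb`.`orders` TO 'readonly'@'%'",
    "GRANT ALL PRIVILEGES ON `mydb`.* TO 'admin'@'%'",
    "GRANT SUPER ON *.* TO 'ops'@'%'",
    "GRANT SELECT ON `mydb`.* TO 'dba'@'%' WITH GRANT OPTION",
    "GRANT 'analyst' TO 'alice'@'%'",  # role grant: no ON clause
]

# Privileges the page singles out (SUPER, ALL PRIVILEGES) plus GRANT OPTION;
# this list is the example's own choice, not a TiDB definition.
HIGH_RISK_PRIVS = {"SUPER", "ALL PRIVILEGES", "GRANT OPTION"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)


def parse_grant(line):
    """Split one SHOW GRANTS line into privileges, scope, user and host.
    Returns None for role grants (no ON clause) and anything unparsable."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    if "WITH GRANT OPTION" in line.upper():  # trailing clause, treat as a privilege
        privs.append("GRANT OPTION")
    return {
        "privs": privs,
        "scope": m.group("scope").replace("`", ""),
        "user": m.group("user"),
        "host": m.group("host"),
    }


def audit_grants(lines):
    """Return (account, reason) pairs for grants that undermine least privilege:
    any high-risk privilege, and any non-USAGE privilege granted at global scope."""
    findings = []
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        account = f"'{g['user']}'@'{g['host']}'"
        risky = [p for p in g["privs"] if p in HIGH_RISK_PRIVS]
        for p in risky:
            findings.append((account, f"{p} on {g['scope']}"))
        if g["scope"] == "*.*" and g["privs"] != ["USAGE"] and not risky:
            findings.append((account, f"global grant of {', '.join(g['privs'])}"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_grants(SAMPLE_GRANTS):
        print(f"{account}: {reason}")
```

Run it against the real output of SHOW GRANTS for each account (one line per list entry) to get a quick inventory of accounts that would need reworking before SEM is enabled or that should be split into narrower grants and roles.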
Security Enhanced Mode (SEM)
SEM restricts the SUPER privilege and requires fine-grained privileges instead. This limits the blast radius of a compromised superuser account.
Enable SEM in tidb.toml:
[security]
enable-sem = true
Enabling SEM changes privilege requirements for several administrative operations. Test in a non-production environment before enabling in production.
When SEM is enabled, operations that previously required SUPER (such as reading INFORMATION_SCHEMA internal tables) require specific restricted privileges instead. Use SHOW GRANTS to check which privileges an account currently holds, and grant the specific restricted privilege each operation needs.
Encryption at rest
TiKV supports encryption at rest for data files. Configure it in the TiKV configuration file:
[security.encryption]
# Encryption method: "plaintext" (disabled), "aes128-ctr", "aes192-ctr", "aes256-ctr"
data-encryption-method = "aes256-ctr"
# Key rotation period as a duration (168h = 7 days)
data-key-rotation-period = "168h"
[security.encryption.master-key]
# Master key type: "plaintext", "kms", "file"
type = "kms"
key-id = "your-kms-key-id"
region = "us-east-1"
TiDB also supports encrypting spilled temporary data files. Configure this in tidb.toml:
[security]
# Possible values: "plaintext", "aes128-ctr"
spilled-file-encryption-method = "aes128-ctr"
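Added example serving both the TLS sections and the encryption-at-rest section above (example code, not part of TiDB or TiKV): a Python checker that reads the [security] options named on this page from tidb.toml and the [security.encryption] options from the TiKV configuration and reports settings a reviewer would push back on. It uses a small parser for the TOML subset these snippets use (dotted section headers, comments, quoted strings, integers, booleans), so it runs without third-party libraries; the sample configurations are constructed, and the severity rules are the example's own.

```python
# Constructed sample configurations (not real deployments): a weak tidb.toml,
# a hardened tidb.toml, and a TiKV config with encryption at rest disabled.
WEAK_TIDB = """
[security]
auto-tls = true          # self-signed certificate, fine for testing only
tls-version = "TLSv1.0"
rsa-key-size = 4096
enable-sem = false
"""
STRONG_TIDB = """
[security]
ssl-ca = "/etc/tidb/ca.pem"
ssl-cert = "/etc/tidb/server-cert.pem"
ssl-key = "/etc/tidb/server-key.pem"
auto-tls = false
tls-version = "TLSv1.2"
cluster-ssl-ca = "/etc/tidb/cluster-ca.pem"
cluster-ssl-cert = "/etc/tidb/cluster-cert.pem"
cluster-ssl-key = "/etc/tidb/cluster-key.pem"
enable-sem = true
spilled-file-encryption-method = "aes128-ctr"
"""
WEAK_TIKV = """
[security.encryption]
data-encryption-method = "plaintext"
data-key-rotation-period = "168h"
[security.encryption.master-key]
type = "plaintext"
"""

ACCEPTED_TLS = ("TLSv1.2", "TLSv1.3")


def parse_toml_subset(text):
    """Parse the TOML subset used on this page: [a.b] headers, '#' comments and
    key = value with quoted strings, integers or true/false. Assumption: a small
    helper for this example, not a full TOML parser ('#' inside quotes breaks it)."""
    data = {}
    current = data
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = data
            for part in line[1:-1].split("."):  # dotted header = nested tables
                current = current.setdefault(part.strip(), {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            current[key] = value[1:-1]
        elif value in ("true", "false"):
            current[key] = value == "true"
        else:
            current[key] = int(value)
    return data


def check_tidb_security(sec):
    """Findings for a tidb.toml [security] table (rules are this example's own)."""
    out = []
    if sec.get("auto-tls"):
        out.append("auto-tls=true: self-signed certificate; use CA-signed certs in production")
    elif not all(sec.get(k) for k in ("ssl-ca", "ssl-cert", "ssl-key")):
        out.append("client TLS not configured: set ssl-ca, ssl-cert and ssl-key")
    if sec.get("tls-version") not in ACCEPTED_TLS:
        out.append(f"tls-version={sec.get('tls-version')!r}: pin TLSv1.2 or TLSv1.3")
    if not all(sec.get(k) for k in ("cluster-ssl-ca", "cluster-ssl-cert", "cluster-ssl-key")):
        out.append("inter-component TLS not configured: set cluster-ssl-ca/-cert/-key")
    if not sec.get("enable-sem"):
        out.append("enable-sem is off: SUPER accounts keep their full power")
    if sec.get("spilled-file-encryption-method", "plaintext") == "plaintext":
        out.append("spilled-file-encryption-method is plaintext: spill files are unencrypted")
    return out


def check_tikv_encryption(enc):
    """Findings for a TiKV [security.encryption] table."""
    out = []
    if enc.get("data-encryption-method", "plaintext") == "plaintext":
        out.append("data-encryption-method is plaintext: encryption at rest is disabled")
    if enc.get("master-key", {}).get("type", "plaintext") == "plaintext":
        out.append("master-key type is plaintext: data keys are unprotected; use kms or file")
    return out


def audit(tidb_toml, tikv_toml):
    """Parse both configs and return {'tidb': [...], 'tikv': [...]} findings."""
    tidb = parse_toml_subset(tidb_toml).get("security", {})
    tikv = parse_toml_subset(tikv_toml).get("security", {}).get("encryption", {})
    return {"tidb": check_tidb_security(tidb), "tikv": check_tikv_encryption(tikv)}


if __name__ == "__main__":
    for name, items in audit(WEAK_TIDB, WEAK_TIKV).items():
        for item in items:
            print(f"[{name}] {item}")
    print("hardened tidb.toml findings:", audit(STRONG_TIDB, WEAK_TIKV)["tidb"])
```

Feed it the real files (read them into the two strings) to get a checklist before a cluster goes to production; the hardened sample shows the shape of a configuration that passes every rule here.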
Connecting with TLS as a client
mysql -h 127.0.0.1 -P 4000 -u app -p \
--ssl-ca=/path/to/ca.pem \
--ssl-cert=/path/to/client-cert.pem \
--ssl-key=/path/to/client-key.pem
To make the client reject a server whose certificate does not chain to the CA, set --ssl-mode=VERIFY_CA (or VERIFY_IDENTITY, which also checks the hostname) explicitly on MySQL 5.7+/8.0 clients rather than relying on the client's default mode.
To require TLS for a specific user:
ALTER USER 'app'@'%' REQUIRE SSL;