Document MySQL-compatible dual password support#23228
Conversation
TiDB supports the MySQL 8.0 dual password policy (RETAIN CURRENT PASSWORD / DISCARD OLD PASSWORD on ALTER USER, SET PASSWORD ... RETAIN CURRENT PASSWORD, and the APPLICATION_PASSWORD_ADMIN dynamic privilege) via pingcap/tidb#68393. - password-management.md: new "Dual password policy" section — rotation walkthrough, storage location, required privileges, restrictions (capable plugins, 3894/3895/3878 error conditions), rolling-upgrade note. - sql-statement-alter-user.md: DualPasswordOption in the synopsis and a no-downtime rotation example. - sql-statement-set-password.md: RETAIN CURRENT PASSWORD in the synopsis, example, privilege note, and the REPLACE-clause compatibility caveat. - privilege-management.md: APPLICATION_PASSWORD_ADMIN in the dynamic privileges list. - security-compatibility-with-mysql.md: remove "Dual password policy" from the unsupported security features list. Co-Authored-By: Claude <noreply@anthropic.com>
|
Hi @takaidohigasi. Thanks for your PR. I'm waiting for a pingcap member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Code Review
This pull request documents the new dual password policy feature introduced in TiDB v9.0.0, which allows for zero-downtime password rotation by supporting primary and secondary passwords. The changes span password management, privilege management, and SQL statement documentation (ALTER USER and SET PASSWORD). The review feedback focuses on aligning the new text with the style guide, specifically by addressing the user in the second person ('you') and converting passive voice constructions to active voice.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
| - Password reuse policy: prevent users from reusing old passwords. | ||
| - Failed-login tracking and temporary account locking policy: temporarily lock a user account to prevent the same user from trying to log in after multiple login failures caused by wrong passwords. | ||
|
|
||
| Starting from v9.0.0, TiDB also supports the dual password policy, which lets applications rotate passwords without downtime. For details, see [Dual password policy](#dual-password-policy). |
There was a problem hiding this comment.
Starting from v9.0.0
Need to consul
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
| - Password reuse policy: prevent users from reusing old passwords. | ||
| - Failed-login tracking and temporary account locking policy: temporarily lock a user account to prevent the same user from trying to log in after multiple login failures caused by wrong passwords. | ||
|
|
||
| Starting from v9.0.0, TiDB also supports the dual password policy, which lets you rotate passwords for applications without downtime. For details, see [Dual password policy](#dual-password-policy). |
There was a problem hiding this comment.
Starting from v9.0.0,
Need to consult
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
| 1 row in set (0.00 sec) | ||
| ``` | ||
|
|
||
| Starting from v9.0.0, `SET PASSWORD ... RETAIN CURRENT PASSWORD` retains the current password as the secondary password while setting the new primary password, so both passwords remain valid during a password rotation. For details, see [Dual password policy](/password-management.md#dual-password-policy). |
There was a problem hiding this comment.
Starting from v9.0.0
also need to consul
…ributes The User_attributes column also stores the secondary password under $.additional_password when dual passwords are used; note it in both the TiDB and TiDB Cloud descriptions with a link to the dual password policy section. Co-Authored-By: Claude <noreply@anthropic.com>
MySQL-compatibility docs verificationAudited every compatibility-related page for dual-password impact. Result:
Also verified the statement-level compatibility notes:
|
|
I found this is planned to release at 8.5.x, so will fix some. |
|
8.5.7 or 8.5.8 which is the proper version...? |
pingcap/tidb#69735 backported the feature to release-8.5 and it ships in the v8.5.7 train, so "Starting from v9.0.0" becomes "Starting from v8.5.7" in the three version notes (password-management.md intro + section, sql-statement-set-password.md). Co-Authored-By: Claude <noreply@anthropic.com>
|
pingcap/tidb#69735 (release-8.5 backport) has merged and the feature ships in the v8.5.7 train, so |
|
One behavioral nuance for reviewers (and for anyone extending these pages later): On release-8.5 (v8.5.7), Impact on this PR: none — the current text never references Please keep this in mind for future edits, though: if a "verify the privilege with |
First-time contributors' checklist
What is changed, added or deleted? (Required)
Documents the MySQL 8.0-compatible dual password feature being added in pingcap/tidb#68393 (
ALTER USER ... RETAIN CURRENT PASSWORD/DISCARD OLD PASSWORD,SET PASSWORD ... RETAIN CURRENT PASSWORD, and theAPPLICATION_PASSWORD_ADMINdynamic privilege).password-management.md: new Dual password policy section — no-downtime rotation walkthrough, storage location (mysql.user.User_attributes), required privileges (self vs cross-account), restrictions (capable auth plugins;ER_CURRENT_PASSWORD_CANNOT_BE_RETAINED,ER_SECOND_PASSWORD_CANNOT_BE_EMPTY,ER_PASSWORD_CANNOT_BE_RETAINED_ON_PLUGIN_CHANGE), and a rolling-upgrade note.sql-statements/sql-statement-alter-user.md:DualPasswordOptionin the synopsis + rotation example.sql-statements/sql-statement-set-password.md:RETAIN CURRENT PASSWORDin the synopsis + example + privilege note; also notes that theREPLACEclause is not supported.privilege-management.md:APPLICATION_PASSWORD_ADMINadded to the dynamic privileges list.security-compatibility-with-mysql.md: removed "Dual password policy" from the unsupported security features list.Which TiDB version(s) do your changes apply to? (Required)
Tips for choosing the affected version(s):
By default, CHOOSE MASTER ONLY so your changes will be applied to the next TiDB major or minor releases. If your PR involves a product feature behavior change or a compatibility change, CHOOSE THE AFFECTED RELEASE BRANCH(ES) AND MASTER.
For details, see tips for choosing the affected versions.
What is the related PR or file link(s)?
Do your changes match any of the following descriptions?