From 0fb9bc05548cda7a33bf0123f7ef2462209b08ce Mon Sep 17 00:00:00 2001 From: joccau Date: Fri, 7 Mar 2025 16:02:14 +0800 Subject: [PATCH 01/11] update doc for max-user-connections Signed-off-by: joccau --- mysql-schema/mysql-schema-user.md | 3 ++- security-compatibility-with-mysql.md | 2 +- sql-statements/sql-statement-alter-user.md | 19 ++++++++++++++++ sql-statements/sql-statement-create-user.md | 25 ++++++++++++++++++--- system-variables.md | 12 ++++++++++ 5 files changed, 56 insertions(+), 5 deletions(-) diff --git a/mysql-schema/mysql-schema-user.md b/mysql-schema/mysql-schema-user.md index 5c4564b5134a8..69ef40dce8f45 100644 --- a/mysql-schema/mysql-schema-user.md +++ b/mysql-schema/mysql-schema-user.md @@ -63,8 +63,9 @@ The output is as follows: | Password_expired | enum('N','Y') | NO | | N | | | Password_last_changed | timestamp | YES | | CURRENT_TIMESTAMP | | | Password_lifetime | smallint unsigned | YES | | NULL | | +| max_user_connections | int unsigned | NO | | 0 | | +------------------------+-------------------+------+------+-------------------+-------+ -44 rows in set (0.00 sec) +45 rows in set (0.00 sec) ``` The `mysql.user` table contains several fields that can be categorized into three groups: diff --git a/security-compatibility-with-mysql.md b/security-compatibility-with-mysql.md index d795556f619ab..b0526558f6600 100644 --- a/security-compatibility-with-mysql.md +++ b/security-compatibility-with-mysql.md @@ -11,7 +11,7 @@ TiDB supports security features similar to MySQL 5.7, and also supports some sec ## Unsupported security features - Column level permissions. -- These permission attributes: `max_questions`, `max_updated`, and `max_user_connections`. +- These permission attributes: `max_questions`, `max_updated`. - Password verification policy, which requires you to verify the current password when you change it. - Dual password policy. - Random password generation. diff --git a/sql-statements/sql-statement-alter-user.md b/sql-statements/sql-statement-alter-user.md index 6e4fb809fc5a1..426d9825c4e88 100644 --- a/sql-statements/sql-statement-alter-user.md +++ b/sql-statements/sql-statement-alter-user.md @@ -32,6 +32,9 @@ Username ::= AuthOption ::= ( 'IDENTIFIED' ( 'BY' ( AuthString | 'PASSWORD' HashString ) | 'WITH' StringName ( 'BY' AuthString | 'AS' HashString )? ) )? +ConnectionOptions ::= + ( 'WITH' 'MAX_USER_CONNECTIONS' N )? + PasswordOption ::= ( 'PASSWORD' 'EXPIRE' ( 'DEFAULT' | 'NEVER' | 'INTERVAL' N 'DAY' )? | 'PASSWORD' 'HISTORY' ( 'DEFAULT' | N ) | 'PASSWORD' 'REUSE' 'INTERVAL' ( 'DEFAULT' | N 'DAY' ) | 'FAILED_LOGIN_ATTEMPTS' N | 'PASSWORD_LOCK_TIME' ( N | 'UNBOUNDED' ) )* LockOption ::= ( 'ACCOUNT' 'LOCK' | 'ACCOUNT' 'UNLOCK' )? @@ -155,6 +158,22 @@ ALTER USER 'newuser' PASSWORD REUSE INTERVAL 90 DAY; Query OK, 0 rows affected (0.02 sec) ``` +Use `ALTER USER ... WITH MAX_USER_CONNECTIONS N` to modify the maximum connection limit for `newuser`: + +```sql +ALTER USER 'newuser' WITH MAX_USER_CONNECTIONS 3; +SELECT User, Host, max_user_connections FROM mysql.user WHERE User='newuser'; +``` + +``` ++---------+------+----------------------+ +| User | Host | max_user_connections | ++---------+------+----------------------+ +| newuser | % | 3 | ++---------+------+----------------------+ +1 row in set (0.01 sec) +``` + ### Modify the resource group bound to the user Use `ALTER USER ... RESOURCE GROUP` to modify the resource group of the user `newuser` to `rg1`. diff --git a/sql-statements/sql-statement-create-user.md b/sql-statements/sql-statement-create-user.md index 5ee1ba1f2a4ae..1a4e8e5e0f06e 100644 --- a/sql-statements/sql-statement-create-user.md +++ b/sql-statements/sql-statement-create-user.md @@ -36,6 +36,9 @@ StringName ::= stringLit | Identifier +ConnectionOptions ::= + ( 'WITH' 'MAX_USER_CONNECTIONS' N )? + PasswordOption ::= ( 'PASSWORD' 'EXPIRE' ( 'DEFAULT' | 'NEVER' | 'INTERVAL' N 'DAY' )? | 'PASSWORD' 'HISTORY' ( 'DEFAULT' | N ) | 'PASSWORD' 'REUSE' 'INTERVAL' ( 'DEFAULT' | N 'DAY' ) @@ -142,6 +145,22 @@ Create a user whose password is manually expired: CREATE USER 'newuser9'@'%' PASSWORD EXPIRE; ``` +Create a user with a maximum connection limit of 3: + +```sql +CREATE USER 'newuser10'@'%' WITH MAX_USER_CONNECTIONS 3; +SELECT User, Host, max_user_connections FROM mysql.user WHERE User='newuser10'; +``` + +``` ++-----------+------+----------------------+ +| user | host | max_user_connections | ++-----------+------+----------------------+ +| newuser10 | % | 3 | ++-----------+------+----------------------+ +1 row in set (0.01 sec) +``` + ``` Query OK, 1 row affected (0.02 sec) ``` @@ -149,15 +168,15 @@ Query OK, 1 row affected (0.02 sec) Create a user that uses the resource group `rg1`. ```sql -CREATE USER 'newuser7'@'%' RESOURCE GROUP rg1; -SELECT USER, HOST, USER_ATTRIBUTES FROM MYSQL.USER WHERE USER='newuser7'; +CREATE USER 'newuser11'@'%' RESOURCE GROUP rg1; +SELECT USER, HOST, USER_ATTRIBUTES FROM MYSQL.USER WHERE USER='newuser11'; ``` ```sql +----------+------+---------------------------+ | USER | HOST | USER_ATTRIBUTES | +----------+------+---------------------------+ -| newuser7 | % | {"resource_group": "rg1"} | +| newuser11| % | {"resource_group": "rg1"} | +----------+------+---------------------------+ 1 rows in set (0.00 sec) ``` diff --git a/system-variables.md b/system-variables.md index 74797944249cf..5003f7c53fdeb 100644 --- a/system-variables.md +++ b/system-variables.md @@ -660,6 +660,18 @@ This variable is an alias for [`last_insert_id`](#last_insert_id). - In the `SESSION` scope, this variable is read-only. - This variable is compatible with MySQL. +### `max_user_connections` New in v9.0.0 + +- Scope:GLOBAL +- Persists to cluster: Yes +- Applies to hint [SET_VAR](/optimizer-hints.md#set_varvar_namevar_value): No +- Type: Integer +- Default value: `0` +- Range:`[0, 100000]` +- This variable indicates the maximum connection number for a user allowed to connect to a tidb-server instance in TiDB and is used for resource control. +- The default value `0` means there is no limit for user connection. When the value is greater than `0` and the number of user connections reaches this value, the TiDB server will reject the user's new connection. +- This parameter cannot exceed [`max_connections`](/tidb-configuration-file.md#max_connections). If it exceeds, TiDB will use the value of `max_connections`. For example, if the variable of `max_user_connections` is set to `2000`, and `max_connections` is `1000`, the user can establish the maxinum of 1000 connections to one tidb-server instance. + ### password_history New in v6.5.0 - Scope: GLOBAL From a45d8099ce4d89e6c83f0e179f18ab817e86a91a Mon Sep 17 00:00:00 2001 From: Zack Zhao <57036248+joccau@users.noreply.github.com> Date: Fri, 7 Mar 2025 16:09:45 +0800 Subject: [PATCH 02/11] Update system-variables.md --- system-variables.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system-variables.md b/system-variables.md index 5003f7c53fdeb..effed6dabf3f4 100644 --- a/system-variables.md +++ b/system-variables.md @@ -662,12 +662,12 @@ This variable is an alias for [`last_insert_id`](#last_insert_id). ### `max_user_connections` New in v9.0.0 -- Scope:GLOBAL +- Scope: GLOBAL - Persists to cluster: Yes - Applies to hint [SET_VAR](/optimizer-hints.md#set_varvar_namevar_value): No - Type: Integer - Default value: `0` -- Range:`[0, 100000]` +- Range: `[0, 100000]` - This variable indicates the maximum connection number for a user allowed to connect to a tidb-server instance in TiDB and is used for resource control. - The default value `0` means there is no limit for user connection. When the value is greater than `0` and the number of user connections reaches this value, the TiDB server will reject the user's new connection. - This parameter cannot exceed [`max_connections`](/tidb-configuration-file.md#max_connections). If it exceeds, TiDB will use the value of `max_connections`. For example, if the variable of `max_user_connections` is set to `2000`, and `max_connections` is `1000`, the user can establish the maxinum of 1000 connections to one tidb-server instance. From f41775dc24d3c038154ee06e2ef918d903666d9a Mon Sep 17 00:00:00 2001 From: Zack Zhao <57036248+joccau@users.noreply.github.com> Date: Fri, 7 Mar 2025 16:21:04 +0800 Subject: [PATCH 03/11] Update system-variables.md --- system-variables.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system-variables.md b/system-variables.md index effed6dabf3f4..6ffb6edd6fc94 100644 --- a/system-variables.md +++ b/system-variables.md @@ -1753,7 +1753,7 @@ mysql> SELECT job_info FROM mysql.analyze_jobs ORDER BY end_time DESC LIMIT 1; - Default value: `ON`. Before v8.5.0, the default value is `OFF`. - This variable is used to control whether to enable [TiDB Accelerated Table Creation](/accelerated-table-creation.md). - Starting from v8.0.0, TiDB supports accelerating table creation by the [`CREATE TABLE`](/sql-statements/sql-statement-create-table.md) statement using `tidb_enable_fast_create_table`. -- This variable is renamed from the variable [`tidb_ddl_version`](https://docs.pingcap.com/tidb/v7.6/system-variables#tidb_ddl_version-new-in-v760) that is introduced in v7.6.0. Starting from v8.0.0, `tidb_ddl_version` no longer takes effect. +- This variable is renamed from the variable [`tidb_ddl_version`](https://docs-archive.pingcap.com/tidb/v7.6/system-variables#tidb_ddl_version-new-in-v760) that is introduced in v7.6.0. Starting from v8.0.0, `tidb_ddl_version` no longer takes effect. - Starting from TiDB v8.5.0, the accelerated table creation feature is enabled by default for newly created clusters, with `tidb_enable_fast_create_table` set to `ON`. For clusters upgraded from v8.4.0 or earlier versions, the default value of `tidb_enable_fast_create_table` remains unchanged. ### tidb_default_string_match_selectivity New in v6.2.0 @@ -4910,7 +4910,7 @@ SHOW WARNINGS; > > - Depending on the specific business scenario, enabling this option might cause a certain degree of throughput reduction (average latency increase) for transactions with frequent lock conflicts. > - This option only takes effect on statements that need to lock a single key. If a statement needs to lock multiple rows at the same time, this option will not take effect on such statements. -> - This feature is introduced in v6.6.0 by the [`tidb_pessimistic_txn_aggressive_locking`](https://docs.pingcap.com/tidb/v6.6/system-variables#tidb_pessimistic_txn_aggressive_locking-new-in-v660) variable, which is disabled by default. +> - This feature is introduced in v6.6.0 by the [`tidb_pessimistic_txn_aggressive_locking`](https://docs-archive.pingcap.com/tidb/v6.6/system-variables#tidb_pessimistic_txn_aggressive_locking-new-in-v660) variable, which is disabled by default. ### tidb_placement_mode New in v6.0.0 From 2fae63feb168be5029a2f83959f0de78bdd38003 Mon Sep 17 00:00:00 2001 From: Zack Zhao <57036248+joccau@users.noreply.github.com> Date: Fri, 7 Mar 2025 16:28:16 +0800 Subject: [PATCH 04/11] Update system-variables.md --- system-variables.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system-variables.md b/system-variables.md index 5eda1640f080f..c44f3f1130aca 100644 --- a/system-variables.md +++ b/system-variables.md @@ -4282,7 +4282,7 @@ mysql> desc select count(distinct a) from test.t; - Default value: `""` - This variable is used to control some internal behaviors of the optimizer. - The optimizer's behavior might vary depending on user scenarios or SQL statements. This variable provides a more fine-grained control over the optimizer and helps to prevent performance regression after upgrading caused by behavior changes in the optimizer. -- For a more detailed introduction, see [Optimizer Fix Controls](https://docs.pingcap.com/tidb/v7.2/optimizer-fix-controls). +- For a more detailed introduction, see [Optimizer Fix Controls](https://docs-archive.pingcap.com/tidb/v7.2/optimizer-fix-controls). From e2d665db446cddc4d779412abc2eac86dd0a3ec9 Mon Sep 17 00:00:00 2001 From: Zack Zhao <57036248+joccau@users.noreply.github.com> Date: Mon, 17 Mar 2025 13:41:15 +0800 Subject: [PATCH 05/11] Update security-compatibility-with-mysql.md Co-authored-by: Grace Cai --- security-compatibility-with-mysql.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-compatibility-with-mysql.md b/security-compatibility-with-mysql.md index b0526558f6600..7daed60607a32 100644 --- a/security-compatibility-with-mysql.md +++ b/security-compatibility-with-mysql.md @@ -11,7 +11,7 @@ TiDB supports security features similar to MySQL 5.7, and also supports some sec ## Unsupported security features - Column level permissions. -- These permission attributes: `max_questions`, `max_updated`. +- These permission attributes: `max_questions` and `max_updated`. - Password verification policy, which requires you to verify the current password when you change it. - Dual password policy. - Random password generation. From c799e99fa580cde9ba9c20978c5794d6cffa58e8 Mon Sep 17 00:00:00 2001 From: Zack Zhao <57036248+joccau@users.noreply.github.com> Date: Mon, 17 Mar 2025 13:53:47 +0800 Subject: [PATCH 06/11] Update system-variables.md Co-authored-by: Grace Cai --- system-variables.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system-variables.md b/system-variables.md index dc72dd621be34..11489d21f29ba 100644 --- a/system-variables.md +++ b/system-variables.md @@ -668,7 +668,7 @@ This variable is an alias for [`last_insert_id`](#last_insert_id). - Range: `[0, 100000]` - This variable indicates the maximum connection number for a user allowed to connect to a tidb-server instance in TiDB and is used for resource control. - The default value `0` means there is no limit for user connection. When the value is greater than `0` and the number of user connections reaches this value, the TiDB server will reject the user's new connection. -- This parameter cannot exceed [`max_connections`](/tidb-configuration-file.md#max_connections). If it exceeds, TiDB will use the value of `max_connections`. For example, if the variable of `max_user_connections` is set to `2000`, and `max_connections` is `1000`, the user can establish the maxinum of 1000 connections to one tidb-server instance. +- If the value of this variable exceeds [`max_connections`](/tidb-configuration-file.md#max_connections), TiDB uses `max_connections` to limit the maximum number of connections a single user can establish. For example, if `max_user_connections` of a user is set to `2000`, but `max_connections` is `1000`, the user can actually establish up to `1000` connections to a TiDB server instance. ### password_history New in v6.5.0 From eda19c5c447a6995dc4ebeb41d4de9f3909ecead Mon Sep 17 00:00:00 2001 From: Zack Zhao <57036248+joccau@users.noreply.github.com> Date: Mon, 17 Mar 2025 13:55:16 +0800 Subject: [PATCH 07/11] Update system-variables.md Co-authored-by: Grace Cai --- system-variables.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system-variables.md b/system-variables.md index 11489d21f29ba..9bbcc4d22ae01 100644 --- a/system-variables.md +++ b/system-variables.md @@ -667,7 +667,7 @@ This variable is an alias for [`last_insert_id`](#last_insert_id). - Default value: `0` - Range: `[0, 100000]` - This variable indicates the maximum connection number for a user allowed to connect to a tidb-server instance in TiDB and is used for resource control. -- The default value `0` means there is no limit for user connection. When the value is greater than `0` and the number of user connections reaches this value, the TiDB server will reject the user's new connection. +- The default value `0` means there is no limit for user connections. When the value is greater than `0` and the number of user connections reaches this value, the TiDB server will reject the user's new connection. - If the value of this variable exceeds [`max_connections`](/tidb-configuration-file.md#max_connections), TiDB uses `max_connections` to limit the maximum number of connections a single user can establish. For example, if `max_user_connections` of a user is set to `2000`, but `max_connections` is `1000`, the user can actually establish up to `1000` connections to a TiDB server instance. ### password_history New in v6.5.0 From 14aa22fcac4cbbe64d6ff1cd79cc484581f34c3f Mon Sep 17 00:00:00 2001 From: Zack Zhao <57036248+joccau@users.noreply.github.com> Date: Mon, 17 Mar 2025 13:57:27 +0800 Subject: [PATCH 08/11] Update system-variables.md Co-authored-by: Grace Cai --- system-variables.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system-variables.md b/system-variables.md index 9bbcc4d22ae01..67903f8aeef55 100644 --- a/system-variables.md +++ b/system-variables.md @@ -658,7 +658,7 @@ This variable is an alias for [`last_insert_id`](#last_insert_id). - In the `SESSION` scope, this variable is read-only. - This variable is compatible with MySQL. -### `max_user_connections` New in v9.0.0 +### max_user_connections New in v9.0.0 - Scope: GLOBAL - Persists to cluster: Yes From 65e7fc0cc583851b5eb99bc4f525a37a153b86a5 Mon Sep 17 00:00:00 2001 From: Zack Zhao <57036248+joccau@users.noreply.github.com> Date: Mon, 17 Mar 2025 14:00:33 +0800 Subject: [PATCH 09/11] Update system-variables.md Co-authored-by: Grace Cai --- system-variables.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system-variables.md b/system-variables.md index 67903f8aeef55..2edda5361ac4c 100644 --- a/system-variables.md +++ b/system-variables.md @@ -666,7 +666,7 @@ This variable is an alias for [`last_insert_id`](#last_insert_id). - Type: Integer - Default value: `0` - Range: `[0, 100000]` -- This variable indicates the maximum connection number for a user allowed to connect to a tidb-server instance in TiDB and is used for resource control. +- This variable controls the maximum number of connections a user can establish to a TiDB server instance. It is used for resource control. - The default value `0` means there is no limit for user connections. When the value is greater than `0` and the number of user connections reaches this value, the TiDB server will reject the user's new connection. - If the value of this variable exceeds [`max_connections`](/tidb-configuration-file.md#max_connections), TiDB uses `max_connections` to limit the maximum number of connections a single user can establish. For example, if `max_user_connections` of a user is set to `2000`, but `max_connections` is `1000`, the user can actually establish up to `1000` connections to a TiDB server instance. From 624615493c91bceaf7d9682a7dec5773ea402773 Mon Sep 17 00:00:00 2001 From: Zack Zhao <57036248+joccau@users.noreply.github.com> Date: Mon, 17 Mar 2025 14:11:09 +0800 Subject: [PATCH 10/11] Update sql-statement-create-user.md --- sql-statements/sql-statement-create-user.md | 1 - 1 file changed, 1 deletion(-) diff --git a/sql-statements/sql-statement-create-user.md b/sql-statements/sql-statement-create-user.md index 1a4e8e5e0f06e..9bd54c08d0612 100644 --- a/sql-statements/sql-statement-create-user.md +++ b/sql-statements/sql-statement-create-user.md @@ -188,7 +188,6 @@ The following `CREATE USER` options are not yet supported by TiDB, and will be p * `PASSWORD REQUIRE CURRENT DEFAULT` * `WITH MAX_QUERIES_PER_HOUR` * `WITH MAX_UPDATES_PER_HOUR` -* `WITH MAX_USER_CONNECTIONS` The following `CREATE USER` options are not supported by TiDB either, and are *not* accepted by the parser: From c84f1d0fc1d1ad3ee8731741e2e8c40d27a6821b Mon Sep 17 00:00:00 2001 From: xixirangrang Date: Mon, 17 Mar 2025 22:25:24 +0800 Subject: [PATCH 11/11] Update system-variables.md --- system-variables.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system-variables.md b/system-variables.md index ed87a0797a6f4..8eef5f8fe6730 100644 --- a/system-variables.md +++ b/system-variables.md @@ -668,7 +668,7 @@ This variable is an alias for [`last_insert_id`](#last_insert_id). - Range: `[0, 100000]` - This variable controls the maximum number of connections a user can establish to a TiDB server instance. It is used for resource control. - The default value `0` means there is no limit for user connections. When the value is greater than `0` and the number of user connections reaches this value, the TiDB server will reject the user's new connection. -- If the value of this variable exceeds [`max_connections`](/tidb-configuration-file.md#max_connections), TiDB uses `max_connections` to limit the maximum number of connections a single user can establish. For example, if `max_user_connections` of a user is set to `2000`, but `max_connections` is `1000`, the user can actually establish up to `1000` connections to a TiDB server instance. +- If the value of this variable exceeds [`max_connections`](https://docs.pingcap.com/tidb/stable/tidb-configuration-file#max_connections), TiDB uses `max_connections` to limit the maximum number of connections a single user can establish. For example, if `max_user_connections` of a user is set to `2000`, but `max_connections` is `1000`, the user can actually establish up to `1000` connections to a TiDB server instance. ### password_history New in v6.5.0