Merge pull request #72 from smallstep/tidb

TiDB

Author: alanchrt

docs/tidb/config.yaml

@@ -0,0 +1,4 @@
+name: TiDB
+protocol: mysql
+server_port: 4000
+topics: {}

docs/tidb/logo.png

@@ -0,0 +1,8 @@
+TiDB requires client certificates to be configured on a per-user basis. The requirement can be configured using `CREATE USER` or `ALTER USER` statements. When set, TiDB will reject connections from these users if they don't present a valid certificate signed by your CA.
+
+```sql
+mysql> CREATE USER 'myuser'@'%' REQUIRE SUBJECT 'CN={{ client_name }}';
+mysql> ALTER USER 'myuser'@'%' REQUIRE SUBJECT 'CN={{ client_name }}';
+```
+
+You can [require other user certificate information](https://docs.pingcap.com/tidb/stable/certificate-authentication#get-user-certificate-information) in order to establish a connection.

docs/tidb/topics/client_auth.md

@@ -0,0 +1,27 @@
+Copy the `{{ server_cert }}`, `{{ server_key }}`, and `{{ ca_cert }}` files to the directory that contains your TiDB config file.
+
+```shell-session
+$ sudo cp {{ server_cert }} /<tidb-config-dir>/server-cert.pem
+$ sudo cp {{ server_key }} /<tidb-config-dir>/server-key.pem
+$ sudo cp {{ ca_cert }} /<tidb-config-dir>/ca.pem
+```
+
+These files should be owned by the user that runs TiDB. Now add the following to your TiDB config file:
+
+```ini
+#...
+[security]
+# Path of file that contains list of trusted SSL CAs for connection with mysql client.
+ssl-ca = "ca.pem"
+
+# Path of file that contains X509 certificate in PEM format for connection with mysql client.
+ssl-cert = "server-cert.pem"
+
+# Path of file that contains X509 key in PEM format for connection with mysql client.
+ssl-key = "server-key.pem"
+
+require-secure-transport=true
+#...
+```
+
+Restart your TiDB server for these changes to take effect.