pingcap / tidb

TiDB is an open-source, cloud-native, distributed, MySQL-compatible database for elastic scale and real-time analytics. Try AI-powered Chat2Query free at: https://www.pingcap.com/tidb-serverless/


Support user-implemented authentication plugin within the extension framework

yzhan1 opened this issue · comments

Feature Request

Is your feature request related to a problem? Please describe:

Currently, TiDB only supports the built-in authentication and authorization mechanism. The built-in mechanism is not flexible enough to meet the needs of some users. For example, some users may want to use their own authentication and authorization logic, or some users may want to integrate TiDB with their existing authentication and authorization system.

Using the extension system to implement an auth plugin is a good way for users to plug in their own logic.

Auth plugin is a feature supported in MySQL, so implementing this feature in TiDB will make it more compatible with MySQL.

Describe the feature you'd like:

Provide support in the extension system where TiDB users can implement their own authentication plugins with customized authentication (login) and authorization (privilege checking) logic.

Example:

If a user implements a plugin called authentication_my_plugin, the user should be able to create a user using:

CREATE USER 'my_user'@'%' IDENTIFIED WITH 'authentication_my_plugin' AS 'optional_authentication_pwd';

where authn/authz for my_user will go through the customized logic in the implementation of authentication_my_plugin.

Describe alternatives you've considered:

  • MySQL already supports customized auth plugins
  • Currently, additional privilege checks or access control need to happen outside of TiDB in a service layer above

Teachability, Documentation, Adoption, Migration Strategy:

Design: #53182