From ee8e517f0247407a72dc0ad0ab4583f7859445a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 5 Sep 2025 16:06:44 +0200 Subject: [PATCH 1/8] Add details to the `--initialize-secure` option --- command-line-flags-for-tidb-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/command-line-flags-for-tidb-configuration.md b/command-line-flags-for-tidb-configuration.md index 42216e6deddb4..21825a1e9b85f 100644 --- a/command-line-flags-for-tidb-configuration.md +++ b/command-line-flags-for-tidb-configuration.md @@ -48,7 +48,7 @@ When you start the TiDB cluster, you can use command-line options or environment ## `--initialize-secure` -- Bootstraps tidb-server in secure mode +- Bootstraps tidb-server in secure mode. This will setup a root account with the `auth_socket` authentication method, requiring initial access to be over a socket connection. - Default: `false` ## `--initialize-sql-file` From 5c1b1ef284a5e986a4c356827185f452e299b0c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 5 Sep 2025 16:10:13 +0200 Subject: [PATCH 2/8] Update command-line-flags-for-tidb-configuration.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- command-line-flags-for-tidb-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/command-line-flags-for-tidb-configuration.md b/command-line-flags-for-tidb-configuration.md index 21825a1e9b85f..16d276f90dfd1 100644 --- a/command-line-flags-for-tidb-configuration.md +++ b/command-line-flags-for-tidb-configuration.md 
@@ -48,7 +48,7 @@ When you start the TiDB cluster, you can use command-line options or environment ## `--initialize-secure` -- Bootstraps tidb-server in secure mode. This will setup a root account with the `auth_socket` authentication method, requiring initial access to be over a socket connection. +- Bootstraps tidb-server in secure mode. This option creates a `root` account with the `auth_socket` authentication method. To connect for the first time, you must use a socket file. - Default: `false` ## `--initialize-sql-file` From 18040cfe3cf3bb76e2ace3c1cf3c7d62e241a9a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 5 Sep 2025 16:10:46 +0200 Subject: [PATCH 3/8] fixup --- command-line-flags-for-tidb-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/command-line-flags-for-tidb-configuration.md b/command-line-flags-for-tidb-configuration.md index 16d276f90dfd1..e807c62a46a71 100644 --- a/command-line-flags-for-tidb-configuration.md +++ b/command-line-flags-for-tidb-configuration.md @@ -48,7 +48,7 @@ When you start the TiDB cluster, you can use command-line options or environment ## `--initialize-secure` -- Bootstraps tidb-server in secure mode. This option creates a `root` account with the `auth_socket` authentication method. To connect for the first time, you must use a socket file. +- Bootstraps tidb-server in secure mode. This option creates a `root` account with the `auth_socket` authentication method. To connect for the first time, you must use a socket connection. - Default: `false` ## `--initialize-sql-file` From 3b3b58c2b9d07c02beac34de01dff777b1098b4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 5 Sep 2025 16:14:57 +0200 Subject: [PATCH 4/8] Add link to initialize-secure on security best practices --- best-practices-for-security-configuration.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md index 1b684ce86f96d..6e8eebb0dc712 100644 --- a/best-practices-for-security-configuration.md +++ b/best-practices-for-security-configuration.md @@ -20,6 +20,8 @@ To avoid this risk, it is recommended to set a root password during deployment: - For deployments using TiUP, refer to [Deploy TiDB Cluster Using TiUP](/production-deployment-using-tiup.md#step-7-start-a-tidb-cluster) to generate a random password for the root user. - For deployments using TiDB Operator, refer to [Set initial account and password](https://docs.pingcap.com/tidb-in-kubernetes/stable/initialize-a-cluster#set-initial-account-and-password) to set the root password. +It is also possible to use the [`--initialize-secure`](/command-line-flags-for-tidb-configuration.md#--initialize-secure) option to restrict network access to the initial root user. + ## Enable password complexity checks By default, TiDB does not enforce password complexity policies, which might lead to the use of weak or empty passwords, increasing security risks. From b93fa66192a4d95c6de8d6503284ae38672b5e44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Wed, 10 Sep 2025 11:08:17 +0200 Subject: [PATCH 5/8] Update best-practices-for-security-configuration.md Co-authored-by: Grace Cai --- best-practices-for-security-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md index 6e8eebb0dc712..9f5320ebf32f1 100644 --- a/best-practices-for-security-configuration.md +++ b/best-practices-for-security-configuration.md 
@@ -20,7 +20,7 @@ To avoid this risk, it is recommended to set a root password during deployment: - For deployments using TiUP, refer to [Deploy TiDB Cluster Using TiUP](/production-deployment-using-tiup.md#step-7-start-a-tidb-cluster) to generate a random password for the root user. - For deployments using TiDB Operator, refer to [Set initial account and password](https://docs.pingcap.com/tidb-in-kubernetes/stable/initialize-a-cluster#set-initial-account-and-password) to set the root password. -It is also possible to use the [`--initialize-secure`](/command-line-flags-for-tidb-configuration.md#--initialize-secure) option to restrict network access to the initial root user. +You can also use the [`--initialize-secure`](/command-line-flags-for-tidb-configuration.md#--initialize-secure) option to restrict network access for the initial root user. ## Enable password complexity checks From 65d17b08f6cfd11c1e8ee66f37e09655941a35f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Wed, 10 Sep 2025 11:08:40 +0200 Subject: [PATCH 6/8] Update command-line-flags-for-tidb-configuration.md Co-authored-by: Grace Cai --- command-line-flags-for-tidb-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/command-line-flags-for-tidb-configuration.md b/command-line-flags-for-tidb-configuration.md index e807c62a46a71..ac567f446a7ce 100644 --- a/command-line-flags-for-tidb-configuration.md +++ b/command-line-flags-for-tidb-configuration.md 
@@ -48,7 +48,7 @@ When you start the TiDB cluster, you can use command-line options or environment ## `--initialize-secure` -- Bootstraps tidb-server in secure mode. This option creates a `root` account with the `auth_socket` authentication method. To connect for the first time, you must use a socket connection. +- Bootstraps tidb-server in secure mode. This option creates a `root` account using the `auth_socket` authentication method. To connect for the first time, you must use a socket connection. - Default: `false` ## `--initialize-sql-file` From 5ef37c8d170fca1b5c1e13fbb61c7f7e01fada9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 12 Sep 2025 06:05:54 +0200 Subject: [PATCH 7/8] Update command-line-flags-for-tidb-configuration.md Co-authored-by: Grace Cai --- command-line-flags-for-tidb-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/command-line-flags-for-tidb-configuration.md b/command-line-flags-for-tidb-configuration.md index ac567f446a7ce..3cbb5dbd24e3d 100644 --- a/command-line-flags-for-tidb-configuration.md +++ b/command-line-flags-for-tidb-configuration.md @@ -48,7 +48,7 @@ When you start the TiDB cluster, you can use command-line options or environment ## `--initialize-secure` -- Bootstraps tidb-server in secure mode. This option creates a `root` account using the `auth_socket` authentication method. To connect for the first time, you must use a socket connection. +- Controls whether to create a `root` account using the `auth_socket` authentication method during tidb-server initialization. If it is set to `true`, when connecting to TiDB for the first time, you must use a socket connection, which provides stronger security. - Default: `false` ## `--initialize-sql-file` From c38cf2a2fd95622d87cfd3c8d75bf55e754f0d0e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 19 Sep 2025 09:47:41 +0200 Subject: [PATCH 8/8] Update command-line-flags-for-tidb-configuration.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- command-line-flags-for-tidb-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/command-line-flags-for-tidb-configuration.md b/command-line-flags-for-tidb-configuration.md index 3cbb5dbd24e3d..ee02f9e5016ec 100644 --- a/command-line-flags-for-tidb-configuration.md +++ b/command-line-flags-for-tidb-configuration.md @@ -48,7 +48,7 @@ When you start the TiDB cluster, you can use command-line options or environment ## `--initialize-secure` -- Controls whether to create a `root` account using the `auth_socket` authentication method during tidb-server initialization. If it is set to `true`, when connecting to TiDB for the first time, you must use a socket connection, which provides stronger security. +- Controls whether to create a `root` account using the `auth_socket` authentication method during tidb-server initialization. If set to `true`, you must use a socket connection for the initial login to TiDB. This provides stronger security. - Default: `false` ## `--initialize-sql-file`
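Review bot: In PATCH 1/8, the added bullet for `--initialize-secure` has a typo: "This will setup a root account" should read "set up" (the verb). The same hunk also states the account is created "with the `auth_socket` authentication method" but does not say which user the account is; later patches in the series fix both points by naming it `root`, so this note only applies if 1/8 is ever applied on its own.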
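Review bot: In PATCH 4/8 and 5/8, the new sentence in best-practices-for-security-configuration.md ("You can also use the `--initialize-secure` option to restrict network access for the initial root user.") sits directly after two bullets that recommend setting a root password during deployment, and "also" leaves it ambiguous whether the option replaces that recommendation or complements it. Suggest stating the relationship explicitly, for example: "Independently of setting a root password, you can use the `--initialize-secure` option so that the initial `root` account can only be reached over a socket connection and not over the network." That keeps the password recommendation intact while making clear what the flag restricts.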
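Review bot: In PATCH 8/8, the final wording "This provides stronger security." is still vague for a flag reference page; say what the protection is, in terms the hunk already uses: because the `root` account is created with the `auth_socket` authentication method, the initial login cannot be made over a network connection, only through the local socket. Suggest replacing the last sentence with something like "Because the `root` account uses `auth_socket`, it cannot be used over a network connection until you log in through the socket and configure other authentication." It would also help readers to link from this bullet to the option in the same file that sets the socket path, since the bullet tells them a socket connection is required but not where to find it.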