
OceanBase (MySQL Mode) User Authentication, Naming, Password Policies, and Login Failure Handling

This article explains OceanBase's MySQL‑compatible security features, covering the MAPI authentication process, user naming conventions, password complexity and expiration settings, and mechanisms for handling repeated login failures, with detailed comparisons to MySQL.

Aikesheng Open Source Community

1 User Authentication

OceanBase Authentication Mechanism

OceanBase currently supports only password verification using the MySQL Authentication Protocol (MAPI). The protocol authenticates the client based on a correct username and password through a six‑step handshake:

1. Client initiates a connection request to the OceanBase server.
2. Server sends a random string (Nonce) to the client.
3. Client hashes the nonce together with the username and password.
4. Client returns the encrypted token to the server.
5. Server validates the token.
6. If validation succeeds, the server allows the connection; otherwise it rejects the request.
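
The exchange in steps 2 to 5, as an added example that is not part of the original article: a Python version of the mysql_native_password computation on both the client and the server side. In this scheme the username travels next to the token rather than inside the hash; the function names and the random 20-byte nonce are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Optional


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: str) -> bytes:
    """Value the server keeps for the account: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))


def client_token(password: str, nonce: bytes) -> bytes:
    """Steps 3-4: SHA1(password) XOR SHA1(nonce + SHA1(SHA1(password)))."""
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(nonce + sha1(stage1)))


def server_verify(token: bytes, nonce: bytes, stored: bytes) -> bool:
    """Step 5: recover SHA1(password) from the token and re-hash it."""
    if len(token) != 20:  # a SHA-1 digest is always 20 bytes
        return False
    candidate = xor(token, sha1(nonce + stored))
    return hmac.compare_digest(sha1(candidate), stored)


def handshake(account_password: str, typed_password: str,
              nonce: Optional[bytes] = None) -> bool:
    """Run steps 2-6 once; the nonce is random unless one is supplied."""
    nonce = nonce or os.urandom(20)  # step 2 (hypothetical nonce source)
    token = client_token(typed_password, nonce)
    return server_verify(token, nonce, stored_hash(account_password))


if __name__ == "__main__":
    print("correct password:", handshake("123456", "123456"))
    print("wrong password:  ", handshake("123456", "12345"))
```

Because the nonce is mixed into the token, a token captured from one connection does not validate against the nonce of another.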

Note: OceanBase supports MySQL client versions 5.5, 5.6, and 5.7. When using a MySQL 8.0 client, add --default_auth=mysql_native_password because MySQL 8.0 defaults to caching_sha2_password, while OceanBase expects mysql_native_password.

2 User Naming

User Naming Rules

A user consists of user_name and host, identical to MySQL. MySQL limits usernames to 32 characters, whereas OceanBase allows up to 64 characters.

Examples

create user 'u1'@'%' identified by '123456';
create user 'u1'@'localhost' identified by '123456';
create user 'u1'@'127.0.0.1' identified by '123456';

Use current_user() to view the current user_name@host identifier.

Length Limits

When a username exceeds the limit, both MySQL and OceanBase return the error too long for user name (the exact message may differ in future releases).

3 Password Strength Evaluation

Both OceanBase and MySQL provide variables to enforce password complexity. The following tables show the relevant variables and their default values.

# OceanBase 4.1
obclient [oceanbase]> SHOW VARIABLES LIKE "validate_password%";
+--------------------------------------+-------+
| Variable_name                        | Value |
+--------------------------------------+-------+
| validate_password_check_user_name    | on    |
| validate_password_length             | 0     |
| validate_password_mixed_case_count   | 0     |
| validate_password_number_count       | 0     |
| validate_password_policy             | low   |
| validate_password_special_char_count | 0     |
+--------------------------------------+-------+

# MySQL 8.x
mysql> SHOW VARIABLES LIKE "validate_password%";
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password.check_user_name    | ON     |
| validate_password.dictionary_file    |        |
| validate_password.length             | 8      |
| validate_password.mixed_case_count   | 1      |
| validate_password.number_count       | 1      |
| validate_password.policy             | MEDIUM |
| validate_password.special_char_count | 1      |
+--------------------------------------+--------+

Differences

Installation
  OceanBase: Built‑in system variables, ready to configure.
  MySQL: Requires installing the validate_password component first.

Number of Variables
  OceanBase: 6 variables (no validate_password.dictionary_file).
  MySQL: 7 variables; validate_password.dictionary_file works only with validate_password.policy=STRONG (OceanBase does not support STRONG).

Policy Values
  OceanBase: Supports LOW and MEDIUM.
  MySQL: Supports LOW, MEDIUM, and STRONG.

Most default values differ between the two databases, so users should verify settings before deployment.

4 Password Expiration Policy

Both databases allow manual password expiration and global lifetime settings.

MySQL

# Manual expiration
ALTER USER 'jeffrey'@'%' PASSWORD EXPIRE;

# After expiration, only password reset is allowed
SHOW DATABASES; -- returns ERROR 1820 (HY000)

Global expiration can be configured via the default_password_lifetime system variable.

OceanBase

Currently does not support password expiration.

5 Login Failure Handling

Repeated failed login attempts cause the account to be locked, protecting the database from brute‑force attacks.

OceanBase

Three tenant‑level parameters control this behavior (query with SHOW PARAMETERS LIKE "connection_control_%"):

connection_control_failed_connections_threshold: maximum consecutive failures.

connection_control_min_connection_delay: minimum lock duration.

connection_control_max_connection_delay: maximum lock duration.

[root@31aa8013555f log]# grep "denied" observer.log
[2023-05-04 09:32:18.689329] WDIAG [SERVER] load_privilege_info ... User access denied(...)

MySQL

MySQL can either install the connection_control.so plugin or use the built‑in account options (MySQL 8.0.19+):

CREATE USER 'u1'@'localhost' IDENTIFIED BY 'password' 
  FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 3;

ALTER USER 'u2'@'localhost' 
  FAILED_LOGIN_ATTEMPTS 4 PASSWORD_LOCK_TIME UNBOUNDED;

6 Summary

OceanBase (MySQL mode) provides authentication, user naming, password policy, and login‑failure controls that are largely consistent with MySQL, with a few differences in default values and supported policy levels.

Next Issue Preview

Security auditing – Access control.
