Skip to content

Commit ecd86a5

Browse files
authored
Add details to the --initialize-secure option (#21738)
1 parent 055fa21 commit ecd86a5

2 files changed

Lines changed: 3 additions & 1 deletion

File tree

best-practices-for-security-configuration.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,8 @@ To avoid this risk, it is recommended to set a root password during deployment:
2020
- For deployments using TiUP, refer to [Deploy TiDB Cluster Using TiUP](/production-deployment-using-tiup.md#step-7-start-a-tidb-cluster) to generate a random password for the root user.
2121
- For deployments using TiDB Operator, refer to [Set initial account and password](https://docs.pingcap.com/tidb-in-kubernetes/stable/initialize-a-cluster#set-initial-account-and-password) to set the root password.
2222

23+
You can also use the [`--initialize-secure`](/command-line-flags-for-tidb-configuration.md#--initialize-secure) option to restrict network access for the initial root user.
24+
2325
## Enable password complexity checks
2426

2527
By default, TiDB does not enforce password complexity policies, which might lead to the use of weak or empty passwords, increasing security risks.

command-line-flags-for-tidb-configuration.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -49,7 +49,7 @@ When you start the TiDB cluster, you can use command-line options or environment
4949

5050
## `--initialize-secure`
5151

52-
- Bootstraps tidb-server in secure mode
52+
- Controls whether to create a `root` account using the `auth_socket` authentication method during tidb-server initialization. If it is set to `true`, when connecting to TiDB for the first time, you must use a socket connection, which provides stronger security.
5353
- Default: `false`
5454

5555
## `--initialize-sql-file`

0 commit comments

Comments
 (0)