Each replica connects to the source using a MySQL user name and password, so there must be a user account on the source that the replica can use to connect. The user name is specified by the SOURCE_USER option of the CHANGE REPLICATION SOURCE TO statement when you set up a replica. Any account can be used for this operation, providing it has been granted the REPLICATION SLAVE privilege. You can choose to create a different account for each replica, or connect to the source using the same account for each replica.
Although you do not have to create an account specifically for replication, you should be aware that the replication user name and password are stored in plain text in the replica's connection metadata repository mysql.slave_master_info (see Section 19.2.4.2, “Replication Metadata Repositories”). Therefore, you may want to create a separate account that has privileges only for the replication process, to minimize the possibility of compromise to other accounts.
To create a new account, use CREATE USER. To grant this account the privileges required for replication, use the GRANT statement. If you create an account solely for the purposes of replication, that account needs only the REPLICATION SLAVE privilege. For example, to set up a new user, repl, that can connect for replication from any host within the example.com domain, issue these statements on the source:
mysql> CREATE USER 'repl'@'%.example.com' IDENTIFIED BY 'password';
mysql> GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%.example.com';
See Section 15.7.1, “Account Management Statements”, for more information on statements for manipulation of user accounts.
To connect to the source using a user account that authenticates with the caching_sha2_password plugin, you must either set up a secure connection as described in Section 19.3.1, “Setting Up Replication to Use Encrypted Connections”, or enable the unencrypted connection to support password exchange using an RSA key pair. The caching_sha2_password authentication plugin is the default for new users (see Section 8.4.1.2, “Caching SHA-2 Pluggable Authentication”). If the user account that you create or use for replication (as specified by the SOURCE_USER option) uses this authentication plugin, and you are not using a secure connection, you must enable RSA key pair-based password exchange for a successful connection.
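The two connection choices described above, together with a privilege audit for the dedicated account, as an added example that is not taken from the MySQL manual. The host name source1.example.com, the file paths, and the password placeholder are assumptions.

```sql
-- On the source: dedicated account holding only REPLICATION SLAVE.
-- REQUIRE SSL makes the server refuse unencrypted logins for it;
-- omit that clause if you have to use option B below.
CREATE USER 'repl'@'%.example.com'
  IDENTIFIED WITH caching_sha2_password BY '<replication-password>'
  REQUIRE SSL;
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%.example.com';

-- On the source: list every account that can replicate, its plugin,
-- and whether TLS is enforced (ssl_type is empty when it is not).
SELECT User, Host, plugin, ssl_type
  FROM mysql.user
 WHERE Repl_slave_priv = 'Y';
SHOW GRANTS FOR 'repl'@'%.example.com';  -- expect REPLICATION SLAVE only

-- On the replica, option A: encrypted connection (Section 19.3.1).
CHANGE REPLICATION SOURCE TO
  SOURCE_HOST = 'source1.example.com',          -- assumed host name
  SOURCE_USER = 'repl',
  SOURCE_PASSWORD = '<replication-password>',   -- placeholder
  SOURCE_SSL = 1,
  SOURCE_SSL_CA = '/etc/mysql/certs/ca.pem',    -- assumed path
  SOURCE_SSL_VERIFY_SERVER_CERT = 1;

-- On the replica, option B (run instead of A): unencrypted connection
-- with RSA key pair-based password exchange. A local copy of the
-- source's public key avoids trusting a key received over the
-- unencrypted link, which GET_SOURCE_PUBLIC_KEY = 1 would do.
CHANGE REPLICATION SOURCE TO
  SOURCE_HOST = 'source1.example.com',
  SOURCE_USER = 'repl',
  SOURCE_PASSWORD = '<replication-password>',
  SOURCE_SSL = 0,
  SOURCE_PUBLIC_KEY_PATH = '/etc/mysql/keys/source_public_key.pem';  -- assumed path

-- On the replica: confirm which settings the channel actually uses.
SELECT CHANNEL_NAME, HOST, USER, SSL_ALLOWED,
       SSL_VERIFY_SERVER_CERTIFICATE, GET_PUBLIC_KEY, PUBLIC_KEY_PATH
  FROM performance_schema.replication_connection_configuration;
```

With option B only the password exchange is protected by the RSA key pair; the replicated data itself still crosses the network unencrypted.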