Each slave connects to the master using a MySQL user name and
password, so there must be a user account on the master that the
slave can use to connect. The user name is specified by the
MASTER_USER option on the
MASTER TO command when you set up a replication slave.
Any account can be used for this operation, providing it has
been granted the
SLAVE privilege. You can choose to create a different
account for each slave, or connect to the master using the same
account for each slave.
Although you do not have to create an account specifically for
replication, you should be aware that the replication user name
and password are stored in plain text in the master info
Section 126.96.36.199, “Slave Status Logs”). Therefore, you may want to
create a separate account that has privileges only for the
replication process, to minimize the possibility of compromise
to other accounts.
To create a new account, use
USER. To grant this account the privileges required
for replication, use the
statement. If you create an account solely for the purposes of
replication, that account needs only the
REPLICATION SLAVE privilege. For
example, to set up a new user,
repl, that can
connect for replication from any host within the
example.com domain, issue these statements on
mysql> CREATE USER 'repl'@'%.example.com' IDENTIFIED BY 'password'; mysql> GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%.example.com';
See Section 13.7.1, “Account Management Statements”, for more information on statements for manipulation of user accounts.
To connect to the replication master using a user account that
authenticates with the
caching_sha2_password plugin, you must
either set up a secure connection as described in
Section 17.3.1, “Setting Up Replication to Use Encrypted Connections”,
or enable the unencrypted connection to support password
exchange using an RSA key pair. The
caching_sha2_password authentication plugin
is the default for new users created from MySQL 8.0 (for
Section 188.8.131.52, “Caching SHA-2 Pluggable Authentication”).
If the user account that you create or use for replication (as
specified by the
MASTER_USER option) uses
this authentication plugin, and you are not using a secure
connection, you must enable RSA key pair-based password
exchange for a successful connection.