planetscale / vitess-operator

Kubernetes Operator for Vitess
Apache License 2.0

Pass `--mysql_clientcert_auth_method` flag to Vitess #507

Closed Tener closed 9 months ago

Tener commented 9 months ago

vitess-operator does not pass the `--mysql_clientcert_auth_method` flag to Vitess. As a result, no client certificate subject verification is performed for MySQL and any user can connect as any other user, independently of the certificate subject, so long as the certificate used for connection is valid.

Tener commented 9 months ago

Looks like I've misunderstood the meaning of this flag; in practice it seems like without choosing the clientcert auth method using `--mysql_auth_server_impl=clientcert`, the certificate subject is ignored. I think this is worth documenting, but nonetheless this issue is invalid.