Module users 

User table + RBAC types for v4.1.

Three roles, narrow on purpose:

• Admin — full read+write + can manage other users
• ReadWrite — full read+write, no user-mgmt
• ReadOnly — SELECT / SHOW only

Passwords stored as BLAKE3(salt || password) — the salt is a random 16-byte value per user, kept inline with the record so we never need to hash twice. The hash is not designed to resist a determined offline attack on the snapshot file (that’s what file perms are for in the docker-compose deployment shape); it’s enough that the snapshot itself doesn’t leak plaintext, and that an in-memory dump can’t trivially reverse a typed password.

Structs

ScramSecrets

SCRAM-SHA-256 stored credentials per RFC 5802 §5. salt and iters are sent to the client in server-first; stored_key and server_key are kept secret and used in the final-message verification.

UserRecord

UserStore

Enums

Role

UserDeserializeError

UserError

Constants

CACHING_SHA2_HASH_LEN

v7.17.0 Phase 3.P0-72 — length of SHA256(SHA256(password)) stored per user for caching_sha2_password auth verification (the MySQL 8.0 default plugin).

MYSQL_NATIVE_HASH_LEN

v7.17.0 Phase 3.P0-71 — length of SHA1(SHA1(password)) stored per user for mysql_native_password auth verification.

SCRAM_DEFAULT_ITERS

SCRAM_SALT_LEN

Functions

compute_caching_sha2_hash

v7.17.0 Phase 3.P0-72 — compute the caching_sha2_password stored hash = SHA256(SHA256(password)). Public for the same reason as the mysql_native variant.

compute_mysql_native_hash

Compute the mysql_native_password stored hash = SHA1(SHA1(password)). Public so user-creation paths can populate the field at the same moment they have cleartext.

compute_scram_secrets

v4.8: derive SCRAM-SHA-256 stored credentials per RFC 5802 §3.