Skip to content

[Feat]: MySQL: expose option to enable mysql_clear_password (cleartext) auth plugin #336

Description

@pokertour

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

Summary
Allow enabling the MySQL cleartext authentication plugin per connection. The underlying mysql_async driver supports this via enable_cleartext_plugin, but it isn't exposed in the connection settings.
Problem
Connecting to a MySQL account whose server-side auth requires a cleartext password (PAM, LDAP, or cloud IAM auth) fails with:

encountered unexpected or invalid data: mysql_cleartext_plugin disabled

The driver disables the cleartext plugin by default, and there's currently no UI option to turn it on, so these accounts can't be used at all.
Proposed solution
Add a per-connection toggle in the MySQL connection settings, e.g. "Enable cleartext password plugin", mapping to the driver's enable_cleartext_plugin option. It should only be allowed together with an SSL/TLS mode, since cleartext must travel over an encrypted connection.

Motivation

Managed and enterprise MySQL deployments increasingly rely on authentication methods that require the client to send the password in cleartext over a TLS connection — notably PAM, LDAP, and cloud IAM auth (Azure Database for MySQL, AWS RDS IAM, etc.). These are mainstream, security-conscious setups, not edge cases.

A very common real-world trigger is connecting through Warpgate, a popular open-source bastion/proxy. Its MySQL protocol server only accepts TLS connections and authenticates clients exclusively via the mysql_clear_password plugin — this is mandatory, not configurable. Clients that can't enable cleartext auth (like Tabularis today) simply cannot connect to any database behind Warpgate, while clients that expose the option (DBeaver, mysql CLI with --enable-cleartext-plugin) work fine. Supporting this would let Tabularis work in bastion-protected environments, which are standard in security-conscious infrastructures.

Example

No response

Metadata

Metadata

Assignees

No one assigned

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions