Starting from MySQL 8.0.14+ it is possible to configure user accounts to have two passwords. This allows for easy password rotation without downtime by allowing you to set a new password for the user whilst retaining the previous password, either indefinitly or for a period of time. For more information on this feature, view the MySQL documentation here

From version 7.1.0 of Tungsten Connector it is now possible to make use of this feature when using Proxy based authentication (If you are using Bridge mode, then this feature can be used with any Tungsten release)

To make use of this feature, first of all you need to configure the account with the new password, using syntax along the lines of:

mysql> ALTER USER app_user@'%' IDENTIFIED BY 'second_pass' RETAIN CURRENT PASSWORD;
mysql> flush privileges;

Next, in the connector user.map file, you add the additional password for the given user, adding an entry with the following syntax format:

@dual <user>[@<host>] <second_pass>

Where <user> is the exact username that must have been defined earlier in the user.map as a regular entry. (See Section 7.6.1, “user.map File Format”

Note that an optional host can be specified next to the user, separated with a @ sign. In this case, the dual password must be defined (and can be different) for each user@host tuple

No connector restart will be needed, the user.map will be reloaded automatically after being updated

If/when you then choose to discard the old password, first of all edit the user.map and update the original entry swapping out the oldPassword for the newPassword:

<user> <second_pass> <service> <affinity>

Then issue the syntax in MySQL to discard the old pasword:

mysql> ALTER USER app_user@'%' DISCARD OLD PASSWORD;

You can then remove the @dual entry from the user.map when convenient.