MySQL 8.0 Reference Manual Including MySQL NDB Cluster 8.0
        Each replica connects to the source using a MySQL user name and
        password, so there must be a user account on the source that the
        replica can use to connect. The user name is specified by the
        SOURCE_USER | MASTER_USER
        option of the CHANGE REPLICATION SOURCE
        TO statement (from MySQL 8.0.23) or
        CHANGE MASTER TO statement
        (before MySQL 8.0.23) when you set up a replica. Any account can
        be used for this operation, providing it has been granted the
        REPLICATION SLAVE privilege. You
        can choose to create a different account for each replica, or
        connect to the source using the same account for each replica.
      
        Although you do not have to create an account specifically for
        replication, you should be aware that the replication user name
        and password are stored in plain text in the replica's
        connection metadata repository
        mysql.slave_master_info (see
        Section 19.2.4.2, “Replication Metadata Repositories”). Therefore, you may want
        to create a separate account that has privileges only for the
        replication process, to minimize the possibility of compromise
        to other accounts.
      
        To create a new account, use CREATE
        USER. To grant this account the privileges required
        for replication, use the GRANT
        statement. If you create an account solely for the purposes of
        replication, that account needs only the
        REPLICATION SLAVE privilege. For
        example, to set up a new user, repl, that can
        connect for replication from any host within the
        example.com domain, issue these statements on
        the source:
      
mysql>CREATE USER 'repl'@'%.example.com' IDENTIFIED BY 'mysql>password';GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%.example.com';
See Section 15.7.1, “Account Management Statements”, for more information on statements for manipulation of user accounts.
          To connect to the source using a user account that
          authenticates with the
          caching_sha2_password plugin, you must
          either set up a secure connection as described in
          Section 19.3.1, “Setting Up Replication to Use Encrypted Connections”, or enable
          the unencrypted connection to support password exchange using
          an RSA key pair. The caching_sha2_password
          authentication plugin is the default for new users created
          from MySQL 8.0 (for details, see
          Section 8.4.1.2, “Caching SHA-2 Pluggable Authentication”). If
          the user account that you create or use for replication (as
          specified by the MASTER_USER option) uses
          this authentication plugin, and you are not using a secure
          connection, you must enable RSA key pair-based password
          exchange for a successful connection.