Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add documentation for SEM #5647

Merged
merged 2 commits into from
May 26, 2021
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions system-variables.md
Original file line number Diff line number Diff line change
Expand Up @@ -427,6 +427,17 @@ Constraint checking is always performed in place for pessimistic transactions (d
- Default value: ON
- This variable controls whether to record the execution information of each operator in the slow query log.

### tidb_enable_enhanced_security
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this variable readonly?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@morgo PTAL

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it is. Or more specifically it is Scope: None, which is the same as read-only.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TiDB system variables behave similar to MySQL with some differences, in that settings might apply on a SESSION, INSTANCE, or GLOBAL scope, or on a scope that combines SESSION, INSTANCE, or GLOBAL.

  • Changes to GLOBAL scoped variables only apply to new connection sessions with TiDB. Currently active connection sessions are not affected. These changes are persisted and valid after restarts.
  • Changes to INSTANCE scoped variables apply to all active or new connection sessions with the current TiDB instance immediately after the changes are made. Other TiDB instances are not affected. These changes are not persisted and become invalid after TiDB restarts.

The document does not mention any about what Scope: None means. Cloud you add some explanations?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with you. I will change it tomorrow to say Read Only instead.

(There are some minor differences, but they don't matter to users.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is improved in c8758d7 , PTAL again thx :-)


- Scope: NONE
- Default value: OFF
- This variable indicates if the TiDB server you are connected to was started with Security Enhanced Mode (SEM) enabled.
- SEM is inspired by the design of systems such as [Security-Enhanced Linux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux). It reduces the capabilities of users with the MySQL `SUPER` privilege, and instead requires `RESTRICTED` fine grained privileges to be granted as a replacement. These include:
- `RESTRICTED_TABLES_ADMIN`: The ability to write to system tables in the `mysql` schema, and see sensitive columns on `information_schema` tables.
- `RESTRICTED_STATUS_ADMIN`: The ability to see sensitive variables in the command `SHOW STATUS`.
- `RESTRICTED_VARIABLES_ADMIN`: The ability to see and set sensitive variables in `SHOW [GLOBAL] VARIABLES` and `SET`.
- `RESTRICTED_USER_ADMIN`: The ability to prevent other users from making changes or dropping a user account.

### tidb_enable_fast_analyze

- Scope: SESSION | GLOBAL
Expand Down
6 changes: 6 additions & 0 deletions tidb-configuration-file.md
Original file line number Diff line number Diff line change
Expand Up @@ -268,6 +268,12 @@ Configuration items related to log files.

Configuration items related to security.

### `enable-sem`

- Enable the Security Enhanced Mode (SEM).
- Default value: `false`
- The status of security enhanced mode is available via the system variable [`tidb_enable_enhanced_security`](/system-variables.md#tidb_enable_enhanced_security).

### `ssl-ca`

- The file path of the trusted CA certificate in the PEM format.
Expand Down