Commit
Add documentation for SEM (#5647)
morgo committed May 26, 2021
1 parent 1c93500 commit 0d696a3
Showing 2 changed files with 18 additions and 0 deletions.
12 changes: 12 additions & 0 deletions system-variables.md
@@ -10,6 +10,7 @@ TiDB system variables behave similar to MySQL with some differences, in that set

- Changes to `GLOBAL` scoped variables **only apply to new connection sessions with TiDB**. Currently active connection sessions are not affected. These changes are persisted and valid after restarts.
- Changes to `INSTANCE` scoped variables apply to all active or new connection sessions with the current TiDB instance immediately after the changes are made. Other TiDB instances are not affected. These changes are not persisted and become invalid after TiDB restarts.
- Variables can also have `NONE` scope. These variables are read-only, and are typically used to convey static information that will not change after a TiDB server has started.

Variables can be set with the [`SET` statement](/sql-statements/sql-statement-set-variable.md) on a per-session, instance or global basis:

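Review bot: The new `NONE` scope bullet calls these variables read-only, but the sentence directly after the list says "Variables can be set with the `SET` statement on a per-session, instance or global basis" without excluding them; add a short qualifier to the bullet such as "and cannot be changed with `SET`" so the two statements do not read as contradictory. A small style point: the two preceding bullets open with "Changes to `X` scoped variables", so "Variables can also have `NONE` scope" breaks the parallel structure; consider "`NONE` scoped variables are read-only ...".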
@@ -429,6 +430,17 @@ Constraint checking is always performed in place for pessimistic transactions (d
- Default value: ON
- This variable controls whether to record the execution information of each operator in the slow query log.

### tidb_enable_enhanced_security

- Scope: NONE
- Default value: OFF
- This variable indicates if the TiDB server you are connected to has Security Enhanced Mode (SEM) enabled, and can not be changed without restarting the TiDB server.
- SEM is inspired by the design of systems such as [Security-Enhanced Linux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux). It reduces the capabilities of users with the MySQL `SUPER` privilege, and instead requires `RESTRICTED` fine grained privileges to be granted as a replacement. These include:
- `RESTRICTED_TABLES_ADMIN`: The ability to write to system tables in the `mysql` schema, and see sensitive columns on `information_schema` tables.
- `RESTRICTED_STATUS_ADMIN`: The ability to see sensitive variables in the command `SHOW STATUS`.
- `RESTRICTED_VARIABLES_ADMIN`: The ability to see and set sensitive variables in `SHOW [GLOBAL] VARIABLES` and `SET`.
- `RESTRICTED_USER_ADMIN`: The ability to prevent other users from making changes or dropping a user account.

### tidb_enable_fast_analyze

- Scope: SESSION | GLOBAL
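Review bot: The four `RESTRICTED_*_ADMIN` bullets are at the same indentation as the parent bullet, so they will render as siblings of "These include:" rather than as its sub-list; indent them by four spaces (or two, whichever this file uses for nested lists). The `RESTRICTED_USER_ADMIN` description is ambiguous about who holds the privilege and who is prevented: as written it can be read as granting the holder the power to block changes to other accounts, whereas the parallel wording of the other three privileges describes an ability the holder gains; state explicitly whether it protects the holder's own account from being modified or dropped by other users, or something else. "These include:" implies the list is partial; say whether these four are the complete set of `RESTRICTED` privileges. Minor wording: "can not" should be "cannot", "fine grained" should be "fine-grained", and "indicates if" reads better as "indicates whether".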
6 changes: 6 additions & 0 deletions tidb-configuration-file.md
@@ -268,6 +268,12 @@ Configuration items related to log files.

Configuration items related to security.

### `enable-sem`

- Enable the Security Enhanced Mode (SEM).
- Default value: `false`
- The status of security enhanced mode is available via the system variable [`tidb_enable_enhanced_security`](/system-variables.md#tidb_enable_enhanced_security).

### `ssl-ca`

- The file path of the trusted CA certificate in the PEM format.
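Review bot: The `enable-sem` entry does not say when the setting takes effect; the matching `tidb_enable_enhanced_security` text in system-variables.md says it cannot be changed without restarting the TiDB server, so add a bullet stating that `enable-sem` is read at startup and a restart is required to change it. Since the same text says SEM reduces the capabilities of `SUPER` and requires the `RESTRICTED_*` privileges as a replacement, it is also worth one operational bullet here, for example "- Enabling SEM restricts the `SUPER` privilege; grant the required `RESTRICTED_*` privileges to administrative accounts before turning it on." Finally, "security enhanced mode" in the third bullet should match the capitalization "Security Enhanced Mode (SEM)" used in the first.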