From 0d696a3f4208a70380b70e1b6fd73ec348fdaed2 Mon Sep 17 00:00:00 2001 From: Morgan Tocker Date: Wed, 26 May 2021 01:13:34 -0600 Subject: [PATCH] Add documentation for SEM (#5647) --- system-variables.md | 12 ++++++++++++ tidb-configuration-file.md | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/system-variables.md b/system-variables.md index 5c782fa6ae07..16c7b83e4b81 100644 --- a/system-variables.md +++ b/system-variables.md @@ -10,6 +10,7 @@ TiDB system variables behave similar to MySQL with some differences, in that set - Changes to `GLOBAL` scoped variables **only apply to new connection sessions with TiDB**. Currently active connection sessions are not affected. These changes are persisted and valid after restarts. - Changes to `INSTANCE` scoped variables apply to all active or new connection sessions with the current TiDB instance immediately after the changes are made. Other TiDB instances are not affected. These changes are not persisted and become invalid after TiDB restarts. +- Variables can also have `NONE` scope. These variables are read-only, and are typically used to convey static information that will not change after a TiDB server has started. Variables can be set with the [`SET` statement](/sql-statements/sql-statement-set-variable.md) on a per-session, instance or global basis: 
@@ -429,6 +430,17 @@ Constraint checking is always performed in place for pessimistic transactions (d - Default value: ON - This variable controls whether to record the execution information of each operator in the slow query log. +### tidb_enable_enhanced_security + +- Scope: NONE +- Default value: OFF +- This variable indicates if the TiDB server you are connected to has Security Enhanced Mode (SEM) enabled, and can not be changed without restarting the TiDB server. +- SEM is inspired by the design of systems such as [Security-Enhanced Linux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux). It reduces the capabilities of users with the MySQL `SUPER` privilege, and instead requires `RESTRICTED` fine grained privileges to be granted as a replacement. These include: + - `RESTRICTED_TABLES_ADMIN`: The ability to write to system tables in the `mysql` schema, and see sensitive columns on `information_schema` tables. + - `RESTRICTED_STATUS_ADMIN`: The ability to see sensitive variables in the command `SHOW STATUS`. + - `RESTRICTED_VARIABLES_ADMIN`: The ability to see and set sensitive variables in `SHOW [GLOBAL] VARIABLES` and `SET`. + - `RESTRICTED_USER_ADMIN`: The ability to prevent other users from making changes or dropping a user account. + ### tidb_enable_fast_analyze - Scope: SESSION | GLOBAL diff --git a/tidb-configuration-file.md b/tidb-configuration-file.md index d874ffa82793..a03e137705d7 100644 --- a/tidb-configuration-file.md +++ b/tidb-configuration-file.md @@ -268,6 +268,12 @@ Configuration items related to log files. Configuration items related to security. +### `enable-sem` + +- Enable the Security Enhanced Mode (SEM). +- Default value: `false` +- The status of security enhanced mode is available via the system variable [`tidb_enable_enhanced_security`](/system-variables.md#tidb_enable_enhanced_security). + ### `ssl-ca` - The file path of the trusted CA certificate in the PEM format.
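Review bot: The new `NONE` scope bullet in the first `system-variables.md` hunk says such variables are read-only, but the paragraph that follows ("Variables can be set with the `SET` statement ... on a per-session, instance or global basis") is left as-is, so the reader is not told what happens when a client issues `SET` against a `NONE`-scoped variable such as `tidb_enable_enhanced_security`. Suggest adding a short sentence stating that `SET` is rejected for `NONE`-scoped variables (with the error the server actually returns), so that operators scripting configuration checks know to read the variable rather than attempt to write it.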
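Review bot: In the `tidb_enable_enhanced_security` hunk, the `RESTRICTED_USER_ADMIN` bullet is ambiguous: "The ability to prevent other users from making changes or dropping a user account" reads as if the holder can block others' user management, whereas the surrounding bullets describe what the holder may see or do, so it is unclear whether this privilege protects the holder's own account from being altered or dropped, or grants control over other accounts; please reword to say which. Two smaller points on the same hunk: the section never mentions the `enable-sem` configuration item that turns SEM on (the config page links here, but not the reverse), and it does not say which variables, status values and `information_schema` columns count as "sensitive", so a reader cannot tell in advance what a `SUPER` user will lose; a link to that list, or the list itself, would make the privilege descriptions actionable. Typos: "can not" should be "cannot", "fine grained" should be "fine-grained".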
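Review bot: The `enable-sem` hunk in `tidb-configuration-file.md` omits the deployment caveat that follows from the variable description in the same patch: because SEM "reduces the capabilities of users with the MySQL `SUPER` privilege, and instead requires `RESTRICTED` fine grained privileges to be granted as a replacement", an operator who flips `enable-sem = true` and restarts without first granting the `RESTRICTED_*` privileges to an administrative account can lock themselves out of system-table, variable and user administration. Suggest a note under the default-value bullet along the lines of "Grant the required `RESTRICTED_*` privileges before enabling SEM; the setting only takes effect after a TiDB server restart", since the restart requirement is currently only stated on the variable page. Also, "security enhanced mode" in the last bullet should match the capitalised "Security Enhanced Mode (SEM)" used in the first bullet.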