From f9e708657a9ada6d07b297e362c3062cb2e1a603 Mon Sep 17 00:00:00 2001
From: JaySon
Date: Mon, 4 Jan 2021 01:05:30 -0600
Subject: [PATCH] tiflash: Add TiFlash security configuration (#4412)
* Add configuration
Signed-off-by: JaySon-Huang
* Update tiflash/tiflash-configuration.md
* Apply suggestions from code review
Co-authored-by: Flowyi
* Apply suggestions from code review
Co-authored-by: Flowyi
* Fix another doc
Signed-off-by: JaySon-Huang
* Apply suggestions from code review
* Apply suggestions from code review
* Apply suggestions from code review
Co-authored-by: Flowyi
Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com>
---
 enable-tls-between-components.md | 29 ++++++++++++++++++-----------
 tiflash/tiflash-configuration.md | 18 +++++++++++++++++-
 2 files changed, 35 insertions(+), 12 deletions(-)
diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md
index da29f4014559c..23ff50ea4b922 100644
--- a/enable-tls-between-components.md
+++ b/enable-tls-between-components.md
@@ -35,11 +35,11 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 ```toml
 [security]
- # Path of file that contains list of trusted SSL CAs for connection with cluster components.
+ # Path of the file that contains list of trusted SSL CAs for connection with cluster components.
 cluster-ssl-ca = "/path/to/ca.pem"
- # Path of file that contains X509 certificate in PEM format for connection with cluster components.
+ # Path of the file that contains X509 certificate in PEM format for connection with cluster components.
 cluster-ssl-cert = "/path/to/tidb-server.pem"
- # Path of file that contains X509 key in PEM format for connection with cluster components.
+ # Path of the file that contains X509 key in PEM format for connection with cluster components.
 cluster-ssl-key = "/path/to/tidb-server-key.pem"
 ```
@@ -49,9 +49,12 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 ```toml
 [security]
- # set the path for certificates. Empty string means disabling secure connections.
+ ## The path for certificates. An empty string means that secure connections are disabled.
+ # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
 ca-path = "/path/to/ca.pem"
+ # Path of the file that contains X509 certificate in PEM format.
 cert-path = "/path/to/tikv-server.pem"
+ # Path of the file that contains X509 key in PEM format.
 key-path = "/path/to/tikv-server-key.pem"
 ```
@@ -61,11 +64,12 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 ```toml
 [security]
- # Path of file that contains list of trusted SSL CAs. If set, following four settings shouldn't be empty
+ ## The path for certificates. An empty string means that secure connections are disabled.
+ # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
 cacert-path = "/path/to/ca.pem"
- # Path of file that contains X509 certificate in PEM format.
+ # Path of the file that contains X509 certificate in PEM format.
 cert-path = "/path/to/pd-server.pem"
- # Path of file that contains X509 key in PEM format.
+ # Path of the file that contains X509 key in PEM format.
 key-path = "/path/to/pd-server-key.pem"
 ```
@@ -75,11 +79,12 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 ```toml
 [security]
- # Path of file that contains list of trusted SSL CAs. if set, following four settings shouldn't be empty
+ ## The path for certificates. An empty string means that secure connections are disabled.
+ # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
 ca_path = "/path/to/ca.pem"
- # Path of file that contains X509 certificate in PEM format.
+ # Path of the file that contains X509 certificate in PEM format.
 cert_path = "/path/to/tiflash-server.pem"
- # Path of file that contains X509 key in PEM format.
+ # Path of the file that contains X509 key in PEM format.
 key_path = "/path/to/tiflash-server-key.pem"
 ```
@@ -87,9 +92,11 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 ```toml
 [security]
- # Sets the path for certificates. The empty string means that secure connections are disabled.
+ # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
 ca-path = "/path/to/ca.pem"
+ # Path of the file that contains X509 certificate in PEM format.
 cert-path = "/path/to/tiflash-server.pem"
+ # Path of the file that contains X509 key in PEM format.
 key-path = "/path/to/tiflash-server-key.pem"
 ```
diff --git a/tiflash/tiflash-configuration.md b/tiflash/tiflash-configuration.md
index fecfcf6b1ac22..572eee429ba73 100644
--- a/tiflash/tiflash-configuration.md
+++ b/tiflash/tiflash-configuration.md
@@ -144,7 +144,23 @@ delta_index_cache_size = 0
 ## The memory usage limit for the generated intermediate data when all queries
 ## are executed. The default value is 0 (in bytes), which means no limit.
- max_memory_usage_for_all_queries = 0
+ max_memory_usage_for_all_queries = 0
+
+## Security settings take effect starting from v4.0.5.
+[security]
+ ## This configuration item enables or disables log redaction. If the configuration value
+ ## is set to `true`, all user data in the log will be replaced by `?`.
+ ## Note that you also need to set `security.redact-info-log` for tiflash-learner's logging
+ ## in tiflash-learner.toml
+ # redact_info_log = false
+
+ ## Path of the file that contains a list of trusted SSL CAs. If set, the following settings
+ ## `cert_path` and `key_path` are also needed.
+ # ca_path = "/path/to/ca.pem"
+ ## Path of the file that contains X509 certificate in PEM format.
+ # cert_path = "/path/to/tiflash-server.pem"
+ ## Path of the file that contains X509 key in PEM format.
+ # key_path = "/path/to/tiflash-server-key.pem"
 ```
 ### Configure the `tiflash-learner.toml` file