tiflash: Add TiFlash security configuration (#4412) (#4570)

* cherry pick #4412 to release-4.0 Signed-off-by: ti-srebot <ti-srebot@pingcap.com> * Remove redact_info_log Co-authored-by: JaySon <tshent@qq.com> Co-authored-by: JaySon <jayson.hjs@gmail.com>
pingcap · Jan 4, 2021 · 98e3a23 · 98e3a23
1 parent edb15fd
commit 98e3a23
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 11 deletions.
diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md
@@ -35,11 +35,11 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 
         ```toml
         [security]
-        # Path of file that contains list of trusted SSL CAs for connection with cluster components.
+        # Path of the file that contains list of trusted SSL CAs for connection with cluster components.
         cluster-ssl-ca = "/path/to/ca.pem"
-        # Path of file that contains X509 certificate in PEM format for connection with cluster components.
+        # Path of the file that contains X509 certificate in PEM format for connection with cluster components.
         cluster-ssl-cert = "/path/to/tidb-server.pem"
-        # Path of file that contains X509 key in PEM format for connection with cluster components.
+        # Path of the file that contains X509 key in PEM format for connection with cluster components.
         cluster-ssl-key = "/path/to/tidb-server-key.pem"
         ```
 
@@ -49,9 +49,12 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 
         ```toml
         [security]
-        # set the path for certificates. Empty string means disabling secure connections.
+        ## The path for certificates. An empty string means that secure connections are disabled.
+        # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
         ca-path = "/path/to/ca.pem"
+        # Path of the file that contains X509 certificate in PEM format.
         cert-path = "/path/to/tikv-server.pem"
+        # Path of the file that contains X509 key in PEM format.
         key-path = "/path/to/tikv-server-key.pem"
         ```
 
@@ -61,11 +64,12 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 
         ```toml
         [security]
-        # Path of file that contains list of trusted SSL CAs. If set, following four settings shouldn't be empty
+        ## The path for certificates. An empty string means that secure connections are disabled.
+        # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
         cacert-path = "/path/to/ca.pem"
-        # Path of file that contains X509 certificate in PEM format.
+        # Path of the file that contains X509 certificate in PEM format.
         cert-path = "/path/to/pd-server.pem"
-        # Path of file that contains X509 key in PEM format.
+        # Path of the file that contains X509 key in PEM format.
         key-path = "/path/to/pd-server-key.pem"
         ```
 
@@ -75,21 +79,24 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 
          ```toml
         [security]
-        # Path of file that contains list of trusted SSL CAs. if set, following four settings shouldn't be empty
+        ## The path for certificates. An empty string means that secure connections are disabled.
+        # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
         ca_path = "/path/to/ca.pem"
-        # Path of file that contains X509 certificate in PEM format.
+        # Path of the file that contains X509 certificate in PEM format.
         cert_path = "/path/to/tiflash-server.pem"
-        # Path of file that contains X509 key in PEM format.
+        # Path of the file that contains X509 key in PEM format.
         key_path = "/path/to/tiflash-server-key.pem"
         ```
 
         Configure in the `tiflash-learner.toml` file:
 
         ```toml
         [security]
-        # Sets the path for certificates. The empty string means that secure connections are disabled.
+        # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
         ca-path = "/path/to/ca.pem"
+        # Path of the file that contains X509 certificate in PEM format.
         cert-path = "/path/to/tiflash-server.pem"
+        # Path of the file that contains X509 key in PEM format.
         key-path = "/path/to/tiflash-server-key.pem"
         ```
 

diff --git a/tiflash/tiflash-configuration.md b/tiflash/tiflash-configuration.md
@@ -140,6 +140,16 @@ minmax_index_cache_size = 5368709120
     ## The memory usage limit for the generated intermediate data when all queries
     ## are executed. The default value is 0 (in bytes), which means no limit.
     max_memory_usage_for_all_queries = 0
+
+## Security settings take effect starting from v4.0.5.
+[security]
+    ## Path of the file that contains a list of trusted SSL CAs. If set, the following settings
+    ## `cert_path` and `key_path` are also needed.
+    # ca_path = "/path/to/ca.pem"
+    ## Path of the file that contains X509 certificate in PEM format.
+    # cert_path = "/path/to/tiflash-server.pem"
+    ## Path of the file that contains X509 key in PEM format.
+    # key_path = "/path/to/tiflash-server-key.pem"
 ```
 
 ### Configure the `tiflash-learner.toml` file