docs: add proposal for Security Enhanced Mode

[morgo]

What problem does this PR solve?

Issue Number: Adds markdown doc for #22373

Problem Summary:

This is the design doc for security enhanced mode.

The original PR was closed because the feature was removed from Sprint 2. I have since been advised that we can add features as long as they are disabled by default, so I am reopening this. SEM is always disabled by default.

What is changed and how it works?

What's Changed:

Add a new proposal. Since it was last opened, a section for status variables has been added.

Related changes

• PR to update pingcap/docs/pingcap/docs-cn:
• Need to cherry-pick to the release branch

Check List

Tests

• No code

Side effects

• N/A

Release note

• No release note

[zz-jason]

@pengfeiwang-cn PTAL as well.

[SunRunAway]

I wish to talk about wait_timeout and interactive_timeout on the cloud.

1. The TiDB's default wait_timeout is unlimited, but MySQL and Aurora MySQL's default are 8 hours.

2. Aurora does not follow a too low wait_timeout and interactive_timeout, to avoid users' misconfiguration.

Aurora evaluates the minimum value of interactive_timeout and wait_timeout, then uses that minimum as the timeout to end all idle sessions, both interactive and noninteractive.

[morgo]

.. but in Aurora's case I'm sure they let users modify these values? They just don't permit very low values (but use the semantic of ignore instead of error, which I assume is for compatibility reasons).

I think we can lower the defaults, but I don't think it needs to be grouped in with security.

[SunRunAway]

Sorry, I can't get it. Cloud you explain why not ignore the very low value?

[morgo]

I think ignoring in this context is because some connector or connection pool might set a low value, and Aurora still wants to work with it out of the box.

Unless there is a known compatibility reason (or likely reason), ignore is a risky semantic because users may think they've made a change, but it does not take effect. For example see my comment on temporary tables and read-only transactions.

So ignoring should be the exception and not the rule. In TiDB it has historically been the rule, which is problematic. My comment was about evaluating their decision here, which I think is that it looks like it might have been because of a compatibility issue.

[bb7133]

/lgtm

[SunRunAway]

/lgtm

[SunRunAway]

/lgtm

[ti-chi-bot]

[REVIEW NOTIFICATION]

This pull request has been approved by:

• SunRunAway
• bb7133

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by writing /lgtm in a comment.
Reviewer can cancel approval by writing /lgtm cancel in a comment.

[bb7133]

/merge

[ti-chi-bot]

This pull request has been accepted and is ready to merge.

Commit hash: 0d89b0b

[SunRunAway]

/lgtm

[bb7133]

/merge

[ti-chi-bot]

This pull request has been accepted and is ready to merge.

Commit hash: d6dbc27

[bb7133]

/merge

[ti-chi-bot]

@morgo: Your PR was out of date, I have automatically updated it for you.

At the same time I will also trigger all tests for you:

/run-all-tests

If the CI test fails, you just re-trigger the test that failed and the bot will merge the PR for you after the CI passes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.