session/variable: forbid changing @@global.require_secure_transport to 'on' with SEM enabled

[tiancaiamao]

What problem does this PR solve?

Issue Number: close #47665

Problem Summary:

The configuration for TiDB Cloud dedicated cluster is:

require_secure_transport: OFF
ssl_ca : /var/lib/tidb-server-tls/ca.crt
ssl_cert : /var/lib/tidb-server-tls/tls.crt
ssl_key: /var/lib/tidb-server-tls/tls.key

We just provide the ca.crt file for the the users to connect the TiDB cluster. When require_secure_transport = OFF, there is no problem.

But if the user set the value of require_secure_transport to 'ON', the users can not connect to the cluster anymore!

This is because the new configuration require the mysql client to pass all ca.crt tls.crt tls.key correctly, while the user only have the ca.crt file.

What is changed and how it works?

To prevent the user from losing access of the cluster, we can forbid changing require_secure_transport system variable to 'on' as a workaround, then the user can not modify it and trigger the issue.

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)

Modify the config.toml.example:

# Security Enhanced Mode (SEM) restricts the "SUPER" privilege and requires fine-grained privileges instead.
enable-sem = true

./bin/tidb-server -config ./pkg/config/config.toml.example
mysql -h 127.0.0.1 -u root -P 4000

mysql> set @@global.require_secure_transport = on;
ERROR 1105 (HY000): require_secure_transport can not be set to ON with SEM(security enhanced mode) enabled

• No need to test

  • I checked and no code files have been changed.

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Documentation

• Affects user behaviors
• Contains syntax changes
• Contains variable changes
• Contains experimental features
• Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

Forbid changing @@global.require_secure_transport variable to 'on' when SEM(security enhanced mode) is enabled

[tiprow]

Hi @tiancaiamao. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[codecov]

Codecov Report

Merging #47677 (b309706) into master (eafb78a) will decrease coverage by 2.8119%.
Report is 1084 commits behind head on master.
The diff coverage is 100.0000%.

Additional details and impacted files

@@               Coverage Diff                @@
##             master     #47677        +/-   ##
================================================
- Coverage   71.9282%   69.1164%   -2.8119%     
================================================
  Files          1396       2771      +1375     
  Lines        404781     945914    +541133     
================================================
+ Hits         291152     653782    +362630     
- Misses        94027     268296    +174269     
- Partials      19602      23836      +4234     

Flag	Coverage Δ
integration	39.5980% <87.5000%> (?)
unit	82.5441% <100.0000%> (+10.6158%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
dumpling	74.1669% <ø> (+20.1755%)	⬆️
parser	∅ <ø> (∅)
br	72.0007% <ø> (+19.0706%)	⬆️

[tiancaiamao]

The current PR is a workaround.
Maybe in a real fix we can make this check stronger? vars.TLSConnectionState can be non-nil even when tls.crt and tls.key are not provided.
If the check become tls.ca && tls.crt && tls.key, maybe things become better?

[bb7133]

LGTM

[bb7133]

LGTM

[bb7133]

I plan to collect 2 LGTMs to ensure this code change is ready.

[bb7133]

However, whether it should be merged into master branch is a question to me(after all it is just a workaround).

[bb7133]

/hold

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2023-10-17 02:02:00.93861647 +0000 UTC m=+1708918.525726599: ☑️ agreed by bb7133.
• 2023-10-17 07:37:24.786753757 +0000 UTC m=+1729042.373863902: ☑️ agreed by CbcWestwolf.

[tiancaiamao]

/unhold

[easonn7]

/approve

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bb7133, CbcWestwolf, easonn7

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [CbcWestwolf,bb7133]
• pkg/sessionctx/variable/OWNERS [easonn7]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-7.1: #51206.

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-7.5: #51207.

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-6.5: #51209.