[ cherry-pick 7.1 ] Improve SEM read only & Mask show plugins (pingcap#598)

* improve sem read only

Signed-off-by: AmoebaProtozoa <[email protected]>

* mask show plugins (pingcap#585)

Signed-off-by: AmoebaProtozoa <[email protected]>

* fix TestSetGlobalVars

Signed-off-by: AmoebaProtozoa <[email protected]>

* make check

Signed-off-by: AmoebaProtozoa <[email protected]>

---------

Signed-off-by: AmoebaProtozoa <[email protected]>

Author: AmoebaProtozoa

executor/set.go

@@ -142,6 +142,14 @@ func (e *SetExecutor) setSysVariable(ctx context.Context, name string, v *expres
 		sessionVars.StmtCtx.AppendWarning(exeerrors.ErrInstanceScope.GenWithStackByArgs(sysVar.Name))
 	}
 
+	// Check if the variable is read only under SEM.
+	if err := e.checkSysVarReadOnlyForSEM(ctx, v, sysVar); err != nil {
+		// If the assignment violates sem ReadOnly, we simply append warning and ignore it, instead of
+		// returning error.
+		sessionVars.StmtCtx.AppendWarning(err)
+		return nil
+	}
+
 	if v.IsGlobal {
 		valStr, err := e.getVarValue(ctx, v, sysVar)
 		if err != nil {
@@ -271,6 +279,50 @@ func (e *SetExecutor) setCharset(cs, co string, isSetName bool) error {
 	return errors.Trace(sessionVars.SetSystemVar(variable.CollationConnection, coDb))
 }
 
+// checkReadOnly checks if the variable assignment violates sem read-only rules.
+func (e *SetExecutor) checkSysVarReadOnlyForSEM(
+	ctx context.Context,
+	v *expression.VarAssignment,
+	sysVar *variable.SysVar) error {
+	if !sem.IsEnabled() || !sem.IsReadOnlySysVar(strings.ToLower(sysVar.Name)) {
+		return nil
+	}
+	// If the user has SUPER or RESTRICTED_VARIABLES_ADMIN, skip check.
+	pm := privilege.GetPrivilegeManager(e.ctx)
+	if pm == nil || pm.RequestDynamicVerification(e.ctx.GetSessionVars().ActiveRoles, "RESTRICTED_VARIABLES_ADMIN", false) {
+		return nil
+	}
+	var (
+		targetValue  string // The value to be set.
+		currentValue string // The current value of the variable.
+		err          error
+	)
+	// Obtain the target and current value of the set statement, must use getVarValue to handle the default value.
+	if v.IsGlobal {
+		targetValue, err = e.getVarValue(ctx, v, sysVar)
+		if err != nil {
+			return err
+		}
+		currentValue = sysVar.Value
+	} else {
+		targetValue, err = e.getVarValue(ctx, v, nil)
+		if err != nil {
+			return err
+		}
+		currentValue, err = e.ctx.GetSessionVars().GetGlobalSystemVar(ctx, v.Name)
+		if err != nil {
+			return err
+		}
+	}
+	// Normalize the target value without appending warnings.
+	targetValue = sysVar.ValidateWithRelaxedValidation(e.ctx.GetSessionVars(), targetValue, sysVar.Scope)
+	// Skip check sem read-only if the target value is the same as the current value.
+	if targetValue == currentValue {
+		return nil
+	}
+	return core.ErrSpecificAccessDenied.GenWithStackByArgs("SUPER or RESTRICTED_VARIABLES_ADMIN")
+}
+
 func (e *SetExecutor) getVarValue(ctx context.Context, v *expression.VarAssignment, sysVar *variable.SysVar) (value string, err error) {
 	if v.IsDefault {
 		// To set a SESSION variable to the GLOBAL value or a GLOBAL value

executor/show.go

@@ -1796,6 +1796,10 @@ func (e *ShowExec) fetchShowProcedureStatus() error {
 }
 
 func (e *ShowExec) fetchShowPlugins() error {
+	// When SEM strict mode is enabled, return an empty list for plugins.
+	if sem.IsStrictMode() {
+		return nil
+	}
 	tiPlugins := plugin.GetAll()
 	for _, ps := range tiPlugins {
 		for _, p := range ps {

planner/core/planbuilder.go

@@ -967,7 +967,7 @@ func (b *PlanBuilder) buildSet(ctx context.Context, v *ast.SetStmt) (Plan, error
 			err := ErrSpecificAccessDenied.GenWithStackByArgs("SUPER or SYSTEM_VARIABLES_ADMIN")
 			b.visitInfo = appendDynamicVisitInfo(b.visitInfo, "SYSTEM_VARIABLES_ADMIN", false, err)
 		}
-		if sem.IsEnabled() && (sem.IsInvisibleSysVar(strings.ToLower(vars.Name)) || sem.IsReadOnlySysVar(strings.ToLower(vars.Name))) {
+		if sem.IsEnabled() && sem.IsInvisibleSysVar(strings.ToLower(vars.Name)) {
 			err := errmsg.WithInvisibleSysVarErrTag(ErrSpecificAccessDenied.GenWithStackByArgs("RESTRICTED_VARIABLES_ADMIN"))
 			b.visitInfo = appendDynamicVisitInfo(b.visitInfo, "RESTRICTED_VARIABLES_ADMIN", false, err)
 		}

sessionctx/variable/sysvar.go

@@ -68,7 +68,7 @@ var defaultSysVars = []*SysVar{
 	{Scope: ScopeNone, Name: LogBin, Value: Off, Type: TypeBool},
 	{Scope: ScopeNone, Name: VersionComment, Value: "TiDB Server (Apache License 2.0) " + versioninfo.TiDBEdition + " Edition, MySQL 5.7 compatible"},
 	{Scope: ScopeNone, Name: Version, Value: mysql.ServerVersion},
-	{Scope: ScopeNone, Name: DataDir, Value: "/usr/local/mysql/data/"},
+	{Scope: ScopeNone, Name: DataDir, Value: DefDataDir},
 	{Scope: ScopeNone, Name: Socket, Value: ""},
 	{Scope: ScopeNone, Name: "license", Value: "Apache License 2.0"},
 	{Scope: ScopeNone, Name: "have_ssl", Value: "DISABLED", Type: TypeBool},

sessionctx/variable/tidb_vars.go

@@ -1061,6 +1061,7 @@ const (
 // Default TiDB system variable values.
 const (
 	DefHostname                                    = "localhost"
+	DefDataDir                                     = "/usr/local/mysql/data/"
 	DefIndexLookupConcurrency                      = ConcurrencyUnset
 	DefIndexLookupJoinConcurrency                  = ConcurrencyUnset
 	DefIndexSerialScanConcurrency                  = 1

tidb-server/BUILD.bazel

@@ -110,6 +110,7 @@ go_test(
         "//parser/mysql",
         "//sessionctx/variable",
         "//testkit/testsetup",
+        "@com_github_pingcap_failpoint//:failpoint",
         "@com_github_stretchr_testify//require",
         "@io_opencensus_go//stats/view",
         "@org_uber_go_goleak//:goleak",

tidb-server/main_test.go

@@ -18,6 +18,7 @@ import (
 	"os"
 	"testing"
 
+	"github.com/pingcap/failpoint"
 	"github.com/pingcap/tidb/config"
 	"github.com/pingcap/tidb/parser/mysql"
 	"github.com/pingcap/tidb/sessionctx/variable"
@@ -50,6 +51,12 @@ func TestRunMain(t *testing.T) {
 
 func TestSetGlobalVars(t *testing.T) {
 	defer view.Stop()
+
+	require.NoError(t, failpoint.Enable("github.com/pingcap/tidb/util/sem/skipSEM", "return"))
+	defer func() {
+		require.NoError(t, failpoint.Disable("github.com/pingcap/tidb/util/sem/skipSEM"))
+	}()
+
 	require.Equal(t, "tikv,tiflash,tidb", variable.GetSysVar(variable.TiDBIsolationReadEngines).Value)
 	require.Equal(t, "1073741824", variable.GetSysVar(variable.TiDBMemQuotaQuery).Value)
 	require.NotEqual(t, "test", variable.GetSysVar(variable.Version).Value)

util/sem/restricted_statement.go

@@ -256,14 +256,15 @@ func verifyShow(stmt *ast.ShowStmt) error {
 		ast.ShowSessionStates,
 		// "SHOW CONFIG" command is necessary for lightning to function,
 		// therefore, it's access is restricted via privileges.
-		ast.ShowConfig:
+		ast.ShowConfig,
+		// "SHOW PLUGINS" command is necessary for mysql workbench,
+		// hence we return an empty result in fetchShowPlugins instead of returning an error here.
+		ast.ShowPlugins:
 		return nil
 	case ast.ShowCreateResourceGroup:
 		return dbterror.ErrNotSupportedOnServerless.GenWithStackByCause("SHOW CREATE RESOURCE GROUP")
 	case ast.ShowCreatePlacementPolicy:
 		return dbterror.ErrNotSupportedOnServerless.GenWithStackByCause("SHOW CREATE PLACEMENT POLICY")
-	case ast.ShowPlugins:
-		return dbterror.ErrNotSupportedOnServerless.GenWithStackByCause("SHOW PLUGINS")
 	case ast.ShowDrainerStatus:
 		return dbterror.ErrNotSupportedOnServerless.GenWithStackByCause("SHOW DRAINER STATUS")
 	case ast.ShowPumpStatus:

util/sem/sem.go

@@ -137,14 +137,16 @@ func Enable(level string) error {
 // Disable disables SEM. This is intended to be used by the test-suite.
 // Dynamic configuration by users may be a security risk.
 func Disable() {
-	if IsStrictMode() {
+	switch atomic.LoadInt32(&semEnabled) {
+	case levelBasicVal:
+		variable.SetSysVar(variable.TiDBEnableEnhancedSecurity, variable.Off)
+		if hostname, err := os.Hostname(); err == nil {
+			variable.SetSysVar(variable.Hostname, hostname)
+		}
+	case levelStrictVal:
 		disableStrictMode()
 	}
 	atomic.StoreInt32(&semEnabled, 0)
-	variable.SetSysVar(variable.TiDBEnableEnhancedSecurity, variable.Off)
-	if hostname, err := os.Hostname(); err == nil {
-		variable.SetSysVar(variable.Hostname, hostname)
-	}
 }
 
 // IsEnabled checks if Security Enhanced Mode (SEM) is enabled.
@@ -235,8 +237,7 @@ func IsInvisibleSysVar(varNameInLower string) bool {
 		variable.TiDBStmtSummaryFilename,
 		tidbAuditRetractLog,
 		variable.TiDBEnableAsyncCommit,
-		variable.TiDBEnableResourceControl,
-		variable.DataDir:
+		variable.TiDBEnableResourceControl:
 		return true
 	}
 	return IsStrictMode() && strictModeInvisibleSysVar(varNameInLower)

util/sem/strict_sem.go

@@ -15,14 +15,23 @@
 package sem
 
 import (
+	"os"
 	"sync/atomic"
 
+	"github.com/pingcap/tidb/config"
 	"github.com/pingcap/tidb/parser/mysql"
 	"github.com/pingcap/tidb/sessionctx/variable"
 )
 
 // enableStrictMode changes some variable's default value and restrictions.
 func enableStrictMode() {
+	// Mark sem as enabled.
+	variable.SetSysVar(variable.TiDBEnableEnhancedSecurity, variable.On)
+	// Mask @@hostname to localhost.
+	variable.SetSysVar(variable.Hostname, variable.DefHostname)
+	// Mask @@datadir to it's default value.
+	variable.SetSysVar(variable.DataDir, variable.DefDataDir)
+	// Set password validation rules.
 	variable.SetSysVarMin(variable.ValidatePasswordLength, 8)
 	variable.SetSysVarMin(variable.ValidatePasswordMixedCaseCount, 1)
 	variable.SetSysVarMin(variable.ValidatePasswordNumberCount, 1)
@@ -31,6 +40,15 @@ func enableStrictMode() {
 
 // disableStrictMode changes variable's default value and restrictions back to normal.
 func disableStrictMode() {
+	// Mark sem as disabled.
+	variable.SetSysVar(variable.TiDBEnableEnhancedSecurity, variable.Off)
+	// Restore @@hostname.
+	if hostname, err := os.Hostname(); err == nil {
+		variable.SetSysVar(variable.Hostname, hostname)
+	}
+	// Restore @@datadir.
+	variable.SetSysVar(variable.DataDir, config.GetGlobalConfig().Path)
+	// Set password validation rules.
 	variable.SetSysVarMin(variable.ValidatePasswordLength, 0)
 	variable.SetSysVarMin(variable.ValidatePasswordMixedCaseCount, 0)
 	variable.SetSysVarMin(variable.ValidatePasswordNumberCount, 0)
@@ -138,7 +156,6 @@ func strictModeInvisibleTable(dbLowerName, tblLowerName string) bool {
 func strictModeInvisibleSysVar(varNameInLower string) bool {
 	switch varNameInLower {
 	case
-		variable.DataDir,
 		variable.PluginDir,
 		variable.PluginLoad,
 		variable.TiDBCheckMb4ValueInUTF8,
@@ -236,7 +253,10 @@ func strictModeReadOnlySysVar(varNameInLower string) bool {
 		variable.TiDBTxnScope,
 		variable.ValidatePasswordEnable,
 		// TODO: remove this after the next cse upgrade to 7.1
-		variable.TiDBPessimisticTransactionFairLocking:
+		variable.TiDBPessimisticTransactionFairLocking,
+		// The following variables contain sensitive information, so we mask them when enabling sem and
+		// mark them as read-only.
+		variable.DataDir:
 		return true
 
 	}