From b7efc1808233b09acfcee2dfa4a1dc43c470bff0 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Fri, 8 May 2020 14:24:25 +0800
Subject: [PATCH 01/19] update security

---
 .../secure/enable-tls-between-components.md | 198 +++++++++++++-----
 how-to/secure/enable-tls-clients.md | 40 +++-
 media/sqlgram-dev/AlterInstanceStmt.png | Bin 0 -> 29557 bytes
 reference/sql/statements/alter-instance.md | 37 ++++
 reference/tools/tidb-control.md | 3 +
 5 files changed, 221 insertions(+), 57 deletions(-)
 create mode 100644 media/sqlgram-dev/AlterInstanceStmt.png
 create mode 100644 reference/sql/statements/alter-instance.md

diff --git a/how-to/secure/enable-tls-between-components.md b/how-to/secure/enable-tls-between-components.md
index 38ee06ea70329..1e168442f6441 100644
--- a/how-to/secure/enable-tls-between-components.md
+++ b/how-to/secure/enable-tls-between-components.md
@@ -1,86 +1,180 @@ --- -title: Enable TLS Authentication -summary: Learn how to enable TLS authentication in a TiDB cluster. +title: Enable TLS Authentication and encrypt the stored data +summary: Learn how to enable TLS authentication and encrypt the stored data in a TiDB cluster. category: how-to --- -# Enable TLS Authentication +# Enable TLS Authentication and encrypt the stored data -## Overview +This document introduces how to enable TLS authentication and encrypt the stored data in a TiDB cluster. -This document describes how to enable TLS authentication in the TiDB cluster. The TLS authentication includes the following two conditions: +## Enable TLS Authentication -- The mutual authentication between TiDB components, including the authentication among TiDB, TiKV and PD, between TiKV Control and TiKV, between PD Control and PD, between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, and it does not support applying to only part of the components. -- The one-way and mutual authentication between the TiDB server and the MySQL Client. +This section describes how to enable TLS authentication in a TiDB cluster. TLS authentication can be applied to the following scenarios: + +- The **mutual authentication** between TiDB components, including the authentication among TiDB, TiKV and PD, between TiDB Control and TiDB, between TiKV Control and TiKV, between PD Control and PD, between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, rather than only part of the components. +- The **one-way** and **mutual authentication** between the TiDB server and the MySQL Client. > **Note:** > -> The authentication between the MySQL Client and the TiDB server uses one set of certificates, while the authentication among TiDB components uses another set of certificates. 
+> The authentication between the MySQL Client and the TiDB server involves one set of certificates, while the authentication among TiDB components uses another set of certificates. ## Enable mutual TLS authentication among TiDB components -### Prepare certificates +1. Prepare certificates + + It is recommended to prepare a server certificate for TiDB, TiKV and PD separately. Make sure that these components can authenticate each other. The clients of TiDB, TiKV and PD share one client certificate. + + You can use tools like `openssl`, `easy-rsa` and `cfssl` to generate self-signed certificates. + + If you choose `cfssl`, you can refer to [generating self-signed certificates](/how-to/secure/generate-self-signed-certificates.md). + +2. Configure certificates + + To enable mutual authentication among TiDB components, configure the certificates of TiDB, TiKV and PD as follows. + + - TiDB + + Configure in the configuration file or command line arguments: + + ```toml + [security] + # Path of file that contains list of trusted SSL CAs for connection with cluster components. + cluster-ssl-ca = "/path/to/ca.pem" + # Path of file that contains X509 certificate in PEM format for connection with cluster components. + cluster-ssl-cert = "/path/to/tidb-server.pem" + # Path of file that contains X509 key in PEM format for connection with cluster components. + cluster-ssl-key = "/path/to/tidb-server-key.pem" + ``` + + - TiKV + + Configure in the configuration file or command line arguments, and set the corresponding URL to https: + + ```toml + [security] + # set the path for certificates. Empty string means disabling secure connections. + ca-path = "/path/to/ca.pem" + cert-path = "/path/to/tikv-server.pem" + key-path = "/path/to/tikv-server-key.pem" + ``` + + - PD + + Configure in the configuration file or command line arguments, and set the corresponding URL to https: + + ```toml + [security] + # Path of file that contains list of trusted SSL CAs. 
If set, following four settings shouldn't be empty + cacert-path = "/path/to/ca.pem" + # Path of file that contains X509 certificate in PEM format. + cert-path = "/path/to/pd-server.pem" + # Path of file that contains X509 key in PEM format. + key-path = "/path/to/pd-server-key.pem" + ``` + + Now mutual authentication among TiDB components is enabled. + + > **Note: + > + > If you have enabled TLS in a TiDB cluster, when you connect to the cluster using tidb-ctl, tikv-ctl, or pd-ctl, you need to specify the client certificate. For example: -It is recommended to prepare a separate server certificate for TiDB, TiKV and PD, and make sure that they can authenticate each other. The clients of TiDB, TiKV and PD share one client certificate. + {{< copyable "shell-regular" >}} -You can use multiple tools to generate self-signed certificates, such as `openssl`, `easy-rsa` and `cfssl`. + ```bash + ./tidb-ctl -u https://127.0.0.1:10080 --ca /path/to/ca.pem --ssl-cert /path/to/client.pem --ssl-key /path/to/client-key.pem + ``` -See an example of [generating self-signed certificates](/how-to/secure/generate-self-signed-certificates.md) using `cfssl`. + {{< copyable "shell-regular" >}} -### Configure certificates + ```bash + ./pd-ctl -u https://127.0.0.1:2379 --cacert /path/to/ca.pem --cert /path/to/client.pem --key /path/to/client-key.pem + ``` -To enable mutual authentication among TiDB components, configure the certificates of TiDB, TiKV and PD as follows. + {{< copyable "shell-regular" >}} -#### TiDB + ```bash + ./tikv-ctl --host="127.0.0.1:20160" --ca-path="/path/to/ca.pem" --cert-path="/path/to/client.pem" --key-path="/path/to/clinet-key.pem" + ``` -Configure in the configuration file or command line arguments: +3. Configure Common Name -```toml -[security] -# Path of file that contains list of trusted SSL CAs for connection with cluster components. 
-cluster-ssl-ca = "/path/to/ca.pem" -# Path of file that contains X509 certificate in PEM format for connection with cluster components. -cluster-ssl-cert = "/path/to/tidb-server.pem" -# Path of file that contains X509 key in PEM format for connection with cluster components. -cluster-ssl-key = "/path/to/tidb-server-key.pem" -``` + The Common Name is used for caller verification. In general, the callee needs to verify the caller's identity, apart from the key, the certificates, and the CA provided by the caller. For example, TiKV can only be accessed by TiDB, and other visitors are blocked even though they have legitimate certificates. It is recommended to identify the certificate user using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `Common Name` list for the callee. -#### TiKV + - TiDB -Configure in the configuration file or command line arguments, and set the corresponding URL to https: + Configure in the configuration file or command line arguments: -```toml -[security] -# set the path for certificates. Empty string means disabling secure connections. -ca-path = "/path/to/ca.pem" -cert-path = "/path/to/tikv-server.pem" -key-path = "/path/to/tikv-server-key.pem" -``` + ```toml + [security] + cluster-verify-cn = [ + "TiDB-Server", + "TiKV-Control", + ] + ``` -#### PD + - TiKV -Configure in the configuration file or command line arguments, and set the corresponding URL to https: + Configure in the configuration file or command line arguments: -```toml -[security] -# Path of file that contains list of trusted SSL CAs. If set, following four settings shouldn't be empty -cacert-path = "/path/to/ca.pem" -# Path of file that contains X509 certificate in PEM format. -cert-path = "/path/to/pd-server.pem" -# Path of file that contains X509 key in PEM format. 
-key-path = "/path/to/pd-server-key.pem" -``` + ```toml + [security] + cert-allowed-cn = [ + "TiDB-Server", "PD-Server", "TiKV-Control", "RawKvClient1", + ] + ``` -Now mutual authentication among TiDB components is enabled. + - PD -When you connect the server using the client, it is required to specify the client certificate. For example: + Configure in the configuration file or command line arguments: -```bash -./pd-ctl -u https://127.0.0.1:2379 --cacert /path/to/ca.pem --cert /path/to/client.pem --key /path/to/client-key.pem + ```toml + [security] + cert-allowed-cn = ["TiKV-Server", "TiDB-Server", "PD-Control"] + ``` -./tikv-ctl --host="127.0.0.1:20160" --ca-path="/path/to/ca.pem" --cert-path="/path/to/client.pem" --key-path="/path/to/clinet-key.pem" -``` +4. Reload certificates + + To reload the certificates and the keys, TiDB, PD, and TiKV reread the current certificates and the key files each time a new connection is created. Currently, you cannot reload CA. ## Enable TLS authentication between the MySQL client and TiDB server -See [Use Encrypted Connections](/how-to/secure/enable-tls-clients.md). +You can refer to [Use Encrypted Connections](/how-to/secure/enable-tls-clients.md). + +## Encrypt stored data + +For a TiDB cluster, users' data are stored in TiKV. The TiDB cluster encrypts these data once you configure the encrypted storage feature in TiKV. This section introduces how to configure the encrypted feature in TiKV. + +1. Generate the token file. + + The token file stores the keys used to encrypt users' data and to decrypt the encrypted data. + + {{< copyable "shell-regular" >}} + + ```bash + ./tikv-ctl random-hex --len 256 > cipher-file-256 + ``` + + > **Note:** + > + > You can only use hex-formatted token file. The file length must be 2^n, and is less than or equal to 1024. + +2. Configure TiKV as follows. 
+ + ```toml + [security] + # Cipher file 的存储路径 + cipher-file = "/path/to/cipher-file-256" + ``` + +> **Note:** +> +> When you import data into a cluster using [Lightning](/reference/tools/tidb-lightning/overview.md), if the target cluster has enabled the encrypted storage feature, the sst files generated by Lightning must be encrypted. + +### Limitations + +The following are some limitations of the encrypted storage feature: + +- If a cluster has not enabled the feature before, you cannot enable this feature. +- If a cluster has enabled the feature, you cannot disable this feature. +- You cannot enable the feature for some TiKV instances while disabling it for other instances in one cluster. You can only enable or disable this feature for all TiKV instances. This is because if you enable the encrypted storage feature, data are encrypted during data migration. diff --git a/how-to/secure/enable-tls-clients.md b/how-to/secure/enable-tls-clients.md index 1ec60ada502a5..635996a64e73d 100644 --- a/how-to/secure/enable-tls-clients.md +++ b/how-to/secure/enable-tls-clients.md 
@@ -8,7 +8,7 @@ category: how-to It is recommended to use the encrypted connection to ensure data security because non-encrypted connection might lead to information leak. -The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL operation tools and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support it. TiDB supports the following versions: TLS 1.0, TLS 1.1, and TLS 1.2. +The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL operation tools and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support it. TiDB supports the following versions: TLS 1.0, TLS 1.1, and TLS 1.2, TLS 1.3. After using an encrypted connection, the connection has the following security properties: 
@@ -16,13 +16,25 @@ After using an encrypted connection, the connection has the following security p - Integrity: the traffic plaintext cannot be tampered - Authentication: (optional) the client and the server can verify the identity of both parties to avoid man-in-the-middle attacks -The encrypted connections in TiDB are disabled by default. To use encrypted connections in the client, you must first configure the TiDB server and enable encrypted connections. In addition, similar to MySQL, the encrypted connections in TiDB consist of single optional connection. For a TiDB server with encrypted connections enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a generally unencrypted connection. Most MySQL clients do not use encrypted connections by default, so generally the client is explicitly required to use an encrypted connection. - -In short, to use encrypted connections, both of the following conditions must be met: +The encrypted connections in TiDB are disabled by default. To use encrypted connections in the client, you must first configure the TiDB server and enable encrypted connections. In short, to use encrypted connections, both of the following conditions must be met: 1. Enable encrypted connections in the TiDB server. 2. The client specifies to use an encrypted connection. +Similar to MySQL, the encrypted connections in TiDB consist of single connection. The connection is optional by default. For a TiDB server with encrypted connections enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a generally unencrypted connection. If the encrypted connections are enforced as required, both of the following two ways are available: + ++ Configure the launch parameter `--require-secure-transport` to enable encrypted connections to the TiDB server for all users. 
++ Specify `require ssl` when you creat a user (`create user`), grant permissions (`grant`) or modify an existing user (`alter user`), so that the encrypted connection to the TiDB server is enabled for the specified user. The following is an example of creating a user: + + {{< copyable "sql" >}} + + ```sql + create user 'u1'@'%' require ssl; + ``` +> **Note:** +> +> If the logged-in user has been configured to verify the user certificate using the [TiDB Certificate-Based Authentication for Login] (/reference/security/cert-based-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB. + ## Configure TiDB to use encrypted connections See the following desrciptions about the related parameters to enable encrypted connections: 
@@ -65,6 +77,12 @@ ssl-key = "certs/server-key.pem" If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started, otherwise it outputs `secure connection is NOT ENABLED`. +## Reload certificate, key, and CA + +When you need to replace the certificate, the key or CA, you can execute the [`ALTER INSTANCE RELOAD TLS`](/reference/sql/statements/alter-instance.md) statement on the running TiDB instance to reload the certificate ([`ssl-cert`](/reference/configuration/tidb-server/configuration-file.md#ssl-cert)), the key ([`ssl-key`](/reference/configuration/tidb-server/configuration-file.md#ssl-key)), and the CA ([`ssl-ca`](/reference/configuration/tidb-server/configuration-file.md#ssl-ca)) from the original configuration path, after replacing the corresponding file. In this case, you do not need to restart the TiDB instance. + +The newly loaded certificate, key, and CA take effect on the connection established after the statement is successfully executed. They have no affect on the connection established before the statement is executed. + ## Configure the MySQL client to use encrypted connections The client of MySQL 5.7 or later versions attempts to establish an encrypted connection by default. If the server does not support encrypted connections, it automatically returns to unencrypted connections. The client of MySQL earlier than version 5.7 uses the unencrypted connection by default. 
@@ -94,9 +112,17 @@ If the `ssl-ca` parameter is not specified in the TiDB server or MySQL client, t - To perform mutual authentication, meet both of the above requirements. +By default, you can choose to authenticate the client from the server. Even if the client does not present its certificate of identification during the TLS handshake, the TLS connection can be established. You can also require the client to be authenticated through `require 509` when creating a user (`create user`), granting permissions (`grant`), or modifying an existing user (`alter user`). The following is an example of creating an user: + +{{< copyable "sql" >}} + +```sql +create user 'u1'@'%' require x509; +``` + > **Note:** > -> Currently, it is optional that TiDB server authenticates the client. If the client does not present its identity certificate in the TLS handshake, the TLS connection can also be successfully established. +> If the logged-in user has been configured to verify the user certificate using the [TiDB Certificate-Based Authentication for Login] (/reference/security/cert-based-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB. ## Check whether the current connection uses encryption @@ -131,6 +157,7 @@ The TLS versions, key exchange protocols and encryption algorithms supported by - TLS 1.0 - TLS 1.1 - TLS 1.2 +- TLS 1.3 ### Supported key exchange protocols and encryption algorithms @@ -156,3 +183,6 @@ The TLS versions, key exchange protocols and encryption algorithms supported by - TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 - TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305 - TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305 +- TLS\_AES\_128\_GCM\_SHA256 +- TLS\_AES\_256\_GCM\_SHA384 +- TLS\_CHACHA20\_POLY1305\_SHA256 
diff --git a/media/sqlgram-dev/AlterInstanceStmt.png b/media/sqlgram-dev/AlterInstanceStmt.png new file mode 100644 index 0000000000000000000000000000000000000000..99ce13d7d7504b7c768bffe40fabc171f8f4eb6d GIT binary patch literal 29557 zcmd?RRa~3f6E@o2?v_#t6ev)FkcYAc=YHIrj#T|>CvO7JHYe$^T)tX z^J0G{;O&XiCn=TZ&!59q#1@1%kw^Dq&eTG*(jNg z&D&!HlUu`j+Ikvk10B3Q`n3rTFzo+c1&l0^C;xr;Hjv@{--nC|h1S3R{eyx9J^a5m z1zd4<|2?Y^5Ago?%!r8~`R_UY*D>b5&)=j!qn`cy{2@2<|LWeEcvY$#UazR3@K&4j z{nrnl_n!XSE`xnpGNg(TP9@B8dmKMF#NF7~Xw(x{xK0@%CznJ-RMlNl!swdmO~|G< zG&EG=O(H5PN=;3T=z0<_DJ$FJdA5@+5s8b7D@GNamPQ`gTU}k}$(Ka{R-zYGG%(AlW=g*%>)u#Ofiwg@pm)Fo$kDaYR3N;ZA zTs0Jru-Cb9u{Wp7&Q#5*^W17%Z{+Uwb|o%)Q&x7Cx_8^^P*Qbww-~;Sk&%(0<9Z)r zu#J<8E3Qnl&Gxo-_j?tluf|bJVx9WuK*nq;BCLPrk({%0JpBDL+F<#D-|~n30bY*= zkGdZ}qzO-sEsto3k$1PtU0r|A8A?f^hqhNB4p%zU{Y3IJ-nJbNDk>@rK0VIBAY>g%<}MzX z|97807%7PDf^X5V>2=bh(|lJt#Ps1Sn6F|uZmLW|`RKqwSY$%=Zb-ektC`Y8KfR0U zQ%G(utzbL1CoL`Q$)?}1&SXyTG;b*3#r9$$;nA{x0i|Bj9hV9ra;9-JH;9GpzbGBSf53t2Wzkk4q?M+fV=zHD@IDMO=d`(?*%_qXz% zYlzUqNODo!&}xZGR8kVS-_v)o#U~JDZ-lp|C+wwmVnK0taX5QqG@2f`xq+CUpT#2P zvLE`*K0iPILf_Zb^}IWj(BI!bJKN|d6=h&2J3EhqtE(jpVl$d1Y-4Sm15Oq4U}R(C z<>d`T%>w$iz0)eJgvCPI=)C_4)ZN`JpDu!dfe{)O78D*XBO^Q9KR7);&d$MARc*CY zq`Ld@2^z%NLQ^CLR%hGW-P=!aeZFsHVuDXW;kSMm9W@peHuS}bv)XpCQ9ezmzpD$h zVnvw+yo%M!ms;G|sDy-M-Y&n=)X=DLu;Vn|8iUvfEqbY!>H3@=Dtd~08hrd- z7+k1btmbodO3q;%v;cO!U%GV{{|R#5nd+Y@)t0eyYS3}QaB_3IAfgxv3Xaf3twr`m zQp7H~Y@Vmi*3UvK%abBo9M;6In!f)G3#<3_Z3WT1dOnga$_DEh7$~xXw*o8u>o2pB zR6#-t3Nvf#iGG;ZKpX=>0zuXAr_Z0TDfn@5a6W<#4od0d)0jg;EYnsTrMTV4zAAGn z2iTGQa{{;=iZ`PqwgGP61dOGwuHgDZ~w)+nOobqDgAlHM5 zhGTOcyCn{no!4`#M{B)_EY}CaVD|u$i(RPS^*J2OWub&BLoPKmS)<(AFOV`&ohHw4 ze#_Cubm(o(4&9t#Vwo=6`?4J-&-uQ-zVf!atEoa|N3e&77X`nw#(^*c1H)Vug3!;; zFIrNgeRsqAay;;E7m61h8fs-}Dg6|TgX449J}Y`R`w`@33nvn=HmB9b9Usf=^hKG3 z>TqT;DCfPW7WKVxA1l>vyE`t{k*8%U&I`mQvxH~1EI1{^#qBLLoNT5;b8~ZJs7keJ z?@mTjZRTsDOFeG*tPh$Sus?mqw?(e+-E2|_CZRo?`06*=_qgN!V`y?Ca`-Jnf^|se z)189ya#5eFFu!|Yy>U~Jv60dB4T_V>^L$V9;$YEa*Xwi-)fs}^^gimYHj__+X=`X5 
zz?;ftpseNky{uX_TQ?}DA+Oq+nmX$_4vPuUwxKMi4r`(9LcOLU0^^^ZA#NDxY2|mX z7|Q6z>ydxMWBuE@vZ7*nwn+^ebLE=C_cyzdxL7R-Rio$GKvd@EfQ}GLDiG*y_cjod zg0*;YD$#baDY1Odn#aTulMursJ@}=QQPV0u1Hr$gu2Jft}+M6EhPrNNpNj)Bzmke!dTDbLf0F$3sq@MsmYT%I|1A znKxXj74NDZ?1?(gPghf|nv54MV`g9|^NpGYCZRU23n;wrSy9c&i0J*Eh{th`wW7Sd z-{s+ozAp-~3D|nesjYXiCF|s6+1bh{ZIxE1gu=q@Z+|_>|B}REyKs4Ti)P;-w9x|C zC1K|+`+Yr`PaWX3-g}cW&5Ezzb?`sS%eQ^*jUa1j9vZ^0>GZt2K?PFy((F=A0T#O| zcMywQsNSeIg7UL87z=?w_+D-2S9QDE!1{&d-7ilfMXvh#=NhsTp@465y=@3Zy&E*Q zlEDk>)ahR_?_UxoBkOK?`tiQ-O9?!=B8!_ZMC6cQ*}@;Xf>#s$+MQR5)o~WD~^-3 z2n?usdU)wKcx&1Y?(Oa2GpY3v2zq+x^7-khtE)F&-d!U-JUr;==%fhUkV`Fw-HvlP z;{z+p%kPbP0&QTm2zx%jGhA9hS$k4rn%t0ld^J(5q#{ar&c~yoe%NGMT97D78fcj= zti~bMI=se8es|_zD7X_3cj?WWH+|h-4Gh@5&U>jP!nWp1nX2id($hu#?z}hLhoI&9 z=|Ub#V&&blv&Qo^g^P_YoSfWE6r|0T(?!kA69l|&2McL@4nI!Mfs=cGQw>JVqT{_Q z0Z`l26zEE;Ouwzwusb9Wn__@Rqt!dWnv?<$FP2H26$XRJ5CS_UXuII9$-dPeTcQ22 z&hvEdBPc>HLd3`WaXDH7h8ivzK0X<~%X*&ym7~?P<@{9PWWIc23%{V-U8U0|1*h4F zK!-all9XTQ>z{8SdaYm5mwfWRq#8mOSQ!O&u91F{($dCDuv{x>Fy6by#(ElBy4xB{ zd?x{jpc_)!PDS*;eY4Ez002rAi&ak;`DYM-#adfihbI02kVTzYU$2clRnRSh|8B6i z+H4RwSY2yJ-nZWO3k}MRzrkQUV&Zw_araKp>52r!+4f?-SSUeWUYlXRveMjFfu@VS^X*9q&nBz7GR+?)n0I$oUU)?1CdfM< z5bm7e1-UT9c5z_E-nhKGw|DaxF=*v?H`mjX5ClLeHofMzFyHmQ=&Jefsd|TdBM72_ z$XQvdl`=~f%!^IL0V?}NMMouc1GZ~L8EuaEcwKM=zA6hSTWm}fI)g;3Y_g`-*48HZ zBl-9RIVC_Gbro+`HtDp#$VrzCmi>1Ka_YVD$jL{nKd&rr(UWMNw_Ge4B|O8T5V%>a zGC70MuJ?qK40YdLW2XqJoAMcKPl<8>_F7G$g>u{d5684My$Wpu`4=)lXX6ArN1{n| zetrQljx6B2gAkjxS}XX-WM{Td(>ZY5g@lFqNF!2Hb@!>FC20Ux)!=h|9-A+}2Jgzx z%b}sme-9pgrKp&@*gMchuwh8PR;$zE8Seq5qwu3DUhLc2+G0kXYj5v^dF?omo`=hA z+mmMRp~lVNSJFFYyBc#gXn_RZze5RFbqegmDD$=o3Zkhc78`uP{9-Dy{VnK24vE2% ztSzt_S2I=)cowk-YBd0)q=i*nU_|(jf&I41B#z4CHR|cJ1zZ+vqAJ*Weg5Z9US8XU z!=t0Z-rt5sgIr?hFPqg+=T##**6i%1_CNNeV&C;+5-6*vydlQLCB~)Ft*NWiulQ;} zn+j%hxVbz6Ohi{tk6MdGt?IEBF5W;*z;@qnCh5%js@@~uEYZn#FwXxTAd|4N+FfjN zllUn?D&TmzGhG}>AzWtuCL3@&Hf{G1>+OkwwL%f{Nd37MZ#~)zHGMIsp?`y;KE*N1 zyqui%!xicwZnSfX!-FZQE5Ngs&CSi390=P-?WnrSxlWU?zb1s$bLb 
zir#ExOOun3kO-QMZ0`E%sZXX}m0zR-UKBMSURfFZnM@$afytfa>C>ku6L3;r<2O~1 z4n^;HX*|qrFyX0Q69E~S&)#e$Eu3{5R+kQec+auFe_tVfU6c|bXA*!Pr~9wx>VI9+ zivIGYaRgWffCwd-fItBP#PZVxB1SF zWx^o0u4_Hv9iO_L+{?Awd{=XVArQ#)g3%Y}A^BqI{DoEf8q<*!)SVZyq0V9R$Q@8l zh!qrab;PN9s&#sLTCbz$3ekYP6J}ZL%IU}xP&wd}OB3?wxI~Y)wllST*Ag8YYxMQ& zTc}C@)Krci-~g^K=(75P`f#WvI3#+cWJ>L+oc>wGBbWRPZ{^7uE`I(wz)2>*&#YoP z38A;PAFs+i$(6|sHH@y;zOb!zcbujy6w`c{P&S%a^p@2~{j96miHXnPtvAUrT z0ZE84c|(E@gB;d+I0KtixwFM1UZDF54uyaJ{xN?fHE;BHtHmS$A}I!j6KDxSjqA<^ zT4mVT*&XGXpyWjXslwdN?Vo?WC%omgmXw!Cgl(t}6$8P8ezSXY(ADX7c78rv)9%hR z6Cg*m%ORp|q7wl4b_K^)abF-8cbBqzQ}~_IfVjx_x@4#%BjfExa+z*ppRGFTfV*JF zxPA(XLEwEpmtW=QaC9V%{_39%nu_$^1;^6KBQ`er2o@J%3#~rIH=Un;e17(l^sRO? z(d*ZQgzBl=vCJ$i{G=?wIiSYh@kyv#Y|)`){@9=ccpGx8Bhx4FTtq}n69?*xPq5RQIT$AmUKD%iyX?=Xs!Q;)iX3zVV0fMH;fIO=;qZeCG#ySx?UuI)4u#Z%mrWj{+d#bgObxfovx!rqz_WbziCSJ{*I=HVDysQNbhV9PIqGe`siZF9ttF{!&{o*zM z_vB=FtPk>{VI^2doRAxhFuX&`EwO0Te2sfU6Np8A<=GBZJs2Gu8ykc%(ePn)2)?Y=u`^M__e_2~w zlQeoOr@pis`&TRzAI2$iqp(t=jD>}TLBP7Vz9YE&^)=R??KpE7_ZpNFG^N*3=;)=nr7`sHF=jbf@2J7~GfNI_x zW=GcRpytLddv12xCbWu8|BqboB$VR1XIf)pW3%8QSR&OGFe3ng&6vrly9cr>BQ&V*&v!5%oDfmHqSsI5d(pLgaNG)f={@3t{2mOdfrM ziEMbdxLt-0A3uJN#({P$0E4#(+|C0NqoSgkn3xC&33-W$xxcrkU8B(RW|U)k)czl( z{U%+Z`F}F8-xv*k{+l;^^yvRpn)UzVEbjkryU*)%eKhcj3?B#AoAau>I;ZQh>t}sV z&gGsp4(wy)uR(;iHg8>JZ8gN=V10F|(8*4MP95T3#LG9c^PC^uC36mihePgqJ3lve z%^NI9g9{S>SxFZCxXd=qyA>VB!{uN)ANjscEzMfuZ$J++zVpRoF++^Z=_xPl?z~Qs z%h$Y|6Uws@V!4_cJo{4(&@JpdFOQ3_f(cq3l{4@AqzW)(`_h*)zQtZYDNn-*{oA@% z$w;U*SiWtgm731oZKvOr`9Z&uKXVT99yzdsXV@^CJ;fW%C%equ;TyVwJS!*8;U0}W zLc%^RJuoZgwhRzG>#GoqfUFL$``ok!g7n|X)GdSgZO8=_6Bx!{MPd-XtYP(Non|WF z7efBir@ddb@V?{T`GK+g&{}zQ5~@`vm&KGY&2YKOAoEQ6rl_FD$al|{WTd70W##}GAd&U-F$Bf&8kLPK&rhC6~R>=d+$VD#%mbFrx z9d=F|oLaToEkV-(Mx}*Ou?mDcV9`6PHvWnWUaD21?FfpME#5yPGXp{U8J5hHw40}h z`X~8@UHkzcF5d~d6T(tcLHY+d)aEN9NGdfhr#C5tp0`MVS_HUn4U?O)$s+eNro_Lb zxSy1nea!3!ts@p~)@G>1#fz>Fg1fWIMZE6YpO9L~_6$kcArD9(#Vf7>U^rnwnS)ER=x?_u=C62{hau!`Q808`cszk0M;M 
zf290uR0zEZevW;86&f5ITsfom>kjU!HcYNmi-*IK(zfHPBwZFBetX4o{l19(LBORJ zlBjngchfZvw^e@=?Jo{PS&t#_C(Q(@xD%42>+D@5H9&clmD_2ZP%yVuyDP{9n3f#T zuD{V@L4mtmPj6c?PpiHffuoXGq5B=^XW(!eyACsMBi|dO#jD^94`3jN1wR{aGxD&)#jQm2D=6cX=E6Y(ER- zBK@12n=SCJTD*^5_BP@u4X1RWBy$B*U}e<7-l&RHxpVDt~e z1#X)RnQsT(6u>Dddp=;#CjLxz*ISH8+%L&){+*N}=?He}38mOTY-?p5ofkM!(NTS-UK;Tm zF(4%cM*Oy;jGW=suDgkfjTJWhMrO&2nG;{#f7m)qi;Mfbs`bX%T278fJ9_V`v#q|~ zyz5a@k5lTC7qyO_iLo7DT%BSZ?mo&DVNUm_V_LOQQo&opnfw+~!hEjhaTIMM-0ukS z#zG$os2NvNK=OnP-*@kj)kk=rUs=1FEcD&Ax3rayFbh_oo|pu43U5PB4hY2#q&LV# zuM)qvo~INZ48R2ol1K9)JY$m^_FJm2t@w$^@E!KvJ1Vin52rJftjkN zx<-HcH@xd0^PA@q!{B$#(%xwYKcnS9UC|20pjlwE=OUg1!+sDha6oO$Pd}m}799G% z|A7lWyMhJkT6u+I1FKS^SJ-iv0urFT5jSEWB&LJHhVRFCDJLaq6u%VcyZY#>@mYfi z=_R%)jPsMtc}=QglCSyew?)slF%s>Ag0K#*g()c$5Z@lwH}$MJ-1agk$}c6b%UZ>wjg~Zv%x^sCQdE zPpNh$TG3(Oxd?RUwQ-}J4cD^+UBx8=m~5bcZ~AG3iKzG;%Xe@7tqOHw=B)B_!j;UO z_FIs5qXv^rBx4Zj81QlE=vapAZypv>n^A@UA8tkl_f1#g$j-L25~3MV#oTFVDJeOc z-(%(O3y9p|uV{ScXWpP05hc#BzI#nE-==HPgoTMkMU`I0BMr-baeVHrEfUM~CmQS7 zg9CmPuK+!k^%Q@Bqxsul%#gP7J?C4h{w5szGJV0~8eJJ}__BsSDS;F2CIzNKvM2~Q zSm^{UD5%#*(6svWge2&K0_Y=yaYw7QUs8sW3PV{(gaQ4eG(nP{gWSRt_?sfU$i(<&6tF`1lVVan^ht5|8s5>o>%xr&D`y{g ztKT7H0{?y}ihm0!utMe47X$@4J5O=@)>7MSvDzS5Z(F#ibfnr;%*;Zc_Yw~nu+xQx zyg=tK+|U@Ji0X`f)k1>%pr?-*e+*(5@T21>ii;D&93D0M15W9~U4?Xqf#Cm2?k*YB zb>3H9zHN$lMfaD&`aI964jcPkQAH-riL#DlpoekiHVC_-ijD> zqQ8*xI@M7aZ((I|_xI$DUlQ?Mku{V~+hc|0JxVMh7*Z8xz9zWBo5AV%n~ z1dO8B(vM?CxV>YZl(Z!<=K!n!?Y#eWsY@rFQN$8|8@^Z+-~vb;D2c&MuG4W3`r zXtRvo?%swY{e!_n+}Y3Od8%0_FE&T~PtoM7bLxb3!mphbg_zD;0*Rmpc|wu6xn}t0 z4t>ANVH0V9kC`dg#@oa=gDgCo9wObq zF($`|An*|wZ%D=o=@v`0r9%tI>7_#$zrYB8Sp)vP>vsB{WOlJA_euFcAe2@#SW-RE z$T-Ky#$tJ+tGb%K$aKghlNF_W(Z)P2?;nHPUpjW05mnRort*W1B*?og;xi{TubFS6 z>&D2rYW~Ms$sj%&0*vA%Twq^6XvQh*7HqSwv!%4^pKnLNXNK;aE0KMc!ZNaT>Y8nP z5dyDX_3Esx7%oi0s%{dxyJPUR)A|VrM_r2xyqyqo13kKIMMNK*NIq{T?pccL+-45v zKwBJ-=%+en%u$2~zPGz(X<8O!^qjgjzJ(%g!WO;lze5hlxX0AgT2Uu`#n+J>#%>OL 
z#%4xcLahN}v_o#%uCH@KLZl%F;q#{#G7heaVokdfOG3+$Olg6}>t;~a;LLYs(Z8(?tdUWaove?TVx=q8sfq_oqBqaD$AL4U&Hlu^6*p&~$KOf4 zpJYOnQ+Hj1LC3Jxt#H4VK3sxE*p^Wcr3y5)V%&HYt+Kg%M9?MRGhoHvaR#!W@i ze?~wqeYS0_jyo8=lA94uza{-f!erkTf_BkUxUES7{Dhlq4offQI zUn$_38pUbk&|a<2WM? zOw{+L-8MfqE|{pw**c)O%KGAA485amg?9&cLZl~mn{I8ErQwt4*texvJ+*wFW%?#`#2(a z<$xOE zog^n!BYtvP+!drLq_EQV{y+^hRrsSvS!qQvi{-vKut|dyBLN6Ju>J z)-==_*y=f08;+cLSybub;RJR@3%&yE4C-laEp~&~+1WZ%Y2Zj#V&uwLQvH#ytLiVt zTI0^x*2QEMIttdMFM7=f=uVhW$$SY3jNNxvg-K6&{U;gAH57*@>nqt;b{qMRWTa_4 zP~GDWbNmh6RZVg_(r-4c=!U0{Ut-o^o+1P_aBxN?+XpPQs#dle{?N>2MPQlPm*?3= z+CRZ^m1>wc>$gC~wl?~?*ddRV`4ktACoB1(V+w+888i&skshWIGJRxs8=OPi4Bvw#-WcD4F-KT zO+w+`6FX~1a`B@6(V4F6h<5Jz?LefUFAvJ5`0~rg_ERy+x=)k2p}^vScc1HNc|u0+ zoH)DkB&2Rs(3L;uD)xZ58%`PJIdeep@$NGvD<@R>#F3 zkCAz{v-lpHZ7-=NW;XiB=4kKajfI;pg;ED1y=?W4`kBxXQ1}bkNSUF+jSrL-Nl)Q6 zp67$d=ka!G3JM&4E=fclJ=gQMd~M++B%vBQr_dwy-MgTnVJ5ZHziXw|dh(nEt8Yo* z=O#>yjGCz36Ps&kwE6~b!Q8Cl;Vezts!^|&OQZz>XRHmFn0$UgY{miE>tVA|?(2Q1 zD>~T~*Q^Tb;AOU;yP$Cy8f5{JhV$(|fQ%6J-iyUvUNBe!zh(4zmi|TG1>XY;Z%pV+X*Y^#A?l|kFNY04sd3=5 zdlIiw-md^`3|Vl01Md%bghv0$*kS8TRnt_~Is#)0SIWD=p*+^Uh^!)7n`2E^f)+T|;@o_D_!SDw0w@ORB z=TKp`q)=F^-6*NEl)SuEXPwPriZm4HO`Zknlh=BztPP%Q$?h)PUzB*?v+s$LzJZQI zr~PmX0tm~yt6&6qo~}H<97*a0j_R20{7lWT^EY%5zaB)9VeL}r^1ex0Du@PmRe{Bd zR|V0v5}q04bg9$4*U_wvhOzN2;v=O+RoY`~oS+wj_k)A#3qzSgrke~@mZr4#EToJa z1!l@~`!MW@i?oswt1Nc;K>pUf@89a}W<(oq-|8MnI`F07+~Ui(DpL=2tp08v7H5BV z%I^&c8C(Of!w|+Xs+e3oO^(p+9VcPps70wgrRncZ#lmb{T-@y}PpSRS z<>nj10HjUnh1b5`_MQxRS&wk@dY~P2dODeZMiHW+q2hSb>ix8W6{VR51dwYJuHwIP z$$ns^svU`533i^I`?k`G zinlL!!70gZsSfQzo*DZEA9E9X0b|x4$wWe?DG^%j>!3Yn2)KwwQ7Wc6k#(trJxJ)2 zasuV2Q1)<=Ow~4t_k`E3stZmbL4dnaxLlfHoy*b-6~&a$Ug^)JJE@uU>+Flt>Wq=lOC5KL`#ex9_=mxmO~jApHF)t}p9r~C!$Gg>zI zsq^+Px^(Z0jFaER*l7uRn#1WU^B*P;EQ`_!y#{(-5`?^H)4k7$2`8i{UaBvUJf_#F zu+cxA<-eFm=`Fdet0Gb>iq`rX+%@F41;eTPEjh38vqiaOEKc<-V5hNa(Xy@5z-8tzYDzd}PYQLE|;cYI z&}@F`XszDUG!?NAK4ew6l*DQyelaabPP?BDUrae)DHq%aQ|^Qv 
z^YLtsq#jhAFTP~XFQbVd)i8kOx3`o+nGY{*C#!$Fct<=X^0(8fV@FXr?7dk!1G0&~bW~S9CIYIg!<=+6xkesh`FB77uIatt zXR%n)!q?ox{ZMrNp~?`GXJ^(|y+xLo6}oK4F9w{=IO%!ebFi~3lbJ!6AH|6`%<{Il ze?mk|TypYI%E)9McD{xOAhbf(R1A{qzmsjys>D$f3Pd!15kmS zGh+13#pSLu;XzxnR+nk#qT+ek@ad=*7&3P)8Un%tTW;#a`&wWDp3R;vGZ{kc)Nr$6 z@9gsY+BLeTgmx@ev)>VYY`UIqwn}HN3L}KdTI9m_?{*eHq`^yyOa2-OG$KR0uxvaz zEUx}8Rdo|xja1p2T^Y7oOj}iSCvX~AQbZ0&0Y{P*e)Gjso1Rg~k2+~Cs6>bpuLWPf zaTIlz>3pC zZW1-SYP!XoR9=8#w+++!445cUq^R|{y1Az62@RMSYARw~&}vJ@azM6Ux2dvMd16N% zh_T*d6ytgRsouqI>PM0-0{K7AJIJ^e3kygA#QZAq2J$)7`zXp%PEFW6o$B->3ES(r zbmnssRcyQv=%Af5p??hL)7-@Dds06Z5;Qu&y3?z5c&MFk3RJxO2SpZ19E8X0xBT!1 z3h*9QYlfuYD7?NmKThjz$6Ew69d|0{2yk!$ewwJZD5h3kdzGZ6&0KY-Ws5dY>wb|^ zztOJw;zW`S2&DXSLYSTZVrgv%O`gO5(?sWhtE_;ZaN!IB{5dRwu2DeC$Aw76w*v~nCu3oYb$s(JR{ z!;EbezdgJGAfC=WqBu`eK~0EzB*b z4a97moD=sLE%@HZp4f_4b1kjZJ$`&%-&1{b^A#VE+3+hul9rQ;^wAU%dhNB9?ZrYF zB$l4=&=8BekP&O5ovq^hR^|ZG8ev5Ss=2M>o}db@p_RKOaI{otRn!P7T&Lw$Sji*r z54Xa@O(?XlW;R#}0QdXe#yj6?O8DMdi-7lZR8&?4Ph7WR>&mx|OXJQ2sgFo3_D@eC z-hSrQ*_%r$RkE(G(R_6Ug(llCKk~?8N?>xuK}7gmMef#2?)wjl&ML?P0%&{L;(jS= zs3?usz}1mCc{!WfnkudcdC)F_$9a-{cEyB&t(UuI-vIAp#g#&);B3aNkLQP)3He~D z{dpfQ#{(AB9UMYSg@Grm$yW4peIZGPoD`K?Jh7xC!|9_gk!Hr4!{1HS_uG!wKT8F_D=wy|8C_TlLm-Js;G8{Mx)pz!di+A z2>XgU&(6t-xgzwU{MKhLzJth59NRK4Tlp%wmaF_gwK#>TPB|xgTBWdF!*TDE$=N#w zLW#Rg<)Sw@7N>tqhq?hgtk>4h&?X3kW&ZhS2!sLap@8O<<}Q|vwACsQkf`00mkmAY z!Lnj)VtIvM#vq7BfFtZhd9!(GHJA07Gh5CEo?y2lESmeNlf#V7=dJeC%!ao}VOrqP zV}235GPWbXEPKzw8J2M2MQOAw2$y=Pp0&96!pF}&d!n8vb*cHy&0e_UDz91(xI8>)H6-vph zWWQYVV>JRyU7jtWD>1~t7(?&vNJY#&HZzt{RVlh}9R^{x;TVOUm= zUvQ-YdRJT8hXEI1+KjBY{qSX{>AR^fj3PBv`=)y;fhCy;u}+ZMkWgd2ro2(nj$zu^ zPmDIL?kn<=a2=8O`gH4BrlYp7w%dLf*#E~$;D2UEEh-&@-3&h-hL*E)JBu5N3Q zF==`%GMf(`HxD4tn2jEWhdrMhpT0gWrs$Ess-KZpozx117oeXl;pTT7hd(2<&B0(eudy7Y`_H2q6q?=Mb%%4VP_htY+vcHp*4|YC53>F5^ri;9Ls(*=qD5vQgK&r zvz0AsJ|J6yZgf^+`H}n5>JH%&jA*>Zt*8$CJ}^q5(xzsI4R?4iZi|?d%{Aps7kS6@XYXVG-K9F!DYqf3bdbD{V+E0T6^*W6SD+D-s%)A9{U{7RN7|}Z6Mg`J 
zl79RM<&}ZS%leJ3WZ&}-*ch3X&=s=_hrbpHe(heLtdRTiwAN2=57owYpjtINgTId^ z*TO(TD)E-_<}Ps)et+DY9Q}Zg!34u$JZv_iMh@Gr$kWR%k;ey1av`QRq7DozUAaGx zcONodA5p&;1qeF5OU_PfE`=6Ti<_6OZz4*T>#yO^rhA{#^8D@+U+HkNCGWk%I__l8 zp-~f(G{&%~pdQq`4|}bN*u^Jq)ud+=usMD)0OCvLS8ft-Z<#w8`{d;SX%Jt2*<9@2 zODPI3$Zn1M-Bi$F?_i>LmFFTWg!%ypNjJ-)9gbkg5yJMquCBnteeC~6-w8cMPNUZ$m7FFkQ z!&Uj&xl*FP0LfC6d|ieg^a9}dcV25jJ;}HH*xvO$D;%F#4O8GcF18aTG5r}hs={P( z?NUvwxIHEZk;Rm^K`sp>>7!1zw(R+sUmlizzqx{a@q>Sa(Bl%yYQIT|Ep{g_@PsZ7 zt{x@;F%S>jypz1I~ z>uiyQy`@Thw7?sM`O{xkIh+-Nt0T-qlv)%L&)0$6F~*hWykE)rDsend^}HLS>u4}E zUg&SeiJocqbNB8=;bx&>R^-7Mq9%cb?DdylrN!CY8G+NSn5p-74a%tRUyFn1ICBFN z13C=!hh@(^-KyeP0H`Uxq9KGRO-8n_sS*5k!dOBqw#=}cJG&{4+2zJ_`i)!H1?E4S zx|;r;5`VIggjm~T6N|rCEY=55*AoBg31Av#WM8fyOh6}zXD4@tM#ziX&d0_XZZVXQ zsKV?{fLfqK>JDfgl;!*eIrU8w-}@?KX_0^aBGAL8v4&TjZ&;^k=A9LxryjtC&-7rC zxK`${0-FxD-UkFhY&DYPCgMX-YW1}3dE$2tf(oGMWPjYmbmm0I#}X_*Py5UAjkMorG$@_l2=B>yr6u#O9u|5IE*~? zsr-sm6cljD5>peB(qolNvIp5YXPjJ?9hg|o)Y4<%_mO6o0e{22@BJuP^>*O)UJt<( zex)Zuy%!6)GhYfX7mR=&5E0kRQ0~g9W+O$9^*a*E7u2$sEgOZu^{gE^&)4#ldJ5K> z805jjb3HNX)2oF?=kz{;Im}-I)>(`HB)DjcuaH0_rR6Qnt=O z9B;ftp0JusQdk*!9R8g$F~~8V8y`c`tfg@Aa@M754g4yCJFe4EZuKVnFQA0QYn61k3vyKHdYcKbOwIwJsnjL2qRb$HC;VpBk&5iJOz`6a{_au z2RPsgRF<$-4A}Q6Q5P2YZ*2`6*7P`fVa~|e%OY72WLWF}n>a{@g5{;wMK|5z+-uI>W%WiLFnRSph=JK4(m%K$JfHC2E+zeLNB$sUt8z@L&edQ%b|3#K zzXhK}KKsh<_bsSvE}&$uE?h!_D#VLycwp%P)}R~ei{V5Enn^&O6#4;mLI;-0>A-u19~;A@|JLCg?#3TkZ^$#rQ@v;g7o;o}=0#O-8D^g;SDUf~ zNzxA}U8OzrEcLVF3zg-}L-BYg9T24FDKQ8HMZT*flQhC{XA9n1{D6Z?MI|G{gxJ%X zzk1e7y#7zQ^%22IuiX@gs?nEMlfOw>b|{gJ?8AKb^k?*I?$zU9$=~sXKYbolnd$Ez zU#K`%k7u!R?tqGJ&tkTJVUn0i$(F2RHubZUK`G26BF6?JwbwOeD%dSS(8J9 zH>uUv5cwffcDhAjf#1oRRCLqopQJ~2c@1MKVnuCBg#fkano1ED^mOuUcSE2u~Aw-g9SNF zrgSN|?n!;EWpT}$cXB8l3H6JyB=t8ouY>6MS&&-|>Y&_75hhVOc&cAi?2ZKfajzR7 zWC42taT-&zzx4@#I1f#(`&BgP{0=DdHVd4obS#~no(9v4wkgVA1Gl6zwrM~)xw$>H z5g`RfGLCkWnRb3{0FpVs#j)W3gB=~)vb2W|!CvoGG}c8^WX&p_?G6%~O7E7CBA zf|C8~&d?BA+~B>PYZjA@^`;YSN2S|>Pj>(>Y!0BEIk;xtQ^?0dl<`;YdzBsJC~?+q 
z6JG(MxiDd(0YnZ|*n1EpR9Ab0$eNlOIlYij`2kaaEO7dcfAch+&ycGndWnaf+iqIR zqfG^GJZIY}h>wn~yPJ-CVw~#3j;!OzHq%kgV}8`!!b1nqu{*h0H|*TC3XXR}`pv(B z9+!2CfiU75^j(3sCuRL^L~Hgzy_~LAh<<6whw*nlwG8rNMX*wf%d;{>d!IO&>-n<7 zR?L%|Z&m|}KhwlieFjMe0mOH*y!Ef7q&gy3?gmo9>)={|Vxz9-dz3Xzi5mX>H2ZAd7?X&aqk>E>q9G_cdd+O~^w77)6x61GPZ>6GnTDEypQhz@TJ{9Ph z2=IoNeo&-pLwxU)D%@>?evpeOXw%Zh1Xz8d%6bY?$&36eFvz@PT|S;-Vo#p%Vvl>v zLuF>QHj{5ETtO<>csx1k(EKkcX^G*thMaVpESJC?J8poFLO(=--ZGfZkj@~QQ%+d! z;BY4SWjJ>31;8u%=l=pEwX8#qFUq{D6Bp#Z3`fW9^U&Hnqa}O!PX#{n96`dG*tQ=T zJHzApk&?m67sCi39vw~2^wxb=mQ*rzq}bm7%U`0-*+Jb`63AapU$v2@F8ufu1HC!d zK>hWo$#?$hGJ%VZDA8|kgC=nh206*8EhTeQI%^rGppt4(RDbr89Jp*`rIs~+1SPT} zY3h5k5+aMOiT=St&D!$~5p^7WvRRQl++azXsP3U)`JvQ-MlAWgkEylw)YQ?fSVxI1 zS*aS^DL~GvAd4o(+kDNUMdpZ9WQ<-2z`}`6NSFz(#!pTf9^@0*h)GnDFJs%8KYv)&quDKV~eB{L{q9z)HcsLR>po~=T&MnQBncqPQg2V zvo3^K&vQC&kI$Xr91%eTa+k;A#$izdGq%QS@Gw9bn~khA`W>ynTknA+R$JMD6SJxL`kFGD2Qs12dd zF3_0hT3D_wEWLKCX6G6+6=aQ10IPc=h9lS*wu+s<{XDr%G* z-SOKiXTClVSGk8Nq7~kIM@h&*f`Z(|8}Y;iQ0I2GRwiApI@}3SF?ja0K!j@!*d>M{ zuvC+*CTy0BkGPAMN72!p_$K}VQcGsv&sb@pe&wtwe0f7ZG_Y*$kmIE2VrezEI5;pl z95y=1y|K;1&ihqRoCkp*46VWlSp5`Tf9T-8k&4F99yu8l)VU%lP2&i!G7(KmPS(7s zy@*L|!4v$b{-{@r^DSK_D;I+wz_}Ai7NFs!(}wiq1xL&CTCrhch{z|JC?HHrm{_YlotITvDdRdmxi8yw<@tG-&&!6}aH@;l%49xfg@ok;nlR@BS za@_0txgka1hEN=9f>k-DNu1nMrFKEY`hw*kQlhjJ%*0->18{sLcT!`6?L@%bz|}Rv z2`1I`oMYABqPQ{kL7&&xr+~J-B{s>GuXI#_S+-sodMg=vBPjlge@B^BXXlbM4LE$P zz~p%@cm?7SQ!R;7Y`HVeiUG7d6|==JHV8!Z(fDsLo>gO`$1&<1XnndtJ-xMaR=^&U zQhu)J!V)C>Y&AO6q8Cjtb)cgLv5yH8V48W4#ZIE7(x)wzB{m?~mWl*uflm zGVuN6gG<4pnJmlQ3^c+t!7hlNPNLcU?iBVhF~=$N6;7bCfLfN8FJ&1Ua_Q$Wyfg`H zzjO<4+5D5vdt>yqpb_)Zp=3Jk*@p4?|5M#pKSb4j`x>tzp-4+BB@GhNA&gSe-2&3x zIfO`;NJ)b<3=EA3%n;IDLw7dh+e;4CHR^k99lR+(#5Xbv}@a5Aa>t6KPFMJ$oj^MCGjA-(}GH zBaGUw$>VWDOX0fa&(EJH0X!t;A5^xj>E>wrbV12uyx;Y#?kN!fT~%U-F&^3(FE-`o z#_Mf)0h5R8RO>V`Jc)>jn5y5%@?-jJaJUL4j@-uZ7l5(Sk;H6>2-`@z(QEC`WvAQXRl8_m|VyBPKIE4Jr z+S5SYTMbdB=uV{Xksj7OLP5pdjIQ-HL@jx&kKPR<9#q0!fGD 
zQ;BWGT|{V9QL5G0=+wC!>>K9QNj<5i=IxpX*m&+s*1X7*L1Ev0R{;OJwLG@vyx~*x zX*{$Td*kj}vu75p@Z4Pf0U9xp^iCP}f+pZO_u^Q9b&{f(k3-0wmYNO*bRUHgO|gC@ zWIQ|4d4l}_$xRLw@E9sy4+ZKJ61@qPRRF#tiEsalxr42U1+jD zoJMBH;ths&)j{X3ldZUo8UaxWSWH_a?wWP4XWY|GDh}aY6p*V!*=i5Nb3n$Ph(=)g3(K#xG<^@Tg9a zBm@KmCZ(k~DEJ;EWi(u!okoY>ZyW`X8aeqDQunlIaf#tOK%pFF@U!i4Y*pBNagag! zjCLg@9%J|a1yt8nPusuq_l>+MS~Qn;1*Aa3JI&i;E&lK1-oi%S{vY^peP0_6MLPC0 zvS0;>FkPDQkbFdg761IS zM)ws|BqDY!iHMx~pl_oRry$cJLHcZB5pwjN*Pn!J^)lbBCx_tuL^HC+;dN#BC@LL zZQ#|%Cq0sM`-^jfbA(vu2;p0k*o-*I=PC|6|rTec~SZfAluI`UCfE!S*CvCvG#SOI0p zPhDM7V#3wO)T?-SR2^>oE)EN)7}<5ZHuXD6E+Zo<-Ja9p+SS$kz^}@>weYvvCO%DH z@s|PYF))&+H&yx4<%)0?p^gp(nm&Ekww@;TLnO40*$2Uc`?vU0&zCPxy&V<~K&xn5 zb0p=4#0ycy3G~bWC_awu(qdc54LbYz6J)^;6&s3RJ$VgS1F!Iv@Puj8)v=pG8M$dq zTd$gcbBF!LoVV|5%kx8QQg*Q~Qad?SO5qIkosn7$d|AwDE-?oTk7M&%Bca4#EEW~oxzvt4&%KE;D?JWlVEr3DK`-4Hh9cEa035f6jaj*>T z8eW#WJWiR4mbZb`rJ<6|(4b?6sw3@DwLjyEn`9T5i-RsMJbM;go5R4s`IOH&!LCUk zmXBRtM!L|@M1Q8CZACz}A=l4N59Vd*lK&fFj`%Nx`A_ewo?%HpX0e9=#h9S?Z9zQN zpGuN3^D)ie5MT$AQvbk@1xdKu8>%0f%U`}UxZE%}{!2VjK@}BDcwwJe-!qVT?6Klq zJT6zgDNB&Kyhl$#^F8p&S5Z1t-RaK%fRq;oRkTrltgExtW+G&~Qu9CdchYMh69<`u z2rzoWpVOisj{G25G(-mdOAbA2P4%a4SXRYi>Not@Bj^-hmi(d#s7c5!O^E&KUiuLL zi33n^3YxIbn{%Ahvd7n3Z4ihH05gx&!om9O`E#E=pW;b^v@|R64a_xx>ns`=PuTBL z=}W@WmRT@fgf<-tf>&{<9d{F!bW=Ye{O_*5KnW-mo*?)FH1CCW0Vk2Zp7mm__u@2q zG0^c#1CZ~Zjsc-RtL?v6i+q~i8kzqZnj0rgEpqY~WgZ2L0lY?<9$&;CIJ!ApqWaHS zydfY8!Gzb|`If~Kp55{Wv^qNeuKUU~sBU8hx;sKWpBD&blsZ4|1flH@23Eco&x`qs zaqn{Oc0FMa&AJz!m8W87nWAH*k+QCmcvI=rUo*n0%FW3jU` zGcJDGy~1hZ>P4YmaXOnz<}S?}oi`f7yc|P>oS(D_yd2=(5Dxk2Qr&zX+^i-c^g~JV zN{yMQq1JvKVi9?NwweC}L-kdP)5NL$4<=0{++!TQ&xYH2TeWRSqx#^f1jw=|>AWnI zo#Ug5I}5j_5-6s^nYv@1(#Op404K>R8F* z6XJ!c9>=f z^>qNeafaQu+5qL0^%u`+nAv+Y*$|6&I_}zqcL0-}gx?EZDud=Ryu?=?+=NlYw~Ktf ztv8od8oEE86v|ar&}GWS4vf$w2{KBb{$=coqE<~f3cMfmpdRp91_Dx-vv`k2bmJW_ zGXrM{qa6KHzhh(V<8|ESZk98Q>-|_PZscMEPh^iEd9(oZE3Uh=zEApWR)#$(ebuTJ z(SiBwdvH88#g|@F&_~-SxP1%bcs|v*-IMX@FDE+`r7+7Xeku$?Cjlc0&ijogH7lK` 
zuOchKAxfH>XSbbNAa1ud7>8UmI@Im@gm;0+lHl3h1>QRr|44$=baeXMMOZ01?k+;0 zd*_w}c#kPX%kr?7BY^vW=k6>HI1?CN{BC%h#KE8k&!C{9YIk>~YCiB==w*Q@8(v;b z#!wPB!`@_ncx^jDQOpbW@s`54@3%GA3l(+BUtD0xd(d99%v@j6)v*Ae<~Rnk9p^8t z=g=&{(&G3sd0~dN^jnRC%=hk2X<_Sw5PSD2avB<@rgV6Zuw?0-k9>xUj@wD==Dt*?l{us6S2c_#Uq9F|amjqt z#%YMk^&U$R7r&R?Jn(LF-->`}oovKlOxh9TLaXb;4^skLnzDTp$j%XWK+9afljIcB zSQ-D zt?geUEZ2&mv_F5~cytkV+Uxf4XSK}%(2?PmVkmM!mnb`-xkX`f&yoa~^yWsP-~EPz zD(#s^6nmxjd?>tJ-JP8)Y#SMHr}5vbSa4Un7|OvjzB;Wn)1mK24ZKP*J=&A@b!Eex=d<2$e`B;tZ4Z(A}8JzLmf*gkB1iHZTMx8=8U5tMZ3{n}3 zIjz25>agWgH&i5@nWtMKkD$N^Wz21ori2aq*&{_L_A1vu{K%nhP%bJ{wwZN1F48vdW!ZVJDUVH;*fn9N zkcm8fi?X)`u3UI-AWitJlAwuVyxc}fZj7JZHOtf^!MrV6HF@JlO`WbuM7zR6lQD;L z98)WXLIpslC106+&-dJH_fWbAGvp(a6{!NFf?|BK?(EY(_h`Ns7bB{fKZh!$bCA6j znO}_5r-zoWN2w=~l*yPqYXj={Oir~f;LcfJQ*kCZC&@}R68f!qUECLuEBfe*Vln?E zXU7iNo3?UV9;=_b(Vd({3;Fx^~trpnh>Rj>Xj)xz(EpVO3-+y^jlIxU?aYj8j z>Zi1Jxb=yiII;~E%A?r>20*L z^J}k%K4b=+Y67}kuIY;r(ZpFD~(DJ_M>WS zO95ECx>MSu*ccQ7+J*-(>GidBzfss0!!5BC4r9i_1HjyQs-lQokGnB zhGO7z20vy85q*uG$FYMt6^`;n(S9vzAX?`rfkSq)caNG^RuFoZz zG{?ewx96uETvx&~*fci~c0+A@V=LkWwp#N!=6rnP6QtV96;KAk#Ia&_j{Jlq^)b@f z_|*^gu8T7_+r6mH<9rSUHA5;9-NS(${qdxHD@-{9c~ z+tsX)Kknu0&Yqs_l|kQABsQdw5$w4gItRB|Yk1eM_EL2Ky(o&kk|4Wots!dyQ2oI~ z$B#-;zSG~83ztTa(x~;p)+ltZP1tm;6#~)v7W%n@T3InF)MDc%?WgC_I=IGH& z(TA#zbxd2@%Q@ye*09S?kFvDUsPsT4KxfW)p92=n0ot9eSc0CVdq5w14spr~>Q;L#&mwd1L25*@l;$Tg4XV&lB6`os0>6 zeRb^f0|~|Kl#~$Po9Y;7UBIS_ZqBHgnZj>3=E${AxL?Ox zxQ1RNaT6IQ--y*W78P|8VwGmMLA#^0TV&PEY?`yt2taZc)(e1-4oF_&UU~G>1W8cg zjbC-{b?WO!tsB-o`)ezbukEdzp%g<36f)&NK;$L$c>6p|v6E8ZBt%W8-Fl-M#w2%wlva(WENMqR+KL2t9=a!N0`H%oe zy@>G`fY``{`*auPP3m{A7Xqmekrxa$nDQKB@1^t9L!RtraF(GPCo<$vwq-YGN^Thq^ zkT6UyEiJ8o@A(LB5=iuDR;TR| z>|0bJ*MK}yz7Iy)!{RkEV)ZkhcJ|0}dX;C2Klj*vg@*bTFX+}Cix13hrLbn>v=Js* z`4&dMQRpu;vU*4FO*<$z=;mRZWyo#NNmFrES=E)hqS=-m!-)J|^^qTb$mby4&I zIo-tJ*Fzx$7-X+4g8PN48bx-uSKr&cL54ZM-F~n58qsQsHs?XPrN6H?mL$WIu_olR z*KB`jCHM&*)7Cp^i8x6vr{`%>+8;+CG-Q}dihtqDm}*;gw*%EiuzweIlZ^4

R}h zK;FK1Vau2!@Yk_J1i5X&)^iTb;lEE2Y?*2NFnHy6R{9GG*`uJ+1>aWp@yP9Gn>_Ab zn?L)JJ8w>@dcCa*mx_SuXpg*g+ajQpyERnMBFk-EZVV)kObvEgfcofk8IpA|E_d8>u1*d)Pg(2J zUhyw}t|qZXSI4AAn8{~i>Pn1a^J2zT-{s>Qd?Wcz(c9BNT>J`sV^xa%XQ%FfKml(k z7Yu5C@2QhlagD~s4H_!QcGbtxmq7}P6QxV&5{OKFG?gaERRs@3T{w>2P?w>3)Olo$ z@*6HQvSCYV@q$x4bNW#kVKW{5ey?1LPB%7cYb7weS&$gJQM*coAHcnHW5?g~pAm12 zLX!$4x)}-I8(HqbRy>Qx#jze#9UYgX&j^X!SfIEllHXr+F6ki&I-g)GfroQSbUVch zcGE5&2RGdGD2LeF*ak&E(HPmjJj;fR{L`tN6hG0gNpyn?e*@L)v|23c%$Zei-D6%z0TM!$E0s!%F2!nc^rsc0h>qO4^NSACQj(#`7_z4 z^FO4#y!U1gzm&QuO|G(KGX)*BwvW#Z%dDU?9KK$=h&+*C9E*%&nGrFU3=Ym$U_j8K`V?|FlveNh`<$O`r(wh>_J)e7P&sMnbN zJnvlcJ{a67%UFMK&Od8$P72j4QDROuqlku`_J>lVf0WvN*?`6a=Bn*@<38@Cp!|f+ z^vecK#27Q6l>{G>O=fr41)RER7*M%go)yYJBdT^r>${SXn6!n;R41Nkhtw6!1@14B z3v^A4_V4>R6?t`<%6QI|-4_5X-`TDz2;`r*3>=2L3%RQs*Au z5Y-Ph^Py&ou5MXoh)WS-b3s)WQf8hynzH%op~jINxE6I)L}iA=HNM(oBrIOV)BsnL z_I`EwI-2@N%yD9D7T)ef>11*JoPIjFF8;zmTQu0K3lNtf3hO(wReNVMmZS;Wy?|Ta zZ#30-;bHAIvALh(f!M-sw|=c}zHqop5TJAB_fxWxMCEcmO8rv}bzAodp z`!*SW4#>1mdrmeT>r6bb{z_iI(Vx_CeQb|6dYE(_X)4oe?w-!iJk;M_TUdP>vS0_k z-g}JfcdKo!A0^jaT6j1$`KS&OP0DkT3$PF1^h8EEP>W{ymMGigUI9Uo&H>_L_BfT^ z4tQeuGSaSzX7*VyK6^qVs(buBVmc9%_Wol#x92p$MsB+e)`z-^VpLhw8bXOm-_mo0 zoN2#H8H?OUx;3v6YZ$_G6hK%H;#}*jj-w$eh$lsN!P{*Xy*$0h%VAg$Ni2~{N< z?tTz>U3%#_5Nh~o&vjZ(Yz*juD0`iFhnt9OIQ36=p$T!xPqVFLf%+qFKZ-aFfnTdf zJzKmwa;B`??a|OrjGt)wL1%fe?t2y$13%WO^Ml6g+wniYo~18k`^+|mPsTymclWQ( zD4oGJ33T6uTRXHx%N{Vsn4(EwmnD}EXlq=1+(qTRH%589g;-EPmhD;v zAkZe}U9u4&hd&;B(KHRJIODR!U1B;7AHKd~OvK z@GIwR)p~;?X%G2n1H22IlkrTX?WEV}V!xO#VF@+t!p!`XPpIng{K1x4i9$qGgzNg) z(2b~b{uTpPe);3dX-aVTZf}A}h=NGz{0H?HiA@c^ryIzj!-2XDjLXa8 zM<%k|{E^2dA7a zEq8Tfnp(5WR{oq=BvB}m>@c(+3=ebh+pf4Ic&PiGezs0&kutIUmJO=y?gcEa&?{?b zM6HFU3yGY})z7&cb#4E$v$6eb2-y^HbWw^Jt3;BE{Ib71f3huC0TQ(xeqbp{wctkO z<_De;lepp}t4|van>&d*ovbQ?#^rc|gMoPD$wt2Kp73rcqlg?N!wP?Rvh#7@ti*K0 zq}Ub*WNhF@^ocj$88)sX!jCw$rbgTW9u}Gth;+9$o(!QzS8oiIp@NebYVaho7ejEp zW61MszJ4;2Ht*Qqu!Xxj!^_gC7cFvIz)hJHM;|b~vY7zAt&8{-n#QB=yR#2`5FlZ+ 
zOI1zqA3^X>Jr*s2jiz4G$HRTZR+v#FSdEf@LWo)8JM-

%SDD7LK=bzl;h!jHJeE z&X6tyf))y-u z{C@72)9*PmR2LR9AM2Fv$8{V&-Du}-V?O}*4KLlif|M%^>=0X)s(LuLitceTu0 z9d8>ni25y$`1U^$wJW1=OwMacfou8d>hHyQT& zs>Pg8PvC*h9rO_X^rOGx{B{kT)_?rR+vc5bynpf;cbf4hh4}H5U3pb(J}DQ+wLV*i z@kv+*IX1t~g4X==_a2=@sNYk(HDcL|vPUE%Rm@?bN$^P#kr_N?8BaFqAjusi6%9EM zgWM?UIp-6H`z!v*ixp69&i_0NH{=8!Ry)?mV-GF)2%=jwnO|SplK)owCP%i%Dzu>d z9*}kUK*32Me9DXcH;Z%UTV$?mhvsmx;+)(o+xsiwy+gu3{2lKMP3YYFEB@F@8)n;YZ7RcBGplU=&a>iqBhi}#X=nBn84 z3u`vJzx~mC^GaQYMX~|ppz4B_3dS4mcD|S;#3&sWL$4F?(ye{~(65b+^-N?dclh3# z{BIK#@5RE70sO_I@Lb}|8lF0(6iqt%;D3t6rXGMm0|RBV@$+mn)BSTS$I<5o0YUJ= zA>sO2x#^+#u9{!u@Rvx| z?GFQBq{QBY)H=frh>``-YkN4mCMQmtRVD~Dh8{Lb8@~%|I$6hEv*S~j0jvi#{WGIP zSi!@(uI;9VRce2C$ib-PYYnIx{cG+7A`9Cw_S(`;xKiA-!^C?eP3MG(9kW`=P_+T0 zCDhpyaN>JOoy?In-*j&aW+L!Q=SkM(bbmj0BTE6xJ%D&kPSf0h@Bd`bx;r10{9q;7 zCz3v+Y>@K;_mB4nuE5M|aE`Eah9e$Rn3bk0;#wM#6V z(g^OWCk_Sq8Wk4uG;Lpe4aqq-F*BG=mH!>HtCijwAktML8FO~AUU&WXmg`4Vo^Ms& zc{hCC&e2q_#EtIvc6ODPp0G|{lS9yNaV&Bm2vk^(0w7#=COELv*GDqClD-}k?EYmZEKFk9=TFhoWC45dttV7 z*ASi+x!aRK&VH;70 z|3V98dX$_iL1TPUSs{FSJ~@!yaHPT#d7r|;$?3+bmkQ|g{8wv@VS$5TK&=@vsoOjb zD{NTMAzb;aX2{M*z3=OzXPyEJuD5c_LUIIJ(8%QqN>Cfg%jsPoN2R@e?K4rB{0o1o zZ_S*$lH~zNHrTaGx^2Q6t#EpVyI$huzW-4nl|Q$#veBO7fH%Sz6pip1|HtD+Y!3-k z=K4$)FIM9)_ytWc1OmAc_6X}d4RiD-zkMj39~9}BMNhh8%`B09I0$FI!Z<`cWX06D zP1)XYU}hCQN~OjX6b$34WXa5QE>1Axlpiei@f|3N+?5^4s47yWdjE|lqEmnz?*T@L z%>uY%YKnKsc&Yk9fire&_m9W*sk*$L^F@A8LQJ(xbd@pRz2JZDk)8GN_|Cipgw{V8 zA-m^n2CKVY9V#5QKaJKuc!u$Q*UoNy)$`?!312QbP@u?h@V(S-hg$jNt^4MWvD_2h zi4ihBj(9p;*zyM3%*CFK8V=MGLN4U*iTNgxF|=L!K||caCV%S+<0gy(l@~efK1QlB zJC@gFyoMdGzIx$SdwxCg6`e{gKwG8gpm0)f`#LOs|rxMI$H6cJcCs z7_{pg78op$78iHSCw5IlOx3MTpSnDd-e)<8Tgu8o^yon`w}qFKC*Vs&<2bt$PyGnB z0eq%oeJKx4-Wn{&1c(X^AY8jAdhywb4W!u_XadBW8A;PaKY4kErZ#LKGNb=_;J#ci z@(z%v4?6Ay*`<^lkwaJ=yCTV|4~pK-+e!+*G2pW?l`cb~eJAXZ#l)Hfj0 z2i7*bZo_=xd1eOZS_kSv7n9}-!25@UQ%qu9$SuG*dt*%3$MW!t%Lj)_^;a$Y%~99a zX;U0A^{zYl+aqZUX3l2SP~J^K{F{sXIT$Q}LZet-{Ey}5Zw`==W`0a#Y^>}y(^EXs zl;@7`QG8w~>g~%Kqfko^;cB^Ge7d;b1`RO5Dwg9TL8Aj{qTdC*L)CaSGaVz6^>#)M 
zBdl{%3lX0RZ)VW3**ggPDtCv)VqaVwfOc|Ky1zac9qcfnu&Bh?wMH!m`<{2loIY7^ zxLc0=o4;;m^=WkL9?0a2UD7Ktlhq%`j5A}?t4!RO=IL)i!F^A=XWHLhfbIo93uMyF z9xpL;q&8)sPqF6I5VQ@z#od2P5`cQ=7w5&IMd6@kg7 zr2UguyNa6H38b8xVGraGN8Ya;xUUaFq898f%Zp{-@3uei;c)g}AFh_)TgZv)GDYl~ z61*H-u5rWdJLJ!rKzal?W<^z%!w}og|KvA67~pgKIzR(oql>2gBF%hJ7NJZN+uPhi zD;1SYI3pB&@RLXN?c1rFCLsliIrj_Wdke022_mAm_&#o`Dn@z@w2wytw-EfXS}} + +```sql +ALTER INSTANCE RELOAD TLS; +``` + +## MySQL compatibility + +The `ALTER INSTANCE RELOAD TLS` statement only supports reloading from the original configuration path. It dose not support the dynamic modification of the loading path, nor does it support dynamic enablement of the TLS encrypted connection feature when TiDB is started. This feature is disabled by default when you restart TiDB. + +## See also + +[Enable Client TLS](/how-to/secure/enable-tls-clients.md). diff --git a/reference/tools/tidb-control.md b/reference/tools/tidb-control.md index 84bada6180a1e..6effcb7e55c20 100644 --- a/reference/tools/tidb-control.md +++ b/reference/tools/tidb-control.md @@ -45,6 +45,9 @@ TiDB Controller consists of multiple layers of commands. You can use `-h/--help` - `--port`: TiDB Service port (default 10080) - `--pdhost`: PD Service address (default 127.0.0.1) - `--pdport`: PD Service port (default 2379) +- `--ca`: The CA file path used on the TLS connection +- `--ssl-key`: The key file path used on the TLS connection +- `--ssl-cert`: The certificate file path used on the TLS connection `--pdhost` and `--pdport` are mainly used in the `etcd` subcommand. For example, `tidb-ctl etcd ddlinfo`. If you do not specify the address and the port, the following default value is used: From 3cc95d74cbca298d9d65d9ddc9c5e0881f85958f Mon Sep 17 00:00:00 2001 
From: toutdesuite
Date: Fri, 8 May 2020 19:15:09 +0800
Subject: [PATCH 02/19] minor changes

---
 how-to/secure/enable-tls-between-components.md | 12 ++++++------
 how-to/secure/enable-tls-clients.md | 10 +++++-----
 reference/sql/statements/alter-instance.md | 4 ++--
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/how-to/secure/enable-tls-between-components.md b/how-to/secure/enable-tls-between-components.md
index 1e168442f6441..962383362d7d8 100644
--- a/how-to/secure/enable-tls-between-components.md
+++ b/how-to/secure/enable-tls-between-components.md
@@ -12,7 +12,7 @@ This document introduces how to enable TLS authentication and encrypt the stored
 This section describes how to enable TLS authentication in a TiDB cluster. TLS authentication can be applied to the following scenarios:
-- The **mutual authentication** between TiDB components, including the authentication among TiDB, TiKV and PD, between TiDB Control and TiDB, between TiKV Control and TiKV, between PD Control and PD, between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, rather than only part of the components.
+- The **mutual authentication** between TiDB components, including the authentication among TiDB, TiKV, and PD, between TiDB Control and TiDB, between TiKV Control and TiKV, between PD Control and PD, between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, rather than only part of the components.
 - The **one-way** and **mutual authentication** between the TiDB server and the MySQL Client.
 > **Note:**
@@ -23,7 +23,7 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a
 1. Prepare certificates
- It is recommended to prepare a server certificate for TiDB, TiKV and PD separately. Make sure that these components can authenticate each other. The clients of TiDB, TiKV and PD share one client certificate.
+ It is recommended to prepare a server certificate for TiDB, TiKV, and PD separately. Make sure that these components can authenticate each other. The clients of TiDB, TiKV, and PD share one client certificate.
 You can use tools like `openssl`, `easy-rsa` and `cfssl` to generate self-signed certificates.
@@ -31,7 +31,7 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a
 2. Configure certificates
- To enable mutual authentication among TiDB components, configure the certificates of TiDB, TiKV and PD as follows.
+ To enable mutual authentication among TiDB components, configure the certificates of TiDB, TiKV, and PD as follows.
 - TiDB
@@ -77,7 +77,7 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a
 > **Note:
 >
- > If you have enabled TLS in a TiDB cluster, when you connect to the cluster using tidb-ctl, tikv-ctl, or pd-ctl, you need to specify the client certificate. For example:
+ > If you have enabled TLS in a TiDB cluster when you connect to the cluster using tidb-ctl, tikv-ctl, or pd-ctl, you need to specify the client certificate. For example:
 {{< copyable "shell-regular" >}}
@@ -157,7 +157,7 @@ For a TiDB cluster, users' data are stored in TiKV. The TiDB cluster encrypts th
 > **Note:**
 >
- > You can only use hex-formatted token file. The file length must be 2^n, and is less than or equal to 1024.
+ > You can only use the hex-formatted token file. The file length must be 2 to the power of N, and is less than or equal to 1024.
 2. Configure TiKV as follows.
@@ -169,7 +169,7 @@ For a TiDB cluster, users' data are stored in TiKV. The TiDB cluster encrypts th
 > **Note:**
 >
-> When you import data into a cluster using [Lightning](/reference/tools/tidb-lightning/overview.md), if the target cluster has enabled the encrypted storage feature, the sst files generated by Lightning must be encrypted.
+> When you import data into a cluster using [Lightning](/reference/tools/tidb-lightning/overview.md), if the target cluster has enabled the encrypted storage feature, the SST files generated by Lightning must be encrypted.
 ### Limitations

diff --git a/how-to/secure/enable-tls-clients.md b/how-to/secure/enable-tls-clients.md
index 635996a64e73d..3b846882d9cff 100644
--- a/how-to/secure/enable-tls-clients.md
+++ b/how-to/secure/enable-tls-clients.md
@@ -6,7 +6,7 @@ category: how-to
 # Enable TLS for MySQL Clients
-It is recommended to use the encrypted connection to ensure data security because non-encrypted connection might lead to information leak.
+It is recommended to use the encrypted connection to ensure data security because non-encrypted connection might lead to an information leak.
 The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL operation tools and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support it. TiDB supports the following versions: TLS 1.0, TLS 1.1, and TLS 1.2, TLS 1.3.
@@ -24,7 +24,7 @@ The encrypted connections in TiDB are disabled by default. To use encrypted conn
 Similar to MySQL, the encrypted connections in TiDB consist of single connection. The connection is optional by default. For a TiDB server with encrypted connections enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a generally unencrypted connection. If the encrypted connections are enforced as required, both of the following two ways are available:
 + Configure the launch parameter `--require-secure-transport` to enable encrypted connections to the TiDB server for all users.
-+ Specify `require ssl` when you creat a user (`create user`), grant permissions (`grant`) or modify an existing user (`alter user`), so that the encrypted connection to the TiDB server is enabled for the specified user. The following is an example of creating a user:
++ Specify `require ssl` when you create a user (`create user`), grant permissions (`grant`) or modify an existing user (`alter user`), so that the encrypted connection to the TiDB server is enabled for the specified user. The following is an example of creating a user:
 {{< copyable "sql" >}}
@@ -75,7 +75,7 @@ ssl-cert = "certs/server-cert.pem"
 ssl-key = "certs/server-key.pem"
 ```
-If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started, otherwise it outputs `secure connection is NOT ENABLED`.
+If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started; otherwise, it outputs `secure connection is NOT ENABLED`.
 ## Reload certificate, key, and CA
@@ -103,7 +103,7 @@ If the `ssl-ca` parameter is not specified in the TiDB server or MySQL client, t
 1. Specify the `ssl-cert` and `ssl-key` parameters in the TiDB server.
 2. Specify the `--ssl-ca` parameter in the MySQL client.
 3. Specify the `--ssl-mode` to `VERIFY_CA` at least in the MySQL client.
- 4. Make sure that the certificate (`ssl-cert`) configured by the TiDB server is signed by the CA specified by the client `--ssl-ca` parameter, otherwise the authentication fails.
+ 4. Make sure that the certificate (`ssl-cert`) configured by the TiDB server is signed by the CA specified by the client `--ssl-ca` parameter; otherwise, the authentication fails.
 + To authenticate the MySQL client from the TiDB server:
 1. Specify the `ssl-cert`, `ssl-key`, and `ssl-ca` parameters in the TiDB server.
@@ -112,7 +112,7 @@ If the `ssl-ca` parameter is not specified in the TiDB server or MySQL client, t
 - To perform mutual authentication, meet both of the above requirements.
-By default, you can choose to authenticate the client from the server. Even if the client does not present its certificate of identification during the TLS handshake, the TLS connection can be established. You can also require the client to be authenticated through `require 509` when creating a user (`create user`), granting permissions (`grant`), or modifying an existing user (`alter user`). The following is an example of creating an user:
+By default, you can choose to authenticate the client from the server. Even if the client does not present its certificate of identification during the TLS handshake, the TLS connection can be established. You can also require the client to be authenticated through `require 509` when creating a user (`create user`), granting permissions (`grant`), or modifying an existing user (`alter user`). The following is an example of creating a user:
 {{< copyable "sql" >}}
diff --git a/reference/sql/statements/alter-instance.md b/reference/sql/statements/alter-instance.md
index d5a9856692aba..061190a27c33f 100644
--- a/reference/sql/statements/alter-instance.md
+++ b/reference/sql/statements/alter-instance.md
@@ -1,6 +1,6 @@
 ---
 title: ALTER INSTANCE
-summary: Learn the overview of the ALTER INSTANCE usage in TiDB
+summary: Learn the overview of the ALTER INSTANCE usage in TiDB.
 category: reference
 ---
@@ -12,7 +12,7 @@ The `ALTER INSTANCE` statement is used to make changes to a single TiDB instance
 You can execute the `ALTER INSTANCE RELOAD TLS` statement to reload the certificate ([`ssl-cert`](/reference/configuration/tidb-server/configuration-file.md#ssl-cert)), the key ([`ssl-key`](/reference/configuration/tidb-server/configuration-file.md#ssl-key)), and the CA ([`ssl-ca`](/reference/configuration/tidb-server/configuration-file.md#ssl-ca)) from the original configuration path.
-The newly loaded certificate, key, and CA take effect on the connection established after the statement is successfully executed. They have no affect on the connection established before the statement is executed.
+The newly loaded certificate, key, and CA take effect on the connection established after the statement is successfully executed. They have no effect on the connection established before the statement is executed.
 When an error occurs during reloading, you receive an error message and continue to use the previous key and certificate by default. However, if you have added the optional `NO ROLLBACK ON ERROR`, when an error occurs during reloading, the error is not returned, and the subsequent requests are handled on condition that the TLS secure connection is disabled.

From 7169fe96fe73e305c35e2bd4b19d36262777c67c Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Fri, 8 May 2020 20:18:14 +0800
Subject: [PATCH 03/19] Update enable-tls-between-components.md

---
 .../secure/enable-tls-between-components.md | 34 +++++++++----------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/how-to/secure/enable-tls-between-components.md b/how-to/secure/enable-tls-between-components.md
index 962383362d7d8..21222e3a419af 100644
--- a/how-to/secure/enable-tls-between-components.md
+++ b/how-to/secure/enable-tls-between-components.md
@@ -35,7 +35,7 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a
 - TiDB
- Configure in the configuration file or command line arguments:
+ Configure in the configuration file or command line arguments:
 ```toml
 [security]
@@ -73,29 +73,29 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a
 key-path = "/path/to/pd-server-key.pem"
 ```
- Now mutual authentication among TiDB components is enabled.
+ Now mutual authentication among TiDB components is enabled.
- > **Note:
- >
- > If you have enabled TLS in a TiDB cluster when you connect to the cluster using tidb-ctl, tikv-ctl, or pd-ctl, you need to specify the client certificate. For example:
+ > **Note:
+ >
+ > If you have enabled TLS in a TiDB cluster when you connect to the cluster using tidb-ctl, tikv-ctl, or pd-ctl, you need to specify the client certificate. For example:
- {{< copyable "shell-regular" >}}
+ {{< copyable "shell-regular" >}}
- ```bash
- ./tidb-ctl -u https://127.0.0.1:10080 --ca /path/to/ca.pem --ssl-cert /path/to/client.pem --ssl-key /path/to/client-key.pem
- ```
+ ```bash
+ ./tidb-ctl -u https://127.0.0.1:10080 --ca /path/to/ca.pem --ssl-cert /path/to/client.pem --ssl-key /path/to/client-key.pem
+ ```
- {{< copyable "shell-regular" >}}
+ {{< copyable "shell-regular" >}}
- ```bash
- ./pd-ctl -u https://127.0.0.1:2379 --cacert /path/to/ca.pem --cert /path/to/client.pem --key /path/to/client-key.pem
- ```
+ ```bash
+ ./pd-ctl -u https://127.0.0.1:2379 --cacert /path/to/ca.pem --cert /path/to/client.pem --key /path/to/client-key.pem
+ ```
- {{< copyable "shell-regular" >}}
+ {{< copyable "shell-regular" >}}
- ```bash
- ./tikv-ctl --host="127.0.0.1:20160" --ca-path="/path/to/ca.pem" --cert-path="/path/to/client.pem" --key-path="/path/to/clinet-key.pem"
- ```
+ ```bash
+ ./tikv-ctl --host="127.0.0.1:20160" --ca-path="/path/to/ca.pem" --cert-path="/path/to/client.pem" --key-path="/path/to/clinet-key.pem"
+ ```
 3. Configure Common Name

From dabd6a213e05141d81fa79a6d34c01f652dd0fa9 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Fri, 8 May 2020 20:40:37 +0800
Subject: [PATCH 04/19] Update enable-tls-clients.md

---
 how-to/secure/enable-tls-clients.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/how-to/secure/enable-tls-clients.md b/how-to/secure/enable-tls-clients.md
index 3b846882d9cff..37ff6ebbee560 100644
--- a/how-to/secure/enable-tls-clients.md
+++ b/how-to/secure/enable-tls-clients.md
@@ -31,6 +31,7 @@ Similar to MySQL, the encrypted connections in TiDB consist of single connection
 ```sql
 create user 'u1'@'%' require ssl;
 ```
+
 > **Note:**
 >
 > If the logged-in user has been configured to verify the user certificate using the [TiDB Certificate-Based Authentication for Login] (/reference/security/cert-based-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB.

From 35067aa4f4e255a2476e9cae01d6ae411ee9dc4c Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Fri, 8 May 2020 21:24:44 +0800
Subject: [PATCH 05/19] fix dead link

---
 .../{sqlgram-dev => sqlgram}/AlterInstanceStmt.png | Bin
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename media/{sqlgram-dev => sqlgram}/AlterInstanceStmt.png (100%)

diff --git a/media/sqlgram-dev/AlterInstanceStmt.png b/media/sqlgram/AlterInstanceStmt.png
similarity index 100%
rename from media/sqlgram-dev/AlterInstanceStmt.png
rename to media/sqlgram/AlterInstanceStmt.png

From 1c6291915014ed25ff6ed28e0921c616a3eec42d Mon Sep 17 00:00:00 2001
From: TomShawn <41534398+TomShawn@users.noreply.github.com>
Date: Sat, 9 May 2020 15:31:28 +0800
Subject: [PATCH 06/19] Update how-to/secure/enable-tls-between-components.md

---
 how-to/secure/enable-tls-between-components.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/how-to/secure/enable-tls-between-components.md b/how-to/secure/enable-tls-between-components.md
index 21222e3a419af..d408cafb8b972 100644
--- a/how-to/secure/enable-tls-between-components.md
+++ b/how-to/secure/enable-tls-between-components.md
@@ -75,7 +75,7 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a
 Now mutual authentication among TiDB components is enabled.
- > **Note:
+ > **Note:**
 >
 > If you have enabled TLS in a TiDB cluster when you connect to the cluster using tidb-ctl, tikv-ctl, or pd-ctl, you need to specify the client certificate. For example:

From a5c2fad134530ee64835fc8b674d07dbecc0fe88 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Mon, 11 May 2020 10:24:27 +0800
Subject: [PATCH 07/19] Update enable-tls-clients.md

---
 how-to/secure/enable-tls-clients.md | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/how-to/secure/enable-tls-clients.md b/how-to/secure/enable-tls-clients.md
index 37ff6ebbee560..664b968b3ab0c 100644
--- a/how-to/secure/enable-tls-clients.md
+++ b/how-to/secure/enable-tls-clients.md
@@ -162,18 +162,13 @@ The TLS versions, key exchange protocols and encryption algorithms supported by
 ### Supported key exchange protocols and encryption algorithms
-- TLS\_RSA\_WITH\_RC4\_128\_SHA
-- TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA
 - TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA
 - TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA
 - TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256
 - TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256
 - TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384
-- TLS\_ECDHE\_ECDSA\_WITH\_RC4\_128\_SHA
 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA
 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA
-- TLS\_ECDHE\_RSA\_WITH\_RC4\_128\_SHA
-- TLS\_ECDHE\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA
 - TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA
 - TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA
 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256
@@ -182,8 +177,6 @@ The TLS versions, key exchange protocols and encryption algorithms supported by
 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256
 - TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384
 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384
-- TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305
-- TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305
 - TLS\_AES\_128\_GCM\_SHA256
 - TLS\_AES\_256\_GCM\_SHA384
 - TLS\_CHACHA20\_POLY1305\_SHA256

From 75ed09de9d2a58f0bf5ee6d632b7ac0e9915a3a8 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 16:56:50 +0800
Subject: [PATCH 08/19] Update how-to/secure/enable-tls-between-components.md

Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com>
---
 how-to/secure/enable-tls-between-components.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/how-to/secure/enable-tls-between-components.md b/how-to/secure/enable-tls-between-components.md
index d408cafb8b972..a7dd83a724cd6 100644
--- a/how-to/secure/enable-tls-between-components.md
+++ b/how-to/secure/enable-tls-between-components.md
@@ -1,5 +1,5 @@
 ---
-title: Enable TLS Authentication and encrypt the stored data
+title: Enable TLS Authentication and Encrypt the Stored Data
 summary: Learn how to enable TLS authentication and encrypt the stored data in a TiDB cluster.
 category: how-to
 ---

From aa2d976ac7449c668741440cd61f0e081cad8169 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 16:57:06 +0800
Subject: [PATCH 09/19] Update how-to/secure/enable-tls-between-components.md

Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com>
---
 how-to/secure/enable-tls-between-components.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/how-to/secure/enable-tls-between-components.md b/how-to/secure/enable-tls-between-components.md
index a7dd83a724cd6..37fbb34796af8 100644
--- a/how-to/secure/enable-tls-between-components.md
+++ b/how-to/secure/enable-tls-between-components.md
@@ -4,7 +4,7 @@ summary: Learn how to enable TLS authentication and encrypt the stored data in a
 category: how-to
 ---
-# Enable TLS Authentication and encrypt the stored data
+# Enable TLS Authentication and Encrypt the Stored Data
 This document introduces how to enable TLS authentication and encrypt the stored data in a TiDB cluster.

From b3abcea76117ad26f732f53c7bf79cb7dc04c7e0 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 17:24:24 +0800
Subject: [PATCH 10/19] address comments

---
 .../secure/enable-tls-between-components.md | 34 +++++++++----------
 how-to/secure/enable-tls-clients.md | 16 ++++-----
 2 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/how-to/secure/enable-tls-between-components.md b/how-to/secure/enable-tls-between-components.md
index 37fbb34796af8..3b7dbfdc068af 100644
--- a/how-to/secure/enable-tls-between-components.md
+++ b/how-to/secure/enable-tls-between-components.md
@@ -12,16 +12,16 @@ This document introduces how to enable TLS authentication and encrypt the stored
 This section describes how to enable TLS authentication in a TiDB cluster. TLS authentication can be applied to the following scenarios:
-- The **mutual authentication** between TiDB components, including the authentication among TiDB, TiKV, and PD, between TiDB Control and TiDB, between TiKV Control and TiKV, between PD Control and PD, between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, rather than only part of the components.
+- The **mutual authentication** between TiDB components, including the authentication among TiDB, TiKV, and PD; the authentication between TiDB Control and TiDB, between TiKV Control and TiKV, between PD Control and PD; the authentication between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, rather than to part of the components.
 - The **one-way** and **mutual authentication** between the TiDB server and the MySQL Client.
 > **Note:**
 >
-> The authentication between the MySQL Client and the TiDB server involves one set of certificates, while the authentication among TiDB components uses another set of certificates.
+> The authentication between the MySQL Client and the TiDB server uses one set of certificates, while the authentication among TiDB components uses another set of certificates.
 ## Enable mutual TLS authentication among TiDB components
-1. Prepare certificates
+1. Prepare certificates.
 It is recommended to prepare a server certificate for TiDB, TiKV, and PD separately. Make sure that these components can authenticate each other. The clients of TiDB, TiKV, and PD share one client certificate.
@@ -29,7 +29,7 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a
 If you choose `cfssl`, you can refer to [generating self-signed certificates](/how-to/secure/generate-self-signed-certificates.md).
-2. Configure certificates
+2. Configure certificates.
 To enable mutual authentication among TiDB components, configure the certificates of TiDB, TiKV, and PD as follows.
@@ -73,7 +73,7 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a
 key-path = "/path/to/pd-server-key.pem"
 ```
- Now mutual authentication among TiDB components is enabled.
+ After certificates are configured as above, mutual authentication among TiDB components is enabled.
 > **Note:**
 >
@@ -97,9 +97,9 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a
 ./tikv-ctl --host="127.0.0.1:20160" --ca-path="/path/to/ca.pem" --cert-path="/path/to/client.pem" --key-path="/path/to/clinet-key.pem"
 ```
-3. Configure Common Name
+3. Configure Common Name.
- The Common Name is used for caller verification. In general, the callee needs to verify the caller's identity, apart from the key, the certificates, and the CA provided by the caller. For example, TiKV can only be accessed by TiDB, and other visitors are blocked even though they have legitimate certificates. It is recommended to identify the certificate user using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `Common Name` list for the callee.
+ The Common Name is used for caller verification. In general, the callee needs to verify the caller's identity, in addition to verifying the key, the certificates, and the CA provided by the caller. For example, TiKV can only be accessed by TiDB, and other visitors are blocked even though they have legitimate certificates. It is recommended to mark the certificate user identity using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `Common Name` list for the callee.
 - TiDB
@@ -133,21 +133,21 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a
 cert-allowed-cn = ["TiKV-Server", "TiDB-Server", "PD-Control"]
 ```
-4. Reload certificates
+4. Reload certificates.
- To reload the certificates and the keys, TiDB, PD, and TiKV reread the current certificates and the key files each time a new connection is created. Currently, you cannot reload CA.
+ To reload the certificates and the keys, TiDB, PD, and TiKV reread the current certificates and the key files each time a new connection is created. Currently, you cannot reload the CA certificate.
 ## Enable TLS authentication between the MySQL client and TiDB server
-You can refer to [Use Encrypted Connections](/how-to/secure/enable-tls-clients.md).
+Refer to [Use Encrypted Connections](/how-to/secure/enable-tls-clients.md).
 ## Encrypt stored data
-For a TiDB cluster, users' data are stored in TiKV. The TiDB cluster encrypts these data once you configure the encrypted storage feature in TiKV. This section introduces how to configure the encrypted feature in TiKV.
+In a TiDB cluster, user data is stored in TiKV. Once you configure the encrypted storage feature in TiKV, the TiDB cluster encrypts this data. This section introduces how to configure the data encryption feature in TiKV.
 1. Generate the token file.
- The token file stores the keys used to encrypt users' data and to decrypt the encrypted data.
+ The token file stores the keys used to encrypt the user data and to decrypt the encrypted data.
 {{< copyable "shell-regular" >}}
@@ -163,18 +163,18 @@ For a TiDB cluster, users' data are stored in TiKV. The TiDB cluster encrypts th
 ```toml
 [security]
- # Cipher file 的存储路径
+ # Storage path of the Cipher file.
 cipher-file = "/path/to/cipher-file-256"
 ```
 > **Note:**
 >
-> When you import data into a cluster using [Lightning](/reference/tools/tidb-lightning/overview.md), if the target cluster has enabled the encrypted storage feature, the SST files generated by Lightning must be encrypted.
+> When you import data into a cluster using [TiDB Lightning](/reference/tools/tidb-lightning/overview.md), if the storage encryption feature is enabled in the target cluster, the SST files generated by TiDB Lightning must be encrypted.
 ### Limitations
-The following are some limitations of the encrypted storage feature:
+The limitations of the storage encryption feature are as follows:
-- If a cluster has not enabled the feature before, you cannot enable this feature.
-- If a cluster has enabled the feature, you cannot disable this feature.
+- If the feature has not been enabled in the cluster before, you cannot enable this feature.
+- If the feature is enabled in the cluster, you cannot disable this feature.
 - You cannot enable the feature for some TiKV instances while disabling it for other instances in one cluster. You can only enable or disable this feature for all TiKV instances. This is because if you enable the encrypted storage feature, data are encrypted during data migration.
diff --git a/how-to/secure/enable-tls-clients.md b/how-to/secure/enable-tls-clients.md
index 664b968b3ab0c..76eab56b3c9a1 100644
--- a/how-to/secure/enable-tls-clients.md
+++ b/how-to/secure/enable-tls-clients.md
@@ -18,13 +18,13 @@ After using an encrypted connection, the connection has the following security p
 The encrypted connections in TiDB are disabled by default. To use encrypted connections in the client, you must first configure the TiDB server and enable encrypted connections. In short, to use encrypted connections, both of the following conditions must be met:
-1. Enable encrypted connections in the TiDB server.
-2. The client specifies to use an encrypted connection.
++ Enable encrypted connections in the TiDB server.
++ The client specifies to use an encrypted connection.
-Similar to MySQL, the encrypted connections in TiDB consist of single connection. The connection is optional by default. For a TiDB server with encrypted connections enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a generally unencrypted connection. If the encrypted connections are enforced as required, both of the following two ways are available:
+Similar to MySQL, the encrypted connections in TiDB consist of single connections. The encrypted connection is optional by default. For a TiDB server with encrypted connections enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a generally unencrypted connection. If the encrypted connections are enforced as required, both of the following two ways are available:
 + Configure the launch parameter `--require-secure-transport` to enable encrypted connections to the TiDB server for all users.
-+ Specify `require ssl` when you create a user (`create user`), grant permissions (`grant`) or modify an existing user (`alter user`), so that the encrypted connection to the TiDB server is enabled for the specified user.
The following is an example of creating a user:
++ Specify `require ssl` when you create a user (`create user`), grant permissions (`grant`) or modify an existing user (`alter user`), which is to specify that specified users must use the encrypted connection to access TiDB. The following is an example of creating a user:
 {{< copyable "sql" >}}
@@ -80,9 +80,9 @@ If the certificate parameters are correct, TiDB outputs `secure connection is en
 ## Reload certificate, key, and CA
-When you need to replace the certificate, the key or CA, you can execute the [`ALTER INSTANCE RELOAD TLS`](/reference/sql/statements/alter-instance.md) statement on the running TiDB instance to reload the certificate ([`ssl-cert`](/reference/configuration/tidb-server/configuration-file.md#ssl-cert)), the key ([`ssl-key`](/reference/configuration/tidb-server/configuration-file.md#ssl-key)), and the CA ([`ssl-ca`](/reference/configuration/tidb-server/configuration-file.md#ssl-ca)) from the original configuration path, after replacing the corresponding file. In this case, you do not need to restart the TiDB instance.
+To replace the certificate, the key or CA, first replace the corresponding files, then execute the [`ALTER INSTANCE RELOAD TLS`](/reference/sql/statements/alter-instance.md) statement on the running TiDB instance to reload the certificate ([`ssl-cert`](/reference/configuration/tidb-server/configuration-file.md#ssl-cert)), the key ([`ssl-key`](/reference/configuration/tidb-server/configuration-file.md#ssl-key)), and the CA ([`ssl-ca`](/reference/configuration/tidb-server/configuration-file.md#ssl-ca)) from the original configuration path. In this way, you do not need to restart the TiDB instance.
-The newly loaded certificate, key, and CA take effect on the connection established after the statement is successfully executed. They have no affect on the connection established before the statement is executed.
+The newly loaded certificate, key, and CA take effect on the connection that is established after the statement is successfully executed. The connection established before the statement execution is not affected.
 ## Configure the MySQL client to use encrypted connections
@@ -104,7 +104,7 @@ If the `ssl-ca` parameter is not specified in the TiDB server or MySQL client, t
 1. Specify the `ssl-cert` and `ssl-key` parameters in the TiDB server.
 2. Specify the `--ssl-ca` parameter in the MySQL client.
 3. Specify the `--ssl-mode` to `VERIFY_CA` at least in the MySQL client.
- 4. Make sure that the certificate (`ssl-cert`) configured by the TiDB server is signed by the CA specified by the client `--ssl-ca` parameter; otherwise, the authentication fails.
+ 4. Make sure that the certificate (`ssl-cert`) configured in the TiDB server is signed by the CA specified by the client `--ssl-ca` parameter; otherwise, the authentication fails.
 + To authenticate the MySQL client from the TiDB server:
 1. Specify the `ssl-cert`, `ssl-key`, and `ssl-ca` parameters in the TiDB server.
@@ -113,7 +113,7 @@ If the `ssl-ca` parameter is not specified in the TiDB server or MySQL client, t
 - To perform mutual authentication, meet both of the above requirements.
-By default, you can choose to authenticate the client from the server. Even if the client does not present its certificate of identification during the TLS handshake, the TLS connection can be established. You can also require the client to be authenticated through `require 509` when creating a user (`create user`), granting permissions (`grant`), or modifying an existing user (`alter user`). The following is an example of creating a user:
+By default, the server-to-client authentication is optional. Even if the client does not present its certificate of identification during the TLS handshake, the TLS connection can be still established. You can also require the client to be authenticated by specifying `require 509` when creating a user (`create user`), granting permissions (`grant`), or modifying an existing user (`alter user`). The following is an example of creating a user:
 {{< copyable "sql" >}}
From a35d9fb81cc657bccc04a7f745dea17c1bdc5173 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 17:30:54 +0800
Subject: [PATCH 11/19] add ALTER INSTANCE to TOC
---
 TOC.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/TOC.md b/TOC.md
index 36c3891ae65a6..d5a679e209b4a 100644
--- a/TOC.md
+++ b/TOC.md
@@ -170,6 +170,7 @@
 - [`ADD INDEX`](/reference/sql/statements/add-index.md)
 - [`ADMIN`](/reference/sql/statements/admin.md)
 - [`ALTER DATABASE`](/reference/sql/statements/alter-database.md)
+ - [`ALTER INSTANCE`](/reference/sql/statements/alter-instance.md)
 - [`ALTER TABLE`](/reference/sql/statements/alter-table.md)
 - [`ALTER USER`](/reference/sql/statements/alter-user.md)
 - [`ANALYZE TABLE`](/reference/sql/statements/analyze-table.md)
From 49db34f1c1803509b1de5b0631e5d6cf95c50ed5 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 18:12:36 +0800
Subject: [PATCH 12/19] resolve comments
---
 how-to/secure/enable-tls-clients.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/how-to/secure/enable-tls-clients.md b/how-to/secure/enable-tls-clients.md
index 76eab56b3c9a1..32d884c9e35f5 100644
--- a/how-to/secure/enable-tls-clients.md
+++ b/how-to/secure/enable-tls-clients.md
@@ -34,7 +34,7 @@ Similar to MySQL, the encrypted connections in TiDB consist of single connection
 > **Note:**
 >
-> If the logged-in user has been configured to verify the user certificate using the [TiDB Certificate-Based Authentication for Login] (/reference/security/cert-based-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB.
+> If the login user has configured using the [TiDB Certificate-Based Authentication for Login] (/reference/security/cert-based-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB.
 ## Configure TiDB to use encrypted connections
@@ -123,7 +123,7 @@ create user 'u1'@'%' require x509;
 > **Note:**
 >
-> If the logged-in user has been configured to verify the user certificate using the [TiDB Certificate-Based Authentication for Login] (/reference/security/cert-based-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB.
+> If the login user has configured using the [TiDB Certificate-Based Authentication for Login] (/reference/security/cert-based-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB.
 ## Check whether the current connection uses encryption
From 535927dddde599506aa14c4663231769c6927379 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 18:18:18 +0800
Subject: [PATCH 13/19] Update reference/sql/statements/alter-instance.md
Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com>
---
 reference/sql/statements/alter-instance.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reference/sql/statements/alter-instance.md b/reference/sql/statements/alter-instance.md
index 061190a27c33f..ba7e5f7fd08a4 100644
--- a/reference/sql/statements/alter-instance.md
+++ b/reference/sql/statements/alter-instance.md
@@ -1,6 +1,6 @@
 ---
 title: ALTER INSTANCE
-summary: Learn the overview of the ALTER INSTANCE usage in TiDB.
+summary: Learn the overview of the `ALTER INSTANCE` usage in TiDB.
 category: reference
 ---
From b86aa43c5c09614e88f861d00fa130b5968edd9c Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 18:18:38 +0800
Subject: [PATCH 14/19] Update reference/tools/tidb-control.md
Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com>
---
 reference/tools/tidb-control.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reference/tools/tidb-control.md b/reference/tools/tidb-control.md
index 6b12b9ddabfac..68b5568f3602a 100644
--- a/reference/tools/tidb-control.md
+++ b/reference/tools/tidb-control.md
@@ -47,7 +47,7 @@ TiDB Control consists of multiple layers of commands. You can use `-h/--help` af
 - `--pdport`: PD Service port (default 2379)
 - `--ca`: The CA file path used on the TLS connection
 - `--ssl-key`: The key file path used on the TLS connection
-- `--ssl-cert`: The certificate file path used on the TLS connection
+- `--ssl-cert`: The certificate file path used for the TLS connection
 `--pdhost` and `--pdport` are mainly used in the `etcd` subcommand. For example, `tidb-ctl etcd ddlinfo`. If you do not specify the address and the port, the following default value is used:
From 31b509a2f1c562004b42e4b9237e6f136dc5dca7 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 18:18:49 +0800
Subject: [PATCH 15/19] Update reference/tools/tidb-control.md
Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com>
---
 reference/tools/tidb-control.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reference/tools/tidb-control.md b/reference/tools/tidb-control.md
index 68b5568f3602a..3a93aa016d293 100644
--- a/reference/tools/tidb-control.md
+++ b/reference/tools/tidb-control.md
@@ -46,7 +46,7 @@ TiDB Control consists of multiple layers of commands. You can use `-h/--help` af
 - `--pdhost`: PD Service address (default 127.0.0.1)
 - `--pdport`: PD Service port (default 2379)
 - `--ca`: The CA file path used on the TLS connection
-- `--ssl-key`: The key file path used on the TLS connection
+- `--ssl-key`: The key file path used for the TLS connection
 - `--ssl-cert`: The certificate file path used for the TLS connection
 `--pdhost` and `--pdport` are mainly used in the `etcd` subcommand. For example, `tidb-ctl etcd ddlinfo`. If you do not specify the address and the port, the following default value is used:
From c347cc4194c8354b98a2ff726d73a2cfb704d8b6 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 18:19:01 +0800
Subject: [PATCH 16/19] Update reference/tools/tidb-control.md
Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com>
---
 reference/tools/tidb-control.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reference/tools/tidb-control.md b/reference/tools/tidb-control.md
index 3a93aa016d293..f8187f4e7d25e 100644
--- a/reference/tools/tidb-control.md
+++ b/reference/tools/tidb-control.md
@@ -45,7 +45,7 @@ TiDB Control consists of multiple layers of commands. You can use `-h/--help` af
 - `--port`: TiDB Service port (default 10080)
 - `--pdhost`: PD Service address (default 127.0.0.1)
 - `--pdport`: PD Service port (default 2379)
-- `--ca`: The CA file path used on the TLS connection
+- `--ca`: The CA file path used for the TLS connection
 - `--ssl-key`: The key file path used for the TLS connection
 - `--ssl-cert`: The certificate file path used for the TLS connection
From bcb9a7ee1235ebc29d7918f709e5498bfe434407 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 18:19:44 +0800
Subject: [PATCH 17/19] Update reference/sql/statements/alter-instance.md
Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com>
---
 reference/sql/statements/alter-instance.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reference/sql/statements/alter-instance.md b/reference/sql/statements/alter-instance.md
index ba7e5f7fd08a4..93d32a221bce5 100644
--- a/reference/sql/statements/alter-instance.md
+++ b/reference/sql/statements/alter-instance.md
@@ -12,7 +12,7 @@ The `ALTER INSTANCE` statement is used to make changes to a single TiDB instance
 You can execute the `ALTER INSTANCE RELOAD TLS` statement to reload the certificate ([`ssl-cert`](/reference/configuration/tidb-server/configuration-file.md#ssl-cert)), the key ([`ssl-key`](/reference/configuration/tidb-server/configuration-file.md#ssl-key)), and the CA ([`ssl-ca`](/reference/configuration/tidb-server/configuration-file.md#ssl-ca)) from the original configuration path.
-The newly loaded certificate, key, and CA take effect on the connection established after the statement is successfully executed. They have no effect on the connection established before the statement is executed.
+The newly loaded certificate, key, and CA take effect on the connection that is established after the statement is successfully executed. The connection established before this statement execution is not affected.
 When an error occurs during reloading, you receive an error message and continue to use the previous key and certificate by default. However, if you have added the optional `NO ROLLBACK ON ERROR`, when an error occurs during reloading, the error is not returned, and the subsequent requests are handled on condition that the TLS secure connection is disabled.
From 3c973a267e6d7bd64ebd79316c65a8ed8890cb8f Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 18:20:40 +0800
Subject: [PATCH 18/19] Update reference/sql/statements/alter-instance.md
Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com>
---
 reference/sql/statements/alter-instance.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reference/sql/statements/alter-instance.md b/reference/sql/statements/alter-instance.md
index 93d32a221bce5..426495bc02a48 100644
--- a/reference/sql/statements/alter-instance.md
+++ b/reference/sql/statements/alter-instance.md
@@ -14,7 +14,7 @@ You can execute the `ALTER INSTANCE RELOAD TLS` statement to reload the certific
 The newly loaded certificate, key, and CA take effect on the connection that is established after the statement is successfully executed. The connection established before this statement execution is not affected.
-When an error occurs during reloading, you receive an error message and continue to use the previous key and certificate by default. However, if you have added the optional `NO ROLLBACK ON ERROR`, when an error occurs during reloading, the error is not returned, and the subsequent requests are handled on condition that the TLS secure connection is disabled.
+When an error occurs during reloading, by default, this error message is returned and the previous key and certificate continue to be used. However, if you have added the optional `NO ROLLBACK ON ERROR`, when an error occurs during reloading, the error is not returned, and the subsequent requests are handled with the TLS security connection disabled.
 ## Syntax diagram
From e9bef479e5f33688aae902d4e13aea977b7c3a81 Mon Sep 17 00:00:00 2001
From: toutdesuite
Date: Wed, 13 May 2020 18:25:26 +0800
Subject: [PATCH 19/19] Update reference/sql/statements/alter-instance.md
Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com>
---
 reference/sql/statements/alter-instance.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reference/sql/statements/alter-instance.md b/reference/sql/statements/alter-instance.md
index 426495bc02a48..e647d797f13d5 100644
--- a/reference/sql/statements/alter-instance.md
+++ b/reference/sql/statements/alter-instance.md
@@ -30,7 +30,7 @@ ALTER INSTANCE RELOAD TLS;
 ## MySQL compatibility
-The `ALTER INSTANCE RELOAD TLS` statement only supports reloading from the original configuration path. It dose not support the dynamic modification of the loading path, nor does it support dynamic enablement of the TLS encrypted connection feature when TiDB is started. This feature is disabled by default when you restart TiDB.
+The `ALTER INSTANCE RELOAD TLS` statement only supports reloading from the original configuration path. It does not support dynamically modifying the loading path or dynamically enabling the TLS encrypted connection feature when TiDB is started. This feature is disabled by default when you restart TiDB.
 ## See also