diff --git a/privilege-management.md b/privilege-management.md index 9fe98feafb091..9abb56563f932 100644 --- a/privilege-management.md +++ b/privilege-management.md @@ -195,6 +195,7 @@ Dynamic privileges include: * `ROLE_ADMIN` * `CONNECTION_ADMIN` * `SYSTEM_VARIABLES_ADMIN` +* `RESTRICTED_REPLICA_WRITER_ADMIN` allows privilege owners to perform write or update operations without being affected when the read-only mode is enabled in the TiDB cluster. For details, see [`tidb_restricted_read_only`](/system-variables.md#tidb_restricted_read_only-new-in-v520). To see the full set of dynamic privileges, execute the `SHOW PRIVILEGES` statement. Because plugins are permitted to add new privileges, the list of privileges that are assignable might differ based on your TiDB installation. diff --git a/system-variables.md b/system-variables.md index 3ff7cb13e95c3..74bd5a0c68409 100644 --- a/system-variables.md +++ b/system-variables.md @@ -1488,6 +1488,21 @@ SET tidb_query_log_max_len = 20 - leader-and-follower: Read from leader or follower node - See [follower reads](/follower-read.md) for additional details. +### tidb_restricted_read_only New in v5.2.0 + +- Scope: GLOBAL +- Default value: `0` +- Value options: `0`, `1` +- This variable controls the read-only status of the entire cluster. If the variable is enabled (which means that the value is `1`), all TiDB servers in the entire cluster are in the read-only mode. In this case, TiDB only executes the statements that do not modify data, such as `SELECT`, `USE`, and `SHOW`. For other statements such as `INSERT` and `UPDATE`, TiDB rejects executing those statements in the read-only mode. +- Enabling the read-only mode using this variable only ensures that the entire cluster finally enters the read-only status. If you have changed the value of this variable in a TiDB cluster but the change has not yet propagated to other TiDB servers, the un-updated TiDB servers are still **not** in the read-only mode. +- When this variable is enabled, the SQL statements being executed are not affected. TiDB only performs the read-only check for the SQL statements **to be** executed. +- When this variable is enabled, TiDB handles the uncommitted transactions in the following ways: + - For uncommitted read-only transactions, you can commit the transactions normally. + - For uncommitted transactions that are not read-only, SQL statements that perform write operations in these transactions are rejected. + - For uncommitted read-only transactions with modified data, the commit of these transactions is rejected. +- After the read-only mode is enabled, all users (including the users with the `SUPER` privilege) cannot execute the SQL statements that might write data unless the user is explicitly granted the `RESTRICTED_REPLICA_WRITER_ADMIN` privilege. +- Users with `RESTRICTED_VARIABLES_ADMIN` or `SUPER` privileges can modify this variable. However, if the [security enhanced mode](#tidb_enable_enhanced_security) is enabled, only the users with the `RESTRICTED_VARIABLES_ADMIN` privilege can modify this variable. + ### tidb_retry_limit - Scope: SESSION | GLOBAL