| title | User-Controlled Log Redaction |
|---|---|
| summary | Learn how to enable or disable user-controlled log redaction in TiDB Cloud to manage the visibility of sensitive data in execution logs. |
User-controlled log redaction lets you manage the visibility of sensitive data in your TiDB Cloud Dedicated cluster or {{{ .premium }}} instance logs. By toggling this redaction feature, you can protect your information, balance operational needs with security, and control what appears in your cluster or instance logs.
Log redaction is enabled by default, ensuring that sensitive information in running logs and execution plans is concealed. If you need more detailed log information for cluster or instance maintenance or SQL tuning, you can disable this feature at any time.
Note:
The log redaction feature is supported only for TiDB Cloud Dedicated clusters and {{{ .premium }}} instances.
- You must be in the Organization Owner or Project Owner role of your organization in TiDB Cloud.
- Log redaction cannot be enabled or disabled when the cluster is in the paused state.
- You must be in the Organization Owner role of your organization in TiDB Cloud.
Warning:
Disabling log redaction might expose sensitive information and increase the risk of data leakage. Ensure that you understand and acknowledge this risk before proceeding. Remember to re-enable it as soon as you complete your diagnostic or maintenance task.
To disable log redaction, do the following:
1. Log in to the TiDB Cloud console.
2. Navigate to the Clusters or TiDB Instances page, and then click the name of your target cluster or instance to go to its overview page.

    Tip:
    You can use the combo box in the upper-left corner to switch between organizations, projects, and clusters, or between organizations and instances.

3. In the left navigation pane, click Settings > Security.
4. In the Execution Log Redaction section, you can see that the redaction feature is Enabled by default.
5. Click Disable. A warning appears, explaining the risks of disabling log redaction.
6. Confirm the disabling.
After disabling log redaction, note the following:
- The change only applies to new database connections.
- Existing connections are unaffected. You need to reconnect them for the changes to take effect.
- Logs for new sessions will no longer be redacted.
To check the updated logs after log redaction is disabled, do the following:
1. Simulate a performance issue caused by a slow query. For example, execute the following SQL statement:

    ```sql
    SELECT *, SLEEP(2) FROM users WHERE email LIKE "%useremail%";
    ```

2. Wait a few minutes for the slow query log to update.
3. Review the log to confirm that the sensitive data is not redacted.
To maintain data security, enable log redaction as soon as you complete your diagnostic or maintenance task, as follows:

1. Log in to the TiDB Cloud console.
2. Navigate to the Clusters or TiDB Instances page, and then click the name of your target cluster or instance to go to its overview page.

    Tip:
    You can use the combo box in the upper-left corner to switch between organizations, projects, and clusters, or between organizations and instances.

3. In the left navigation pane, click Settings > Security.
4. In the Execution Log Redaction section, you can see that the redaction feature is Disabled.
5. Click Enable to enable it.
6. Reconnect to the database for the change to take effect on new sessions.