User-Controlled Log Redaction
User-controlled log redaction lets you manage the visibility of sensitive data in your TiDB Cloud Dedicated cluster logs. By toggling this redaction feature, you can protect your information, balance operational needs with security, and control what appears in your cluster logs.
Log redaction is enabled by default, ensuring that sensitive information in running logs and execution plans is concealed. If you need more detailed log information for cluster maintenance or SQL tuning, you can disable this feature at any time.
Prerequisites
- You must be in the Organization Owner or Project Owner role of your organization in TiDB Cloud.
- Log redaction cannot be enabled or disabled when the cluster is in the paused state.
Disable log redaction
To disable log redaction, do the following:
Log in to the TiDB Cloud console.
Navigate to the Clusters page, and then click the name of your target cluster to go to its overview page.
In the left navigation pane, click Settings > Security.
In the Execution Log Redaction section, you can see that the redaction feature is Enabled by default.
Click Disable. A warning appears, explaining the risks of disabling log redaction.
Confirm that you want to disable log redaction.
After disabling log redaction, note the following:
- The change only applies to new database connections.
- Existing connections are unaffected. You need to reconnect them for the changes to take effect.
- Logs for new sessions will no longer be redacted.
Check the updated logs
To check the updated logs after log redaction is disabled, do the following:
Simulate a performance issue caused by a slow query. For example, execute the following SQL statement:
    SELECT *, SLEEP(2) FROM users WHERE email LIKE "%useremail%";
Wait a few minutes for the slow query log to update.
Review the log to confirm that the sensitive data is not redacted.
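The review step can be automated by scanning slow query log entries for literal values that survived in the logged statement. The same scan, run after redaction is enabled again, confirms that new entries no longer expose data. This is an added example, not TiDB Cloud code: the log layout, the `?` placeholder form of a redacted statement, and the names `parse_entries`, `find_literals` and `audit` are assumptions, and the sample log is constructed.

```python
import re

# Constructed sample in the style of a slow query log (assumed layout:
# "# Key: value" metadata lines, then the statement ending in ";").
SAMPLE_LOG = """\
# Time: 2024-05-01T10:00:00.000000Z
# Query_time: 2.003
SELECT *, SLEEP(2) FROM users WHERE email LIKE "%useremail%";
# Time: 2024-05-01T10:20:00.000000Z
# Query_time: 2.001
select * , sleep ( ? ) from `users` where `email` like ?;
"""

# Quoted strings and bare numbers are treated as literal user data.
STRING_LIT = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
NUMBER_LIT = re.compile(r"(?<![\w.])\d+(?:\.\d+)?(?!\w)")

def parse_entries(log_text):
    """Yield (timestamp, statement) pairs; metadata lines are skipped."""
    ts, stmt = None, []
    for line in log_text.splitlines():
        if line.startswith("# Time:"):
            ts, stmt = line.split(":", 1)[1].strip(), []
        elif line.startswith("#") or not line.strip():
            continue
        else:
            stmt.append(line.strip())
            if line.rstrip().endswith(";"):  # statement may span lines
                yield ts, " ".join(stmt)
                stmt = []

def find_literals(statement):
    """Return literal values still present in a logged statement."""
    no_idents = re.sub(r"`[^`]*`", " ", statement)  # drop `identifiers`
    strings = STRING_LIT.findall(no_idents)
    rest = STRING_LIT.sub(" ", no_idents)  # avoid digits inside strings
    return strings + NUMBER_LIT.findall(rest)

def audit(log_text):
    """Return [(timestamp, [literals])] for entries that expose literals."""
    return [(ts, lits) for ts, stmt in parse_entries(log_text)
            if (lits := find_literals(stmt))]

if __name__ == "__main__":
    for ts, lits in audit(SAMPLE_LOG):
        print(f"{ts}: unredacted literals {lits}")
```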
Enable log redaction
To maintain data security, enable log redaction as soon as you complete your diagnostic or maintenance task, as follows:
Log in to the TiDB Cloud console.
Navigate to the Clusters page, and then click the name of your target cluster to go to its overview page.
In the left navigation pane, click Settings > Security.
In the Execution Log Redaction section, you can see that the redaction feature is Disabled.
Click Enable to enable it.
Reconnect to the database for the change to take effect on new sessions.