Add missing configuration options to the box.cfg reference page (#4007)

tarantool · Jan 19, 2024 · a4fb69c · a4fb69c
1 parent 4cd1251
commit a4fb69c
Show file tree

Hide file tree

Showing 5 changed files with 509 additions and 2 deletions.
diff --git a/doc/reference/configuration/cfg_authentication.rst b/doc/reference/configuration/cfg_authentication.rst
@@ -0,0 +1,227 @@
+.. _cfg_authentication:
+
+..  admonition:: Enterprise Edition
+    :class: fact
+
+    Authentication features are supported by the `Enterprise Edition <https://www.tarantool.io/compare/>`_ only.
+
+* :ref:`auth_delay <cfg_auth_delay>`
+* :ref:`auth_retries <cfg_auth_retries>`
+* :ref:`auth_type <cfg_auth_type>`
+* :ref:`disable_guest <cfg_disable_guest>`
+* :ref:`password_min_length <cfg_password_min_length>`
+* :ref:`password_enforce_uppercase <cfg_password_enforce_uppercase>`
+* :ref:`password_enforce_lowercase <cfg_password_enforce_lowercase>`
+* :ref:`password_enforce_digits <cfg_password_enforce_digits>`
+* :ref:`password_enforce_specialchars <cfg_password_enforce_specialchars>`
+* :ref:`password_lifetime_days <cfg_password_lifetime_days>`
+* :ref:`password_history_length <cfg_password_history_length>`
+
+
+.. _cfg_auth_delay:
+
+.. confval:: auth_delay
+
+    Since :doc:`2.11.0 </release/2.11.0>`.
+
+    Specifies a period of time (in seconds) that a specific user should wait
+    for the next attempt after failed authentication.
+
+    With the configuration below, Tarantool refuses the authentication attempt if the previous
+    attempt was less than 5 seconds ago.
+
+    .. code-block:: lua
+
+        box.cfg{ auth_delay = 5 }
+
+
+    | Type: number
+    | Default: 0
+    | Environment variable: TT_AUTH_DELAY
+    | Dynamic: yes
+
+.. _cfg_auth_retries:
+
+.. confval:: auth_retries
+
+    Since :doc:`3.0.0 </release/3.0.0>`.
+
+    Specify the maximum number of authentication retries allowed before ``auth_delay`` is enforced.
+    The default value is 0, which means ``auth_delay`` is enforced after the first failed authentication attempt.
+
+    The retry counter is reset after ``auth_delay`` seconds since the first failed attempt.
+    For example, if a client tries to authenticate fewer than ``auth_retries`` times within ``auth_delay`` seconds, no authentication delay is enforced.
+    The retry counter is also reset after any successful authentication attempt.
+
+    | Type: number
+    | Default: 0
+    | Environment variable: TT_AUTH_RETRIES
+    | Dynamic: yes
+
+
+.. _cfg_auth_type:
+
+.. confval:: auth_type
+
+    Since :doc:`2.11.0 </release/2.11.0>`.
+
+    Specify an authentication protocol:
+
+    - 'chap-sha1': use the `CHAP <https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol>`_ protocol to authenticate users with ``SHA-1`` hashing applied to :ref:`passwords <authentication-passwords>`.
+    - 'pap-sha256': use `PAP <https://en.wikipedia.org/wiki/Password_Authentication_Protocol>`_ authentication with the ``SHA256`` hashing algorithm.
+
+    For new users, the :doc:`box.schema.user.create </reference/reference_lua/box_schema/user_create>` method
+    will generate authentication data using ``PAP-SHA256``.
+    For existing users, you need to reset a password using
+    :doc:`box.schema.user.passwd </reference/reference_lua/box_schema/user_passwd>`
+    to use the new authentication protocol.
+
+    | Type: string
+    | Default value: 'chap-sha1'
+    | Environment variable: TT_AUTH_TYPE
+    | Dynamic: yes
+
+
+.. _cfg_disable_guest:
+
+.. confval:: disable_guest
+
+    Since :doc:`2.11.0 </release/2.11.0>`.
+
+    If **true**, disables access over remote connections
+    from unauthenticated or :ref:`guest access <authentication-passwords>` users.
+    This option affects both
+    :doc:`net.box </reference/reference_lua/net_box>` and
+    :ref:`replication <replication-master_replica_bootstrap>` connections.
+
+    | Type: boolean
+    | Default: false
+    | Environment variable: TT_DISABLE_GUEST
+    | Dynamic: yes
+
+.. _cfg_password_min_length:
+
+.. confval:: password_min_length
+
+    Since :doc:`2.11.0 </release/2.11.0>`.
+
+    Specifies the minimum number of characters for a password.
+
+    The following example shows how to set the minimum password length to 10.
+
+    .. code-block:: lua
+
+        box.cfg{ password_min_length = 10 }
+
+    | Type: integer
+    | Default: 0
+    | Environment variable: TT_PASSWORD_MIN_LENGTH
+    | Dynamic: yes
+
+
+.. _cfg_password_enforce_uppercase:
+
+.. confval:: password_enforce_uppercase
+
+    Since :doc:`2.11.0 </release/2.11.0>`.
+
+    If **true**, a password should contain uppercase letters (A-Z).
+
+    | Type: boolean
+    | Default: false
+    | Environment variable: TT_PASSWORD_ENFORCE_UPPERCASE
+    | Dynamic: yes
+
+
+.. _cfg_password_enforce_lowercase:
+
+.. confval:: password_enforce_lowercase
+
+    Since :doc:`2.11.0 </release/2.11.0>`.
+
+    If **true**, a password should contain lowercase letters (a-z).
+
+    | Type: boolean
+    | Default: false
+    | Environment variable: TT_PASSWORD_ENFORCE_LOWERCASE
+    | Dynamic: yes
+
+
+.. _cfg_password_enforce_digits:
+
+.. confval:: password_enforce_digits
+
+    Since :doc:`2.11.0 </release/2.11.0>`.
+
+    If **true**, a password should contain digits (0-9).
+
+    | Type: boolean
+    | Default: false
+    | Environment variable: TT_PASSWORD_ENFORCE_DIGITS
+    | Dynamic: yes
+
+
+.. _cfg_password_enforce_specialchars:
+
+.. confval:: password_enforce_specialchars
+
+    Since :doc:`2.11.0 </release/2.11.0>`.
+
+    If **true**, a password should contain at least one special character (such as ``&|?!@$``).
+
+    | Type: boolean
+    | Default: false
+    | Environment variable: TT_PASSWORD_ENFORCE_SPECIALCHARS
+    | Dynamic: yes
+
+
+.. _cfg_password_lifetime_days:
+
+.. confval:: password_lifetime_days
+
+    Since :doc:`2.11.0 </release/2.11.0>`.
+
+    Specifies the maximum period of time (in days) a user can use the same password.
+    When this period ends, a user gets the "Password expired" error on a login attempt.
+    To restore access for such users, use :doc:`box.schema.user.passwd </reference/reference_lua/box_schema/user_passwd>`.
+
+    .. note::
+
+        The default 0 value means that a password never expires.
+
+    The example below shows how to set a maximum password age to 365 days.
+
+    .. code-block:: lua
+
+        box.cfg{ password_lifetime_days = 365 }
+
+    | Type: integer
+    | Default: 0
+    | Environment variable: TT_PASSWORD_LIFETIME_DAYS
+    | Dynamic: yes
+
+
+.. _cfg_password_history_length:
+
+.. confval:: password_history_length
+
+    Since :doc:`2.11.0 </release/2.11.0>`.
+
+    Specifies the number of unique new user passwords before an old password can be reused.
+
+    In the example below, a new password should differ from the last three passwords.
+
+    .. code-block:: lua
+
+        box.cfg{ password_history_length = 3 }
+
+    | Type: integer
+    | Default: 0
+    | Environment variable: TT_PASSWORD_HISTORY_LENGTH
+    | Dynamic: yes
+
+    .. note::
+        Tarantool uses the ``auth_history`` field in the
+        :doc:`box.space._user </reference/reference_lua/box_space/_user>`
+        system space to store user passwords.
+
diff --git a/doc/reference/configuration/cfg_binary_logging_snapshots.rst b/doc/reference/configuration/cfg_binary_logging_snapshots.rst
@@ -5,12 +5,15 @@
 * :ref:`wal_dir_rescan_delay <cfg_binary_logging_snapshots-wal_dir_rescan_delay>`
 * :ref:`wal_queue_max_size <cfg_binary_logging_snapshots-wal_queue_max_size>`
 * :ref:`wal_cleanup_delay <cfg_binary_logging_snapshots-wal_cleanup_delay>`
+* :ref:`wal_ext <cfg_binary_logging_snapshots-wal_ext>`
+* :ref:`secure_erasing <cfg_binary_logging_secure_erasing>`
 
 .. _cfg_binary_logging_snapshots-force_recovery:
 
 .. confval:: force_recovery
 
     Since version 1.7.4.
+
     If ``force_recovery`` equals true, Tarantool tries to continue if there is
     an error while reading a :ref:`snapshot file<index-box_persistence>`
     (at server instance start) or a :ref:`write-ahead log file<internals-wal>`
@@ -31,6 +34,7 @@
 .. confval:: wal_max_size
 
     Since version 1.7.4.
+
     The maximum number of bytes in a single write-ahead log file.
     When a request would cause an .xlog file to become larger than
     ``wal_max_size``, Tarantool creates another WAL file.
@@ -45,6 +49,7 @@
 .. confval:: snap_io_rate_limit
 
     Since version 1.4.9.
+
     Reduce the throttling effect of :doc:`box.snapshot() </reference/reference_lua/box_snapshot>` on
     INSERT/UPDATE/DELETE performance by setting a limit on how many
     megabytes per second it can write to disk. The same can be
@@ -64,7 +69,9 @@
 
 .. confval:: wal_mode
 
-    Since version 1.6.2. Specify fiber-WAL-disk synchronization mode as:
+    Since version 1.6.2.
+
+    Specify fiber-WAL-disk synchronization mode as:
 
     * ``none``: write-ahead log is not maintained.
       A node with ``wal_mode = none`` can't be replication master;
@@ -83,6 +90,7 @@
 .. confval:: wal_dir_rescan_delay
 
     Since version 1.6.2.
+
     Number of seconds between periodic scans of the write-ahead-log
     file directory, when checking for changes to write-ahead-log
     files for the sake of :ref:`replication <replication>` or :ref:`hot standby <index-hot_standby>`.
@@ -97,6 +105,7 @@
 .. confval:: wal_queue_max_size
 
     Since version :doc:`2.8.1 </release/2.8.1>`.
+
     The size of the queue (in bytes) used by a :ref:`replica <replication-roles>` to submit
     new transactions to a :ref:`write-ahead log<internals-wal>` (WAL).
     This option helps limit the rate at which a replica submits transactions to the WAL.
@@ -118,6 +127,7 @@
 .. confval:: wal_cleanup_delay
 
     Since version :doc:`2.6.3 </release/2.6.3>`.
+
     The delay (in seconds) used to prevent the :ref:`Tarantool garbage collector <cfg_checkpoint_daemon-garbage-collector>`
     from immediately removing :ref:`write-ahead log<internals-wal>` files after a node restart.
     This delay eliminates possible erroneous situations when the master deletes WALs
@@ -136,4 +146,68 @@
     | Type: number
     | Default: 14400 seconds
     | Environment variable: TT_WAL_CLEANUP_DELAY
-    | Dynamic: **yes**
+    | Dynamic: **yes**
+
+
+.. _cfg_binary_logging_snapshots-wal_ext:
+
+.. confval:: wal_ext
+
+    Since version :doc:`2.11.0 </release/2.11.0>`.
+
+    (**Enterprise Edition only**) Allows you to add auxiliary information to each :ref:`write-ahead log <internals-wal>` record.
+    For example, you can enable storing an old and new tuple for each CRUD operation performed.
+    This information might be helpful for implementing a CDC (Change Data Capture) utility that transforms a data replication stream.
+
+    You can enable storing old and new tuples as follows:
+
+    *   Set the ``old`` and ``new`` options to ``true`` to store old and new tuples in a write-ahead log for all spaces.
+
+        ..  code-block:: lua
+
+            box.cfg {
+                wal_ext = { old = true, new = true }
+            }
+
+    *   To adjust these options for specific spaces, use the ``spaces`` option.
+
+        ..  code-block:: lua
+
+            box.cfg {
+                wal_ext = {
+                    old = true, new = true,
+                    spaces = {
+                        space1 = { old = false },
+                        space2 = { new = false }
+                    }
+                }
+            }
+
+
+        The configuration for specific spaces has priority over the global configuration,
+        so only new tuples are added to the log for ``space1`` and only old tuples for ``space2``.
+
+    Note that records with additional fields are :ref:`replicated <replication-architecture>` as follows:
+
+    *   If a replica doesn't support the extended format configured on a master, auxiliary fields are skipped.
+    *   If a replica and master have different configurations for WAL records, a master's configuration is ignored.
+
+    | Type: map
+    | Default: nil
+    | Environment variable: TT_WAL_EXT
+    | Dynamic: **yes**
+
+
+.. _cfg_binary_logging_secure_erasing:
+
+.. confval:: secure_erasing
+
+    Since version :doc:`3.0.0 </release/3.0.0>`.
+
+    (**Enterprise Edition only**) If **true**, forces Tarantool to overwrite a data file a few times before deletion to render recovery of a deleted file impossible.
+    The option applies to both ``.xlog`` and ``.snap`` files as well as Vinyl data files.
+
+    | Type: boolean
+    | Default: false
+    | Environment variable: TT_SECURE_ERASING
+    | Dynamic: **yes**