address comments

Signed-off-by: AmoebaProtozoa <8039876+AmoebaProtozoa@users.noreply.github.com>

Author: AmoebaProtozoa

cmd/tidb-server/main.go

@@ -1200,9 +1200,11 @@ func setupSEM() {
 	cfg := config.GetGlobalConfig()
 
 	// Strict SEM is gated on the Starter deployment mode (next-gen only;
-	// deploymode.IsStarter already returns false on classic builds), and it
-	// layers on top of an enabled SEM, so it still requires
-	// security.enable-sem=true.
+	// deploymode.IsStarter already returns false on classic builds). It
+	// layers on top of an enabled semv2 (not classic sem), so it requires
+	// both security.enable-sem=true and a non-empty security.sem-config —
+	// the hint allow-list reads sysvar visibility via semv2 helpers, which
+	// silently return false when semv2 is uninitialized.
 	strictSEM := deploymode.IsStarter()
 
 	if !cfg.Security.EnableSEM {
@@ -1218,6 +1220,10 @@ func setupSEM() {
 			logutil.BgLogger().Fatal("failed to enable SEM", zap.Error(err))
 		}
 	} else {
+		if strictSEM {
+			logutil.BgLogger().Warn("Starter deployment mode requires security.sem-config to enable strict SEM; ignoring")
+			strictSEM = false
+		}
 		sem.Enable()
 	}
 

pkg/util/sem/v2/restricted_statement.go

@@ -22,9 +22,12 @@ import (
 	"github.com/pingcap/tidb/pkg/util/dbterror/plannererrors"
 )
 
-// Literal identifiers protected from DROP/RENAME/role-change operations.
-// tidb-cse drives these off a keyspace username policy; upstream has no such
-// concept, so we match the raw names at host '%'.
+// Literal identifiers protected from account modification: restrictedUsers
+// cannot be dropped, renamed, or have their default-role list rewritten;
+// restrictedRoles cannot be granted, revoked, activated via SET ROLE, or
+// installed as anyone's default. tidb-cse drives these off a keyspace
+// username policy; upstream has no such concept, so we match the raw names
+// at host '%'.
 var (
 	restrictedUsers = []string{"cloud_admin", "root"}
 	restrictedRoles = []string{"cloud_admin"}
@@ -183,7 +186,6 @@ func verifySimple(stmt ast.Node) error {
 		*ast.KillStmt,
 		*ast.BinlogStmt,
 		*ast.DropStatsStmt,
-		*ast.AdminStmt,
 		*ast.GrantStmt,
 		*ast.RevokeStmt,
 		*ast.NonTransactionalDMLStmt,
@@ -271,7 +273,7 @@ func verifySimple(stmt ast.Node) error {
 	case *ast.SetResourceGroupStmt:
 		return notSupported("SET RESOURCE GROUP")
 	}
-	return notSupported(fmt.Sprintf("Unsupported Executor %T", stmt))
+	return notSupported(fmt.Sprintf("Unsupported statement: %T", stmt))
 }
 
 func verifyBRIE(stmt *ast.BRIEStmt) error {
@@ -399,7 +401,7 @@ func verifyAdmin(stmt *ast.AdminStmt) error {
 	case ast.AdminShowSlow:
 		return notSupported("ADMIN SHOW SLOW")
 	}
-	return notSupported(fmt.Sprintf("Unsupported statement: %T", stmt))
+	return notSupported(fmt.Sprintf("Unsupported ADMIN type %d", stmt.Tp))
 }
 
 func notSupported(feature string) error {

pkg/util/sem/v2/restricted_statement_test.go

@@ -250,3 +250,14 @@ func TestStatement_Transactional(t *testing.T) {
 		mustPass(t, sql)
 	}
 }
+
+// TestStatement_DefaultDeny pins the allow-list semantics: an unrecognized
+// StmtNode must be rejected. SearchCaseStmt is a real StmtNode that is only
+// valid inside stored-procedure bodies, so the top-level dispatcher never
+// lists it — this is the closest stand-in for "some future stmt type the
+// dispatcher does not know about yet."
+func TestStatement_DefaultDeny(t *testing.T) {
+	err := IsRestrictedStatement(&ast.SearchCaseStmt{})
+	require.Error(t, err, "default-deny: unknown StmtNode must be rejected")
+	require.Contains(t, err.Error(), "Unsupported statement")
+}