*: add column-level masking policy feature document

[tiancaiamao]

First-time contributors' checklist

• I've signed the Contributor License Agreement, which is required for the repository owners to accept my contribution.

What is changed, added or deleted? (Required)

Which TiDB version(s) do your changes apply to? (Required)

Tips for choosing the affected version(s):

By default, CHOOSE MASTER ONLY so your changes will be applied to the next TiDB major or minor releases. If your PR involves a product feature behavior change or a compatibility change, CHOOSE THE AFFECTED RELEASE BRANCH(ES) AND MASTER.

For details, see tips for choosing the affected versions (in Chinese).

• master (the latest development version)
• v9.0 (TiDB 9.0 versions)
• v8.5 (TiDB 8.5 versions)
• v8.1 (TiDB 8.1 versions)
• v7.5 (TiDB 7.5 versions)
• v7.1 (TiDB 7.1 versions)
• v6.5 (TiDB 6.5 versions)
• v6.1 (TiDB 6.1 versions)
• v5.4 (TiDB 5.4 versions)

What is the related PR or file link(s)?

• This PR is translated from:
• Other reference link(s): *: add document for column-level masking policy feature docs#22613

Do your changes match any of the following descriptions?

• Delete files
• Change aliases
• Need modification after applied to another branch
• Might cause conflicts after applied to another branch

[qiancai]

@tiancaiamao Please involve a tech reviewer for this PR. Thanks.

[bb7133]

Please address the comments~

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from qiancai. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[qiancai]

Suggested change

	此功能对于满足 PCI-DSS（支付卡行业数据安全标准）等合规要求以及数据隐私法规（如 GDPR - 通用数据保护条例、CCPA - 加州消费者隐私法案）特别有用，这些法规要求严格控制谁可以查看信用卡号、个人标识符和其他机密信息等敏感信息。
	列级脱敏策略适用于需要限制敏感数据可见性的场景，例如控制信用卡号、身份证号、电话号码、电子邮件地址、出生日期等敏感信息的访问范围。

[tiancaiamao]

从使用场景描述角度，原始的描述可能是更准确且易被理解的。
comment 后的描述更通用，但是反而不便于用户直接理解场景。

[ti-chi-bot]

@tiancaiamao: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-verify	7d9bc9c	link	true	/test pull-verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tiancaiamao]

从使用场景描述角度，原始的描述可能是更准确且易被理解的。
comment 后的描述更通用，但是反而不便于用户直接理解场景。

[tiancaiamao]

常规则的使用，我们说的脱敏都是针对查询讲的
比如，select sensitive_col from t where ... 这种我们知道会 masking
但是非常规的，就可能涉及
insert into t1 select select sensitive_col from t where ...
用户如果把敏感列数据读出来，再写到另一张表里面
那它是否应该从另一张表中读出脱敏数据？
这个行为就是 RESTRICT ON 来决定，它要限制作用域是什么
所以文档后面就有 RESTRICT ON 语义，来进一步描述

[tiancaiamao]

对。就是我这些策略可以创建后暂时不使用，于是可以开启和关闭
而不是整体删和重建

[tiancaiamao]

@qiancai 这里是否特殊说明一下，CTAS 其实是没有实现的，或者叫保留给将来使用
原因不是 column masking 这边没做实现
而是说，由于我们的 DDL 那边本身是没有支持 create table as select 这样的用法
必须分成两步做，create table like + insert into select
由于没有 create table as select 的实现，column masking 也就没有实际 去实现 CTAS

[tiancaiamao]

是最外层阶段做的脱敏
只要不是最外层阶段，它们用到的都还是原始的值
也就是 masking 表达式始终应该作用于最最外面一层

[tiancaiamao]

行为应该是在最后给到用户的输入那里脱敏
而不是在脱敏过的结果之上应用视图

[tiancaiamao]

这里还涉及 BR/TiCDC 版本
就是 TiDB / BR / TiCDC 必须都是支持的版本中，才能够支持