From 71f74ea0d264e1f3d92c2b88f3e8a72b67d13660 Mon Sep 17 00:00:00 2001
From: Esa Korhonen <esa.korhonen@mariadb.com>
Date: Tue, 16 Jan 2018 12:20:18 +0200
Subject: [PATCH] Add warning about SUPER-users to Switchover Limitations
 documentation

---
 Documentation/Monitors/MariaDB-Monitor.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/Documentation/Monitors/MariaDB-Monitor.md b/Documentation/Monitors/MariaDB-Monitor.md
index e0cc8134d..cd601ecf7 100644
--- a/Documentation/Monitors/MariaDB-Monitor.md
+++ b/Documentation/Monitors/MariaDB-Monitor.md
@@ -277,6 +277,18 @@ The backends must all use GTID-based replication, and the domain id should not
 change during a switchover or failover. Master and slaves must have
 well-behaving GTIDs with no extra events on slave servers.
 
+Switchover requires that the cluster is "frozen" for the duration of the
+operation. This means that no data modifying statements such as INSERT or UPDATE
+are executed and the GTID position of the master server is stable. When
+switchover begins, the monitor sets the global *read_only* flag on the old
+master backend to stop any updates. *read_only* does not affect users with the
+SUPER-privilege so any such user can issue writes during a switchover. These
+writes have a high chance to break replication, because the write may not be
+replicated to all slaves before they switch to the new master. To prevent this,
+any users who commonly do updates should not have the SUPER-privilege. For even
+more security, the only SUPER-user session during a switchover should be the
+MaxScale monitor user.
+
 ### Configuration parameters
 
 #### `auto_failover`