In system-catalogs.md, added description of allow_unsafe_internals with a warning.

Author: florence-crl

src/current/_includes/v25.4/misc/session-vars.md

@@ -1,7 +1,7 @@
 | Variable name | Description | Initial value | Modify with [`SET`]({% link {{ page.version.version }}/set-vars.md %})? | View with [`SHOW`]({% link {{ page.version.version }}/show-vars.md %})? |
 |---|---|---|---|---|
 | <a id="always-distribute-full-scans"></a> `always_distribute_full_scans` | When set to `on`, full table scans are always [distributed]({% link {{ page.version.version }}/architecture/sql-layer.md %}#distsql). | `off` | Yes | Yes |
-| <a id="allow-unsafe-internals"></a><span class="version-tag">New in v25.4:</span> `allow_unsafe_internals` | Controls access to unsafe internals in the `system` database and the [`crdb_internal`]({% link {{ page.version.version }}/crdb-internal.md %}#access-control) schema. When set to `off`, only allowlisted objects are accessible without internal privileges. | `on` | Yes | Yes |
+| <a id="allow-unsafe-internals"></a><span class="version-tag">New in v25.4:</span> `allow_unsafe_internals` | Controls access to unsafe internals in the `system` database and the [`crdb_internal`]({% link {{ page.version.version }}/crdb-internal.md %}#access-control) schema. When set to `off`, only allowlisted objects are accessible without internal privileges.<br><br>**Warning**: In future releases, this session variable will default to `off` and then will be removed. To assess potential downstream impacts on your setup, set `allow_unsafe_internals` to `off` in a non-production environment. | `on` | Yes | Yes |
 | <a id="application-name"></a> `application_name` | The current application name for statistics collection. | Empty string, or `cockroach` for sessions from the [built-in SQL client]({% link {{ page.version.version }}/cockroach-sql.md %}). | Yes | Yes |
 | <a id="autocommit-before-ddl"></a> `autocommit_before_ddl` | When the [`autocommit_before_ddl` session setting]({% link {{page.version.version}}/set-vars.md %}#autocommit-before-ddl) is set to `on`, any schema change statement that is sent during an [explicit transaction]({% link {{page.version.version}}/transactions.md %}) will cause the transaction to [commit]({% link {{page.version.version}}/commit-transaction.md %}) before executing the schema change. This is useful because [CockroachDB does not fully support multiple schema changes in a single transaction]({% link {{ page.version.version }}/online-schema-changes.md %}#schema-changes-within-transactions). : This setting is enabled by default. To disable it for [all roles]({% link {{ page.version.version }}/alter-role.md %}#set-default-session-variable-values-for-all-users), issue the following statement: `ALTER ROLE ALL SET autocommit_before_ddl = false`  | `on` | Yes | Yes |
 | <a id="bytea-output"></a> `bytea_output` | The [mode for conversions from `STRING` to `BYTES`]({% link {{ page.version.version }}/bytes.md %}#supported-conversions). | hex | Yes | Yes |

src/current/v25.4/crdb-internal.md

@@ -9,7 +9,12 @@ The `crdb_internal` [system catalog]({% link {{ page.version.version }}/system-c
 
 ## Access control
 
-{% include_cached new-in.html version="v25.4" %} CockroachDB treats most objects in the `crdb_internal` schema, as well as descriptors in the `system` database, as *unsafe internals*. Access to these objects is controlled by the [`allow_unsafe_internals` session variable]({% link {{ page.version.version }}/session-variables.md %}#allow-unsafe-internals). This defaults to `on`, but you can disable access by setting it to `off`.
+{% include_cached new-in.html version="v25.4" %} CockroachDB treats most objects in the `crdb_internal` schema, as well as descriptors in the `system` database, as *unsafe internals*. Access to these objects is controlled by the [`allow_unsafe_internals` session variable]({% link {{ page.version.version }}/session-variables.md %}#allow-unsafe-internals). This defaults to `on`, but you can disable access by setting it to `off`:
+
+{% include_cached copy-clipboard.html %}
+~~~ sql
+SET allow_unsafe_internals = off;
+~~~
 
 When set to `off`, external sessions can read only the allowlisted `crdb_internal` objects that are supported for production use (the tables marked ✓ in the table below). All other tables and built-in functions that use the `crdb_internal` namespace require either an internal caller or explicitly enabling `allow_unsafe_internals` for the session:
 
@@ -22,6 +27,10 @@ Some SHOW commands, such as [SHOW DATABASES]({% link {{ page.version.version }}/
 
 CockroachDB emits [log events to the `SENSITIVE_ACCESS` channel]({% link {{ page.version.version }}/logging-use-cases.md %}#example-unsafe-internals) when a user overrides or is denied access to unsafe internals, generating a record of emergency access to system internals.
 
+{{site.data.alerts.callout_danger}}
+In future releases, the `allow_unsafe_internals` session variable will default to `off` and then will be removed. To assess potential downstream impacts on your setup, set `allow_unsafe_internals` to `off` in a non-production environment.
+{{site.data.alerts.end}}
+
 <a id="data-exposed-by-crdb_internal"></a>
 
 ## Tables

src/current/v25.4/logging-use-cases.md

@@ -271,9 +271,13 @@ All possible `SENSITIVE_ACCESS` event types are detailed in the [reference docum
 
 #### Example: Unsafe internals
 
+{{site.data.alerts.callout_danger}}
+In future releases, the [`allow_unsafe_internals` session variable]({% link {{ page.version.version }}/session-variables.md %}#allow-unsafe-internals) will default to `off` and then will be removed. To assess potential downstream impacts on your setup, set `allow_unsafe_internals` to `off` in a non-production environment.
+{{site.data.alerts.end}}
+
 CockroachDB emits log events to the `SENSITIVE_ACCESS` channel when a user overrides or is denied access to [unsafe internals]({% link {{ page.version.version }}/crdb-internal.md %}#access-control), creating a log of emergency access to system internals.
 
-The following events may be logged to the `SENSITIVE_ACCESS` channel, depending on whether the `allow_unsafe_internals` session variable is enabled:
+The following events may be logged to the `SENSITIVE_ACCESS` channel, depending on whether the [`allow_unsafe_internals` session variable]({% link {{ page.version.version }}/session-variables.md %}#allow-unsafe-internals) is enabled:
 
 - `unsafe_internals_accessed`
 - `unsafe_internals_denied`

src/current/v25.4/system-catalogs.md

@@ -14,7 +14,11 @@ The following system catalogs are available as schemas preloaded to every databa
 - [`pg_catalog`]({% link {{ page.version.version }}/pg-catalog.md %}),  a schema provided for compatibility with PostgreSQL.
 - [`pg_extension`]({% link {{ page.version.version }}/pg-extension.md %}), a schema catalog with information about CockroachDB extensions.
 
-Access to the `crdb_internal` schema and many descriptors in the `system` database is gated by the [`allow_unsafe_internals` session variable]({% link {{ page.version.version }}/session-variables.md %}#allow-unsafe-internals). For details, see [crdb_internal access control]({% link {{ page.version.version }}/crdb-internal.md %}#access-control).
+{% include_cached new-in.html version="v25.4" %} Access to the `crdb_internal` schema and descriptors in the `system` database is gated by the [`allow_unsafe_internals` session variable]({% link {{ page.version.version }}/session-variables.md %}#allow-unsafe-internals). For details, see [`crdb_internal` access control]({% link {{ page.version.version }}/crdb-internal.md %}#access-control).
+
+{{site.data.alerts.callout_danger}}
+In future releases, the `allow_unsafe_internals` session variable will default to `off` and then will be removed. To assess potential downstream impacts on your setup, set `allow_unsafe_internals` to `off` in a non-production environment.
+{{site.data.alerts.end}}
 
 {{site.data.alerts.callout_danger}}
 Tables in the system catalogs have varying levels of stability. Not all system catalog tables are meant for programmatic purposes. For more information, see [API Support Policy]({% link {{ page.version.version }}/api-support-policy.md %}).