本文参考链接如下:
openGauss动态数据脱敏
https://opengauss.org/zh/blogs/blogs.html?post/chenguang/opengauss%E5%8A%A8%E6%80%81%E6%95%B0%E6%8D%AE%E8%84%B1%E6%95%8F
openGauss数据动态脱敏
https://opengauss.org/zh/blogs/blogs.html?post/jiajunfeng/opengauss%E6%95%B0%E6%8D%AE%E5%8A%A8%E6%80%81%E8%84%B1%E6%95%8F
openGauss从2.0版本开始支持动态数据脱敏特性,并且采用基于语句改写方法,在查询解析获取查询树后,根据用户定义的脱敏策略识别查询树目标结点,并对待脱敏结点进行改写构造“脱敏查询树”,再交由数据库内核执行最终返回脱敏后数据。
openGauss数据动态脱敏使用方法
- 开启参数:enable_security_policy
- 创建资源标签:create resource label
- 创建脱敏策略:create masking policy
通过三步配置就可以开启数据动态脱敏,接下来进行几种不同脱敏策略的测试,测试环境是Centos7.6 openGauss 3.0.0,目前数据库内部预置8种脱敏策略,另外用户也可以自定义函数来配置。本文将对这9种方式分别进行测试。
测试准备
首先需要检查数据库enable_security_policy参数为on
openGauss=# show enable_security_policy;
enable_security_policy
------------------------
on
(1 row)
然后使用初始用户omm,创建两个普通用户,用于配置脱敏策略
create user user_dev password 'dev@1234';
create user user_app password 'app@1234';
赋予public模式的权限给用户
grant all on schema public to user_dev,user_app;
创建测试表,测试7种数据类型,目前暂不支持pg_catalog.date,bytea,blob,clob,xml,json,jsonb类型
create table public.tb_for_mask(
id int,bid bigint,did double precision,nid numeric,
flag boolean,ts timestamp,str varchar,str2 varchar
);
赋予表权限给用户
grant all on table public.tb_for_mask to user_dev,user_app;
插入测试数据
insert into tb_for_mask values(
12345678,120000000000,1.2345678,1.2345678,
true,clock_timestamp(),'1234-5678-9012-3456','9876-5432-1098-7654'
);
接着创建资源标签(表的数据列只能配置到一个资源标签下)
create resource label res_lab_id add column(tb_for_mask.id);
create resource label res_lab_bid add column(tb_for_mask.bid);
create resource label res_lab_did add column(tb_for_mask.did);
create resource label res_lab_nid add column(tb_for_mask.nid);
create resource label res_lab_flag add column(tb_for_mask.flag);
create resource label res_lab_ts add column(tb_for_mask.ts);
create resource label res_lab_str add column(tb_for_mask.str);
create resource label res_lab_str2 add column(tb_for_mask.str2);
最后我们可以使用create masking policy指定不同的策略来进行测试。
策略一:maskall
maskall是将字符串类型的所有值脱敏为x,其它几种类型显示为该类型的默认值。
创建maskall策略语句如下:
create masking policy my_masking_policy
maskall on label(
res_lab_id,res_lab_bid,res_lab_did,res_lab_nid,
res_lab_flag,res_lab_ts,res_lab_str,res_lab_str2
)
filter on roles(user_dev, user_app), app(psql, gsql),ip('192.168.137.250');
对于用户user_dev或user_app,使用psql或者gsql,从192.168.137.250访问查询tb_for_mask表时会触发脱敏测试my_masking_policy,资源标签里设置的列会被脱敏处理。
接着用户user_dev使用gsql从192.168.137.250登录数据库,访问tb_for_mask表将触发脱敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+---------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | xxxxxxxxxxxxxxxxxxx | xxxxxxxxxxxxxxxxxxx
(1 row)
策略二:randommasking
randommasking将字符串类型的值脱敏为随机数字或字母,并且每次都是不同的值,其它几种类型显示为该类型的默认值。
创建randommasking策略语句如下:
drop masking policy if exists my_masking_policy ;
create masking policy my_masking_policy
randommasking on label(
res_lab_id,res_lab_bid,res_lab_did,res_lab_nid,
res_lab_flag,res_lab_ts,res_lab_str,res_lab_str2
)
filter on roles(user_dev, user_app), app(psql, gsql),ip('192.168.137.250');
对所有的资源标签设置脱敏策略为randommasking。
用户user_dev使用gsql从192.168.137.250登录数据库,访问tb_for_mask表将触发脱敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+---------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | c7cb61cb2751f399dde | 5963b6237d0b77a6fcc
(1 row)
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+---------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | cf9ba67bdb99271c503 | 0126dd99740deee678d
(1 row)
策略三:creditcardmasking
creditcardmasking将字符串类型的值保留连接符号-和末尾4位数字,其余全部设为x。
设置creditcardmasking策略语句如下:
alter masking policy my_masking_policy
modify creditcardmasking on label(
res_lab_str2
);
这里使用alter修改策略为creditcardmasking。
用户user_dev使用gsql从192.168.137.250登录数据库,访问tb_for_mask表将触发脱敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+---------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | 02ad7c4c980c08c9182 | xxxx-xxxx-xxxx-7654
(1 row)
可以看到str2脱敏策略:保留连接符号-和末尾4位数字,其余全部为x。
策略四:basicemailmasking
basicemailmasking将字符串类型邮箱格式值对@符号之前的所有数据内容设为x。
设置basicemailmasking策略语句如下:
alter masking policy my_masking_policy
modify basicemailmasking on label(
res_lab_str2
);
这里使用alter修改策略为basicemailmasking。
同时修改str2字段的值为一个邮箱格式。
update tb_for_mask set str2='chong.peng@enmotch.com' where id=12345678;
用户user_dev使用gsql从192.168.137.250登录数据库,访问tb_for_mask表将触发脱敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+------------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | 21624e8f64817485e3f | xxxxxxxxxx@enmotch.com
(1 row)
可以看到str2脱敏策略为基本的邮箱格式脱敏。
策略五:fullemailmasking
fullemailmasking将字符串类型邮箱格式值仅保留@符号和邮箱dot结尾,其余全部设为x。
设置fullemailmasking策略语句如下:
alter masking policy my_masking_policy
modify fullemailmasking on label(
res_lab_str2
);
这里使用alter修改策略为fullemailmasking。
用户user_dev使用gsql从192.168.137.250登录数据库,访问tb_for_mask表将触发脱敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+------------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | 2510768c9a40c6eff5d | xxxxxxxxxx@xxxxxxx.com
(1 row)
策略六:shufflemasking
shufflemasking将字符串类型的值交换位置,打乱顺序。
设置shufflemasking策略语句如下:
alter masking policy my_masking_policy
modify shufflemasking on label(
res_lab_str2
);
这里使用alter修改策略为shufflemasking。
用户user_dev使用gsql从192.168.137.250登录数据库,访问tb_for_mask表将触发脱敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+------------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | 17b7aa115fe1de88109 | ecgom@t.nocpgnnchhmo.e
(1 row)
策略七:alldigitsmasking
alldigitsmasking将字符串类型的值中所有的数字脱敏为0,其它字符不变。
设置alldigitsmasking策略语句如下:
alter masking policy my_masking_policy
modify alldigitsmasking on label(
res_lab_str2
);
这里使用alter修改策略为alldigitsmasking。
修改str2字段的值,便于后续观察。
update tb_for_mask set str2='12345chong.peng@enmotch.com6789' where id=12345678;
用户user_dev使用gsql从192.168.137.250登录数据库,访问tb_for_mask表将触发脱敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select str2 from tb_for_mask;
str2
---------------------------------
00000chong.peng@enmotch.com0000
(1 row)
策略八:regexpmasking
regexpmasking将字符串类型的值进行正则表达式脱敏。
设置regexpmasking策略语句如下:
alter masking policy my_masking_policy
modify regexpmasking('[\d+]','*',7,8) on label(
res_lab_str2
);
修改str2字段的值,便于后续观察。
update tb_for_mask set str2='9876-5432-1098-7654' where id=12345678;
用户user_dev使用gsql从192.168.137.250登录数据库,访问tb_for_mask表将触发脱敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select str2 from tb_for_mask;
str2
---------------------
9876-54**-****-7654
(1 row)
策略九:使用自定义函数
创建一个简单的函数,脱敏数据为八个字符Y
create or replace function foo(varchar) returns varchar
as $function$
declare
begin
return 'YYYYYYYY';
end;
$function$ language plpgsql;
设置策略语句如下:
alter masking policy my_masking_policy
modify public.foo on label(
res_lab_str2
);
用户user_dev使用gsql从192.168.137.250登录数据库,访问tb_for_mask表将触发脱敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select str2 from tb_for_mask;
str2
----------
YYYYYYYY
(1 row)
八种策略脱敏前后对比
| 策略 | 原数据 | 脱敏数据 |
|---|---|---|
| maskall | 1234-5678-9012-3456 | xxxxxxxxxxxxxxxxxxx |
| randommasking | 1234-5678-9012-3456 | cf9ba67bdb99271c503 |
| creditcardmasking | 9876-5432-1098-7654 | xxxx-xxxx-xxxx-7654 |
| basicemailmasking | chong.peng@enmotch.com | xxxxxxxxxx@enmotch.com |
| fullemailmasking | chong.peng@enmotch.com | xxxxxxxxxx@xxxxxxx.com |
| shufflemasking | chong.peng@enmotch.com | ecgom@t.nocpgnnchhmo.e |
| regexpmasking | 9876-5432-1098-7654 | 9876-54**-****-7654 |
| alldigitsmasking | 12345chong.peng@enmotch.com6789 | 00000chong.peng@enmotch.com0000 |
