本文參考鏈接如下:
openGauss動態數據脫敏
https://opengauss.org/zh/blogs/blogs.html?post/chenguang/opengauss%E5%8A%A8%E6%80%81%E6%95%B0%E6%8D%AE%E8%84%B1%E6%95%8F
openGauss數據動態脫敏
https://opengauss.org/zh/blogs/blogs.html?post/jiajunfeng/opengauss%E6%95%B0%E6%8D%AE%E5%8A%A8%E6%80%81%E8%84%B1%E6%95%8F
openGauss從2.0版本開始支持動態數據脫敏特性,并且采用基于語句改寫方法,在查詢解析獲取查詢樹后,根據用戶定義的脫敏策略識別查詢樹目標結點,并對待脫敏結點進行改寫構造“脫敏查詢樹”,再交由數據庫內核執行最終返回脫敏后數據。
openGauss數據動態脫敏使用方法
- 開啟參數:enable_security_policy
- 創建資源標簽:create resource label
- 創建脫敏策略:create masking policy
通過三步配置就可以開啟數據動態脫敏,接下來進行幾種不同脫敏策略的測試,測試環境是Centos7.6 openGauss 3.0.0,目前數據庫內部預置8種脫敏策略,另外用戶也可以自定義函數來配置。本文將對這9種方式分別進行測試。
測試準備
首先需要檢查數據庫enable_security_policy參數為on
openGauss=# show enable_security_policy;
enable_security_policy
------------------------
on
(1 row)
然后使用初始用戶omm,創建兩個普通用戶,用于配置脫敏策略
create user user_dev password 'dev@1234';
create user user_app password 'app@1234';
賦予public模式的權限給用戶
grant all on schema public to user_dev,user_app;
創建測試表,測試7種數據類型,目前暫不支持pg_catalog.date,bytea,blob,clob,xml,json,jsonb類型
create table public.tb_for_mask(
id int,bid bigint,did double precision,nid numeric,
flag boolean,ts timestamp,str varchar,str2 varchar
);
賦予表權限給用戶
grant all on table public.tb_for_mask to user_dev,user_app;
插入測試數據
insert into tb_for_mask values(
12345678,120000000000,1.2345678,1.2345678,
true,clock_timestamp(),'1234-5678-9012-3456','9876-5432-1098-7654'
);
接著創建資源標簽(表的數據列只能配置到一個資源標簽下)
create resource label res_lab_id add column(tb_for_mask.id);
create resource label res_lab_bid add column(tb_for_mask.bid);
create resource label res_lab_did add column(tb_for_mask.did);
create resource label res_lab_nid add column(tb_for_mask.nid);
create resource label res_lab_flag add column(tb_for_mask.flag);
create resource label res_lab_ts add column(tb_for_mask.ts);
create resource label res_lab_str add column(tb_for_mask.str);
create resource label res_lab_str2 add column(tb_for_mask.str2);
最后我們可以使用create masking policy指定不同的策略來進行測試。
策略一:maskall
maskall是將字符串類型的所有值脫敏為x,其它幾種類型顯示為該類型的默認值。
創建maskall策略語句如下:
create masking policy my_masking_policy
maskall on label(
res_lab_id,res_lab_bid,res_lab_did,res_lab_nid,
res_lab_flag,res_lab_ts,res_lab_str,res_lab_str2
)
filter on roles(user_dev, user_app), app(psql, gsql),ip('192.168.137.250');
對于用戶user_dev或user_app,使用psql或者gsql,從192.168.137.250訪問查詢tb_for_mask表時會觸發脫敏測試my_masking_policy,資源標簽里設置的列會被脫敏處理。
接著用戶user_dev使用gsql從192.168.137.250登錄數據庫,訪問tb_for_mask表將觸發脫敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+---------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | xxxxxxxxxxxxxxxxxxx | xxxxxxxxxxxxxxxxxxx
(1 row)
策略二:randommasking
randommasking將字符串類型的值脫敏為隨機數字或字母,并且每次都是不同的值,其它幾種類型顯示為該類型的默認值。
創建randommasking策略語句如下:
drop masking policy if exists my_masking_policy ;
create masking policy my_masking_policy
randommasking on label(
res_lab_id,res_lab_bid,res_lab_did,res_lab_nid,
res_lab_flag,res_lab_ts,res_lab_str,res_lab_str2
)
filter on roles(user_dev, user_app), app(psql, gsql),ip('192.168.137.250');
對所有的資源標簽設置脫敏策略為randommasking。
用戶user_dev使用gsql從192.168.137.250登錄數據庫,訪問tb_for_mask表將觸發脫敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+---------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | c7cb61cb2751f399dde | 5963b6237d0b77a6fcc
(1 row)
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+---------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | cf9ba67bdb99271c503 | 0126dd99740deee678d
(1 row)
策略三:creditcardmasking
creditcardmasking將字符串類型的值保留連接符號-和末尾4位數字,其余全部設為x。
設置creditcardmasking策略語句如下:
alter masking policy my_masking_policy
modify creditcardmasking on label(
res_lab_str2
);
這里使用alter修改策略為creditcardmasking。
用戶user_dev使用gsql從192.168.137.250登錄數據庫,訪問tb_for_mask表將觸發脫敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+---------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | 02ad7c4c980c08c9182 | xxxx-xxxx-xxxx-7654
(1 row)
可以看到str2脫敏策略:保留連接符號-和末尾4位數字,其余全部為x。
策略四:basicemailmasking
basicemailmasking將字符串類型郵箱格式值對@符號之前的所有數據內容設為x。
設置basicemailmasking策略語句如下:
alter masking policy my_masking_policy
modify basicemailmasking on label(
res_lab_str2
);
這里使用alter修改策略為basicemailmasking。
同時修改str2字段的值為一個郵箱格式。
update tb_for_mask set str2='chong.peng@enmotch.com' where id=12345678;
用戶user_dev使用gsql從192.168.137.250登錄數據庫,訪問tb_for_mask表將觸發脫敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+------------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | 21624e8f64817485e3f | xxxxxxxxxx@enmotch.com
(1 row)
可以看到str2脫敏策略為基本的郵箱格式脫敏。
策略五:fullemailmasking
fullemailmasking將字符串類型郵箱格式值僅保留@符號和郵箱dot結尾,其余全部設為x。
設置fullemailmasking策略語句如下:
alter masking policy my_masking_policy
modify fullemailmasking on label(
res_lab_str2
);
這里使用alter修改策略為fullemailmasking。
用戶user_dev使用gsql從192.168.137.250登錄數據庫,訪問tb_for_mask表將觸發脫敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+------------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | 2510768c9a40c6eff5d | xxxxxxxxxx@xxxxxxx.com
(1 row)
策略六:shufflemasking
shufflemasking將字符串類型的值交換位置,打亂順序。
設置shufflemasking策略語句如下:
alter masking policy my_masking_policy
modify shufflemasking on label(
res_lab_str2
);
這里使用alter修改策略為shufflemasking。
用戶user_dev使用gsql從192.168.137.250登錄數據庫,訪問tb_for_mask表將觸發脫敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select * from tb_for_mask;
id | bid | did | nid | flag | ts | str | str2
----+-----+-----+-----+------+---------------------+---------------------+------------------------
0 | 0 | 0 | 0 | f | 1970-01-01 00:00:00 | 17b7aa115fe1de88109 | ecgom@t.nocpgnnchhmo.e
(1 row)
策略七:alldigitsmasking
alldigitsmasking將字符串類型的值中所有的數字脫敏為0,其它字符不變。
設置alldigitsmasking策略語句如下:
alter masking policy my_masking_policy
modify alldigitsmasking on label(
res_lab_str2
);
這里使用alter修改策略為alldigitsmasking。
修改str2字段的值,便于后續觀察。
update tb_for_mask set str2='12345chong.peng@enmotch.com6789' where id=12345678;
用戶user_dev使用gsql從192.168.137.250登錄數據庫,訪問tb_for_mask表將觸發脫敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select str2 from tb_for_mask;
str2
---------------------------------
00000chong.peng@enmotch.com0000
(1 row)
策略八:regexpmasking
regexpmasking將字符串類型的值進行正則表達式脫敏。
設置regexpmasking策略語句如下:
alter masking policy my_masking_policy
modify regexpmasking('[\d+]','*',7,8) on label(
res_lab_str2
);
修改str2字段的值,便于后續觀察。
update tb_for_mask set str2='9876-5432-1098-7654' where id=12345678;
用戶user_dev使用gsql從192.168.137.250登錄數據庫,訪問tb_for_mask表將觸發脫敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select str2 from tb_for_mask;
str2
---------------------
9876-54**-****-7654
(1 row)
策略九:使用自定義函數
創建一個簡單的函數,脫敏數據為八個字符Y
create or replace function foo(varchar) returns varchar
as $function$
declare
begin
return 'YYYYYYYY';
end;
$function$ language plpgsql;
設置策略語句如下:
alter masking policy my_masking_policy
modify public.foo on label(
res_lab_str2
);
用戶user_dev使用gsql從192.168.137.250登錄數據庫,訪問tb_for_mask表將觸發脫敏策略。
$ gsql -h192.168.137.250 -Uuser_dev postgres -r --password=dev@1234
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:34 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=> select str2 from tb_for_mask;
str2
----------
YYYYYYYY
(1 row)
八種策略脫敏前后對比
| 策略 | 原數據 | 脫敏數據 |
|---|---|---|
| maskall | 1234-5678-9012-3456 | xxxxxxxxxxxxxxxxxxx |
| randommasking | 1234-5678-9012-3456 | cf9ba67bdb99271c503 |
| creditcardmasking | 9876-5432-1098-7654 | xxxx-xxxx-xxxx-7654 |
| basicemailmasking | chong.peng@enmotch.com | xxxxxxxxxx@enmotch.com |
| fullemailmasking | chong.peng@enmotch.com | xxxxxxxxxx@xxxxxxx.com |
| shufflemasking | chong.peng@enmotch.com | ecgom@t.nocpgnnchhmo.e |
| regexpmasking | 9876-5432-1098-7654 | 9876-54**-****-7654 |
| alldigitsmasking | 12345chong.peng@enmotch.com6789 | 00000chong.peng@enmotch.com0000 |
