Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Inexpensive MySQL Datamasking with ProxySQL

ProxySQL LLC
February 04, 2017
Technology
0
710

Inexpensive MySQL Datamasking with ProxySQL

Frederic Descamps (Community Manager, Oracle) and Rene Cannao (CEO, ProxySQL) gave this presentation on datamasking best practices in MySQL, MariaDB and Friends at FOSDEM 2017.

Talk abstract is as follows:

During this session we will cover the last development in ProxySQL to support regular expressions and how we can use this strong technique in correlation with the query rules to anonymize live data quickly and transparently.

We will explain the mechanism and how to generate these rules quickly. We show live demo with all challenges we got from the Community and we finish the session by an interactive brainstorm testing queries from the audience.

ProxySQL LLC

February 04, 2017
Tweet

More Decks by ProxySQL LLC

See All by ProxySQL LLC
ProxySQL 2.0 native support for Percona XtraDB Cluster (PXC) 5.7 by Vinicius Grippa
proxysql_sysown
0
260
ProxySQL, the journey from a MySQL proxy to being the de-facto multi-functional tool that scales MySQL
proxysql_sysown
1
350
Kubernetes - The Swiss Army Knife for your ProxySQL Deployments
proxysql_sysown
0
550
Ensuring MySQL High Availability at Scale
proxysql_sysown
0
270
Exploring the latest features in ProxySQL 2.0 (updated to 2.0.9) - FOSDEM 2020
proxysql_sysown
0
860
What's new in ProxySQL 2.0? (Updated to version 2.0.9)
proxysql_sysown
0
830
MySQL DevOps: MySQL High Load Operation (Russian)
proxysql_sysown
0
750
Fault-Tolerance and Load Balancing for Your MySQL Backend (Russian)
proxysql_sysown
0
790
Introduction to High Performance for MySQL, Vlad Fedorkov (ProxySQL)
proxysql_sysown
0
820

Other Decks in Technology

See All in Technology
LINEヤフーのフロントエンド組織・体制の紹介
lycorp_recruit_jp
1
1.2k
PdMはどのように全てのスピードを上げられるか ~ 非連続進化のための具体的な取り組み ~
sansantech
PRO
4
1.2k
watsonx.ai Dojo 環境準備について
oniak3ibm
PRO
0
250
2024年のナビゲーション・フォーカス対応:Composeでキーボード・ナビゲーションをサポートしよう
tahia910
0
110
Creative UIs with Compose: DroidKaigi 2024
chrishorner
1
550
再考 アクターモデル/ reconsider actor model
ytake
0
350
開発者の定量・定性データを組み合わせて開発者体験を把握するための取り組み
ham0215
1
110
Segment Anything Model 2
tenten0727
3
690
なにもしてないのにNew Relicのデータ転送量が増えていたときに確認したこと
tk3fftk
2
230
不動産 x AIことはじめ~データの真価を拓くために
estie
0
110
AIを活用した柔軟かつ効率的な社内リソース検索への取り組み
cygames
0
170
Oracle Autonomous Database:サービス概要のご紹介
oracle4engineer
PRO
1
7.1k

Featured

See All Featured
Code Review Best Practice
trishagee
62
16k
Designing for humans not robots
tammielis
248
25k
Art, The Web, and Tiny UX
lynnandtonic
294
20k
Adopting Sorbet at Scale
ufuk
73
8.9k
How to train your dragon (web standard)
notwaldorf
85
5.6k
Building Adaptive Systems
keathley
36
2.1k
Building Applications with DynamoDB
mza
90
6k
The Straight Up "How To Draw Better" Workshop
denniskardys
230
130k
Bootstrapping a Software Product
garrettdimon
PRO
304
110k
Building an army of robots
kneath
302
42k
The Cult of Friendly URLs
andyhume
76
6k
Building a Scalable Design System with Sketch
lauravandoore
459
32k

Transcript

  1. Inexpensive Datamasking for MySQL with ProxySQL data anonymization for developers

    FOSDEM MySQL & Friends Devroom - February 2017 René Cannaò - ProxySQL Founder Frédéric Descamps - MySQL Community Manager - Oracle 1 / 39

  2. Safe Harbor Statement The following is intended to outline our

    general product direction. It is intended for information purpose only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied up in making purchasing decisions. The development, release and timing of any features or functionality described for Oracle's product remains at the sole discretion of Oracle. Copyright @ 2017 lefred & ProxySQL. All rights reserved. 2 / 39

  3. Who are we ? Copyright @ 2017 lefred & ProxySQL.

    All rights reserved. 3 / 39

  4. René Cannaò @rene_cannao ProxySQL Founder Copyright @ 2017 lefred &

    ProxySQL. All rights reserved. 4 / 39

  5. Frédéric Descamps @lefred MySQL Evangelist Managing MySQL since 3.23 devops

    believer Copyright @ 2017 lefred & ProxySQL. All rights reserved. 5 / 39

  6. What is ProxySQL ? Copyright @ 2017 lefred & ProxySQL.

    All rights reserved. 6 / 39

  7. What is ProxySQL ? the MySQL data stargate Copyright @

    2017 lefred & ProxySQL. All rights reserved. 7 / 39

  8. Why using ProxySQL as datamasking solution? Open Source & Free

    like in beer Copyright @ 2017 lefred & ProxySQL. All rights reserved. 8 / 39

  9. Why using ProxySQL as datamasking solution? Open Source & Free

    like in beer Other solutions are expensive or not working Copyright @ 2017 lefred & ProxySQL. All rights reserved. 9 / 39

  10. Why using ProxySQL as datamasking solution? Open Source & Free

    like in beer Other solutions are expensive or not working Not worse than the other solutions as currently none is perfect Copyright @ 2017 lefred & ProxySQL. All rights reserved. 10 / 39

  11. Why using ProxySQL as datamasking solution? Open Source & Free

    like in beer Other solutions are expensive or not working Not worse than the other solutions as currently none is perfect the best solution would be to have this feature implemented in the server just after the handler API Copyright @ 2017 lefred & ProxySQL. All rights reserved. 11 / 39

  12. The concept We use Regular Expressions to modify the client's

    SQL statement and replace the column(s) we want to hide by some characters. Only the defined users, in our example, we use a developer will have his statements modified. Copyright @ 2017 lefred & ProxySQL. All rights reserved. 12 / 39

  13. Access don't forget to create a user. > insert into

    mysql_users (username, password, active, default_hostgroup) values ('devel','devel',1,1); Copyright @ 2017 lefred & ProxySQL. All rights reserved. 13 / 39

  14. Rules Avoid SELECT * Copyright @ 2017 lefred & ProxySQL.

    All rights reserved. 14 / 39

  15. Rules Avoid SELECT * we need to create some rules

    to block any SELECT * variant on the table Copyright @ 2017 lefred & ProxySQL. All rights reserved. 15 / 39

  16. Rules Avoid SELECT * we need to create some rules

    to block any SELECT * variant on the table if the column is part of many tables, we need to do so for each of them Copyright @ 2017 lefred & ProxySQL. All rights reserved. 16 / 39

  17. Rules (2) Mask the field Copyright @ 2017 lefred &

    ProxySQL. All rights reserved. 17 / 39

  18. Rules (2) Mask the field when the field is selected

    in the columns we need: Copyright @ 2017 lefred & ProxySQL. All rights reserved. 18 / 39

  19. Rules (2) Mask the field when the field is selected

    in the columns we need: to replace the columnn by showing the first 2 characters and a certain amount of Xs Copyright @ 2017 lefred & ProxySQL. All rights reserved. 19 / 39

  20. Rules (2) Mask the field when the field is selected

    in the columns we need: to replace the columnn by showing the first 2 characters and a certain amount of Xs keep the column name Copyright @ 2017 lefred & ProxySQL. All rights reserved. 20 / 39

  21. Rules (2) Mask the field when the field is selected

    in the columns we need: to replace the columnn by showing the first 2 characters and a certain amount of Xs keep the column name 5275653223285289 will become 52XXXXXXXXXX Copyright @ 2017 lefred & ProxySQL. All rights reserved. 21 / 39

  22. Rules Overview Too mask cc_num from table CUSTOMERS, 7 rules

    are needed: Copyright @ 2017 lefred & ProxySQL. All rights reserved. 22 / 39

  23. Rules Overview Too mask cc_num from table CUSTOMERS, 7 rules

    are needed: rule #1 rule_id: 1 active: 1 username: devel agIN: 0 match_pattern: `*cc_num*` re_modi ers: caseless,global agOUT: NULL replace_pattern: cc_num apply: 0 Copyright @ 2017 lefred & ProxySQL. All rights reserved. 23 / 39

  24. rule #2 rule_id: 2 active: 1 username: devel agIN: 0

    match_pattern: (\(?)(`?\w+`?\.)?cc_num(\)?)([ ,\n]) re_modi ers: caseless,global agOUT: NULL replace_pattern: \1CONCAT(LEFT(\2cc_num,2),REPEAT('X',10))\3 cc_num\4 apply: 0 Copyright @ 2017 lefred & ProxySQL. All rights reserved. 24 / 39

  25. rule #3 rule_id: 3 active: 1 username: devel agIN: 0

    match_pattern: \)(\)?) cc_num\s+(\w), re_modi ers: caseless,global agOUT: NULL replace_pattern: )\1 \2, apply: 1 Copyright @ 2017 lefred & ProxySQL. All rights reserved. 25 / 39

  26. rule #4 rule_id: 4 active: 1 username: devel agIN: 0

    match_pattern: \)(\)?) cc_num\s+(.*)\s+from re_modi ers: caseless,global agOUT: NULL replace_pattern: )\1 \2 from apply: 1 Copyright @ 2017 lefred & ProxySQL. All rights reserved. 26 / 39

  27. rule #5 rule_id: 5 active: 1 username: devel match_pattern: ^SELECT\s+\*.*FROM.*CUSTOMERS

    re_modi ers: caseless,global error_msg: Query not allowed due to sensitive information, please contact [email protected] apply: 0 Copyright @ 2017 lefred & ProxySQL. All rights reserved. 27 / 39

  28. rule #6 rule_id: 6 active: 1 username: devel match_pattern: ^SELECT\s+CUSTOMERS\.\*.*FROM.*CUSTOMERS

    re_modi ers: caseless,global error_msg: Query not allowed due to sensitive information, please contact [email protected] apply: 0 Copyright @ 2017 lefred & ProxySQL. All rights reserved. 28 / 39

  29. rule #7 rule_id: 7 active: 1 username: devel match_pattern: ^SELECT\s+(\w+)\.\*.*FROM.*CUSTOMERS\s+(as\s+)?(\1)

    re_modi ers: caseless,global error_msg: Query not allowed due to sensitive information, please contact [email protected] apply: 0 Copyright @ 2017 lefred & ProxySQL. All rights reserved. 29 / 39

  30. Limitations supported in proxySQL >= 1.4.x Copyright @ 2017 lefred

    & ProxySQL. All rights reserved. 30 / 39

  31. Limitations supported in proxySQL >= 1.4.x all fields with the

    same name will be masked whatever the name of the table is Copyright @ 2017 lefred & ProxySQL. All rights reserved. 31 / 39

  32. Limitations supported in proxySQL >= 1.4.x all fields with the

    same name will be masked whatever the name of the table is the regexps can always be not sufficient Copyright @ 2017 lefred & ProxySQL. All rights reserved. 32 / 39

  33. Make it easy This is not really easy isn't it

    ? You can use this small bash script (https://gist.github.com/lefred/c040fee7e9c60ff3ca80f1590c48572b) to generate them: # ./maskit.sh -c cc_num -t CUSTOMERS column: cc_num table: CUSTOMERS let's add the rules... Copyright @ 2017 lefred & ProxySQL. All rights reserved. 33 / 39

  34. Examples Easy ones SELECT * FROM CUSTOMERS; SELECT rstname, lastname,

    cc_num FROM CUSTOMERS; Copyright @ 2017 lefred & ProxySQL. All rights reserved. 34 / 39

  35. Examples (2) More difficult Thank you Thomas Adolph & Dipti

    Joshi for the suggestions select rstname, CONCAT(cc_num), lastname from myapp.CUSTOMERS; select rstname, cc_num, cc_num from myapp.CUSTOMERS; select rstname, `cc_num` from myapp.CUSTOMERS; select rstname, cc_num from myapp.CUSTOMERS; (*) (*) on two lines Copyright @ 2017 lefred & ProxySQL. All rights reserved. 35 / 39

  36. Examples (3) select t1.cc_num from myapp.CUSTOMERS as t1; select rstname,

    cc_num as fred from CUSTOMERS; select rstname, cc_num fred from CUSTOMERS; select rstname, cc_num `as` from CUSTOMERS; select cc_num as `as`, rstname from CUSTOMERS; select `t1`.`cc_num` from myapp.CUSTOMERS as t1; Copyright @ 2017 lefred & ProxySQL. All rights reserved. 36 / 39

  37. Examples (4) select cc_num fred, rstname from CUSTOMERS; select rstname,

    /* cc_num */, from myapp.CUSTOMERS; /* */ select rstname, cc_num from myapp.CUSTOMERS; select CUSTOMERS.* from myapp.CUSTOMERS; select a.* from myapp.CUSTOMERS a; Copyright @ 2017 lefred & ProxySQL. All rights reserved. 37 / 39

  38. We need you ! Copyright @ 2017 lefred & ProxySQL.

    All rights reserved. 38 / 39

  39. Thank you ! Questions ? Copyright @ 2017 lefred &

    ProxySQL. All rights reserved. 39 / 39