脱敏数据类型 ========================== 数据动态脱敏用于在 OushuDB 数据库中实时保护敏感数据。通过对特定字段进行脱敏处理,确保数据在查询时只对授权用户展示必要的信息,从而降低数据泄露的风险。 功能介绍 -------- - **动态脱敏**:用户在数据查询时对敏感字段进行动态脱敏处理,保持原数据不变。 - **用户权限控制**:根据用户角色动态调整数据展示。 功能使用 -------- .. container:: refentry :name: 动态脱敏模块初始化 .. container:: titlepage .. container:: refnamediv .. rubric:: 动态脱敏模块初始化 :name: 动态脱敏模块初始化 ``1. 为需要数据脱敏的数据库增加环境变量`` .. note:: 此例数据库名字为 demo_anon,为每个需要动态脱敏功能的数据库做一次性加载 .. code:: programlisting demo_anon=# ALTER DATABASE demo_anon SET session_preload_libraries = 'anon'; ALTER DATABASE ``2. 退出当前session,重新连接,创建动态脱敏功能扩展`` .. code:: programlisting demo_anon=# \q ❯ psql -d demo_anon psql (12.12) Type "help" for help. demo_anon=# CREATE EXTENSION anon CASCADE; NOTICE: installing required extension "pgcrypto" CREATE EXTENSION demo_anon=# ``3. 动态脱敏模块初始化`` .. code:: programlisting SELECT anon.init(); .. container:: refentry :name: 动态脱敏模块应用 .. container:: titlepage .. container:: refnamediv .. rubric:: 动态脱敏模块应用 :name: 动态脱敏模块应用 ``1. 创建一个schema, 将其设置为需要脱敏的schema,设置一个脱敏的目标的schema(不存在后续会自动创建).`` .. code:: programlisting demo_anon=# create schema demo_dymanic_masking; CREATE SCHEMA demo_anon=# set search_path to demo_dymanic_masking; SET demo_anon=# set anon.maskschema ='demo_dynamic_masking_tar'; SET demo_anon=# select anon.set_sourceschema_to(current_schema()); NOTICE: Try set anon.sourceschema to 'demo_dymanic_masking'. set_sourceschema_to ---------------------- demo_dymanic_masking (1 row) ``2. 打开动态脱敏`` .. code:: programlisting demo_anon=# SELECT anon.start_dynamic_masking(); start_dynamic_masking ----------------------- t (1 row) ``3. 创建一个读取脱敏信息的用户,并标记`` .. code:: programlisting demo_anon=# CREATE ROLE demo_dynamic_masking_r LOGIN; NOTICE: resource queue required -- using default resource queue "vc_default.pg_default" CREATE ROLE demo_anon=# SECURITY LABEL FOR anon ON ROLE demo_dynamic_masking_r IS 'MASKED'; SECURITY LABEL ``4. 创建表格,插入数据`` .. code:: programlisting CREATE TABLE people ( id TEXT, firstname TEXT, lastname TEXT, phone TEXT) DISTRIBUTED BY (id); INSERT INTO people VALUES ('T1','Sarah', 'Conor','0609110911'); demo_anon=# SELECT * FROM people; id | firstname | lastname | phone ----+-----------+----------+------------ T1 | Sarah | Conor | 0609110911 (1 row) ``5. 声明脱敏规则`` .. code:: programlisting demo_anon=#SECURITY LABEL FOR anon ON COLUMN people.lastname IS 'MASKED WITH FUNCTION anon.fake_last_name()'; SECURITY LABEL demo_anon=#SECURITY LABEL FOR anon ON COLUMN people.phone IS 'MASKED WITH FUNCTION anon.partial(phone,2,$$******$$,2)'; SECURITY LABEL ``6. 另一个用户登录,select 得到脱敏后数据`` .. code:: programlisting demo_anon=# set role to demo_dynamic_masking_r; SET demo_anon=> set search_path to demo_dynamic_masking_tar; SET demo_anon=> select * from people; id | firstname | lastname | phone ----+-----------+-------------------+------------ T1 | Sarah | Example Last Name | 06******11 (1 row) .. container:: refsect1 :name: id-1.9.3.176.9 .. rubric:: 设置详细脱敏规则另见 :name: 设置详细脱敏规则另见 `SECURITY LABEL `__