Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-1583

Database firewall filter failing with multiple users statements in rules file

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 2.2.0
    • 2.2.2
    • dbfwfilter
    • None
    • Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-103-generic x86_64)
    • MXS-SPRINT-50

    Description

      I'm trying to create two different firewall rules set associations to a single user in Max Scale 2.2.0, my goal are:

      • To avoid function usage on multiple columns along many tables
      • To avoid function usage on specific columns for a single table.

      Both rules are to add protection when masking sensitive data. For this, I have the following maxscale.cnf:

      [MyServer]
      		 
      type=server
      		 
      address=DBHOST
      		 
      port=DBPORT
      		 
      protocol=MySQLBackend
      		 
       
      		 
      [MyMasking]
      		 
      type=filter
      		 
      module=masking
      		 
      warn_type_mismatch=always
      		 
      large_payload=abort
      		 
      rules=PATH_TO_MASKING_JSON
      		 
       
      		 
      [MyDBFW]
      		 
      type=filter
      		 
      module=dbfwfilter
      		 
      rules=PATH_TO_FW_RULES_TXT
      		 
       
      		 
      [MaskingService]
      		 
      type=service
      		 
      router=readconnroute
      		 
      servers=MyServer
      		 
      user=DBUSER
      		 
      passwd=DBPASS
      		 
      filters=MyMasking | MyDBFW

      With this FW rules file:

      rule denied_functions_on_common_sensitive_data match uses_function many_common_column_names
      		 
       
      		 
      users my_user@% match all rules denied_functions_on_common_sensitive_data
      		 
       
      		 
      rule denied_functions_on_specific_data match uses_function many_specific_column_names
      		 
      rule specific_table match regex '.*select.*from.*specific.*'
      		 
       
      		 
      users my_user@% match all rules denied_functions_on_addresses_data specific_table

      I start the server and the masking works great. However, whenever I try to run, for example, a concat function on one of the forbidden columns, the service returns the real values, instead of a Permission denied response.

      I checked the logs and maxadmin and validated that the rules were matched:

      2017-12-15 15:02:02   notice : (3) [dbfwfilter] rule 'specific_table': regex matched on query
      		 
      2017-12-15 15:02:02   notice : (3) [dbfwfilter] rule 'denied_functions_on_specific_data': query uses a function with forbidden column: specific_column
      		 
      2017-12-15 15:02:03   notice : (3) [dbfwfilter] rule 'denied_functions_on_common_sensitive_data': query uses a function with forbidden column: common_column

      However, if I remove one of the users directives in the firewall rules txt file, the one I left activated works, and the server replies 'Permission denied'.

      Could you provide assistance regarding this issue? Thank you.

      Attachments

        Activity

          People

            johan.wikman Johan Wikman
            fsilvac Fernando
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.