MariaDB MaxScale / MXS-1583

Database firewall filter failing with multiple users statements in rules file


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.2.2
    • Component/s: dbfwfilter
    • Labels: None
    • Environment:
      Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-103-generic x86_64)
    • Sprint:
      MXS-SPRINT-50

      Description

      I'm trying to create two different firewall rule set associations for a single user in MaxScale 2.2.0. My goals are:

      • To avoid function usage on multiple columns along many tables
      • To avoid function usage on specific columns for a single table.

      Both rules are to add protection when masking sensitive data. For this, I have the following maxscale.cnf:

      [MyServer]
      type=server
      address=DBHOST
      port=DBPORT
      protocol=MySQLBackend
       
      [MyMasking]
      type=filter
      module=masking
      warn_type_mismatch=always
      large_payload=abort
      rules=PATH_TO_MASKING_JSON
       
      [MyDBFW]
      type=filter
      module=dbfwfilter
      rules=PATH_TO_FW_RULES_TXT
       
      [MaskingService]
      type=service
      router=readconnroute
      servers=MyServer
      user=DBUSER
      passwd=DBPASS
      filters=MyMasking | MyDBFW
      

      With this FW rules file:

      rule denied_functions_on_common_sensitive_data match uses_function many_common_column_names
       
      users my_user@% match all rules denied_functions_on_common_sensitive_data
       
      rule denied_functions_on_specific_data match uses_function many_specific_column_names
      rule specific_table match regex '.*select.*from.*specific.*'
       
      users my_user@% match all rules denied_functions_on_specific_data specific_table
      

      I start the server and the masking works great. However, whenever I try to run, for example, a concat function on one of the forbidden columns, the service returns the real values, instead of a Permission denied response.

      I checked the logs and maxadmin and validated that the rules were matched:

      2017-12-15 15:02:02   notice : (3) [dbfwfilter] rule 'specific_table': regex matched on query
      2017-12-15 15:02:02   notice : (3) [dbfwfilter] rule 'denied_functions_on_specific_data': query uses a function with forbidden column: specific_column
      2017-12-15 15:02:03   notice : (3) [dbfwfilter] rule 'denied_functions_on_common_sensitive_data': query uses a function with forbidden column: common_column
      

      However, if I remove one of the users directives in the firewall rules txt file, the one I left activated works, and the server replies 'Permission denied'.

      Could you provide assistance regarding this issue? Thank you.
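The failure mode above only appears when the same user is named in more than one `users` directive, and the rules file is the only place that shape can be caught before the filter is deployed. The script below is an added example, not MaxScale code or anything attached to this issue: it parses a dbfwfilter rules file using the grammar shown in the report (`rule NAME match ...` and `users USER ... match any|all|strict_all rules RULE ...`), flags any user declared more than once, and flags `users` lines that reference a rule name never defined. It assumes that lines beginning with `#` are comments; the sample rules text is constructed to mirror the report's file.

```python
"""Lint a MaxScale dbfwfilter rules file for the shape reported in MXS-1583.

Added example, not MaxScale code. It assumes the rules-file grammar shown
in the report:

    rule NAME match ...
    users USER [USER ...] match any|all|strict_all rules RULE [RULE ...]

and treats lines starting with '#' as comments (an assumption about the
format, not something the report states).
"""
import re
from collections import defaultdict

# Constructed sample with the same shape as the report's rules file: three
# rules, and the same user given two separate 'users' directives.
SAMPLE_RULES = """\
rule denied_functions_on_common_sensitive_data match uses_function many_common_column_names

users my_user@% match all rules denied_functions_on_common_sensitive_data

rule denied_functions_on_specific_data match uses_function many_specific_column_names
rule specific_table match regex '.*select.*from.*specific.*'

users my_user@% match all rules denied_functions_on_specific_data specific_table
"""

USERS_RE = re.compile(
    r"^users\s+(?P<users>.+?)\s+match\s+(?P<mode>any|all|strict_all)\s+rules\s+(?P<rules>.+)$"
)


def parse_rules(text):
    """Return (set of defined rule names, list of (user, mode, [rule, ...]))."""
    defined = set()
    assignments = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "rule" and len(parts) >= 2:
            # 'rule NAME ...' defines NAME; the match body is not needed here.
            defined.add(parts[1])
            continue
        m = USERS_RE.match(line)
        if m:
            # One 'users' line may name several users; record each separately.
            rules = m.group("rules").split()
            for user in m.group("users").split():
                assignments.append((user, m.group("mode"), rules))
    return defined, assignments


def lint(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    defined, assignments = parse_rules(text)
    findings = []
    per_user = defaultdict(list)
    for user, mode, rules in assignments:
        per_user[user].append((mode, rules))
        for rule in rules:
            if rule not in defined:
                findings.append(f"users {user}: references undefined rule '{rule}'")
    for user, entries in per_user.items():
        if len(entries) > 1:
            # The exact shape from the report: the same user in two 'users' lines.
            findings.append(
                f"users {user}: declared {len(entries)} times; "
                f"on 2.2.0 this is the shape from MXS-1583, keep one 'users' line per user"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES) or ["no findings"]:
        print(finding)
```

The lint only reports the shape; it does not rewrite the file, because folding two `match all` lists into a single `match all` line changes what is blocked (every listed rule would then have to match), and the report does not say how 2.2.2 resolves the duplicate. Decide the intended match mode before collapsing the directives.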

            People

            Assignee: Johan Wikman
            Reporter: Fernando
            Votes: 0
            Watchers: 2