[MXS-1583] Database firewall filter failing with multiple users statements in rules file Created: 2017-12-15  Updated: 2018-01-29  Resolved: 2018-01-29

Status: Closed
Project: MariaDB MaxScale
Component/s: dbfwfilter
Affects Version/s: 2.2.0
Fix Version/s: 2.2.2

Type: Bug Priority: Major
Reporter: Fernando Assignee: Johan Wikman
Resolution: Fixed Votes: 0
Labels: None
Environment:

Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-103-generic x86_64)


Sprint: MXS-SPRINT-50

Description

I'm trying to create two different firewall rule set associations for a single user in MaxScale 2.2.0; my goals are:

  • To avoid function usage on multiple columns along many tables
  • To avoid function usage on specific columns for a single table.

Both rules are to add protection when masking sensitive data. For this, I have the following maxscale.cnf:

[MyServer]
type=server
address=DBHOST
port=DBPORT
protocol=MySQLBackend
 
[MyMasking]
type=filter
module=masking
warn_type_mismatch=always
large_payload=abort
rules=PATH_TO_MASKING_JSON
 
[MyDBFW]
type=filter
module=dbfwfilter
rules=PATH_TO_FW_RULES_TXT
 
[MaskingService]
type=service
router=readconnroute
servers=MyServer
user=DBUSER
passwd=DBPASS
filters=MyMasking | MyDBFW

With this FW rules file:

rule denied_functions_on_common_sensitive_data match uses_function many_common_column_names
 
users my_user@% match all rules denied_functions_on_common_sensitive_data
 
rule denied_functions_on_specific_data match uses_function many_specific_column_names
rule specific_table match regex '.*select.*from.*specific.*'
 
users my_user@% match all rules denied_functions_on_addresses_data specific_table

I start the server and the masking works great. However, whenever I try to run, for example, a concat function on one of the forbidden columns, the service returns the real values, instead of a Permission denied response.

I checked the logs and maxadmin and validated that the rules were matched:

2017-12-15 15:02:02   notice : (3) [dbfwfilter] rule 'specific_table': regex matched on query
2017-12-15 15:02:02   notice : (3) [dbfwfilter] rule 'denied_functions_on_specific_data': query uses a function with forbidden column: specific_column
2017-12-15 15:02:03   notice : (3) [dbfwfilter] rule 'denied_functions_on_common_sensitive_data': query uses a function with forbidden column: common_column

However, if I remove one of the users directives in the firewall rules txt file, the one I left activated works, and the server replies 'Permission denied'.

Could you provide assistance regarding this issue? Thank you.



Comments
Comment by markus makela [ 2017-12-19 ]

If you remove both users lines and add the following, does it work?

users my_user@% match all rules denied_functions_on_common_sensitive_data denied_functions_on_addresses_data specific_table

If this fixes it, the problem is a missing error when a new users definition overwrites a previous user definition.

Comment by Fernando [ 2017-12-21 ]

Thanks for your replies!
I'll try your suggestion, Markus (after so many tries, I'm not sure if that did work). Although it would not satisfy my requirement, since it would only filter sensitive data columns for the specific table, and not others.

I'll also check version 2.2.2 ASAP and let you know how it went, Johan.

EDIT: just realized 2.2.2 is not released yet. I'll be expecting it, whenever you're able to release it.

Regards

Comment by markus makela [ 2017-12-21 ]

Ah, so you would need an OR operation between two sets of rules? That makes sense and I guess it should be possible to do that even with the current implementation.

Comment by Fernando [ 2017-12-21 ]

Oh, how would that be achieved? I tried some combinations unsuccessfully, since I couldn't find references in the documentation.
Thanks once again.

Comment by markus makela [ 2017-12-21 ]

What I meant is that the way you have defined the users appears to be a valid way of defining them and if it doesn't work we can safely label this as a bug.

Comment by markus makela [ 2018-01-16 ]

I think this would work: users my_user@% match any rules denied_functions_on_common_sensitive_data denied_functions_on_addresses_data specific_table

fsilvac, please try whether it works the way you expect it to work.

Comment by Fernando [ 2018-01-19 ]

Thank you Markus.
However, that would not work, because it would filter any query with column names identical to those of the specific table I want to block.

For example, I want to block access to functions using the number column of the table phones (so they can't bypass dynamic masking). However, I don't want to block access to the number column of another table called requests. That's why I would want an instruction set like this:

rule denied_functions_on_phone_data match uses_function number
rule phones_table match regex '.select.*from.*phones.'

users my_user@% match all rules denied_functions_on_phone_data phones_table

If I use any, that would block access to the number column from table requests as well.
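A small lint and evaluation helper, added here as an illustration and not part of MaxScale or this ticket, that parses a rules file in the format used in the description and in the phones/requests example above: it reports a second users line for the same user (the silent overwrite Markus describes, which 2.2.0 applied without an error) and any reference to an undefined rule, then shows why match all permits a function on requests.number while match any would deny it. The rules text, the helper names and the simplified all/any evaluation are assumptions of this example.

```python
from typing import Dict, List, Set, Tuple

# Constructed rules text modelled on the ticket: the same user is defined twice.
SAMPLE_RULES = """rule denied_functions_on_common match uses_function common_column
users my_user@% match all rules denied_functions_on_common
rule denied_functions_on_phone_data match uses_function number
rule phones_table match regex '.*select.*from.*phones.*'
users my_user@% match all rules denied_functions_on_phone_data phones_table
"""

def parse_rules(text: str):
    """Parse dbfwfilter-style rules text; returns (rules, users, problems)."""
    rules: Dict[str, str] = {}                      # rule name -> match type
    users: Dict[str, Tuple[str, List[str]]] = {}    # user -> (mode, rule names)
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):       # blank or comment line
            continue
        if tok[0] == "rule":                        # rule NAME match TYPE [args...]
            if len(tok) < 4 or tok[2] != "match":
                problems.append(f"line {lineno}: malformed rule")
                continue
            rules[tok[1]] = tok[3]
        elif tok[0] == "users":                     # users NAME... match MODE rules RULE...
            try:
                m, r = tok.index("match"), tok.index("rules")
                mode, names, rule_names = tok[m + 1], tok[1:m], tok[r + 1:]
            except (ValueError, IndexError):
                problems.append(f"line {lineno}: malformed users line")
                continue
            for name in rule_names:
                if name not in rules:               # e.g. a misspelt rule name
                    problems.append(f"line {lineno}: unknown rule '{name}'")
            for user in names:
                if user in users:                   # the silent overwrite from MXS-1583
                    problems.append(f"line {lineno}: users '{user}' redefined, "
                                    "earlier definition dropped")
                users[user] = (mode, rule_names)    # later definition wins, as in 2.2.0
    return rules, users, problems

def is_blocked(users, user: str, matched: Set[str]) -> bool:
    """Given the rule names a query matched, would this user's query be denied?"""
    if user not in users:
        return False
    mode, names = users[user]
    if mode == "any":
        return any(n in matched for n in names)
    return bool(names) and all(n in matched for n in names)   # all / strict_all
```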
