[MXS-2992] ALTER TABLE statements not working with masking filter Created: 2020-05-12 Updated: 2021-08-26 Resolved: 2021-08-26 |
|
| Status: | Closed |
| Project: | MariaDB MaxScale |
| Component/s: | masking |
| Affects Version/s: | 2.4.9 |
| Fix Version/s: | 6.2.0 |
| Type: | Bug | Priority: | Minor |
| Reporter: | Robert Buchinger | Assignee: | markus makela |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Environment: |
CentOS 7.8.2003, MariaDB10.2.x Backends |
||
| Description |
|
Not sure if it is 100% a bug. When applying a masking filter that for example should mask out passwords on specific database.tables.column I am not able to run any ALTER TABLE queries. These queries are blocked with
even when I log in as one of the users listed as exempted My filter rule
|
| Comments |
| Comment by Johan Wikman [ 2020-05-12 ] |
|
MaxScale uses a heavily modified parser from sqlite for parsing the statements that passes through it. As it is not the same parser as the one used in the server, there are statements that the server accepts, but that MaxScale fails to parse. There are also statements that MaxScale simply does not parse fully because the details are not interesting. I think ALTER TABLE is one of those. Anyway, unless a particular statement has been fully parsed the masking filter rejects it, because in that case the masking filter cannot know what exactly the statement contains and hence may not be able to mask the result the way it is intended. ALTER TABLE doesn't return a result set, so it could be let through, but currently it isn't. It would also be possible to check up front whether there are any rules that could be applicable to the current user and if there are none, just let all statements through, but currently that is not done. |
| Comment by markus makela [ 2020-07-03 ] |
|
An improvement that could be done is to first check if a user is exempt from all rules before rejecting a partially parsed query. This would allow pre-defined users to bypass this limitation. |