proxy.golang.org : github.com/artyom/shadowdb
Command shadowdb creates a new MySQL database that contains VIEWs pointing to original database tables with content of sensitive columns masked. The use case for shadowdb is to have a read-only MySQL database similar to the original one but with some sensitive text information replaced by placeholders. Naturally one can use MySQL permissions system to only grant SELECT privilege to subset of table columns, but this approach breaks programs which expect to be able to read values of sensitive columns as well. Such scenario can be handled by creating a separate database with SQL VIEWs referencing original database tables but returning placeholder values for columns with sensitive data. Consider the following table: Here's an example of query against such table: The view limiting visibility of the "name" column for such table can be created like this: Now query against masked_db.users view returns the same number of columns as original_db.users, but has asterisks in place of the "name" column values: Command shadowdb automates such process by discovering fields of each table in the original database and creating (or updating) corresponding views for them, masking provided sensitive fields. Additionally this command creates/updates privileges for the given MySQL user so that such user can only select non-masked fields from the original database and all fields of the created views. If original database schema changes, shadowdb command should be run again — it will update views to reflect original database tables. Note that it does not remove views for dropped tables, you have to manually do this. shadowdb automatically creates destination (masked) database as necessary, as well as the user to grant select privileges to. It does not configure authorization for such user. List of sensitive fields is expected to be in CSV format of table_name,column_name pairs (case insensitive) without header, see the -mask flag. It is implied that masked columns are of some text type (varchar, etc.), if they're not, clients working with created views may be surprised by seeing text placeholder value instead of non-text type of the original table. MySQL credentials (user and password) are read from the "client" section of the .my.cnf file which is expected to have the following format: The user is expected to have SUPER privileges (or their subset sufficient to create databases, views and grant privileges). If -tls flag is used, program connects to the server over TLS and expects server certificate to be signed with certificate authority from the system CA pool. On UNIX systems the environment variables SSL_CERT_FILE and SSL_CERT_DIR can be used to override the system default locations for the SSL certificate file and SSL certificate files directory, respectively.
Registry
-
Source
- Documentation
- JSON
purl: pkg:golang/github.com/artyom/shadowdb
License: MIT
Latest release: almost 5 years ago
First release: almost 5 years ago
Namespace: github.com/artyom
Stars: 0 on GitHub
Forks: 0 on GitHub
See more repository details: repos.ecosyste.ms
Last synced: about 2 months ago