Switch MySQL data masking from Inception to goInception #1307

Merged
merged 49 commits into from
Jan 13, 2022

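unknowissue
Contributor

#Switch from Inception to goInception: point the IP and port used for data masking in Archery at those of goInception
#The overall logic is not changed; the main change is to the keywords in the results returned by goInception, e.g. db becomes schema
#The logic will be optimized later; it seems the * check is never hit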

@unknowissue
Contributor Author

Hmm, there is a problem: select a.* from t1 a is not masked
hanchuanchuan/goInception#417

@codecov

codecov bot commented Jan 4, 2022

Codecov Report

Merging #1307 (9fa9407) into master (c996a87) will decrease coverage by 2.28%.
The diff coverage is 90.35%.

@@            Coverage Diff             @@
##           master    #1307      +/-   ##
==========================================
- Coverage   78.00%   75.72%   -2.29%     
==========================================
  Files          79       80       +1     
  Lines       12236    12465     +229     
==========================================
- Hits         9545     9439     -106     
- Misses       2691     3026     +335     
Impacted Files Coverage Δ
sql/engines/__init__.py 71.23% <ø> (ø)
sql/engines/inception.py 16.76% <0.00%> (-69.37%) ⬇️
sql/models.py 96.10% <ø> (ø)
sql/utils/data_masking.py 9.09% <ø> (-83.64%) ⬇️
sql/engines/goinception.py 81.13% <68.33%> (-5.72%) ⬇️
sql/engines/mysql.py 91.52% <80.00%> (ø)
sql/utils/go_data_masking.py 94.18% <94.18%> (ø)
sql/engines/tests.py 99.82% <100.00%> (-0.01%) ⬇️
sql/utils/tests.py 100.00% <100.00%> (ø)
... and 3 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@unknowissue
Contributor Author

@hhyo Hello, could you take a look? In the latest values.yaml and docker-compose.yml I declared the latest goInception version, but the tests still use the old version. Did I write something wrong?
Thanks!

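@hhyo
Owner

hhyo commented Jan 4, 2022

> @hhyo Hello, could you take a look? In the latest values.yaml and docker-compose.yml I declared the latest goInception version, but the tests still use the old version. Did I write something wrong? Thanks!

The masking tests all use mocks rather than fetching real Inception output, so you only need to change the format of the mock data in the test cases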

@hhyo
Owner

hhyo commented Jan 5, 2022

It looks like CI still has one error

@unknowissue
Contributor Author

Looks like this works now?
@hhyo
Please help confirm.
Awkward....

Owner

@hhyo hhyo left a comment

If it is confirmed that this can fully replace Inception, I suggest removing all Inception-related code outright

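@unknowissue
Contributor Author

> If it is confirmed that this can fully replace Inception, I suggest removing all Inception-related code outright

Shouldn't we consider a compatible version? Maybe some people still like using Inception.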

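@hhyo
Owner

hhyo commented Jan 11, 2022

> > If it is confirmed that this can fully replace Inception, I suggest removing all Inception-related code outright
>
> Shouldn't we consider a compatible version? Maybe some people still like using Inception.

No need. In the current version Inception is only used for statement parsing and no longer supports review and execution; if masking can be replaced, there is no reason to keep it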

@hhyo
Owner

hhyo commented Jan 11, 2022

#145 (comment)

The failing scenarios listed there can all be verified

@unknowissue
Contributor Author

> #145 (comment)
>
> The failing scenarios listed there can all be verified

I'll give it a try

@unknowissue
Contributor Author

Revised it: all references to inception are now references to goinception
You can give it a try now

@hhyo hhyo merged commit 07ff897 into hhyo:master Jan 13, 2022

# Parse the query and reject some keywords that Inception cannot parse
p = sqlparse.parse(sql)[0]
for token in p.tokens:
    if token.ttype is Keyword and token.value.upper() in ['UNION', 'UNION ALL']:

Owner

It is worth testing whether statements that could not be parsed like this are now supported

Contributor Author

goInception has supported ['UNION', 'UNION ALL'] since v1.2.4-73 [https://github.com/hanchuanchuan/goInception/issues/351]. It returns a list with duplicates, so Archery needs a deduplication function; I will update this shortly.

table_ref.append({'schema': list_i['schema'], 'table': list_i['table']})

# Fetch all active masking column rules up front to reduce queries inside the loop and improve efficiency
masking_columns = DataMaskingColumns.objects.filter(active=True)

Owner

I didn't know this before: with lazy loading this does not actually run the query here, but masking performance seems fine anyway

Contributor Author

I haven't figured this part out either, but it doesn't seem to cause any problems.

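@hhyo
Owner

hhyo commented Jan 13, 2022

Merged. The demo site will update automatically once the Docker image is pushed. Please do some testing and verification; the related documentation can also be adjusted and extended. Thanks~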

@unknowissue unknowissue deleted the masking-inception-goInception branch January 13, 2022 01:18
@unknowissue unknowissue restored the masking-inception-goInception branch January 13, 2022 01:18
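@unknowissue
Contributor Author

> Merged. The demo site will update automatically once the Docker image is pushed. Please do some testing and verification; the related documentation can also be adjusted and extended. Thanks~

OK, I'll take a look
Thanks for the hard work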

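@unknowissue
Contributor Author

> > Merged. The demo site will update automatically once the Docker image is pushed. Please do some testing and verification; the related documentation can also be adjusted and extended. Thanks~
>
> OK, I'll take a look. Thanks for the hard work

Documentation:
Prerequisites
1. To use the masking feature with MySQL, goInception v1.2.5-10 or later is recommended (a Docker deployment of goInception needs to use latest); the minimum is v1.2.5 (1.25 does not support select * )
Configuration changes
1. The configuration is basically unchanged; the Inception address and port do not need to be filled in
Notes
1. Masking of subqueries is not supported yet, e.g. select * from (select * from tab)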

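@hhyo
Owner

hhyo commented Jan 23, 2022

Testing found two problems; the covered scenarios are fewer than with Inception, and this needs to be fixed

  1. It cannot identify which statements cannot be masked properly, so the QUERY_CHECK parameter has no effect: statements that cannot be masked can still be queried normally, which is a considerable risk
    Nested subquery: select * from (select * from users ) t;
    Multi-column function: select concat(id,phone) from users;

  2. Masking of forms such as [*,column_a]| [a.*, column_a, b.*] is not supported
    select *,phone from users;
    select a.*,a.phone,b.* from users a join sql_users_groups b on a.id =b.users_id;

All of the above examples can be tested in the demo environment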
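
The statement shapes listed in the comment above, caught by a conservative pre-check that fails closed when QUERY_CHECK is on. This is an added example, not code from Archery or goInception: the function names and regex heuristics are assumptions, and it deliberately over-rejects (any subquery, any multi-argument function).

```python
import re

# Hypothetical helper names; a heuristic scan, not a full SQL parser.
_STRING = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
_STAR = re.compile(r"^(?:[`\w]+\.)?\*$")  # "*", "a.*", "`a`.*"

def _split_top_level(text):
    """Split on commas that are not nested inside parentheses."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            items.append(text[start:i].strip())
            start = i + 1
    items.append(text[start:].strip())
    return items

def _select_list(sql):
    """Text between the outer SELECT and its top-level FROM ('' if none)."""
    head = re.match(r"\s*select\b", sql, re.I)
    if not head:
        return ""
    body, depth = sql[head.end():], 0
    for tok in re.finditer(r"[()]|\bfrom\b", body, re.I):
        if tok.group() in "()":
            depth += 1 if tok.group() == "(" else -1
        elif depth == 0:
            return body[:tok.start()]
    return body

def unmaskable_reasons(sql):
    """Reasons the masking layer cannot be trusted for this statement."""
    sql = _STRING.sub("''", sql)  # literals must not confuse the scan
    items = _split_top_level(_select_list(sql))
    reasons = []
    if re.search(r"\(\s*select\b", sql, re.I):
        reasons.append("nested subquery")
    if any("," in item for item in items):  # comma survived => inside (...)
        reasons.append("multi-argument function")
    if len(items) > 1 and any(_STAR.match(item) for item in items):
        reasons.append("wildcard mixed with other columns")
    return reasons

def allow_query(sql, query_check=True):
    """Fail closed: with QUERY_CHECK on, refuse anything flagged above."""
    return not (query_check and unmaskable_reasons(sql))
```
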
