Masking Means Prevention

With the masking filter that was introduced in MariaDB MaxScale 2.1 it is possible to mask columns so that although the columns themselves are visible to clients, the data in those columns is not. For instance, we can arrange things so that a query like

SELECT name, ssn, FROM person 

does not return a result like

+-------+-------------+
+ name  | ssn      |
+-------+-------------+
| Alice | 721-07-4426 |
| Bob   | 435-22-3267 |
... 

but instead something like

+-------+-------------+
+ name  | ssn      |
+-------+-------------+
| Alice | XXXXXXXXXXX |
| Bob   | XXXXXXXXXXX |
... 

Taking the masking filter into use is quite straightforward. In the configuration file you need to specify a section for the filter as follows:

[Masking]
type=filter
module=masking
rules=masking.json 

The rules parameter specifies a file where the actual masking rules are. The rules are specified using JSON and the following is sufficient in order to unconditionally mask the values of all columns whose name is ssn.

{
"rules": [
{
"replace": {
"column": "ssn"
},
"with": {
"fill": "X"
}
}
]
} 

The possibilities for specifying the rules are quite versatile and are explained in detail in the MaxScale documentation.

Up until MaxScale 2.2 the masking could be circumvented. All you needed to do was to access the column using a function.

SELECT name, concat(ssn) FROM person

+-------+-------------+
+ name  | concat(ssn) |
+-------+-------------+
| Alice | 721-07-4426 |
| Bob   | 435-22-3267 |
...

The reason was that as the masking acted strictly on the result set, using a function would hide the column name, thus preventing the masking filter from masking the value. This behaviour could be prevented by manually setting up a firewall filter for preventing the use of functions or some specific functions, but that was quite laborious and cumbersome.

In MaxScale 2.3, the most recent GA version of MaxScale available as part of MariaDB Platform X3, this has been greatly simplified as the masking filter now by default rejects statements that use functions in conjunction with columns that should be masked. With MaxScale 2.3 the result is as follows:

SELECT name, concat(ssn) FROM person

ERROR 1141 (HY000): The function concat is used in conjunction with a field that should be masked for 'user'@'127.0.0.1', access is denied.

This behaviour is controlled with the new configuration parameter prevent_function_usage whose default value is true. If a blanket rejection of all functions is too coarse an approach, then by setting the value to false and by configuring a separate firewall filter, function usage can be controlled in a more detailed manner.