You can create, modify, delete, enable, and disable data masking rules in the PolarDB console. This topic describes how to manage data masking rules.
Prerequisites
The version of the PolarDB for MySQL proxy must be 2.4.12 or later. For more information about how to view and upgrade the version of PolarDB proxy, see Minor version update.
Considerations
- The dynamic data masking feature applies only to cluster endpoints, including default cluster endpoints and customized cluster endpoints. When you query data from a primary endpoint, the dynamic data masking feature is not applied. For more information about how to view and apply for a cluster endpoint, see View the endpoint and port number.
- If the query results contain data that needs to be masked and the size of a single row exceeds 16 MB, the query session is closed.
  For example, you want to query the `name` and `description` columns of the `Person` table in which the `name` column needs to be masked. However, the size of the data in a row of the `description` column exceeds 16 MB. In this case, the query session is closed when you execute the `SELECT name, description FROM person` statement.
- If the data column you want to mask is used as a function parameter, data masking is not applied.
  For example, if a rule has been created to mask data in the `name` column, your application can still read the actual value of the `name` column when you execute the `SELECT CONCAT(name, '') FROM person` statement.
- If the data column you want to mask is used in the UNION operator, data masking is not applied.
  For example, if a rule has been created to mask data in the `name` column, your application can still read the actual value of the `name` column when you execute the `SELECT hobby FROM person UNION SELECT name FROM person` statement.
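The function-parameter and UNION cases above can be looked for in a SQL audit log. The following is an added example, not part of the original page or of PolarDB: a token-based heuristic that flags statements whose select list uses a masked column inside parentheses or in a UNION branch. `MASKED_COLUMNS`, the function names, and the sample statements are assumptions constructed for the example.

```python
import re

# Assumption: columns covered by a masking rule (the page's examples mask `name`).
MASKED_COLUMNS = {"name"}
_TOKEN = re.compile(r"'(?:[^'\\]|\\.)*'|[A-Za-z_][A-Za-z0-9_]*|\S")

def _branches(tokens):
    """Split tokens into SELECT branches at UNION keywords outside parentheses."""
    depth, current, out = 0, [], []
    for tok in tokens:
        depth += (tok == "(") - (tok == ")")
        if depth == 0 and tok.upper() == "UNION":
            out.append(current)
            current = []
        else:
            current.append(tok)
    return out + [current]

def _select_list(branch):
    """Yield (token, nesting) between SELECT and the FROM at the same depth."""
    depth, base = 0, None
    for tok in branch:
        depth += (tok == "(") - (tok == ")")
        if base is None:
            base = depth if tok.upper() == "SELECT" else None
        elif depth == base and tok.upper() == "FROM":
            return
        else:
            yield tok, depth - base

def masking_gaps(sql, masked=MASKED_COLUMNS):
    """Return the documented no-masking cases that a statement matches."""
    branches = _branches(_TOKEN.findall(sql))
    hits = [n for b in branches for t, n in _select_list(b) if t.lower() in masked]
    gaps = set()
    if any(n > 0 for n in hits):      # column used inside parentheses
        gaps.add("function-parameter")
    if hits and len(branches) > 1:    # column selected in a UNION branch
        gaps.add("union")
    return gaps

# Constructed sample statements, as they might appear in a SQL audit log.
SAMPLE_LOG = [
    "SELECT name, description FROM person",
    "SELECT CONCAT(name, '') FROM person",
    "SELECT hobby FROM person UNION SELECT name FROM person",
    "SELECT id FROM person WHERE name = 'name'",
]

FLAGGED = [(s, sorted(masking_gaps(s))) for s in SAMPLE_LOG if masking_gaps(s)]
```

The check is a heuristic over the statement text only: it treats any parenthesised use in the select list as a function parameter, and it cannot see `SELECT *` expansions or the 16 MB row-size case.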
Create a data masking rule
- Log on to the PolarDB console.
- In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
- Find the cluster and click the cluster ID.
- In the left-side navigation pane, choose .
- On the Dynamic Data Masking/Encryption tab, click Add in the upper-left corner.
- In the Create Rule dialog box, configure the parameters.
Table 1. Configure data masking rule parameters
Section | Parameter | Required | Description |
Basic Information | Rule Name | Yes | The name of the data masking rule. The name can be up to 30 characters in length. |
Basic Information | Description | No | The description of the data masking rule. The description can be up to 64 characters in length. |
Basic Information | Enable/Disable | N/A | Specifies whether to enable the rule. Note: The Enable/Disable switch is turned on when you create a data masking rule. |
Basic Information | Endpoint | Yes | The endpoint to which the current rule is applied. |
Configurations | Database Account Name | No | The name of the database account to which the rule is applied. The type of the account that is used to connect to the sandbox instance. Valid values: All Accounts: indicates that the rule applies to all accounts of the cluster. The text box on the right needs to be left empty. Include: indicates that the rule applies only to specified database accounts. You need to specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,). Exclude: indicates that the rule applies only to database accounts that are not specified in this section. You need to specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,). Note: The database account names can be in the following formats: `account name` (example: `user`); `account name@full IP address` (example: `user@10.1.1.1`); `account name@IP address with wildcard characters` (example: `user@10.1.1.%`, `user@%.1.1.1`, or `user@1.%.1`); `account name@IP address/subnet mask` (example: `user@10.1.1.0/255.255.255.0`). |
Configurations | Database Name | No | The name of the database to which the rule is applied. The type of the account that is used to connect to the sandbox instance. Valid values: All Databases: indicates that the rule applies to all the databases in the cluster. The text box on the right needs to be left empty. Include: indicates that the rule applies only to specified databases. You need to specify at least one database name in the text box on the right. Separate multiple database names with commas (,). |
Configurations | Table Name | No | The name of the table to which the rule is applied. The type of the account that is used to connect to the sandbox instance. Valid values: All tables: indicates that the rule applies to all the tables in the cluster. The text box on the right needs to be left empty. Include: indicates that the rule applies only to specified tables. You need to specify at least one table name in the text box on the right. Separate multiple table names with commas (,). |
Configurations | Column Name | Yes | The name of the field to which the rule is applied. You can specify more than one field name and separate multiple field names with commas (,). |
- Click OK.
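Before saving a rule with an Include or Exclude account list, it helps to work out which connections the list leaves outside the rule. The following is an added example, not PolarDB code: it evaluates the Database Account Name formats from Table 1 against a list of connections. It assumes that `%` matches any run of characters, as in MySQL host patterns; the proxy's actual matching may differ. The function names and sample connections are constructed for the example.

```python
import ipaddress
import re

def host_matches(pattern, client_ip):
    """Match a client IP against the host part of one account entry."""
    if "/" in pattern:  # IP address/subnet mask, e.g. 10.1.1.0/255.255.255.0
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    # Assumption: '%' matches any run of characters, as in MySQL host patterns.
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, client_ip) is not None

def entry_matches(entry, user, client_ip):
    """True if 'account' or 'account@host' covers this user and client IP."""
    name, _, host = entry.strip().partition("@")
    return name == user and (host == "" or host_matches(host, client_ip))

def rule_applies(mode, accounts, user, client_ip):
    """Evaluate the Database Account Name setting for one connection."""
    if mode == "All Accounts":
        return True
    listed = any(entry_matches(e, user, client_ip) for e in accounts.split(","))
    if mode == "Include":
        return listed
    if mode == "Exclude":
        return not listed
    raise ValueError("unknown mode: " + mode)

def unmasked(mode, accounts, connections):
    """Return the (user, ip) pairs that the rule does not cover."""
    return [c for c in connections if not rule_applies(mode, accounts, *c)]

# Constructed connections for the example.
CONNECTIONS = [
    ("report", "10.1.1.20"),
    ("report", "10.1.2.20"),
    ("dba", "10.1.1.5"),
    ("etl", "192.168.0.9"),
]

if __name__ == "__main__":
    print(unmasked("Include", "report@10.1.1.%,etl", CONNECTIONS))
    print(unmasked("Exclude", "dba@10.1.1.0/255.255.255.0", CONNECTIONS))
```

With the Include list shown, the `report` account connecting from `10.1.2.20` falls outside the rule, which is the kind of gap a host-qualified entry can introduce.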
Enable or disable a data masking rule
- Log on to the PolarDB console.
- In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
- Find the cluster and click the cluster ID.
- In the left-side navigation pane, choose .
- On the Dynamic Data Masking/Encryption tab, find the rule and turn the Enable/Disable switch on or off.
  Note: You can select multiple rules in the list and then click Enable or Disable at the bottom of the list to batch enable or disable the rules.
  Disabled rules are not deleted. You can enable disabled rules when needed.
- In the message that appears, click OK.
Modify a data masking rule
- Log on to the PolarDB console.
- In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
- Find the cluster and click the cluster ID.
- In the left-side navigation pane, choose .
- On the Dynamic Data Masking/Encryption tab, find the rule and click Modify in the Actions column. In the dialog box that appears, modify the parameters based on your business requirements. For more information about the parameters, see Configure data masking rule parameters.
  Note: You can modify only the Description parameter and the parameters in the Configurations section. You cannot modify the Rule Name parameter.
- Click OK.
Delete a data masking rule
- Log on to the PolarDB console.
- In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
- Find the cluster and click the cluster ID.
- In the left-side navigation pane, choose .
- On the Dynamic Data Masking/Encryption tab, find the rule and click Delete in the Actions column.
  Note: You can select multiple rules in the list and then click Delete at the bottom of the list to delete multiple rules at a time.
- In the message that appears, click OK.
Related API operations
Operation | Description |
Queries the data masking rules that are applied for a PolarDB cluster or the details of a specified data masking rule. | |
Modifies or adds a data masking rule. | |
Deletes a data masking rule. |