Dynamic Data Masking

Introduction

Dynamic data masking is a security feature where sensitive data in a database is masked before being returned when an application queries the database. TaurusDB allows you to add masking rules to mask data in specified databases, tables, and columns.

Principles

After you configure data masking rules as user root, the database will persistently store these rules. When an application executes a query, the database will first check whether the query meets the rules. If it does, the database will mask sensitive data before sending the results to the client.

The data masking rules configured in the following figure are:

The rules apply only when user1 logs in to a database for query.
Only the name and age columns in the t1 table of the db1 database are masked.

The raw data is returned except for the columns configured in the data masking rules.

Figure 1 Diagram
Click to enlarge

As shown in the figure, the name of the string type is displayed as ******, and the age of the INT type is displayed as a random positive integer. The masking method varies depending on the data type. For details, see Table 1.

**Table 1** Data masking
Data Type	After Masking
Integer (TINYINT, SMALLINT, MEDIUMINT, INT, BIGINT, and BOOLEAN)	A positive integer
Decimal (DECIMAL, FLOAT, and DOUBLE)
Time (YEAR)
Time (DATE, TIME, DATETIME, and TIMESTAMP)	DATE: [1000:01:01,9999:12:31.499999] TIME: [00:00:00,838:59:59.499999] DATETIME and TIMESTAMP: [1971:01:01 00:00:00, 2037:12:31 23:59:59.49999]
Other	******

Impact on Performance

After dynamic data masking was enabled and a full-field masking rule (add_mask_rule('', '', '', '')) was configured, configuring 128 data masking rules caused a roughly 10% decrease in database performance in the read-only performance test outlined in the Performance White Paper.

Supported Versions

To use this function, the kernel version of your instance must be 2.0.69.250900 or later.

For details about how to check the kernel version, see How Can I Check the Version of a TaurusDB Instance?

Constraints on Masking Rules

This function can take effect only for SELECT statements.
The masking rules are not applied to system databases. System databases include mysql, information_schema, performance_schema, and sys.
Spaces and special null characters (such as '\t', '\r', and '\n') at the beginning and end of a database name, table name, column name, or username will be ignored after masking.
A database name, table name, or column name should be no longer than 64 bytes. A username should be no longer than 32 bytes. Or, a masking rule will fail to be added.
The administrator list (the value of rds_dynamic_masking_super_users) in a masking rule should be no longer than 4,000 bytes.
Only the root user can add, delete, enable, disable, and update masking rules.
All users can query masking rules.

Parameters for Dynamic Data Masking

On the Parameters page of the management console, you can set the parameters listed in Table 2 to enable dynamic data masking and manage masking rules.

**Table 2** Parameter description
Parameter	Level	Description
rds_dynamic_masking_enabled	Global	Whether to enable dynamic data masking. The default value is OFF.
rds_dynamic_masking_super_users	Global	You can configure multiple administrators separated by commas (,). The masking rules do not take effect for administrators. The default value is an empty string. Example: 'user1,user2'
rds_masking_paramter_max_count	Global	The maximum number of database names, table names, column names, or usernames that can be configured. The default value is 100. It means that a maximum of 100 database names, 100 table names, 100 column names, and 100 usernames can be configured in a rule. Value range: [1, 1000]
rds_masking_map_size	Global	The maximum memory that can be used by masking rules, in MB. The default value is 8. Setting it too high may cause an OOM error. Exercise caution when adjusting it.

Usage

Adding a masking rule

Syntax

CALL dbms_mask.add_mask_rule(
         db_name text,
         table_name text,
         column_name text,
         user_name text);

**Table 3** Parameter description
Parameter	Type	Mandatory	Description
db_name	text	No	The name of the database that the masking rule is to be applied to. You can configure multiple database names separated by commas (,). If db_name is set to an empty string (''), the masking rule takes effect for all databases.
table_name	text	No	The name of the table that the masking rule is to be applied to. You can configure multiple table names separated by commas (,). If table_name is set to an empty string (''), the masking rule takes effect for all tables in the database specified by db_name.
column_name	text	No	The name of the column that the masking rule is to be applied to. You can configure multiple column names separated by commas (,). If column_name is set to an empty string (''), the masking rule takes effect for all columns of the table specified by table_name in the database specified by db_name.
user_name	text	No	The name of the user that the masking rule is to be applied to. You can configure multiple usernames separated by commas (,). If user_name is set to an empty string (''), the masking rule takes effect for all users (excluding administrators).

Permission constraints
Only the root user can add masking rules.
Examples
- Add a masking rule to mask data in columns col_a and col_b of table tab_a in databases db_1 and db_2 for users user1 and user2.
```
CALL dbms_mask.add_mask_rule('db_1,db_2', 'tab_a', 'col_a,col_b', 'user1,user2');
```
- Add a masking rule to mask data in all columns of all tables in all databases for all users.
```
CALL dbms_mask.add_mask_rule('', '', '', '');
```

Querying masking rules

Syntax
```
CALL dbms_mask.show_mask_rule();
```
Permission constraints
All users can query masking rules.
Example
```
CALL dbms_mask.show_mask_rule();
```

Deleting a masking rule

Syntax

CALL dbms_mask.delete_mask_rule(mask_id bigint);

**Table 4** Parameter description
Parameter	Type	Mandatory	Description
mask_id	bigint	Yes	Masking rule ID.

Permission constraints
Only the root user can delete masking rules.
Example
Delete the masking rule whose ID is 2.
```
CALL dbms_mask.delete_mask_rule(2);
```

Updating a masking rule

Syntax

CALL dbms_mask.update_mask_rule(
         mask_id bigint,
         enabled enum('N','Y'),
         db_name text,
         table_name text,
         column_name text,
         user_name text);

**Table 5** Parameter description
Parameter	Type	Mandatory	Description
mask_id	bigint	Yes	Masking rule ID.
enabled	enum	Yes	Whether the masking rule is enabled. The options are: Y: The masking rule is enabled. N: The masking rule is disabled.
db_name	text	No	The name of the database that the masking rule is to be applied to. You can configure multiple database names separated by commas (,). If db_name is set to an empty string (''), the masking rule takes effect for all databases.
table_name	text	No	The name of the table that the masking rule is to be applied to. You can configure multiple table names separated by commas (,). If table_name is set to an empty string (''), the masking rule takes effect for all tables in the database specified by db_name.
column_name	text	No	The name of the column that the masking rule is to be applied to. You can configure multiple column names separated by commas (,). If column_name is set to an empty string (''), the masking rule takes effect for all columns of the table specified by table_name in the database specified by db_name.
user_name	text	No	The name of the user that the masking rule is to be applied to. You can configure multiple usernames separated by commas (,). If user_name is set to an empty string (''), the masking rule takes effect for all users (excluding administrators).

Permission constraints
Only the root user can update masking rules.
Example
Update the status of masking rule 1 to disabled. This rule is used to mask data in all columns of table tab_1 in database db_test for user1.
```
CALL dbms_mask.update_mask_rule(1,'N','db_test', 'tab_1', '', 'user1');
```

Enabling a masking rule

Syntax

CALL dbms_mask.enable_mask_rule(mask_id bigint);

**Table 6** Parameter description
Parameter	Type	Mandatory	Description
mask_id	bigint	Yes	Masking rule ID.

Permission constraints
Only the root user can enable masking rules.
Example
Enable the masking rule whose ID is 2.
```
CALL dbms_mask.enable_mask_rule(2);
```

Disabling a masking rule

Syntax

CALL dbms_mask.disable_mask_rule(mask_id bigint);

**Table 7** Parameter description
Parameter	Type	Mandatory	Description
mask_id	bigint	Yes	Masking rule ID.

Permission constraints
Only the root user can disable masking rules.
Example
Disable the masking rule whose ID is 2.
```
CALL dbms_mask.disable_mask_rule(2);
```

FAQs

What Are the Differences Between Enabling and Disabling a Masking Rule and Updating a Masking Rule?

Updating a masking rule involves modifying the content of the rule based on its ID, such as database names, table names, column names, and usernames. Enabling and disabling a masking rule simply determine whether the rule is active or inactive based on its ID and do not involve updating specific content.

Parent Topic: Common Kernel Functions

Previous topic: Flashback Query

Next topic: Hot Row Update