Adding Data Assets
After data assets (databases) are added to the system, you can identify, encrypt, decrypt, and mask sensitive data in the databases.
This section uses the MySQL database as an example. Add data assets based on the site requirements.
Constraint
|
Database |
Version |
|---|---|
|
MySQL |
5.5, 5.6, 5.7, 8.0, 8.0.13+ |
|
Oracle |
11.1, 11.2, 12c, 19c |
|
SQLServer |
2012, 2016 |
|
PostgreSQL |
9.4, 11.5 |
|
DM |
6, 7.6, 8.1 |
|
Kingbase |
V8 R3, V8 R6 |
|
MariaDB |
10.2 |
|
GaussDB |
A |
|
TDSQL |
5.7 |
|
TBASE |
V2.15.17.3 |
|
RDS_MYSQL |
5.6, 5.7, 8.0 |
|
RDS_PostgreSQL |
11 |
|
HotDB |
2.5.6 |
|
HighGO |
4.5 |
|
DWS |
8.1 |
|
Database |
System Catalog Requiring the SELECT Permission |
Database Account Permission |
|---|---|---|
|
MySQL |
mysql.user performance_schema.* |
select insert create update delete drop alter index |
|
RDS_MYSQL |
mysql.user performance_schema.* |
select insert create update delete drop alter index |
|
TDSQL |
mysql.user performance_schema.* |
select insert create update delete drop alter index |
|
MariaDB |
mysql.user performance_schema.* |
select insert create update delete drop alter index |
|
DM |
SYS.ALL_SUBPART_KEY_COLUMNS SYS.ALL_USERS SYS.ALL_CONS_COLUMNS SYS.ALL_CONSTRAINTS SYS.ALL_TABLES SYS.ALL_TABLE_COLUMNS SYS.ALL_COL_COMMENTS SYS.ALL_PART_KEY_COLUMNS SYS.ALL_IND_COLUMNS SYS.ALL_INDEXS V$VERSION V$LOCK SYS.DBMS_LOB SYS.DBMS_METADATA |
The user role must be dba. |
|
postgreSQL |
pg_catalog.pg_class pg_catalog.pg_index pg_catalog.pg_user pg_catalog.pg_indexes information_schema.columns information_schema.sequences information_schema.tables pg_catalog.pg_sequence |
The user must be the table owner or the dba role. |
|
RDS_PostgreSQL |
pg_catalog.pg_class pg_catalog.pg_index pg_catalog.pg_user pg_catalog.pg_indexes information_schema.columns information_schema.sequences information_schema.tables pg_catalog.pg_sequence |
The user must be the table owner or the dba role. |
|
TBASE |
pg_catalog.pg_class pg_catalog.pg_index pg_catalog.pg_user pg_catalog.pg_indexes information_schema.columns information_schema.sequences information_schema.tables pg_catalog.pg_sequence |
The user must be the table owner or the dba role. |
|
GAUSSDB |
pg_catalog.pg_class pg_catalog.pg_index pg_catalog.pg_user pg_catalog.pg_indexes information_schema.columns information_schema.sequences information_schema.tables pg_catalog.pg_sequence |
The user must be the table owner or the dba role. |
|
Kingbase 8.6 (pg) |
pg_catalog.pg_class pg_catalog.pg_index pg_catalog.pg_user pg_catalog.pg_indexes information_schema.columns information_schema.sequences information_schema.tables pg_catalog.pg_sequence pg_catalog.pg_matviews |
The user must be the table owner or the dba role. |
|
KINGBASE 8.3 |
sys_catalog.sys_class sys_catalog.sys_index sys_catalog.sys_user sys_catalog.sys_indexes information_schema.columns information_schema.sequences information_schema.tables sys_catalog.sys_sequence sys_catalog.sys_matviews |
The user must be the table owner or the dba role. |
|
Oracle |
SYS.ALL_SUBPART_KEY_COLUMNS SYS.DUAL SYS.ALL_USERS SYS.ALL_CONS_COLUMNS SYS.ALL_CONSTRAINTS SYS.ALL_TABLES SYS.ALL_TABLE_COLUMNS SYS.ALL_COL_COMMENTS SYS.ALL_PART_KEY_COLUMNS SYS.ALL_IND_COLUMNS SYS.ALL_INDEXS SYS.V_$INSTANCE SYS.DBMS_LOB SYS.DBMS_METADATA DBA_TABLES DBA_TAB_COLS |
The user role must be dba. |
|
SQLserver |
sys.tables sys.indexes sys.index_columns sys.default_constraints sys.systypes sys.extended_properties sys.foreign_key_columns sys.check_constraints sys.foreign_keys sys.columns sys.objects sys.all_columns sys.types sys.syslogins sys.all_objects sys.schemas sys.key_constraints sys.computed_columns sys.triggers sys.partition_schemes sys.dm_sql_referencing_entities |
schemaSelect schemaInsert schemaUpdate schemaAlter createTable VIEW SERVER STATE SELECT permission of the encrypted table INSERT permission of the encrypted table ALTER permission of the encrypted table |
|
HighGO |
pg_catalog.pg_class pg_catalog.pg_index pg_catalog.pg_user pg_catalog.pg_indexes information_schema.columns information_schema.sequences information_schema.tables pg_catalog.pg_sequence |
The user must be the table owner or the dba role. |
|
DWS |
pg_catalog.pg_class pg_catalog.pg_index pg_catalog.pg_user pg_catalog.pg_indexes information_schema.columns information_schema.sequences information_schema.tables pg_catalog.pg_sequence |
The user must be the table owner or the dba role. |
Procedure
- Log in to a database encryption and access control instance as the sysadmin user.
- In the navigation pane, choose Assets Management > Data Source Management.
- Click Add Data Source in the upper right corner.
- In the Add Data Source dialog box, configure asset information. For details, see Table 3.
Table 3 Parameters for adding a data source Parameter
Description
Database Information
Data Source
Customized data asset name.
Data Source Type
Select a database type from the drop-down list box. For details about supported database versions, see Constraint.
Data Source Version
Select a database version from the drop-down list box.
Read/Write Separation/RAC
If the database is deployed in read/write isolation mode, select this option and configure information about the secondary database node.
Data Source Address
IP address of the database.
Data Source Port
Connection port of the database.
Proxy Address
Select a proxy address from the drop-down list box, that is, the IP address for accessing and controlling the database.
Proxy Port
Set a proxy port. O&M personnel access the database through the proxy IP address and proxy port.
- The value range is 1025 to 65535.
- You can set any idle port within the range. Ports that have been used by other data assets cannot be used. For example, if data asset A uses port 14000, data asset B cannot use this port.
You can click Auto Assign to let the system automatically assign idle proxy ports.
Database/Instance/SID/Service/Schema
Set the database, instance name, SID, service name, or schema.
Database Account
Database login user.
Database Password
Password for logging in to the database.
Encryption Parameters
Encryption Mode
- Asset encryption mode. The options are as follows:
- One Key Per Asset: The DEKs of assets are the same. Connection query and cross-database query are supported.
- One Key Per Column: The DEKs of assets are different. Join query and cross-database query are not supported.
Default Display without Permission
- Set what is displayed to the users who do not have the permissions to access the database. The options are as follows:
- Ciphertext: Ciphertext is displayed. The encoding format is Base64 or hexadecimal. For details, see Setting Encryption Parameters.
- Default Data: Default data is displayed. You need to set the default data of the string type.
- NULL: The content is blank.
(Optional) Host Information
After the monitoring threshold is configured, the system encrypts data in batches only within the monitoring threshold of the database server. If the resource usage exceeds the threshold, the system stops encrypting data to reduce the impact on services. You are advised to set the following parameters if possible.
Host IP
Host IP address.
Host Port
SSH service port of the host. The default SSH service port is 22.
Username
Username for logging in to the host.
Password
Password for logging in to the host.
Character Set
Character set used by the host, which is automatically obtained after the host is connected.
Host Operating System
Host OS, which is automatically obtained after the host is connected.
Kernel
Host kernel, which is automatically obtained after the host is connected.
Monitoring Threshold
Thresholds for host monitoring metrics (CPU, memory, I/O, and network). The system encrypts database data only within the threshold to reduce the impact on services.
Log Information
Database Log File Name
Path and name of the database log file. Example: /usr/local/mysql/binlogs/mysql-bin.000060
- (Optional) After the configuration is complete, click Test Database Connection and check whether the database can be connected.
- (Optional) Click Test Account Permission to check whether the database account permission meets the encryption requirements.
If the database account permission does not meet the encryption requirements, configure the database account permission by referring to Table 2.
- (Optional) If the host information is configured, click Test Host Connection. Check whether the host can be connected and whether its character set and OS can be automatically obtained.
- Click Save to save the data asset configuration.
After the asset is added, you can view its information in the data source list, as shown in Figure 1.
- In the list, click
to enable the database proxy.
After this function is enabled, you can access the database through the proxy IP address and proxy port.
Related Operations
- Click
in the Policy Configuration column of the data source list. The encryption task configuration page is displayed. You are advised to identify sensitive data before configuring an encryption task. For details, see Scanning Sensitive Data in Assets. - Click
in the Policy Configuration column of the data source list. The masking rule configuration page is displayed. You are advised to identify sensitive data before configuring a masking rule. For details, see Scanning Sensitive Data in Assets. - Click Edit in the Actions column of the data source list to modify data asset information.
- Click Delete in the Actions column of the data source list to delete unnecessary data assets.
If a message is displayed, indicating that the table structure of the current database is not rolled back, perform the operations in Rolling Back the Table Structure or Configuring a Decryption Task based on site requirements.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
