Data Management (DMS) allows you to manage the security rules for relational and non-relational databases on the SQL Console tab. The definition and classification of security rules on this tab are different for relational and non-relational databases. This topic describes how to configure security rules for Redis databases on the SQL Console tab.

Checkpoints

  • Permission Execution Statement Criteria: Under this checkpoint, you can specify whether DMS checks user permissions when users submit commands.
    Note For example, you can configure this checkpoint so that DMS checks whether a user has the required permissions on the target object (a database, table, or column) before a submitted command that operates on that object is run.
  • Statement Criteria: Keys: Under this checkpoint, you can set constraints on key-related commands.
  • Statement Criteria: String: Under this checkpoint, you can set constraints on string-related commands.
  • Statement Criteria: List: Under this checkpoint, you can set constraints on list-related commands.
  • Statement Criteria: SET: Under this checkpoint, you can set constraints on set-related commands.
  • Statement Criteria: SortedSet: Under this checkpoint, you can set constraints on sorted set-related commands.
  • Statement Criteria: Hash: Under this checkpoint, you can set constraints on hash-related commands.
  • Statement Criteria: Other: Under this checkpoint, you can set constraints on commands of other types.
Note You can use the default rules that are provided in templates or customize rules based on your actual needs. For more information, see Create a security rule.

How checkpoints work

Commands that can be run in DMS

The following table describes the Redis command types that DMS Enterprise can recognize by syntax analysis, together with the commands that belong to each type. These types are the valid values of the @fac.cmd_type factor; a command that is not listed is not classified into any type.

Type Command
Key-related read commands
  • EXISTS
  • TTL
  • PTTL
  • RANDOMKEY
  • TYPE
  • SCAN
Key-related write commands
  • DEL
  • DUMP
  • EXPIRE
  • EXPIREAT
  • MOVE
  • PERSIST
  • RENAME
  • RENAMENX
  • TOUCH
  • UNLINK
String-related read commands
  • GET
  • GETRANGE
  • BITCOUNT
  • GETBIT
  • MGET
  • STRLEN
String-related write commands
  • APPEND
  • DECR
  • DECRBY
  • GETSET
  • INCR
  • INCRBY
  • INCRBYFLOAT
  • MSET
  • MSETNX
  • SET
  • SETRANGE
  • SETBIT
List-related read commands
  • LINDEX
  • LLEN
  • LRANGE
List-related write commands
  • BLPOP
  • BRPOP
  • BRPOPLPUSH
  • LINSERT
  • LPOP
  • LPUSH
  • LPUSHX
  • LREM
  • LSET
  • LTRIM
  • RPOP
  • RPOPLPUSH
  • RPUSH
  • RPUSHX
Set-related read commands
  • SCARD
  • SISMEMBER
  • SRANDMEMBER
  • SSCAN
  • SDIFF
  • SINTER
  • SMEMBERS
  • SUNION
Set-related write commands
  • SADD
  • SMOVE
  • SPOP
  • SREM
  • SDIFFSTORE
  • SINTERSTORE
  • SUNIONSTORE
Sorted set-related read commands
  • ZCARD
  • ZCOUNT
  • ZLEXCOUNT
  • ZRANGE
  • ZRANGEBYLEX
  • ZRANGEBYSCORE
  • ZRANK
  • ZREVRANGE
  • ZREVRANGEBYLEX
  • ZREVRANGEBYSCORE
  • ZREVRANK
  • ZSCAN
  • ZSCORE
Sorted set-related write commands
  • ZADD
  • ZINCRBY
  • ZINTERSTORE
  • ZPOPMAX
  • ZPOPMIN
  • ZREM
  • ZUNIONSTORE
  • BZPOPMIN
  • BZPOPMAX
  • ZREMRANGEBYLEX
  • ZREMRANGEBYRANK
  • ZREMRANGEBYSCORE
Hash-related read commands
  • HEXISTS
  • HGET
  • HLEN
  • HMGET
  • HSCAN
  • HSTRLEN
  • HGETALL
  • HKEYS
  • HVALS
Hash-related write commands
  • HDEL
  • HINCRBY
  • HINCRBYFLOAT
  • HMSET
  • HSET
  • HSETNX
Server read commands
  • DBSIZE
  • CLIENT LIST
  • INFO
  • SLOWLOG
Connection command
  • PING
HyperLogLog commands
  • PFCOUNT
  • PFADD
  • PFMERGE
TairDoc read commands
  • JSONGET
  • JSONMGET
  • JSONTYPE
  • JSONSTRLEN
  • JSONARRLEN
TairDoc write commands
  • JSONDEL
  • JSONSET
  • JSONNUMINCRBY
  • JSONSTRAPPEND
  • JSONARRAPPEND
  • JSONARRPOP
  • JSONARRINSERT
  • JSONARRTRIM
TairString read command
  • EXGET
TairString write commands
  • CAS
  • CAD
  • EXSET
  • EXSETVER
  • EXINCRBY
  • EXINCRBYFLOAT
  • EXCAS
  • EXCAD
TairBloom read commands
  • BFEXISTS
  • BFMEXISTS
  • BFDEBUG
TairBloom write commands
  • BFADD
  • BFMADD
  • BFINSERT
  • BFRESERVE
TairGIS read commands
  • GISGET
  • GISSEARCH
  • GISCONTAINS
  • GISINTERSECTS
  • GISGETALL
TairGIS write commands
  • GISADD
  • GISDEL
TairHash read commands
  • EXHPTTL
  • EXHTTL
  • EXHVER
  • EXHGET
  • EXHGETALL
  • EXHGETWITHVER
  • EXHMGET
  • EXHMGETWITHVER
  • EXHLEN
  • EXHSTRLEN
  • EXHKEYS
  • EXHVALS
  • EXHSCAN
  • EXHEXISTS
TairHash write commands
  • EXHSET
  • EXHSETNX
  • EXHMSET
  • EXHMSETWITHOPTS
  • EXHPEXPIREAT
  • EXHPEXPIRE
  • EXHEXPIREAT
  • EXHEXPIRE
  • EXHSETVER
  • EXHINCRBY
  • EXHINCRBYFLOAT
  • EXHDEL

Factors and actions

  • Factor

    A factor is a predefined variable in DMS. You use factors to obtain the context that a security rule validates, such as the type of the command and the number of rows that the command affects. A factor name consists of the prefix @fac. followed by the display name of the factor type. Each tab provides different factors for different checkpoints. The following table describes the factors that are provided for the checkpoints on the SQL Console tab.

    Factor Description
    @fac.cmd_type The type of the command. For more information about valid values, see Commands that can be run in DMS.
    @fac.env_type The type of the environment. The value is the display name of the environment type, such as DEV or PRODUCT. For more information, see Change the environment type of an instance.
    @fac.is_read Specifies whether the current command is a read command. Valid values:
    • true
    • false
    @fac.is_write Specifies whether the current command is a write command. Valid values:
    • true
    • false
    @fac.current_sql The full text of the current command.
    @fac.user_is_admin Specifies whether the current user is a DMS administrator. Valid values:
    • true
    • false
    @fac.user_is_dba Specifies whether the current user is a database administrator (DBA). Valid values:
    • true
    • false
    @fac.user_is_inst_dba Specifies whether the current user is the DBA of the current database instance. Valid values:
    • true
    • false
  • Action

    An action in a security rule is the operation that DMS performs when the IF condition of the rule is met. Depending on the tab, DMS can, for example, forbid the submission of a ticket, select an approval process, approve a ticket, or reject a ticket. The action expresses the purpose of the security rule. An action name consists of the prefix @act. followed by the display name of the action type. Each tab provides different actions for different checkpoints. The following table describes the actions that are provided for the checkpoints on the SQL Console tab.

    Action Description
    @act.reject_execute Rejects the current command, which is then not run.
    @act.allow_execute Allows the current command to be run.
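The following Python program is an added illustration of how the command classification from the table above feeds the @fac.* factors, and how rules built from those factors and the two @act.* actions decide whether a command runs. It is a model written for this page, not the DMS rule engine, and DMS's own DSL (which this page does not show) is not reproduced. The command sets are copied from the table; the User class, the has_db_permission field, the treatment of PRODUCT as the only online environment, first-match rule ordering, and the default-deny outcome are all modelling assumptions.

```python
"""Model of how the SQL Console checkpoints for Redis combine factors
(@fac.*) and actions (@act.*). Added illustration, not DMS's rule engine;
the rule encoding below is an assumption (DMS uses its own DSL)."""
from dataclasses import dataclass

# Command classification copied from the page's table for a subset of types.
COMMAND_TYPES = {
    "key_read": {"EXISTS", "TTL", "PTTL", "RANDOMKEY", "TYPE", "SCAN"},
    "key_write": {"DEL", "DUMP", "EXPIRE", "EXPIREAT", "MOVE", "PERSIST",
                  "RENAME", "RENAMENX", "TOUCH", "UNLINK"},
    "string_read": {"GET", "GETRANGE", "BITCOUNT", "GETBIT", "MGET", "STRLEN"},
    "string_write": {"APPEND", "DECR", "DECRBY", "GETSET", "INCR", "INCRBY",
                     "INCRBYFLOAT", "MSET", "MSETNX", "SET", "SETRANGE", "SETBIT"},
    "hash_read": {"HEXISTS", "HGET", "HLEN", "HMGET", "HSCAN", "HSTRLEN",
                  "HGETALL", "HKEYS", "HVALS"},
    "hash_write": {"HDEL", "HINCRBY", "HINCRBYFLOAT", "HMSET", "HSET", "HSETNX"},
    "server_read": {"DBSIZE", "CLIENT LIST", "INFO", "SLOWLOG"},
}
ONLINE_ENVS = {"PRODUCT"}  # assumption: PRODUCT is the "online" environment type


@dataclass
class User:
    """Assumed shape of the user context; DMS exposes only the @fac.user_* flags."""
    name: str
    is_admin: bool = False
    is_dba: bool = False
    is_inst_dba: bool = False
    has_db_permission: bool = False  # assumption: result of DMS's permission lookup


def classify(command: str) -> dict:
    """Build the command-related factors for one Redis command line.

    Anything not in the table is typed "unknown" and is neither read nor
    write, so no whitelist-style rule below can match it.
    """
    tokens = command.strip().split()
    if not tokens:
        raise ValueError("empty command")
    name = tokens[0].upper()
    if len(tokens) > 1 and f"{name} {tokens[1].upper()}" in COMMAND_TYPES["server_read"]:
        name = f"{name} {tokens[1].upper()}"  # two-word commands such as CLIENT LIST
    cmd_type = next((t for t, cmds in COMMAND_TYPES.items() if name in cmds), "unknown")
    return {
        "@fac.cmd_type": cmd_type,
        "@fac.is_read": cmd_type.endswith("_read"),
        "@fac.is_write": cmd_type.endswith("_write"),
        "@fac.current_sql": command.strip(),
    }


def build_context(command: str, user: User, env_type: str) -> dict:
    """Merge command factors with environment and user factors."""
    ctx = classify(command)
    ctx.update({
        "@fac.env_type": env_type,
        "@fac.user_is_admin": user.is_admin,
        "@fac.user_is_dba": user.is_dba,
        "@fac.user_is_inst_dba": user.is_inst_dba,
        "has_db_permission": user.has_db_permission,
    })
    return ctx


# Rules as (checkpoint, condition, action), mirroring the page's templates:
# permissions are checked for regular users, reads are whitelisted in every
# environment, writes offline for everyone and online only for an instance DBA.
# First match wins and an unmatched command is rejected (modelling assumptions).
RULES = [
    ("Permission Execution Statement Criteria",
     lambda c: not (c["@fac.user_is_admin"] or c["@fac.user_is_dba"])
     and not c["has_db_permission"],
     "@act.reject_execute"),
    ("Statement Criteria", lambda c: c["@fac.is_read"], "@act.allow_execute"),
    ("Statement Criteria",
     lambda c: c["@fac.is_write"] and c["@fac.env_type"] not in ONLINE_ENVS,
     "@act.allow_execute"),
    ("Statement Criteria",
     lambda c: c["@fac.is_write"] and c["@fac.env_type"] in ONLINE_ENVS
     and c["@fac.user_is_inst_dba"],
     "@act.allow_execute"),
]


def evaluate(command: str, user: User, env_type: str) -> tuple:
    """Return (action, checkpoint) of the first matching rule; default deny."""
    ctx = build_context(command, user, env_type)
    for checkpoint, condition, action in RULES:
        if condition(ctx):
            return action, checkpoint
    return "@act.reject_execute", "default (no rule allowed the command)"


if __name__ == "__main__":
    dev = User("dev", has_db_permission=True)
    dba = User("dba", is_inst_dba=True, has_db_permission=True)
    for cmd, who, env in [("GET session:42", dev, "PRODUCT"),
                          ("DEL session:42", dev, "PRODUCT"),
                          ("DEL session:42", dba, "PRODUCT"),
                          ("FLUSHALL", dba, "DEV")]:
        print(f"{env:8} {who.name:4} {cmd:16} -> {evaluate(cmd, who, env)}")
```

The last sample line is the point worth checking in a real rule set: FLUSHALL is not in the table, so its @fac.cmd_type is "unknown" and neither @fac.is_read nor @fac.is_write is true. A rule set that only whitelists recognized types therefore never allows it, even for a DBA in a DEV instance; an explicit allow would have to match on @fac.current_sql instead.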

Templates of security rules

DMS provides you with a large number of predefined security rule templates. You can use the templates or modify the templates based on your business requirements. The following table describes the templates that are provided for the checkpoints on the SQL Console tab.

Checkpoint Template and feature
Permission Execution Statement Criteria Specifies that DMS checks permissions when regular users submit commands.
Specifies that DMS does not check permissions when DMS users submit commands.
Statement Criteria: Keys Specifies that the whitelisted key-related read commands can be run in an offline environment.
Specifies that the whitelisted key-related read commands can be run in an online environment.
Specifies that the whitelisted key-related write commands can be run in an online environment.
Statement Criteria: String Specifies that the whitelisted string-related read commands can be run in an offline environment.
Specifies that the whitelisted string-related read commands can be run in an online environment.
Specifies that the whitelisted string-related write commands can be run in an online environment.
Statement Criteria: List Specifies that the whitelisted list-related read commands can be run in an offline environment.
Specifies that the whitelisted list-related read commands can be run in an online environment.
Specifies that the whitelisted list-related write commands can be run in an online environment.
Statement Criteria: SET Specifies that the whitelisted set-related read commands can be run in an offline environment.
Specifies that the whitelisted set-related read commands can be run in an online environment.
Specifies that the whitelisted set-related write commands can be run in an online environment.
Statement Criteria: SortedSet Specifies that the whitelisted sorted set-related read commands can be run in an offline environment.
Specifies that the whitelisted sorted set-related read commands can be run in an online environment.
Specifies that the whitelisted sorted set-related write commands can be run in an online environment.
Statement Criteria: Hash Specifies that the whitelisted hash-related read commands can be run in an offline environment.
Specifies that the whitelisted hash-related read commands can be run in an online environment.
Specifies that the whitelisted hash-related write commands can be run in an online environment.
Statement Criteria: Other Specifies that the whitelisted read commands of other types can be run in an offline environment.
Specifies that the whitelisted write commands of other types can be run in an offline environment.
Specifies that the whitelisted read commands of other types can be run in an online environment.
Specifies that the whitelisted write commands of other types can be run in an online environment.

Create a security rule

  1. Log on to the DMS console V5.0.
    Note To switch to the previous version of the DMS console, click the tenant avatar icon in the lower-right corner of the page. For more information, see Switch to the previous version of the DMS console.
  2. On the Security Rules tab, find the security rule set that you want to modify and click Edit in the Actions column.
  3. On the Details page, click the SQL Console tab on the left.
  4. On the SQL Console tab, click Create Rule next to Actions.
  5. In the Create Rule - SQL Console dialog box, set the parameters that are described in the following table.
    Parameter Description
    Checkpoints Required. The checkpoint for which you want to create the security rule. For more information, see Checkpoints.
    Template Database Optional. The template that you want to use to create the security rule. DMS provides a large number of security rule templates. After you select a checkpoint, you can click Load from Template Database and select a template as required. For more information about the available templates, see Templates of security rules.
    Rule Name Required. The name of the custom security rule. If you load a security rule from a template, the rule name is automatically entered.
    Rule DSL Required. The domain-specific language (DSL) statement that you want to use to configure the security rule. For more information, see DSL syntax for security rules. If you load a security rule from a template, the statement is automatically entered.
  6. Click Submit.
  7. By default, the security rule that you create is in the Disabled state. Click Enable in the Actions column.
  8. In the Prompt message, click OK.