You can create, modify, delete, enable, and disable data masking rules on the PolarDB console. This topic describes how to manage data masking rules.

Prerequisites

The version of the PolarDB proxy must be 2.4.12 or later. For more information about how to view and upgrade the version of PolarDB proxy, see Upgrade versions.

Considerations

  • The dynamic data masking feature applies only to cluster endpoints, including default cluster endpoints and customized cluster endpoints. When you query data from a primary endpoint, the dynamic data masking feature is not applied. For more information about how to view and apply for a cluster endpoint, see View an endpoint and port number.
  • If the query results contain data that needs to be masked and the size of a single row exceeds 16 MB, the query session is closed.

    For example, you want to query the name and description columns of the Person table in which the name column needs to be masked. However, the size of the data in a row of the description column exceeds 16 MB. In this case, the query session is closed when you execute the SELECT name, description FROM person statement.

  • If the data column you want to mask is used as a function parameter, data masking is not applied.

    For example, if a rule has been created to mask data in the name column, your application can still read the actual value of the name column when you execute the SELECT CONCAT(name, '') FROM person statement.

  • If the data column you want to mask is used in the UNION operator, data masking is not applied.

    For example, if a rule has been created to mask data in the name column, your application can still read the actual value of the name column when you execute the SELECT hobby FROM person UNION SELECT name FROM person statement.
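    The last two considerations mean that an enabled rule does not cover every statement that returns the column. The following added example (not PolarDB code) is a heuristic Python check that reviews SQL statements from an audit log and flags those where a masked column appears in a SELECT list as a function parameter or in a UNION. The column set, sample statements, and function names are assumptions made for illustration.

```python
import re

# Assumption: columns covered by an enabled masking rule (constructed value).
MASKED_COLUMNS = {"name"}
KEYWORDS = {"select", "from", "where", "in", "and", "or", "not", "on", "as",
            "union", "all", "exists", "values", "join", "distinct"}
TOKEN = re.compile(r"'(?:[^']|'')*'|`[^`]*`|[A-Za-z_][A-Za-z0-9_$]*|\S")
IDENT = re.compile(r"`[^`]*`|[A-Za-z_][A-Za-z0-9_$]*")

# Constructed sample statements, as they might appear in a SQL audit log.
SAMPLE_LOG = [
    "SELECT name, description FROM person",
    "SELECT CONCAT(name, '') FROM person",
    "SELECT hobby FROM person UNION SELECT name FROM person",
    "SELECT hobby FROM person WHERE LOWER(name) = 'bob'",
]

def masking_gaps(sql, masked=MASKED_COLUMNS):
    """Return why a masked column in a SELECT list would come back unmasked."""
    tokens = TOKEN.findall(sql)
    has_union = any(t.lower() == "union" for t in tokens)
    reasons, call_stack = set(), []   # call_stack: True per "(" opening a function call
    in_select_list, prev = False, ""
    for tok in tokens:
        word = tok.strip("`").lower()
        if tok == "(":
            name = prev.strip("`").lower()
            call_stack.append(bool(IDENT.fullmatch(prev)) and name not in KEYWORDS)
        elif tok == ")":
            if call_stack:
                call_stack.pop()
        elif tok.startswith("'"):
            pass                      # string literal, never a column reference
        elif word == "select":
            in_select_list = True
        elif word == "from":
            in_select_list = False
        elif in_select_list and word in masked:
            if any(call_stack):
                reasons.add("function_parameter")
            if has_union:
                reasons.add("union")
        prev = tok
    return sorted(reasons)

def review(statements):
    """Map each statement that would expose a masked column to its reasons."""
    return {s: r for s in statements if (r := masking_gaps(s))}
```

    The check is token-based rather than a full SQL parser, so treat its output as a review queue: column aliases and nested subqueries can produce false positives or misses.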

Create a rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster is deployed.
  3. Find the cluster and click the cluster ID.
  4. You can enter the data masking rule management page by using one of the following methods:
    • Method 1: Enter from the cluster endpoint configuration page.
      1. In the Endpoints section on the Overview page, find the cluster endpoint and click Modify on the right side of the cluster endpoint.
      2. In the Dynamic Data Masking section, click Rules.
    • Method 2: Enter from the left-side navigation pane.

      In the left-side navigation pane, choose Settings and Management > Rules.

  5. In the upper-left corner of the page, click Add. In the pop-up dialog box, set the following parameters:
    Table 1. Configuration table
    Parameter | Required? | Description
    Basic Information
    Rule Name | Yes | The name of the data masking rule. The name is up to 30 characters in length.
    Description | No | The description of the data masking rule. The description is up to 64 characters in length.
    Enable/Disable | N/A | Turn Enable/Disable on or off.
      Note When you create a data masking rule, the Enable/Disable switch is turned on by default.
    Configurations
    Database Account Name | No | The name of the database account to which the rule is applied. Valid values:
      • All Accounts: indicates that the data masking rule applies to all database accounts in the cluster. You do not need to specify anything in the text box on the right.
      • Include: indicates that the data masking rule applies only to specified database accounts. You must specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,).
      • Exclude: indicates that the data masking rule applies only to database accounts that are not specified in this section. You must specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,).
      Note The database account names can be in any of the following formats:
      • account name. Example: user
      • account name@full IP address. Example: user@1.1.1.1
      • account name@IP address with wildcard characters. Example: user@1.1.1.%, user@%.1.1.1, or user@1.%.1
      • account name@IP/subnet mask. Example: user@1.1.1.0/255.255.255.0
    Database Name | No | The name of the database to which the rule is applied. Valid values:
      • All Databases: indicates that the data masking rule applies to all databases in the cluster. You do not need to specify anything in the text box on the right.
      • Include: indicates that the data masking rule applies only to specified databases. You must specify at least one database name in the text box on the right. Separate multiple database names with commas (,).
    Table Name | No | The name of the table to which the rule is applied. Valid values:
      • All tables: indicates that the data masking rule applies to all tables in the cluster. You do not need to specify anything in the text box on the right.
      • Include: indicates that the data masking rule applies only to specified tables. You must specify at least one table name in the text box on the right. Separate multiple table names with commas (,).
    Column Name | Yes | The name of the field to which the rule is applied. You can specify more than one field name and separate multiple names with commas (,).
  6. Click OK.

Enable or disable a rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Rules.
  5. Locate the rule you want to manage and turn Enable/Disable on or off.
    Note
    • You can select multiple rules in the rule list and then click Enable or Disable below the list to enable or disable the rules in batches.
    • Disabled data masking rules are not deleted. You can enable the rules again as needed.
  6. In the pop-up dialog box, click OK.

Modify a rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Rules.
  5. Locate the rule you want to modify, click Modify in the right-side Actions column, and configure the parameters as needed in the pop-up dialog box. For more information about parameter descriptions, see Table 1.
    Note You can change only the parameters in Description and Configurations. Parameters in Rule Name cannot be changed.
  6. Click OK.

Delete a rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Rules.
  5. Locate the rule you want to delete and click Delete in the right-side Actions column.
    Note You can select multiple rules in the rule list and then click Delete below the list to delete them in batches.
  6. In the pop-up dialog box, click OK.

Related API operations

API | Description
DescribeMaskingRules | Query the data masking rules that apply to a PolarDB cluster or the details of a specified masking rule.
ModifyMaskingRules | Configure or add data masking rules.
DeleteMaskingRules | Delete specified data masking rules.