
PolarDB: Manage data masking rules

Last Updated: Dec 18, 2023

You can create, modify, delete, enable, and disable data masking rules in the PolarDB console. This topic describes how to manage data masking rules.

Prerequisites

The version of the PolarDB for MySQL proxy must be 2.4.12 or later. For more information about how to view and upgrade the version of PolarDB proxy, see Minor version update.

Considerations

  • The dynamic data masking feature applies only to cluster endpoints, including default cluster endpoints and customized cluster endpoints. When you query data from a primary endpoint, the dynamic data masking feature is not applied. For more information about how to view and apply for a cluster endpoint, see View the endpoint and port number.
  • If the query results contain data that needs to be masked and the size of a single row exceeds 16 MB, the query session is closed.

    For example, you want to query the name and description columns of the Person table in which the name column needs to be masked. However, the size of the data in a row of the description column exceeds 16 MB. In this case, the query session is closed when you execute the SELECT name, description FROM person statement.

  • If the data column you want to mask is used as a function parameter, data masking is not applied.

    For example, if a rule has been created to mask data in the name column, your application can still read the actual value of the name column when you execute the SELECT CONCAT(name, '') FROM person statement.

  • If the data column you want to mask is used in the UNION operator, data masking is not applied.

    For example, if a rule has been created to mask data in the name column, your application can still read the actual value of the name column when you execute the SELECT hobby FROM person UNION SELECT name FROM person statement.
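The function-parameter and UNION considerations above can be checked for in application SQL or audit logs. The following is an added example, not part of the original documentation or any PolarDB tooling: a heuristic scan that flags statements in which a masked column is passed to a function or appears in a UNION statement. The masked column set and the sample statements are constructed for illustration.

```python
import re

# Assumption: columns covered by an enabled masking rule (the page's example uses "name").
MASKED_COLUMNS = {"name"}
# Keywords that may precede "(" without being a function call.
NOT_FUNCTIONS = {"from", "in", "on", "as", "and", "or", "not", "where", "exists",
                 "select", "union", "all", "join", "values", "having"}
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.|'')*'")
INNERMOST_PARENS = re.compile(r"(?:\b([A-Za-z_]\w*)\s*)?\(([^()]*)\)")
IDENTIFIER = re.compile(r"[A-Za-z_]\w*")


def identifiers(fragment):
    """Lower-cased identifier-like tokens in a SQL fragment."""
    return {tok.lower() for tok in IDENTIFIER.findall(fragment)}


def masking_gaps(sql, masked=MASKED_COLUMNS):
    """List why a statement falls under the function-parameter or UNION
    consideration. Heuristic token scan, not a SQL parser."""
    text = STRING_LITERAL.sub("''", sql).replace("`", "")  # drop literals and quoting
    reasons = []
    tokens = identifiers(text)
    if "union" in tokens and tokens & masked:
        reasons.append("masked column in UNION statement")
    # Peel parentheses from the inside out so nested calls are all inspected.
    while (m := INNERMOST_PARENS.search(text)):
        name, args = m.group(1), m.group(2)
        hit = identifiers(args) & masked
        if name and name.lower() not in NOT_FUNCTIONS and hit:
            reasons.append(f"masked column {sorted(hit)[0]} passed to {name.upper()}()")
        text = text[:m.start()] + " " + args + " " + text[m.end():]
    return reasons


def scan(statements, masked=MASKED_COLUMNS):
    """Map each statement with at least one finding to its findings."""
    return {s: r for s in statements if (r := masking_gaps(s, masked))}


# Constructed sample of statements, e.g. as they might appear in a SQL audit log.
SAMPLE = [
    "SELECT name, description FROM person",
    "SELECT CONCAT(name, '') FROM person",
    "SELECT hobby FROM person UNION SELECT name FROM person",
    "SELECT hobby FROM person WHERE note = 'name (UNION)'",
]

if __name__ == "__main__":
    for statement, reasons in scan(SAMPLE).items():
        print(statement, "->", "; ".join(reasons))
```

Because the scan works on tokens, it also flags a masked column used in a function inside a WHERE clause, so findings should be reviewed rather than treated as confirmed exposure.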

Create a data masking rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security.

  5. On the Dynamic Data Masking/Encryption tab, click Add in the upper-left corner.

  6. In the Create Rule dialog box, configure the parameters.

    Table 1. Configure data masking rule parameters

    Basic Information

    • Rule Name (Required: Yes)

      The name of the data masking rule. The name can be up to 30 characters in length.

    • Description (Required: No)

      The description of the data masking rule. The description can be up to 64 characters in length.

    • Enable/Disable (Required: N/A)

      Specifies whether to enable the rule.

      Note

      The Enable/Disable switch is turned on when you create a data masking rule.

    • Endpoint (Required: Yes)

      The endpoint to which the current rule is applied.

    Configurations

    • Database Account Name (Required: No)

      The name of the database account to which the rule is applied. The type of the account that is used to connect to the sandbox instance. Valid values:

        • All Accounts: indicates that the rule applies to all accounts of the cluster. The text box on the right must be left empty.

        • Include: indicates that the rule applies only to specified database accounts. You need to specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,).

        • Exclude: indicates that the rule applies only to database accounts that are not specified in this section. You need to specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,).

      Note

      The database account names can be in the following formats:

        • account name. Example: user

        • account name@full IP address. Example: user@10.1.1.1

        • account name@IP address with wildcard characters. Example: user@10.1.1.%, user@%.1.1.1, or user@1.%.1

        • account name@IP address/subnet mask. Example: user@10.1.1.0/255.255.255.0

    • Database Name (Required: No)

      The name of the database to which the rule is applied. The type of the account that is used to connect to the sandbox instance. Valid values:

        • All Databases: indicates that the rule applies to all the databases in the cluster. The text box on the right must be left empty.

        • Include: indicates that the rule applies only to specified databases. You need to specify at least one database name in the text box on the right. Separate multiple database names with commas (,).

    • Table Name (Required: No)

      The name of the table to which the rule is applied. The type of the account that is used to connect to the sandbox instance. Valid values:

        • All tables: indicates that the rule applies to all the tables in the cluster. The text box on the right must be left empty.

        • Include: indicates that the rule applies only to specified tables. You need to specify at least one table name in the text box on the right. Separate multiple table names with commas (,).

    • Column Name (Required: Yes)

      The name of the field to which the rule is applied. You can specify more than one field name and separate multiple field names with commas (,).

  7. Click OK.
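When reviewing a rule, it helps to work out which connections the Database Account Name setting actually covers. The following is an added example, not code from the original documentation or from PolarDB: it evaluates the four account name formats and the All Accounts, Include, and Exclude values from Table 1 against a list of connections. It assumes that % matches any run of characters and that the subnet-mask form is a network membership test; the function names and sample connections are constructed.

```python
import ipaddress
import re


def entry_matches(entry, user, client_ip):
    """True if one Database Account Name entry covers `user` connecting from `client_ip`."""
    name, _, host = entry.strip().partition("@")
    if name != user:
        return False
    if not host:                      # "user": no address restriction
        return True
    if "/" in host:                   # "user@10.1.1.0/255.255.255.0"
        network = ipaddress.ip_network(host, strict=False)
        return ipaddress.ip_address(client_ip) in network
    # "user@10.1.1.%" (assumption: % matches any run of characters)
    pattern = ".*".join(re.escape(part) for part in host.split("%"))
    return re.fullmatch(pattern, client_ip) is not None


def rule_applies(mode, entries, user, client_ip):
    """Evaluate the All Accounts / Include / Exclude setting for one connection."""
    if mode == "All Accounts":
        return True
    listed = any(entry_matches(e, user, client_ip)
                 for e in entries.split(",") if e.strip())
    if mode == "Include":
        return listed
    if mode == "Exclude":
        return not listed
    raise ValueError(f"unknown mode: {mode}")


def coverage(mode, entries, connections):
    """Return the (user, ip) connections that the rule would NOT mask."""
    return [c for c in connections if not rule_applies(mode, entries, *c)]


# Constructed connections for a review of one rule.
CONNECTIONS = [("user", "10.1.1.7"), ("user", "192.168.0.5"), ("report", "10.1.1.9")]

if __name__ == "__main__":
    print(coverage("Include", "user@10.1.1.%", CONNECTIONS))
```

Under these assumptions, an Include rule scoped to an address pattern leaves the same account unmasked when it connects from any other address, which is worth checking before relying on the rule.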

Enable or disable a data masking rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security.

  5. On the Dynamic Data Masking/Encryption tab, find the rule and turn the Enable/Disable switch on or off.

    Note
    • You can select multiple rules in the list and then click Enable or Disable at the bottom of the list to batch enable or disable the rules.

    • Disabled rules are not deleted. You can enable disabled rules when needed.

  6. In the message that appears, click OK.

Modify a data masking rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security.

  5. On the Dynamic Data Masking/Encryption tab, find the rule and click Modify in the Actions column. In the dialog box that appears, modify the parameters based on your business requirements. For more information about the parameters, see Configure data masking rule parameters.

    Note

    You can modify only the Description parameter and the parameters in the Configurations section. You cannot modify the Rule Name parameter.

  6. Click OK.

Delete a data masking rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security.

  5. On the Dynamic Data Masking/Encryption tab, find the rule and click Delete in the Actions column.

    Note

    You can select multiple rules in the list and then click Delete at the bottom of the list to delete multiple rules at a time.

  6. In the message that appears, click OK.

Related API operations

  • DescribeMaskingRules: Queries the data masking rules that are applied for a PolarDB cluster or the details of a specified data masking rule.
  • ModifyMaskingRules: Modifies or adds a data masking rule.
  • DeleteMaskingRules: Deletes a data masking rule.