Data Management (DMS) allows you to configure security rules for operations in the SQL Console module. You can manage relational databases and non-relational databases in SQL Console. This topic describes the security rules for operations in SQL Console. In this example, the security rules for ApsaraDB RDS for MySQL are used.
Checkpoints in SQL Console
Checkpoint | Description |
Basic Configuration Item | Allows you to specify basic configurations such as the maximum number of rows that can be returned per query, whether result sets can be modified, and whether sensitive data can be calculated. |
SQL Execution Quantity Criteria | Allows you to limit the number of SQL statements that can be submitted at a time. |
DQL SQL Criteria | Allows you to set constraints on the execution of data query language (DQL) statements. |
Other SQL Criteria | Allows you to set constraints on the execution of multiple types of SQL statements. For example, you can allow the execution of unidentified SQL statements and reject the execution of statements that delete full tables. |
SQL Permission Criteria | Allows you to set constraints on the execution of SQL statements based on permissions on databases, tables, sensitive columns, and rows. |
SQL Execution Performance Criteria | Allows you to reject the execution of DDL statements if the size of tablespace involved exceeds the upper limit or reject the execution of DML statements if the number of rows affected exceeds the upper limit. |
Exception Recognition Criteria of Database and Table Column Permissions | Allows you to specify whether to continue or reject the execution of SQL statements such as DQL, DML, DDL, or data control language (DCL) statements if parsing exceptions occur. |
SQL Execution Criteria in Logical Databases | Allows you to set constraints on the execution of different types of SQL statements. |
DMS provides a large number of predefined configurations and rules for checkpoints. You can modify the configurations, change the status of rules, and customize security rules based on your business requirements. For more information, see the Configure rules in a rule set section of the "Manage security rules" topic.
The following flowchart shows how checkpoints work.
Factors and actions
A factor is a predefined variable that is provided by DMS. You can use factors to obtain the context to be validated by security rules, such as the categories of SQL statements and the number of data rows to be affected.
All factors start with
@fac., followed by the factor name.Each module on the Details page of a security rule set provides different factors for different checkpoints.
Table 1. Factors provided by the SQL Console module
Factor
Description
@fac.sql_count
The number of SQL statements that are submitted at a time.
@fac.select_sql_count
The number of DQL statements among the SQL statements that are submitted at a time.
@fac.dml_sql_count
The number of DML statements among the SQL statements that are submitted at a time.
@fac.sql_type
The category of an SQL statement. For more information, see the SQL statements that can be executed in DMS section of this topic.
@fac.sql_sub_type
The subcategory of an SQL statement. For more information, see the SQL statements that can be executed in DMS section of this topic.
@fac.env_type
The environment type. The value is an environment identifier, such as
DEVorPRODUCT. For more information, see Instance environment type.@fac.fulltable_delete
Indicates whether the current SQL statement is a full table
DELETE. The valid values are:true
false
@fac.fulltable_update
Specifies whether the current SQL statement is a full table
UPDATE. Valid values:true
false
@fac.current_sql
The current SQL statement.
@fac.user_is_admin
Indicates whether the current user is a DMS administrator. Valid values:
true
false
@fac.user_is_dba
Indicates whether the current user is a database administrator (DBA). Valid values:
true
false
@fac.user_is_inst_dba
Indicates whether the current user is a DBA of the current database instance. Valid values:
true
false
@fac.user_is_sec_admin
Indicates whether the current user is a security administrator. Valid values:
true
false
@fac.sql_affected_rows
The number of rows to be affected by the current SQL statement.
NoteA
COUNToperation will be performed, so please use with caution.@fac.sql_relate_table_store_size
The estimated total size of the table to be accessed by the current SQL statement. Unit: MB.
NoteThis value is estimated based on the metadata that is obtained by DMS. The value is not an actual value.
Action: The behavior that the system performs when an
ifcondition is met. This action expresses the main purpose of a security rule, such as prohibiting ticket submission, selecting an approval process, allowing execution, or denying execution.All actions start with
@act., followed by the action name.Each module on the Details page of a security rule set provides different actions for different checkpoints.
Table 2. Actions provided by the SQL Console module
Action
Description
@act.reject_execute
Rejects the execution of the current SQL statement.
@act.allow_execute
Allows the execution of the current SQL statement.
@act.reject_sql_type_execute
To reject a specific type of SQL statement, you must specify the SQL subtype. For example:
@act.reject_sql_type_execute 'UPDATE'.@act.allow_sql_type_execute
To allow the execution of a specific type of SQL, you must specify the exact SQL subtype. For example:
@act.allow_sql_type_execute 'UPDATE'.@act.check_dml_sec_column_permission
Checks whether a user has permissions on sensitive fields. If the user does not have the required permissions, a DML statement for data change is not executed.
@act.uncheck_dml_sec_column_permission
Does not check whether a user has permissions on sensitive fields.
@act.check_sql_access_permission
Checks whether a user has specific permissions on the databases, tables, or fields that are involved in the SQL statements to be executed. For example, you can check whether a user has the permissions to query data or change data.
@act.uncheck_sql_access_permission
Does not check whether a user has specific permissions on the databases, tables, or fields that are involved in the SQL statements to be executed.
@act.enable_sec_column_mask
Masks sensitive fields in query result sets that are returned for SQL statements submitted by users who do not have permissions on the sensitive fields.
@act.disable_sec_column_mask
Does not mask sensitive fields in query result sets that are returned for SQL statements submitted by users who do not have permissions on the sensitive fields.
SQL statements that can be executed in DMS
DML
INSERT
INSERT_SELECT
SELECT_INTO
MULTI_INSERT
REPLACE
REPLACE_INTO
UPDATE
DELETE
MERGE
REMOVE
MSCK_REPAIR
REFRESH_MATERIALIZED_VIEW
BEGIN
START_TRANSACTION
COMMIT
ROLLBACK
SAVEPOINT
RELEASE_SAVEPOINT
SET
ADD_EDGE
ADD_VERTEX
SET_PROPERTY
GDB_DROP
INSERT_MANY
INSERT_ONE
DELETE_MANY
DELETE_ONE
UPDATE_MANY
UPDATE_ONE
WLM_ADD_RULE
DDL
CREATE
CREATE_SCHEMA
CREATE_INDEX
CREATE_VIEW
CREATE_SEQUENCE
CREATE_TABLE
CREATE_TABLEGROUP
CREATE_PACKAGE
CREATE_SELECT
TRUNCATE
DROP
DROP_SCHEMA
DROP_INDEX
DROP_VIEW
DROP_TABLE
DROP_TABLEGROUP
DROP_SEQUENCE
RENAME
ALTER_TABLE_DROP_COLUMN
ALTER_TABLE_CHARACTER_COLLATE
ALTER_TABLE_AUTOINCREMENT
ALTER
ALTER_SCHEMA
ALTER_INDEX
ALTER_VIEW
ALTER_TABLE
ALTER_TABLEGROUP
ALTER_SEQUENCE
CREATE_FUNCTION
ALTER_FUNCTION
DROP_FUNCTION
CREATE_PROCEDURE
ALTER_PROCEDURE
DROP_PROCEDURE
MONGO_CREATE_INDEX
MONGO_DROP_INDEX
CREATE_DATABASE
ALTER_DATABASE
DROP_DATABASE
CREATE_USER
ALTER_USER
DROP_USER
CREATE_ROLE
DROP_ROLE
EXEC
CALL_PROCEDURE
CREATE_TRIGGER
ALTER_TRIGGER
DROP_TRIGGER
CREATE_EVENT
ALTER_EVENT
DROP_EVENT
ROLLBACK_DDL
CANCEL_DDL
VACUUM
SUBMIT_JOB
CANCEL_JOB
BUILD_TABLE
IF
DQL
SELECT
DESC
EXPLAIN
SHOW_INDEX
SHOW
CHECK_TABLE
SHOW_DDL
LIST
GDB_QUERY
CHECKSUM
SELECT_PG_TERMINATION_BACKEND
WLM_LIST_RULE
DCL
GRANT
DECLARE
SET
ANALYZE
FLUSH
OPTIMIZE
KILL
RECOVER_DDL
REMOVE_DDL
SELECT_PG_TERMINATION_BACKEND
FAQ
Q: Can I restrict the execution of
SELECT *statements?A: Yes. This action requires an instance with security collaboration mode enabled.
In the top navigation bar of the DMS console, choose Security and Disaster Recovery > Security Rules.
On the Rule Sets tab, select the rule set that corresponds to your data engine type.
Find the target rule set and click Edit in the Actions column to go to the Details page.
In the left-side navigation pane, select SQL console. Under Checkpoints, select SQL execution count criteria.
Click Add Rule and enter the following DSL script.
if @fac.sql_sub_type in ['SELECT'] AND @fun.is_contain_str(@fac.current_sql,'*') then @act.reject_execute 'The SQL statement contains *. Please use an alternative method.' end
Q: How do I configure rules to restrict large queries in the SQL console?
A: This action requires an instance with security collaboration mode enabled.
In the top navigation bar of the DMS console, choose Security and Disaster Recovery > Security Rules.
On the Rule Sets tab, select the rule set that corresponds to your data engine type.
Find the target rule set and click Edit in the Actions column to go to the Details page.
In the left-side navigation pane, select SQL console. In the search box, enter "full table scan" and click the Search button.
Select the target rule from the list and click its Edit button to configure it.