
PolarDB:Configure a whitelist rule

Last Updated: Sep 04, 2023

You can create, delete, enable, disable, or modify whitelist rules for a cluster in the PolarDB console. This topic describes what whitelist rules are and how to configure them.

Whitelist rules

After you configure a whitelist rule, SQL statements that are not in the whitelist are blocked or logged, depending on the mode of the rule. This confines a business account to the SQL statements that your application is known to issue; a statement that is irrelevant to your business, such as an ad hoc query run with that account's credentials, does not match the whitelist and is caught. A real application issues many different SQL statements, and entering each one into a rule by hand takes time, so PolarProxy learns the whitelist from the traffic it sees and provides the following modes:

  • Training mode: PolarProxy only collects SQL statements and saves them to the rule. It does not block any statement or generate alerts.

  • Detection mode: PolarProxy records SQL statements that are not in the whitelist rule when it detects them, but does not block them.

  • Protection mode: PolarProxy records and blocks SQL statements that are not in the whitelist rule when it detects them.

You can also configure multiple whitelist rules in the PolarDB console and use a separate account to train each rule. After you switch a rule to detection mode or protection mode, you can also specify the accounts to which that rule applies.

Create a whitelist rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.

  5. In the upper-left corner of the SQL Firewall tab, click Add.

  6. In the Create a Rule dialog box, configure parameters described in the following table based on the mode that you select.

    Table 1. Parameters of a whitelist rule

    Parameter | Required | Description

    Basic Information

    Rule Name | Yes | The name of the rule. It can contain digits and letters and can be up to 30 characters in length.

    Description | No | The description of the rule. It can be up to 64 characters in length.

    Endpoint | Yes | The endpoint to which the rule applies.

    Configurations

    Rule Type | Yes | The type of the rule. Select Whitelist Rule.

    Current Mode | No | The mode of the rule. Valid values:
      • Training Mode: collects SQL statements, but does not block SQL statements or generate alerts.
      • Detection Mode: records SQL statements that are not in the whitelist rule when they are detected, but does not block them.
      • Protection Mode: records and blocks SQL statements that are not in the whitelist rule when they are detected.

    Database Account Name | No | The database accounts to which the rule applies. Valid values:
      • All Accounts: The rule applies to all database accounts in the cluster. The field on the right side of the All Accounts option can be left empty.
      • Include: The rule applies only to the specified database accounts. You must enter at least one database account name in the field on the right side of the Include option. Separate multiple database account names with commas (,).
      • Exclude: The rule applies to all database accounts in the cluster except the specified database accounts. You must enter at least one database account name in the field on the right side of the Exclude option. Separate multiple database account names with commas (,).
      Note: The database account name must be in one of the following formats:
      • Username. Example: user.
      • Username@IP address. Example: user@10.0.0.0.

  7. Click OK.

  8. Perform steps based on the mode of the rule that you select.

    • If you set the Current Mode parameter to Training Mode, perform the following steps:

      1. Connect to the specified database endpoint by using one of the database accounts that the rule applies to (see the Database Account Name parameter).

      2. Use this account to execute the business-related SQL statements that you want to add to the whitelist rule. PolarProxy parameterizes each statement and saves the parameterized form to the whitelist rule of the database. Example:

        update t set k = 2 where id = 2;

        The parameterized SQL statement:

        update t set k = ? where id = ?

        Each question mark (?) stands for any literal value. The parameterized statement update t set k = ? where id = ? is saved to the whitelist rule, so later executions of the same statement with different values for k and id match it.

      Note

      You can also add the following hint before a business-related SQL statement to parameterize the statement and add the parameterized statement to the whitelist rule: hint(/* store_to_whitelist */).

    • If you set the Current Mode parameter to Detection Mode, perform the following steps:

      1. Connect to the specified database endpoint by using one of the database accounts that the rule applies to.

      2. Use this account to execute business-related SQL statements. PolarProxy checks each statement against the whitelist rule. Example:

        update t set k = 2 where k = 2

        This statement parameterizes to update t set k = ? where k = ?, which differs from the trained update t set k = ? where id = ?, so it is not in the whitelist rule. In detection mode PolarProxy allows the statement and records it. The following result is displayed:

        Query OK, 0 rows affected (0.03 sec)
        Rows matched: 1  Changed: 0  Warnings: 0

    • If you set the Current Mode parameter to Protection Mode, perform the following steps:

      1. Connect to the specified database endpoint by using one of the database accounts that the rule applies to.

      2. Use this account to execute business-related SQL statements. Example:

        select id from t where id = 1;

        In this example no matching select statement was trained, so the statement is not in the whitelist rule. In protection mode PolarProxy records and blocks it, and the following error is returned:

        ERROR 1141 (HY000): This SQL is rejected by SQL Firewall. Access denied for user 'xzh'@'x.x.x.x' to database 'xzh': This SQL is not in whitelist wl_test.

Note

  • Each time your business SQL changes (new or modified statements), you must train the new statements into the whitelist rule. Otherwise, they are recorded in detection mode and blocked in protection mode.

  • Everything that the training account executes while the rule is in training mode is whitelisted. Train with a dedicated account on the application's own workload, and review the saved statements before you switch the rule to protection mode.

  • You can also create multiple whitelist rules in the PolarDB console and use a separate account to train each rule. After you switch a rule to detection mode or protection mode, you can also specify the accounts to which that rule applies.
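The following Python model, added here as an illustration and not PolarProxy's own code, shows how a whitelist built from parameterized statements behaves in the three modes above. Its parameterize() function only approximates PolarProxy's normalization (string and numeric literals become "?", whitespace is collapsed, case is folded); the class and function names, the in-memory records list and the sample workload are constructed for the example. A practitioner can run an application's statements through coverage_gap() to see what protection mode would reject before switching a rule over.

```python
import re

# Added illustration: a simplified model of a SQL whitelist rule with the
# training / detection / protection modes. It is NOT PolarProxy's code and
# only approximates its normalization (literals become "?").

_SQ_LIT = r"'(?:[^'\\]|\\.)*'"                    # 'single-quoted' string
_DQ_LIT = r'"(?:[^"\\]|\\.)*"'                    # "double-quoted" string
_NUM_LIT = r"(?<![\w.])-?\d+(?:\.\d+)?(?![\w.])"  # 42, -3, 1.5 (not t1, v2)
_LITERAL_RE = re.compile("|".join((_SQ_LIT, _DQ_LIT, _NUM_LIT)))
_WS_RE = re.compile(r"\s+")


def parameterize(sql: str) -> str:
    """Return the whitelist form of a statement: literals replaced by '?',
    whitespace collapsed, trailing ';' dropped, case folded (approximation)."""
    sql = sql.strip().rstrip(";").strip()
    sql = _LITERAL_RE.sub("?", sql)
    sql = _WS_RE.sub(" ", sql)
    return sql.lower()


class SqlWhitelist:
    """One whitelist rule (hypothetical model) with the three modes."""

    MODES = ("training", "detection", "protection")

    def __init__(self, name: str, mode: str = "training") -> None:
        self.name = name
        self.mode = mode
        self.patterns = set()   # parameterized statements saved to the rule
        self.records = []       # constructed stand-in for the proxy's records

    def set_mode(self, mode: str) -> None:
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode

    def train(self, sql: str) -> str:
        """Add a statement to the rule (what executing it in training mode,
        or prefixing it with the store_to_whitelist hint, achieves)."""
        pattern = parameterize(sql)
        self.patterns.add(pattern)
        return pattern

    def check(self, sql: str) -> bool:
        """Return True if the statement may execute under the current mode."""
        pattern = parameterize(sql)
        if self.mode == "training":
            self.patterns.add(pattern)       # training collects, never blocks
            return True
        if pattern in self.patterns:
            return True
        self.records.append((self.mode, pattern))
        return self.mode == "detection"      # detection logs; protection blocks


def coverage_gap(rule: SqlWhitelist, statements) -> list:
    """Parameterized statements from an application workload that the rule
    does not contain, i.e. what protection mode would reject."""
    missing = []
    for sql in statements:
        pattern = parameterize(sql)
        if pattern not in rule.patterns and pattern not in missing:
            missing.append(pattern)
    return missing


if __name__ == "__main__":
    rule = SqlWhitelist("wl_test")
    rule.train("update t set k = 2 where id = 2;")     # trained as in the text

    rule.set_mode("detection")
    rule.check("update t set k = 7 where id = 9")       # True: same pattern
    rule.check("update t set k = 2 where k = 2")        # True, but recorded

    rule.set_mode("protection")
    rule.check("select id from t where id = 1;")        # False: blocked

    # Constructed application workload to audit before enabling protection.
    workload = ["update t set k = 3 where id = 4",
                "select id from t where id = 5"]
    print("patterns:", sorted(rule.patterns))
    print("records:", rule.records)
    print("not whitelisted:", coverage_gap(rule, workload))
```

The real proxy's normalization may differ in details (for example how it treats identifier case, comments, or IN lists), so treat a clean coverage_gap() result as a pre-check and confirm by running the rule in detection mode against live traffic before switching it to protection mode.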

Enable or disable a whitelist rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.

  5. On the SQL Firewall tab, find the rule and turn on or off Enable/Disable.

    Note

    You can select multiple rules in the rule table and then click Enable or Disable to batch enable or disable the rules.

  6. In the Enable or Disable message, click OK.

Modify a whitelist rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.

  5. On the SQL Firewall tab, find the rule that you want to manage and then click Modify in the Actions column. In the Modify a Rule dialog box, modify the parameters based on your business requirements. For more information about the parameters, see Create a whitelist rule.

    Note

    When you modify a rule, you cannot modify the rule name.

  6. Click OK.

Note

You cannot edit the parameterized SQL statements of a rule in the PolarDB console. To change a parameterized statement, remove it from the proxy_auditing.sql_list table of the database and then train the statement again.

Delete a whitelist rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.

  5. On the SQL Firewall tab, find the rule that you want to manage and then click Delete in the Actions column.

    Note

    You can select multiple rules in the rule list and then click Delete to batch delete the rules.

  6. In the Delete message, click OK.