postgresql_anonymizer 方便的数据脱敏扩展
postgresql_anonymizer 是一个灵活且强大的数据脱敏扩展,以下是一个简单的使用示例
环境准备
基于 docker-compose 运行
- dockerfile
# Build stage: compile the anonymizer and pgddl extensions inside the pgspider
# base image, which carries a postgresql-11.6 source tree under /app.
FROM dalongrong/pgspider:base as build
WORKDIR /app
RUN apt-get update && apt-get install -y cmake automake autoconf libtool pkg-config libssl-dev
# Supply chain: both archives are fetched over HTTPS but are not pinned by a
# checksum or signature, so a tampered archive would be compiled into the image
# unnoticed. TODO(review): verify each download before extracting, e.g.
#   echo "<EXPECTED_SHA256>  postgresql_anonymizer-0.6.0.tar.gz" | sha256sum -c -
RUN wget https://gitlab.com/dalibo/postgresql_anonymizer/-/archive/0.6.0/postgresql_anonymizer-0.6.0.tar.gz && tar zxvf postgresql_anonymizer-0.6.0.tar.gz && mv postgresql_anonymizer-0.6.0 anonymizer && cp -rf anonymizer /app/postgresql-11.6/contrib/anonymizer
RUN wget https://github.com/lacanoid/pgddl/archive/0.16.tar.gz && tar zxvf 0.16.tar.gz && mv pgddl-0.16 pgddl && cp -rf pgddl /app/postgresql-11.6/contrib/pgddl
# pgddl is built before anonymizer; presumably anon declares it as a dependency
# (the CREATE EXTENSION ... CASCADE used later would then pull it in) — confirm.
# `make install` goes to the prefix that is copied into the runtime stage below.
RUN cd /app/postgresql-11.6/contrib/pgddl && make && make install
RUN cd /app/postgresql-11.6/contrib/anonymizer && make && make install
# Runtime stage. NOTE(review): debian stretch no longer receives security
# updates; rebase onto a supported release when possible.
FROM debian:stretch-slim
ENV GOSU_VERSION 1.11
RUN apt-get update && apt-get install -y wget libreadline-dev
# explicitly set user/group IDs
RUN set -eux; \
groupadd -r postgres --gid=999; \
# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
# also create the postgres user's home directory with appropriate permissions
# see https://github.com/docker-library/postgres/issues/274
mkdir -p /var/lib/postgresql; \
chown -R postgres:postgres /var/lib/postgresql
# gosu is used by the entrypoint to drop from root to the postgres user.
# The binary is downloaded without any signature or checksum check; only the
# final `gosu nobody true` smoke-tests that it runs. TODO(review): verify the
# release (signature or "<EXPECTED_SHA256>") before marking it executable.
RUN wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
&& chmod +x /usr/local/bin/gosu \
&& gosu nobody true
# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
RUN set -eux; \
if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
fi; \
apt-get update; apt-get install -y locales; rm -rf /var/lib/apt/lists/*; \
localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
ENV LANG en_US.utf8
# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
# https://github.com/docker-library/postgres/issues/359
# https://cwrap.org/nss_wrapper.html
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends libnss-wrapper; \
rm -rf /var/lib/apt/lists/*
# Directory for first-start init scripts; what runs them is the entrypoint
# copied below, which is not shown here.
RUN mkdir /docker-entrypoint-initdb.d
# Bring the compiled server + extensions over from the build stage.
COPY --from=build /usr/local/pgspider /usr/local/pgspider
# Make the default config listen on all interfaces inside the container; the
# trailing grep fails the build if the substitution did not take effect.
# Network exposure is decided by how the container's port is published.
RUN sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/pgspider/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/pgspider/share/postgresql/postgresql.conf.sample
# Socket/lock directory is world-writable with setgid so the server can still
# create its socket when the container runs as a uid other than 999.
RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
ENV PATH $PATH:/usr/local/pgspider/bin
ENV PGDATA /var/lib/postgresql/data
# 777 only matters for the empty directory: initdb is expected to reset the
# data directory to 0700 on first start, and the server refuses to run with a
# group/world-accessible data directory — confirm against the entrypoint.
RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
VOLUME /var/lib/postgresql/data
# docker-entrypoint.sh comes from the build context and is not part of this page.
COPY docker-entrypoint.sh /usr/local/bin/
RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
ENTRYPOINT ["docker-entrypoint.sh"]
EXPOSE 5432
CMD ["postgres"]
- docker-compose 文件
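# Compose file for the image built from the Dockerfile above.
# Indentation restored: `pg:` must be nested under `services:` and its keys
# under `pg:`, otherwise compose rejects the file.
version: "3"
services:
  pg:
    image: dalongrong/pgspider:anonymizer
    ports:
      # "5432:5432" publishes the server on every host interface. If only
      # local clients are needed, "127.0.0.1:5432:5432" keeps it off the network.
      - "5432:5432"
    environment:
      # Superuser password in cleartext in the compose file; fine for a throwaway
      # demo, otherwise move it to an env file or a secret and pick a strong value.
      - "POSTGRES_PASSWORD=dalong"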
- 启动
# Start the pg service in the background (long form of -d).
docker-compose up --detach
- 修改 database 的 session 启动配置
修改完成之后需要重启数据库
-- Preload the anon library for every new session on the postgres database
-- (TO and = are interchangeable in ALTER DATABASE ... SET). Requires a role
-- allowed to set this superuser-level parameter.
ALTER DATABASE postgres SET session_preload_libraries TO 'anon';
扩展使用
- 创建表以及数据
-- Demo table. The column really is spelled "fistname"; the INSERT below uses
-- the same spelling, so both must change together if it is ever corrected.
CREATE TABLE people (
  id        serial PRIMARY KEY,
  fistname  text,
  lastname  text,
  phone     text
);

-- One row of unmasked data; the rules defined further down apply to
-- lastname and phone. Plain string literals are equivalent to the E'' form
-- here because the values contain no backslash escapes.
INSERT INTO public.people (id, fistname, lastname, phone)
VALUES (1, 'dalong', 'rong', '111111');
- 创建扩展
-- Install the extension (CASCADE also installs whatever it declares as a
-- dependency) and enable dynamic masking for this database.
create extension if not exists anon cascade;
select anon.start_dynamic_masking();
- 创建 security label
-- Login role that is meant to see only masked values. The password literal
-- may end up in the server log (statement logging) and in the client history;
-- outside a demo, set it out of band (e.g. psql \password) instead.
CREATE ROLE dalongrong LOGIN PASSWORD 'dalong';
-- The MASKED label on the role is what makes the column rules apply to it.
SECURITY LABEL FOR anon ON ROLE dalongrong IS 'MASKED';
- 定义安全规则
-- Column masking rules. The label text is parsed by the extension, not by
-- PostgreSQL, so it must be kept exactly as written (including the $$...$$
-- dollar-quoted padding). lastname is replaced by a generated surname; for
-- phone, presumably the leading 2 and trailing 2 characters are kept and
-- '******' is inserted in between — confirm against anon.partial's signature.
SECURITY LABEL FOR anon ON COLUMN people.lastname IS 'MASKED WITH FUNCTION anon.fake_last_name()';
SECURITY LABEL FOR anon ON COLUMN people.phone IS 'MASKED WITH FUNCTION anon.partial(phone,2,$$******$$,2)';
- 使用动态脱敏
使用上面创建的角色 dalongrong 及其密码登录后执行:
-- Run as dalongrong: lastname and phone come back masked. A role without the
-- MASKED label (e.g. the owner) is expected to see the original row.
SELECT * FROM people;
效果
原始数据
说明
postgresql_anonymizer 目前还在开发中,是一个不错的扩展,期待 GA
参考资料
https://gitlab.com/dalibo/postgresql_anonymizer
https://github.com/rongfengliang/pgspider-docker