Sicurezza Redshift
Introduzione a Redshift
Jason Myers
Principal Engineer
Sicurezza Redshift
- Controllo accesso a livello di colonna
- Row-level security tramite policy
- Data masking tramite policy
Permessi a livello di colonna
- Nasconde completamente una colonna
- Puoi verificare con
SVV_COLUMN_PRIVILEGES
SELECT *
FROM SVV_COLUMN_PRIVILEGES
WHERE relation_name = 'products';
relation_name | column_name | privilege_type | identity_name | identity_type
==============|==============|================|===============|==============
products | product_name | SELECT | amelia | user
products | product_name | SELECT | analytics | role
Row-level security
- Policy che prefiltrano i dati
CREATE RLS POLICY policy_books
WITH (category VARCHAR(255))
USING (category = 'Dark Academia');
SELECT product_line, category, product_name
FROM products;
product_line | category | product_name
=============|===============|===================
Books | Dark Academia | A Deadly Education
Row-level security
- SVV_RLS_POLICY per visualizzare le policy
SELECT polname AS policy_name,
polatts AS column_details,
polqual AS condition
FROM SVV_RLS_POLICY;
policy_name | column_details | condition
============|================================================|===========================
policy_books | [{"colname":"category","type":"VARCHAR(255)"}] | category = 'Dark Academia'
Vista admin per Row-level security
- SVV_RLS_APPLIED_POLICY può essere usata dai superuser per vedere le query interessate
SELECT username,
command,
relschema,
relname,
polname,
FROM SVV_RLS_APPLIED_POLICY;
username | command | relschema | relname | polname
=========|=========|===========|==========|=============
aashvi | s | public | products | policy_books
Panoramica Dynamic Masking
- Policy che offusca i valori restituiti da una query
- Solo un superuser o chi ha i permessi può vederli
- Usi
- Numeri ID nazionali (es. Social Security Number)
- Carte di credito
SELECT name, social_security_number
FROM customers;
name | social_security_number
======== | =======================
John Doe | XXX-XX-1234
Jane Doe | XXX-XX-5678
Passons à la pratique !
Introduzione a Redshift
