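  • postgresql_anonymizer: a convenient data masking extension

    postgresql_anonymizer is a flexible and powerful data masking extension for PostgreSQL. Below is a simple usage example.

    Environment setup

    Run with docker-compose

    • Dockerfile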
    FROM dalongrong/pgspider:base as build
    WORKDIR /app
    RUN apt-get update && apt-get install -y cmake automake autoconf libtool pkg-config libssl-dev
    RUN wget https://gitlab.com/dalibo/postgresql_anonymizer/-/archive/0.6.0/postgresql_anonymizer-0.6.0.tar.gz && tar zxvf postgresql_anonymizer-0.6.0.tar.gz && mv postgresql_anonymizer-0.6.0 anonymizer && cp -rf anonymizer /app/postgresql-11.6/contrib/anonymizer
    RUN wget https://github.com/lacanoid/pgddl/archive/0.16.tar.gz && tar zxvf 0.16.tar.gz && mv pgddl-0.16 pgddl && cp -rf pgddl /app/postgresql-11.6/contrib/pgddl
    RUN cd /app/postgresql-11.6/contrib/pgddl && make && make install
    RUN cd /app/postgresql-11.6/contrib/anonymizer && make && make install
    FROM debian:stretch-slim
    ENV GOSU_VERSION 1.11
    RUN apt-get update && apt-get install -y wget libreadline-dev
    # explicitly set user/group IDs
    RUN set -eux; \
     groupadd -r postgres --gid=999; \
    # https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
     useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
    # also create the postgres user's home directory with appropriate permissions
    # see https://github.com/docker-library/postgres/issues/274
     mkdir -p /var/lib/postgresql; \
     chown -R postgres:postgres /var/lib/postgresql
    RUN wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
       && chmod +x /usr/local/bin/gosu \
       && gosu nobody true
    # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
    RUN set -eux; \
       if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
    # if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
       grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
       sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
       ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
       fi; \
       apt-get update; apt-get install -y locales; rm -rf /var/lib/apt/lists/*; \
       localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
    ENV LANG en_US.utf8
    # install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
    # https://github.com/docker-library/postgres/issues/359
    # https://cwrap.org/nss_wrapper.html
    RUN set -eux; 
       apt-get update; 
       apt-get install -y --no-install-recommends libnss-wrapper; 
       rm -rf /var/lib/apt/lists/*
    RUN mkdir /docker-entrypoint-initdb.d
    COPY --from=build /usr/local/pgspider /usr/local/pgspider
    RUN sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/pgspider/share/postgresql/postgresql.conf.sample; \
       grep -F "listen_addresses = '*'" /usr/local/pgspider/share/postgresql/postgresql.conf.sample
    RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
    ENV PATH $PATH:/usr/local/pgspider/bin
    ENV PGDATA /var/lib/postgresql/data
    RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
    VOLUME /var/lib/postgresql/data
    COPY docker-entrypoint.sh /usr/local/bin/
    RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
    ENTRYPOINT ["docker-entrypoint.sh"]
    EXPOSE 5432
    CMD ["postgres"]
    • docker-compose file
    version: "3"
    services: 
      pg:
        image: dalongrong/pgspider:anonymizer
        ports: 
        - "5432:5432"
        environment: 
        - "POSTGRES_PASSWORD=dalong"
    • Start
    docker-compose up -d
    • Change the database session startup configuration
      The database must be restarted after making this change
     
    ALTER DATABASE postgres SET session_preload_libraries = 'anon';

    Using the extension

    • Create the table and data
    CREATE TABLE people (
        id SERIAL PRIMARY KEY,
        fistname text,
        lastname text,
        phone text
    );
    INSERT INTO "public"."people"("id","fistname","lastname","phone")
    VALUES
    (1,E'dalong',E'rong',E'111111');
    • Create the extension
    CREATE EXTENSION IF NOT EXISTS anon CASCADE;
    SELECT anon.start_dynamic_masking();
    • Create the security label
    CREATE ROLE dalongrong PASSWORD 'dalong' LOGIN;
    SECURITY LABEL FOR anon ON role dalongrong IS 'MASKED';
    • Define the masking rules
    SECURITY LABEL FOR anon ON COLUMN people.lastname 
    IS 'MASKED WITH FUNCTION anon.fake_last_name()';
    SECURITY LABEL FOR anon ON COLUMN people.phone 
    IS 'MASKED WITH FUNCTION anon.partial(phone,2,$$******$$,2)';
    • Use dynamic masking

      Log in with the created role dalongrong and its password

    select * from people;

    Result

    Original data
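
    A way to audit the rules declared above, added here as an example and not taken from the original post or from the postgresql_anonymizer project. It reads only the standard PostgreSQL catalogs (pg_seclabels, pg_seclabel, pg_attribute) and assumes the people table and the dalongrong role created in the previous steps; run it as the table owner or a superuser.

```sql
-- 1. Every label registered under the 'anon' provider:
--    masked roles (objtype = 'role') and column rules (objtype = 'column').
SELECT objtype, objname, label
FROM pg_seclabels
WHERE provider = 'anon'
ORDER BY objtype, objname;

-- 2. Columns of public.people that carry no masking rule.
--    A column listed here is returned unchanged to masked roles,
--    so each one should be reviewed for sensitive content.
SELECT a.attname                           AS unmasked_column,
       format_type(a.atttypid, a.atttypmod) AS data_type
FROM pg_attribute a
LEFT JOIN pg_seclabel l
       ON l.objoid   = a.attrelid
      AND l.classoid = 'pg_class'::regclass   -- label attached to a relation
      AND l.objsubid = a.attnum               -- ... at this column number
      AND l.provider = 'anon'
WHERE a.attrelid = 'public.people'::regclass
  AND a.attnum > 0                            -- skip system columns
  AND NOT a.attisdropped
  AND l.label IS NULL
ORDER BY a.attnum;

-- 3. Login roles that are NOT labelled MASKED and therefore
--    read the original data through dynamic masking.
SELECT r.rolname
FROM pg_roles r
LEFT JOIN pg_seclabels s
       ON s.objtype  = 'role'
      AND s.objoid   = r.oid
      AND s.provider = 'anon'
WHERE r.rolcanlogin
  AND s.label IS NULL
ORDER BY r.rolname;
```

    Query 2 is the one to rerun whenever a column is added to the table, since new columns have no masking rule until a SECURITY LABEL is declared for them.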

    Notes

    postgresql_anonymizer is still under development. It is a nice extension, and I look forward to the GA release.

    References

    https://gitlab.com/dalibo/postgresql_anonymizer
    https://github.com/rongfengliang/pgspider-docker

  • Original article: https://www.cnblogs.com/rongfengliang/p/12460261.html