Moved default values for query_masking rules for encrypt/decrypt to config.xml

2024-09-20 00:30:49 +00:00 · 2020-09-14 18:15:07 +03:00 · 2020-09-14 18:15:07 +03:00 · 30b1831752
commit 30b1831752
parent bb1d126ce5
3 changed files with 9 additions and 8 deletions
--- a/debian/clickhouse-server.install
+++ b/debian/clickhouse-server.install
@ -2,6 +2,5 @@ usr/bin/clickhouse-server
 usr/bin/clickhouse-copier
 usr/bin/clickhouse-report
 etc/clickhouse-server/config.xml
-etc/clickhouse-server/config.d/*.xml
 etc/clickhouse-server/users.xml
 etc/systemd/system/clickhouse-server.service
--- a/programs/server/CMakeLists.txt
+++ b/programs/server/CMakeLists.txt
@ -29,8 +29,6 @@ set (CLICKHOUSE_SERVER_LINK
 clickhouse_program_add(server)

 install(FILES config.xml users.xml DESTINATION ${CLICKHOUSE_ETC_DIR}/clickhouse-server COMPONENT clickhouse)
-install(FILES config.xml users.xml DESTINATION ${CLICKHOUSE_ETC_DIR}/clickhouse-server COMPONENT clickhouse)
-install(FILES config.d/query_masking_rules.xml DESTINATION ${CLICKHOUSE_ETC_DIR}/clickhouse-server/config.d COMPONENT clickhouse)

 # TODO We actually need this on Mac, FreeBSD.
 if (OS_LINUX)
--- a/programs/server/config.xml
+++ b/programs/server/config.xml
@ -670,18 +670,22 @@
      -->
    <format_schema_path>/var/lib/clickhouse/format_schemas/</format_schema_path>

-    <!-- Uncomment to use query masking rules.
+    <!-- Default query masking rules, matching lines would be replaced with something else in the logs
+        (both text logs and system.query_log).
        name - name for the rule (optional)
        regexp - RE2 compatible regular expression (mandatory)
        replace - substitution string for sensitive data (optional, by default - six asterisks)
+    -->
    <query_masking_rules>
        <rule>
-            <name>hide SSN</name>
-            <regexp>\b\d{3}-\d{2}-\d{4}\b</regexp>
-            <replace>000-00-0000</replace>
+            <name>hide encrypt/decrypt arguments</name>
+            <regexp>((?:aes_)?(?:encrypt|decrypt)(?:_mysql)?)\s*\(\s*(?:'(?:\\'|.)+'|.*?)\s*\)</regexp>
+            <!-- or more secure, but also more invasive:
+                (aes_\w+)\s*\(.*\)
+            -->
+            <replace>\1(???)</replace>
        </rule>
    </query_masking_rules>
-    -->

    <!-- Uncomment to use custom http handlers.
        rules are checked from top to bottom, first match runs the handler