Moved default values for query_masking rules for encrypt/decrypt to config.xml

Vasily Nemkov 2020-09-14 18:15:07 +03:00
parent bb1d126ce5
commit 30b1831752
3 changed files with 9 additions and 8 deletions


@ -2,6 +2,5 @@ usr/bin/clickhouse-server
usr/bin/clickhouse-copier usr/bin/clickhouse-copier
usr/bin/clickhouse-report usr/bin/clickhouse-report
etc/clickhouse-server/config.xml etc/clickhouse-server/config.xml
etc/clickhouse-server/config.d/*.xml
etc/clickhouse-server/users.xml etc/clickhouse-server/users.xml
etc/systemd/system/clickhouse-server.service etc/systemd/system/clickhouse-server.service


@ -29,8 +29,6 @@ set (CLICKHOUSE_SERVER_LINK
clickhouse_program_add(server) clickhouse_program_add(server)
install(FILES config.xml users.xml DESTINATION ${CLICKHOUSE_ETC_DIR}/clickhouse-server COMPONENT clickhouse) install(FILES config.xml users.xml DESTINATION ${CLICKHOUSE_ETC_DIR}/clickhouse-server COMPONENT clickhouse)
install(FILES config.xml users.xml DESTINATION ${CLICKHOUSE_ETC_DIR}/clickhouse-server COMPONENT clickhouse)
install(FILES config.d/query_masking_rules.xml DESTINATION ${CLICKHOUSE_ETC_DIR}/clickhouse-server/config.d COMPONENT clickhouse)
# TODO We actually need this on Mac, FreeBSD. # TODO We actually need this on Mac, FreeBSD.
if (OS_LINUX) if (OS_LINUX)


@ -670,18 +670,22 @@
--> -->
<format_schema_path>/var/lib/clickhouse/format_schemas/</format_schema_path> <format_schema_path>/var/lib/clickhouse/format_schemas/</format_schema_path>
<!-- Uncomment to use query masking rules. <!-- Default query masking rules, matching lines would be replaced with something else in the logs
(both text logs and system.query_log).
name - name for the rule (optional) name - name for the rule (optional)
regexp - RE2 compatible regular expression (mandatory) regexp - RE2 compatible regular expression (mandatory)
replace - substitution string for sensitive data (optional, by default - six asterisks) replace - substitution string for sensitive data (optional, by default - six asterisks)
-->
<query_masking_rules> <query_masking_rules>
<rule> <rule>
<name>hide SSN</name> <name>hide encrypt/decrypt arguments</name>
<regexp>\b\d{3}-\d{2}-\d{4}\b</regexp> <regexp>((?:aes_)?(?:encrypt|decrypt)(?:_mysql)?)\s*\(\s*(?:'(?:\\'|.)+'|.*?)\s*\)</regexp>
<replace>000-00-0000</replace> <!-- or more secure, but also more invasive:
(aes_\w+)\s*\(.*\)
-->
<replace>\1(???)</replace>
</rule> </rule>
</query_masking_rules> </query_masking_rules>
-->
<!-- Uncomment to use custom http handlers. <!-- Uncomment to use custom http handlers.
rules are checked from top to bottom, first match runs the handler rules are checked from top to bottom, first match runs the handler
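Review bot: The default `regexp` in the new `hide encrypt/decrypt arguments` rule can still leave key material in the logs in two cases, and the comment above the rule should say so. When no quoted literal sits directly before a `)`, the lazy `.*?` branch stops at the first `)`, so a call such as `encrypt('aes-128-ecb', concat(a, b), 'key', iv)` is masked only up to the inner parenthesis and `, 'key', iv)` is still logged. In RE2 `.` does not match a newline by default, so a call whose arguments span several lines appears not to match at all unless the masker compiles the pattern with dot-matches-newline; prefixing the pattern with `(?s)` would cover that case. The commented-out alternative `(aes_\w+)\s*\(.*\)` handles nesting but matches only `aes_`-prefixed names, so it would stop masking plain `encrypt`/`decrypt`; a comment line such as `<!-- does not mask arguments after a nested ')' -->` next to the default would make the limit visible to operators.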