Skip to content

Shield sensitive data in Postgres and MySQL

License

Notifications You must be signed in to change notification settings

dhnaranjo/hypershield

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Hypershield

⚡ Shield sensitive data in Postgres and MySQL

Great for business intelligence tools like Blazer

How It Works

Hypershield creates shielded views (in the hypershield schema by default) that hide sensitive tables and columns. The advantage of this approach over column-level privileges is you can use SELECT *.

By default, it hides columns with:

  • encrypted
  • password
  • token
  • secret

Give database users access to these views instead of the original tables.

Database Setup

Postgres

Create a new schema in your database

CREATE SCHEMA hypershield;

Grant privileges

GRANT USAGE ON SCHEMA hypershield TO myuser;

-- replace migrations with the user who manages your schema
ALTER DEFAULT PRIVILEGES FOR ROLE migrations IN SCHEMA hypershield
    GRANT SELECT ON TABLES TO myuser;

-- keep public in search path for functions
ALTER ROLE myuser SET search_path TO hypershield, public;

And connect as the user and make sure there’s no access the original tables

SELECT * FROM public.users LIMIT 1;

MySQL

Create a new schema in your database

CREATE SCHEMA hypershield;

Grant privileges

GRANT SELECT, SHOW VIEW ON hypershield.* TO myuser;
FLUSH PRIVILEGES;

And connect as the user and make sure there’s no access the original tables

SELECT * FROM mydb.users LIMIT 1;

Installation

Add this line to your application’s Gemfile:

gem 'hypershield', group: :production

Refresh the schema

rake hypershield:refresh

And query away on your shielded views

SELECT * FROM users LIMIT 1;

When you run database migrations, the schema is automatically refreshed.

Configuration

Specify the schema to use and columns to show and hide

Hypershield.schemas = {
  hypershield: {
    hide: %w(encrypted password token secret),
    show: %w(ahoy_visits.visit_token)
  }
}

TODO

  • Create CLI

History

View the changelog

Contributing

Everyone is encouraged to help improve this project. Here are a few ways you can help:

About

Shield sensitive data in Postgres and MySQL

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Ruby 100.0%