DgSecure OnDemand – Installation and Configuration| Copyright © 2020
DgSecure OnDemand-Agent Installation and Configuration

Table of Contents
1. Installation of DgSecure Agents
   1.1 Pre-requisites
   1.2 Download Installer
   1.3 Installation Steps
   1.4 Add Agent to DgSecure
2. Masking Grants
   2.1 Redshift
   2.2 Snowflake
   2.3 SQL Server
   2.4 Azure
   2.5 RDS
      2.5.1 MySQL
      2.5.2 PostgreSQL
      2.5.3 AWS
      2.5.4 Oracle
      2.5.5 Aurora DB
      2.5.6 Maria DB
1. Installation of DgSecure Agents

DgSecure OnDemand supports masking and detection on RDBMS databases, and on file systems on S3. For detection of sensitive data on databases, a Detection agent must be installed and directed to the target source system. Similarly, for masking, a Masker agent must be installed. Detection on S3 file systems can be performed using OnDemand; for this, two agents, the S3LFA agent and the Cloud agent, have to be installed and configured for the target source system. The Cloud agent browses files hosted in the cloud and the S3LFA agent performs sensitive data detection on the browsed files. This document outlines how to install and configure these agents.

1.1 Pre-requisites

1. Provision an EC2 instance with the following specifications:
   - Operating System: CentOS/RHEL 6.4 or 6.7 recommended; other Linux flavors are also supported
   - Minimum RAM: 8 GB
   - Minimum Hard Disk: 20 GB
2. The instance must be able to connect to the RDS or Redshift data repository that is to be scanned.
3. Java 1.7 or later is required on the EC2 instance provisioned above.
1.2 Download Installer

1. Click on the Help tab in the top panel.
2. Click on the link to the agent you want to install.
A zip file containing the agent installer will be downloaded.
1.3 Installation Steps

On the provisioned EC2 machine, perform the following steps to install the agent:

1. Download the installer.
2. Unzip the file using the following command:
   For Detection agent:
   unzip DgSecureDiscoverIDP-<version>-linux-x64-installer.zip
   For Masking agent:
   unzip DgSecureMaskerIDP-<version>-linux-x64-installer.zip
   For S3LFA and Cloud agent:
   unzip DgSecureS3LFAIDP-<version>-linux-x64-installer.zip
3. To provide the required permissions, execute the following commands:
   For Detection agent:
   chmod +x <download-directory>/DgSecureDiscoverIDP-<version>-linux-x64-installer.run
   sudo <download-directory>/DgSecureDiscoverIDP-<version>-linux-x64-installer.run
   For Masking agent:
   chmod +x <download-directory>/DgSecureMaskerIDP-<version>-linux-x64-installer.run
   sudo <download-directory>/DgSecureMaskerIDP-<version>-linux-x64-installer.run
   For S3LFA agent:
   chmod +x <directory>/DgSecureFilesIDP-<version>-linux-x64-installer.run
   For Cloud agent:
   chmod +x <directory>/DgSecureCloudIDP-<version>-linux-x64-installer.run
4. To install the required DgSecure agent, execute the following command:
   For Detection agent:
   <directory>/DgSecureDiscoverIDP-<version>-linux-x64-installer.run
   For Masking agent:
   <directory>/DgSecureMaskerIDP-<version>-linux-x64-installer.run
   For S3LFA agent:
   <directory>/DgSecureFilesIDP-<version>-linux-x64-installer.run
   For Cloud agent:
   <directory>/DgSecureCloudIDP-<version>-linux-x64-installer.run
5. Read the End User License Agreement (EULA).
6. To accept the license, enter "y".
7. Enter the path of the required installation directory. By default the installation will be done in the following directory:
   /opt/Dataguise
8. Skip to step 13 if you are installing a Detection or Masker agent. Select the Default option to deploy Files IDP: this is the file system that you want to scan.
9. Select S3 File System: a Files IDP compatible with the S3 File System will be deployed for use by DgSecure.
10. Select the Default value for FileSystem: The provisioned CDH5/EMR/HW cluster / Files IDP.
11. Select the Default value for Meta Name for S3 IDP: 'dgsecure-test' (case sensitive, all lower case).
12. Select the Default value for AWS Compute Region for S3 IDP: 'us-east-1' (case sensitive, all lower case).
13. By default a random controller ID is generated. Replace this with 'dataguise' (case sensitive, all lower case).

1.4 Add Agent to DgSecure

Configure connectivity between the DgSecure server and the Agent instance. The following options are available:
- Install an AWS Classic Load Balancer (CLB) instance fronting the Agent, and use that IP address/hostname in the configuration.
- Expose the Agent IP address/hostname as a public address.
Once the Agent IP address or hostname is available, perform the following steps to configure DgSecure OnDemand:
1. Click on the Agents tab.
2. Click Add New Agent.
3. Provide the Agent details and save.
4. Once the Agent configuration is saved, the following listing will appear. The highlighted row is the configuration for the newly added Agent.
5. After adding the Agent, a source for the target database has to be added. Click on the "Sources" tab.
6. Click Add New Source.
7. Provide the target database details. Test and save the source system information.
2. Masking Grants

DgSecure OnDemand creates a user to execute masking on the target database. The user requires certain permissions to successfully mask the data. To obtain these permissions, the user needs to execute different grant scripts for different databases. This document outlines these grant scripts, their prerequisites and the permissions granted. DgSecure OnDemand supports the following databases:
1. Redshift
2. Snowflake
3. SQL Server
4. Azure
5. RDS
   - MySQL
   - PostgreSQL
   - AWS
   - Oracle
   - Aurora DB
   - Maria DB
Masking grants for each database are discussed in the following sections.
2.1 Redshift

i. Prerequisites

Masking on a Redshift database relies on a set of functions. These functions are written in Python and are provided in a zip file, which must be uploaded to Redshift as a library. The script reads the library and performs the masking functions. Perform the following steps to upload the file containing the masking functions and to create a library:
1. Download the AllFunctions.zip file from the following location:
   https://dg-saas.s3.amazonaws.com/MaskerPrerequisiteFiles/Scripts/redshift/AllFunctions.zip
   Upload the AllFunctions.zip file to S3 storage, or to a separate folder in the S3 storage.
2. To check whether the library already exists, execute the following query on the Redshift connection using psql or a similar Redshift client:
   Select 1 from pg_library where name = 'lib_AllFunctions';
   If the query returns 1, a library of that name already exists. Execute the following command to drop the existing library:
   Drop library lib_AllFunctions;
3. Execute the following command to create a new library:
   CREATE LIBRARY lib_AllFunctions LANGUAGE plpythonu FROM 'https://<LOCATION OF THE ZIP FILE>/AllFunctions.zip'
   CREDENTIALS 'aws_access_key_id=<User Name>;aws_secret_access_key=<Password>';
   NOTE: For more details on how to create a Redshift library, please visit:
   https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_LIBRARY.html

ii. Variables

Set the following variables before executing the script:
- sch1: Comma-separated values of all the schemas to be masked.
- user_name: Redshift user name to be used for masking.
- user_db_name: Name of the database that has to be masked.
- chooseapassword: Create a password.
iii. Script

----------------------------------------------------------------------------
CREATE USER user_name createuser PASSWORD 'chooseapassword'; -- Execute if no user exists
-- Login with the user created above, and execute the following commands:
ALTER USER user_name createuser; -- the user created above is altered and granted the required permissions
GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES ON ALL TABLES IN SCHEMA information_schema, pg_catalog, sch1, dg, public TO user_name; -- to mask tables
GRANT CREATE, TEMPORARY, TEMP ON DATABASE <user_db_name>, dev TO user_name; -- grants the user the privilege to create temporary tables in the specified database. To run Amazon Redshift Spectrum queries, the database user must have permission to create temporary tables in the database.
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA information_schema, pg_catalog TO user_name; -- grants the user the privilege to execute the masking operation
GRANT USAGE ON LANGUAGE plpythonu TO user_name; -- grants the user the privilege to use the Python library containing the masking functions
----------------------------------------------------------------------------

2.2 Snowflake

i. Variables

Set the following variables before executing the script:
- user_name: Masker user to be created.
- role_name: Role to be created and assigned to the masker user.
- password: Password associated with the masker user.
- warehouse_name: Name of the warehouse used for masking.
- dg_database_name: Database used while making the connection, under which dg objects will be created.
- database_name: Database on which masking is to be performed.
- dg_schema_name: Schema used for creating dg objects.
- schema_name: Schema on which masking is to be performed.

ii. Script

----------------------------------------------------------------------------
-- Connect to user_db_name, the database which has to be masked, before running the statements below.
-- A user with the SECURITYADMIN role, or another role with the MANAGE GRANTS privilege on the account, can grant privileges on objects.
create role <role_name>;
create user <user_name> password='<password>' default_role=<role_name>;
-- The grants below give the user the minimum privileges needed to execute a masking task.
grant role <role_name> to user <user_name>;
grant operate, usage on warehouse <warehouse_name> to role <role_name>;
grant usage, CREATE SCHEMA on database <dg_database_name> to role <role_name>; -- CREATE SCHEMA is needed for the dg schema that the user creates
-- Create the <dg_schema_name> with the masker user before proceeding further. This is the schema which you use while creating a masker task from set config params.
grant usage, CREATE TABLE, CREATE FUNCTION on schema <dg_database_name>.<dg_schema_name> to role <role_name>; -- creation of dg tables and masking functions
grant usage on database <database_name> to role <role_name>; -- access to the database on which masking needs to be performed
grant usage on schema <database_name>.<schema_name> to role <role_name>; -- access to the schema for masking
grant select, update on all tables in schema <database_name>.<schema_name> to role <role_name>; -- to mask the tables
----------------------------------------------------------------------------

2.3 SQL Server

i. Variables

Set the following variables before executing the script:
- @DB_NAMES_TO_MASK = 'Target_Database': Specify all the databases on which masking has to be performed, comma separated. Masking will only be performed on these databases. For instance, if you want to perform masking on the databases SQL_CUSTS and SQL_FIN, set @DB_NAMES_TO_MASK = 'SQL_CUSTS, SQL_FIN'.
- @DG_USER_TYPE = 'S': To authenticate using a SQL Server login, set this property to 'S'. To authenticate using Windows or Windows Impersonation, set this property to 'W'.
- @DG_USER = 'User_Name': Enter the name of the user with which you will log in to run the masking tasks on DgSecure. If no such user exists, enter a user name, for instance @DG_USER = 'Masker'; a new user 'Masker' will automatically be created.
- @DG_DB = 'DG': This is the database to which DgSecure's masker will connect ('Target_Name'). All the tables required for masking will automatically be created by this script. Setting @DG_DB = 'DG' means that you should connect to the DG database in the DgSecure Connection Manager.
- @DG_Collation = 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI': This sets the collation of the database to which DgSecure will connect. The collation must be the same as the target database collation. By default, the collation is set to 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI'. You can change this to the language that your database uses; for instance, set @DG_Collation = 'Modern_Spanish_100_CI_AS' for Spanish.
- @DBFilePath = null: Keep it null if you want to use the default path for data files, or provide the path where you want to create the data files, for instance 'd:\Database Files'.
- @DG_USER_PASS = null: If the password is set to null, the password will be the same as the username for the newly created user.

ii. Script
----------------------------------------------------------------------------
if UPPER(@DG_USER_TYPE) = 'W'
Begin
    Print 'Creating DG User With WINDOWS_LOGIN'
    IF NOT EXISTS (select name from sys.server_principals where upper(name) = upper(@DG_USER))
    Begin
        BEGIN TRY
            Set @sql = 'CREATE LOGIN ['+@DG_USER+'] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]'
            EXECUTE (@sql)
            print ' Windows User '+@DG_USER+ ' created'
        END TRY
        BEGIN CATCH
            print ' Windows User '+@DG_USER+ ' could not be created';
            SELECT
                @ErrorMessage = ERROR_MESSAGE(),
                @ErrorSeverity = ERROR_SEVERITY(),
                @ErrorState = ERROR_STATE();
            RAISERROR (@ErrorMessage, -- Message text.
                       @ErrorSeverity, -- Severity.
                       @ErrorState -- State.
                      );
        END CATCH
    End
    else
    Begin
        print ' Windows User '+@DG_USER+ ' already exists'
    End
End
Else
Begin
    Print 'Creating DG User With SQL_LOGIN'
    IF NOT EXISTS (select name from sys.sql_logins where upper(name) = upper(@DG_USER))
    Begin
        BEGIN TRY
            Set @sql = 'CREATE LOGIN ['+@DG_USER+'] WITH PASSWORD=N''' + (case when @DG_USER_PASS is null then @DG_USER else @DG_USER_PASS end) + ''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'
            EXECUTE (@sql)
            print ' SQL User '+@DG_USER+ ' created'
        END TRY
        BEGIN CATCH
            print ' SQL User '+@DG_USER+ ' could not be created';
            SELECT
                @ErrorMessage = ERROR_MESSAGE(),
                @ErrorSeverity = ERROR_SEVERITY(),
                @ErrorState = ERROR_STATE();
            RAISERROR (@ErrorMessage, -- Message text.
                       @ErrorSeverity, -- Severity.
                       @ErrorState -- State.
                      );
        END CATCH
    End
    else
    Begin
        print ' SQL User '+@DG_USER+ ' already exists'
    End
End
----------------------------------------------------------------------------
2.4 Azure
i. Variables
Set the following variables before executing the script:
- @DB_NAMES_TO_MASK = 'Target_Database': Specify all the databases on which masking has to be performed, comma separated. Masking will only be performed on these databases. For instance, if you want to perform masking on the databases SQL_CUSTS and SQL_FIN, set @DB_NAMES_TO_MASK = 'SQL_CUSTS, SQL_FIN'.
- @DG_USER_TYPE = 'S': To authenticate using a SQL Server login, set this property to 'S'. To authenticate using Windows or Windows Impersonation, set this property to 'W'.
- @DG_USER = 'User_Name': Enter the name of the user with which you will log in to run the masking tasks on DgSecure. If no such user exists, enter a user name, for instance @DG_USER = 'Masker'; a new user 'Masker' will automatically be created.
- @DG_DB = 'DG': This is the database to which DgSecure's masker will connect ('Target_Name'). All the tables required for masking will automatically be created by this script. Setting @DG_DB = 'DG' means that you should connect to the DG database in the DgSecure Connection Manager.
- @DG_Collation = 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI': This sets the collation of the database to which DgSecure will connect. The collation must be the same as the target database collation. By default, the collation is set to 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI'. You can change this to the language that your database uses; for instance, set @DG_Collation = 'Modern_Spanish_100_CI_AS' for Spanish.
- @DBFilePath = null: Keep it null if you want to use the default path for data files, or provide the path where you want to create the data files, for instance 'd:\Database Files'.
- @DG_USER_PASS = null: If the password is set to null, the password will be the same as the username for the newly created user.
ii. Script
----------------------------------------------------------------------------
Print 'Creating DG User With SQL_LOGIN'
Begin
Set @sql = 'CREATE USER ['+@DG_USER+'] WITH PASSWORD=N''' +
(case when @DG_USER_PASS is null then @DG_USER else @DG_USER_PASS end) +
''''
EXECUTE (@sql)
Set @sql = 'ALTER ROLE db_owner ADD MEMBER ['+@DG_USER+']'
EXECUTE (@sql)
print ' SQL User '+@DG_USER+ ' created'
End
----------------------------------------------------------------------------
2.5 RDS

Following are the scripts for the different RDS databases supported by DgSecure.

2.5.1 MySQL

i. Variables

Set the following variables before executing the script:
- user_name: Masker user to be created.
- db_name: Name of the database where DG metadata will be saved.
- target_db_name: Database where masked data will be stored.

ii. Script

----------------------------------------------------------------------------
CREATE USER 'user_name'@'localhost' IDENTIFIED BY 'user_name';
-- For SSL, uncomment the statement below
-- GRANT USAGE ON *.* TO 'ssluser'@'localhost' identified by 'root' REQUIRE SSL;
-- 1. <db_name> - Name of the database where DG metadata will be saved
GRANT ALTER ON <db_name>.* TO 'user_name'@'localhost';
GRANT ALTER ROUTINE ON <db_name>.* TO 'user_name'@'localhost';
GRANT CREATE ROUTINE ON <db_name>.* TO 'user_name'@'localhost';
GRANT CREATE ON <db_name>.* TO 'user_name'@'localhost';
GRANT CREATE TEMPORARY TABLES ON <db_name>.* TO 'user_name'@'localhost';
GRANT DELETE ON <db_name>.* TO 'user_name'@'localhost';
GRANT DROP ON <db_name>.* TO 'user_name'@'localhost';
GRANT EXECUTE ON <db_name>.* TO 'user_name'@'localhost';
GRANT INDEX ON <db_name>.* TO 'user_name'@'localhost';
GRANT INSERT ON <db_name>.* TO 'user_name'@'localhost';
GRANT UPDATE ON <db_name>.* TO 'user_name'@'localhost';
GRANT LOCK TABLES ON <db_name>.* TO 'user_name'@'localhost';
GRANT SELECT ON <db_name>.* TO 'user_name'@'localhost';
GRANT SHOW VIEW ON <db_name>.* TO 'user_name'@'localhost';
GRANT SHOW DATABASES ON <db_name>.* TO 'user_name'@'localhost';
GRANT TRIGGER ON <db_name>.* TO 'user_name'@'localhost';
-- 2. <target_db_name> - Name of target database
GRANT CREATE ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT UPDATE ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT INSERT ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT SELECT ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT TRIGGER ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT INDEX ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT LOCK TABLES ON <target_db_name>.* TO 'user_name'@'localhost';
-- Uncomment if all databases need to be viewed on the "create masker task" screen;
-- masking on a DB will succeed only if the grants (as in #2 above) on that particular DB are given
-- GRANT SHOW DATABASES ON *.* TO 'user_name'@'localhost';
----------------------------------------------------------------------------

2.5.2 PostgreSQL

i. Prerequisites

Connect to the database on which masking has to be performed, using an existing user or an admin user, to execute the grant script.

ii. Variables

Set the following variables before executing the script:
- user_schema: Comma-separated values of all the schemas to be masked.
- test_user: Postgres user name to be used for masking.
- user_db_name: Name of the database to be masked.
NOTE: The information_schema and pg_catalog schemas are required for masking. Please don't exclude these from the schema list.

iii. Script

----------------------------------------------------------------------------
CREATE USER test_user WITH PASSWORD '12345678'; -- Execute if the user has not been created
GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, TRIGGER ON ALL TABLES IN SCHEMA information_schema, pg_catalog, user_schema TO test_user;
GRANT USAGE, SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA information_schema, pg_catalog, user_schema TO test_user;
GRANT CREATE, CONNECT, TEMPORARY, TEMP ON DATABASE user_db_name TO test_user;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA information_schema, pg_catalog, user_schema TO test_user;
GRANT CREATE, USAGE ON SCHEMA information_schema, pg_catalog, user_schema TO test_user;
----------------------------------------------------------------------------
GRANT postgres TO test_user;
CREATE EXTENSION pgcrypto;
----------------------------------------------------------------------------
2.5.3 AWS
i. Variables
Set the following variables before executing the script:
- @DB_NAMES_TO_MASK = 'Target_Database': Specify all the databases on which masking has to be performed, comma separated. Masking will only be performed on these databases. For instance, if you want to perform masking on the databases SQL_CUSTS and SQL_FIN, set @DB_NAMES_TO_MASK = 'SQL_CUSTS, SQL_FIN'.
- @DG_USER_TYPE = 'S': To authenticate using a SQL Server login, set this property to 'S'. To authenticate using Windows or Windows Impersonation, set this property to 'W'.
- @DG_USER = 'User_Name': Enter the name of the user with which you will log in to run the masking tasks on DgSecure. If no such user exists, enter a user name, for instance @DG_USER = 'Masker'; a new user 'Masker' will automatically be created.
- @DG_DB = 'DG': This is the database to which DgSecure's masker will connect ('Target_Name'). All the tables required for masking will automatically be created by this script. Setting @DG_DB = 'DG' means that you should connect to the DG database in the DgSecure Connection Manager.
- @DG_Collation = 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI': This sets the collation of the database to which DgSecure will connect. The collation must be the same as the target database collation. By default, the collation is set to 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI'. You can change this to the language that your database uses; for instance, set @DG_Collation = 'Modern_Spanish_100_CI_AS' for Spanish.
- @DBFilePath = null: Keep it null if you want to use the default path for data files, or provide the path where you want to create the data files, for instance 'd:\Database Files'.
- @DG_USER_PASS = null: If the password is set to null, the password will be the same as the username for the newly created user.
ii. Script

----------------------------------------------------------------------------
if UPPER(@DG_USER_TYPE) = 'W'
Begin
    Print 'Creating DG User With WINDOWS_LOGIN'
    IF NOT EXISTS (select name from sys.server_principals where upper(name) = upper(@DG_USER))
    Begin
        Set @sql = 'CREATE LOGIN ['+@DG_USER+'] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]'
        EXECUTE (@sql)
        print ' Windows User '+@DG_USER+ ' created'
    End
    else
    Begin
        print ' Windows User '+@DG_USER+ ' already exists'
    End
End
Else
Begin
    Print 'Creating DG User With SQL_LOGIN'
    IF NOT EXISTS (select name from sys.sql_logins where upper(name) = upper(@DG_USER))
    Begin
        Set @sql = 'CREATE LOGIN ['+@DG_USER+'] WITH PASSWORD=N''' + (case when @DG_USER_PASS is null then @DG_USER else @DG_USER_PASS end) + ''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'
        EXECUTE (@sql)
        print ' SQL User '+@DG_USER+ ' created'
    End
    else
    Begin
        print ' SQL User '+@DG_USER+ ' already exists'
    End
End
----------------------------------------------------------------------------
SQL for Azure: refer to the script in section 2.4 Azure.
2.5.4 Oracle

i. Prerequisites

There are two scripts to perform the masking configuration, i.e., the create_user script and the create_user_individual_grants script:
1. create_user: This script provides the complete privileges to mask all the tables. Before running this script, ensure that:
   - The user running the script is either a system user or has the appropriate permissions to provide grants.
   - The tablespaces match your setup. Defaults have been used for testing.
2. create_user_individual_grants: This script provides the permissions to mask the specified tables. Before running the script, ensure that:
   - A masking user exists. If the user does not exist, use the create_user script to create the user.

ii. Variables

Set the following variables before running the script:
- CREATE USER &&<USER_NAME>: Provide the username.
- IDENTIFIED BY &&<PASS_WORD>: Provide the password.
- DEFAULT TABLESPACE &&<DEFAULT_TABLESPACE>: You can change the tablespace settings to match your setup.
- TEMPORARY TABLESPACE &&<TEMPORARY_TABLESPACE>: You can change the tablespace settings to match your setup.
NOTE: To execute masking on Oracle, certain grants are required for all trigger, index and table objects (this is achieved using the "ANY" keyword in the create_user script).

iii. Script

The Oracle masking script includes the grants required for the Oracle user that will perform the masking task. You can change the password after running the script. There are two scripts to perform the masking configuration, i.e., the create_user script and the create_user_individual_grants script.

create_user: The create_user script grants permissions to all the tables.
----------------------------------------------------------------------------
-- This is a sample script of the set up needed for the Oracle user needed to run the DG_Masker code.
-- Create a basic user; if the user already exists, skip this step.
-- Change the tablespaces to match your setup; we used the defaults for testing.
-- Reset the password accordingly after running this.
-- &&DEFAULT_TABLESPACE -- USERS
-- &&TEMPORARY_TABLESPACE -- TEMP
CREATE USER &&USER_NAME
IDENTIFIED BY &&PASS_WORD
DEFAULT TABLESPACE &&DEFAULT_TABLESPACE
TEMPORARY TABLESPACE &&TEMPORARY_TABLESPACE
PROFILE DEFAULT
ACCOUNT UNLOCK;
----------------------------------------------------------------------------
GRANT EXECUTE ON DBMS_LOCK TO &&USER_NAME;
GRANT CREATE JOB TO &&USER_NAME; -- we need this to run the job schedule
GRANT CONNECT TO &&USER_NAME; -- basic access needed to function
GRANT RESOURCE TO &&USER_NAME; -- basic access needed to function
GRANT CREATE PROCEDURE TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE SEQUENCE TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE SESSION TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE SYNONYM TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE TABLE TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE TRIGGER TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE TYPE TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE VIEW TO &&USER_NAME; -- access to program for creating objects
GRANT SELECT ANY DICTIONARY TO &&USER_NAME; -- access to sys objects for table references
-- The below permission (ALTER SYSTEM) grants the user the privilege to kill a query/session and is not required for Cloud databases.
-- It can be omitted if the user does not want to kill the query through 'CANCEL' on the task screen.
GRANT ALTER SYSTEM TO &&USER_NAME;
--GRANT SELECT ANY TRANSACTION TO &&USER_NAME;
-- for hashing which we use for CUPS
GRANT EXECUTE ON DBMS_CRYPTO TO &&USER_NAME;
-- check grants
GRANT EXECUTE ON DBMS_METADATA TO &&USER_NAME;
GRANT SELECT_CATALOG_ROLE TO &&USER_NAME;
--GRANT EXECUTE_CATALOG_ROLE TO &&USER_NAME;
-- THERE IS NO WAY TO REMOVE ANY FROM THE FOLLOWING GRANTS
--GRANT LOCK ANY TABLE TO &&USER_NAME; -- needed to lock the tables under masking
GRANT ALTER ANY TRIGGER TO &&USER_NAME; -- needed if the user wishes to apply masking on columns having triggers
GRANT ALTER ANY INDEX TO &&USER_NAME; -- needed if the user wishes to apply masking on columns having indexes
-- Some indexes will block processing on primary keys even if disabled, so they have to be dropped and recreated.
GRANT DROP ANY INDEX TO &&USER_NAME;
GRANT CREATE ANY INDEX TO &&USER_NAME;
-- We need the below grants to create and insert data in the DG_WATERMARK table in every schema on which masking is applied.
GRANT INSERT ANY TABLE TO &&USER_NAME;
GRANT CREATE ANY TABLE TO &&USER_NAME;
GRANT SELECT ANY TABLE TO &&USER_NAME;
-- We need the following permissions if the user wants to execute a task using the multithreading option
GRANT CREATE JOB TO &&USER_NAME;
GRANT SCHEDULER_ADMIN TO &&USER_NAME;
GRANT MANAGE SCHEDULER TO &&USER_NAME;
GRANT ADM_PARALLEL_EXECUTE_TASK TO &&USER_NAME;
----------------------------------------------------------------------------
create_user_individual_grants: This script creates a procedure, GRANT_TABLE_RIGHTS. It can be used to grant update, create and alter rights on specific tables in the databases instead of on 'ANY' table.
After executing the script, execute the following command to call the procedure:
call GRANT_TABLE_RIGHTS('user_name', 'schema1, schema2, schema3');
----------------------------------------------------------------------------
CREATE OR REPLACE PROCEDURE GRANT_TABLE_RIGHTS (USER_NAME VARCHAR2, DB_TO_MASK1 VARCHAR2) AS
    cmd varchar2(2000);
    cmd2 varchar2(2000);
    -- the masking user, looked up so that the grants target an existing account
    Cursor c_users is select username from all_users where username in (UPPER(USER_NAME));
    -- every table owned by one of the schemas in the comma-separated list DB_TO_MASK1;
    -- trim() tolerates the spaces after the commas in the example call above
    cursor c1 is select table_name, owner from all_tables where OWNER in (
        select trim(regexp_substr(UPPER(DB_TO_MASK1), '[^,]+', 1, level))
        from dual
        connect by regexp_substr(UPPER(DB_TO_MASK1), '[^,]+', 1, level) is not null );
BEGIN
    for c in c1 loop
        for u in c_users loop
            cmd := 'GRANT SELECT, ALTER, UPDATE ON '|| c.owner ||'.'||c.table_name|| ' TO ' || u.username;
            execute immediate cmd;
        end loop;
    end loop;
END;
/
---------------------------------------------------------------------------
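The grant scripts in section 2 mix per-object grants with a few much broader ones (the `postgres` role in 2.5.2, `db_owner` in 2.4, the Oracle `ANY` privileges and `ALTER SYSTEM` in 2.5.4, `*.*` in 2.5.1). The following Python script is an added example, not part of the DgSecure documentation or product: it parses GRANT and ALTER ROLE ... ADD MEMBER statements of the shapes used above and reports, per grantee, which grants reach beyond the masked objects. The watchlists and the sample statements are constructed for this example.

```python
"""Least-privilege review of masking grant scripts (added example, not DgSecure code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Watchlists are an assumption of this example, drawn from the grants that
# appear in the scripts above: Oracle "ANY" privileges, superuser / owner
# roles, MySQL global ("*.*") scope and ALTER SYSTEM all exceed what
# per-table masking needs.
BROAD_ROLES = {"POSTGRES", "DB_OWNER", "DBA", "SYSADMIN", "ACCOUNTADMIN"}
BROAD_SYSTEM_PRIVS = {"ALTER SYSTEM", "SCHEDULER_ADMIN", "MANAGE SCHEDULER"}

# GRANT <privs> [ON <obj>] TO <grantee>;  (PostgreSQL, Redshift, Snowflake, MySQL, Oracle)
GRANT_RE = re.compile(
    r"^\s*GRANT\s+(?P<privs>.+?)(?:\s+ON\s+(?P<obj>.+?))?\s+TO\s+(?P<grantee>.+?)\s*;?\s*$",
    re.IGNORECASE,
)
# ALTER ROLE <role> ADD MEMBER <grantee>  (SQL Server / Azure)
ADD_MEMBER_RE = re.compile(
    r"^\s*ALTER\s+ROLE\s+(?P<role>\w+)\s+ADD\s+MEMBER\s+(?P<grantee>\S+?)\s*;?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Grant:
    grantee: str
    privilege: str
    obj: Optional[str]   # None for system privileges and role grants
    verdict: str         # "scoped", or the reason the grant is broad


def _normalize_grantee(raw: str) -> str:
    """Strip Snowflake's 'role'/'user' keyword and SQL Server's [brackets]."""
    name = re.sub(r"^(?:ROLE|USER)\s+", "", raw.strip(), flags=re.IGNORECASE)
    return name.strip("[]")


def _verdict(privilege: str, obj: Optional[str]) -> str:
    priv = " ".join(privilege.upper().split())
    if obj is None:
        if " ANY " in f" {priv} ":          # e.g. SELECT ANY TABLE
            return "ANY privilege"
        if priv in BROAD_ROLES:
            return "powerful role"
        if priv in BROAD_SYSTEM_PRIVS:
            return "system privilege"
    elif obj.strip() == "*.*":              # MySQL global scope
        return "global scope"
    return "scoped"


def parse_grants(script: str) -> list:
    """Return one Grant per privilege per statement; '--' comments are ignored."""
    grants = []
    for raw in script.splitlines():
        line = raw.split("--", 1)[0].strip()
        if not line:
            continue
        member = ADD_MEMBER_RE.match(line)
        if member:
            role = member.group("role")
            grants.append(Grant(_normalize_grantee(member.group("grantee")),
                                role, None, _verdict(role, None)))
            continue
        grant = GRANT_RE.match(line)
        if not grant:
            continue
        grantee = _normalize_grantee(grant.group("grantee"))
        obj = grant.group("obj")
        for priv in grant.group("privs").split(","):
            priv = priv.strip()
            grants.append(Grant(grantee, priv, obj, _verdict(priv, obj)))
    return grants


def review(script: str) -> dict:
    """Map each grantee to its broad grants; grantees with only scoped grants are omitted."""
    findings = {}
    for g in parse_grants(script):
        if g.verdict == "scoped":
            continue
        where = f" ON {g.obj}" if g.obj else ""
        findings.setdefault(g.grantee, []).append(f"{g.privilege}{where} ({g.verdict})")
    return findings


# Constructed sample: one statement of each shape found in the scripts above.
SAMPLE_SCRIPT = """
-- PostgreSQL (2.5.2)
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA user_schema TO test_user;
GRANT CREATE, CONNECT, TEMPORARY ON DATABASE user_db_name TO test_user;
GRANT postgres TO test_user;
-- MySQL (2.5.1)
GRANT SELECT ON <db_name>.* TO 'user_name'@'localhost';
GRANT SHOW DATABASES ON *.* TO 'user_name'@'localhost';
-- Oracle create_user (2.5.4)
GRANT EXECUTE ON DBMS_CRYPTO TO &&USER_NAME;
GRANT SELECT ANY TABLE TO &&USER_NAME;
GRANT ALTER SYSTEM TO &&USER_NAME;
-- Snowflake (2.2)
grant select,update on all tables in schema <database_name>.<schema_name> to role <role_name>;
-- Azure (2.4)
ALTER ROLE db_owner ADD MEMBER [Masker]
"""

if __name__ == "__main__":
    for grantee, broad in review(SAMPLE_SCRIPT).items():
        print(grantee)
        for item in broad:
            print("   ", item)
```

Run it against the actual script you intend to execute; every grantee it lists is one whose access should be justified before the script is run on the target.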
2.5.5 Aurora DB

Please refer to the masking scripts for MySQL (section 2.5.1).

2.5.6 Maria DB

Please refer to the masking scripts for MySQL (section 2.5.1).