DBZ-29 Changed MySQL connector to be able to hide, truncate, and mask specific columns #38
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… specific columns
Changed the MySQL connector to use comma-separated lists of regular expressions for the database
and table whitelist/blacklists. Literals are still accepted and will match fully-qualified table names,
although the '.' character used as a delimiter is also a special character in regular expressions and
therefore may need to be escaped with a double backslash ('\\') to more carefully match fully-qualified
table names.
Added several new configuration properties for the MySQL connector that instruct it to hide,
truncate, and/or mask certain columns. The properties' values are all lists of regular expressions
or literal fully-qualified column names. For example, the following configuration property:
column.blacklist=server.users.picture,server.users.other
will cause the connector to leave out of change event messages for the `server.users` table those
fields that correspond to the `picture` and `others` columns. This capability can be used to
This capability can be used to prevent dissemination of sensitive information in the change event
stream.
An alternative to blacklisting is masking. The following configuration property:
column.mask.with.10.chars=server\\.users\\.(\\w*email)
will cause the connector to mask in the change event messages for the `server.users` table
all values for columns whose name ends in `email`. The values will be replaced in this case with
a constant string of 10 asterisk ('*') characters, even when the email value is null.
This capability can also be used to prevent dissemination of sensitive information in the change event
stream.
Another option is to truncate string values for specific columns. The following configuration
property:
column.truncate.to.120.chars=server[.]users[.](description|biography)
will cause the connector to truncate to at most 120 characters the values of the `description` and
`biography` columns in the change event messages for the `server.users` table. Although this example
used a limit of 120 characters, any positive length can be specified; separate properties should
be used when different lengths are required. Note how the '.' delimiter in the fully-qualified names
is escaped since that same character is a special character in regular expressions. This capability
can be used to reduce the size of change event messages.
xinbinhuang
pushed a commit
to xinbinhuang/debezium
that referenced
this pull request
Feb 4, 2023
Follow up of https://git.corp.stripe.com/stripe-private-oss-forks/debezium/pull/37 -- make the data available in the parser r? shichao (Squashed by Merge Queue - Original PR: https://git.corp.stripe.com/stripe-private-oss-forks/debezium/pull/38)
This was referenced Feb 4, 2023
bdbene
pushed a commit
to bdbene/debezium
that referenced
this pull request
Jun 23, 2023
bdbene
pushed a commit
to bdbene/debezium
that referenced
this pull request
Jun 23, 2023
Closed
methodmissing
pushed a commit
to methodmissing/debezium
that referenced
this pull request
Apr 6, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes the MySQL connector to use regular expressions in the database and table blacklist/whitelists, and adds support for excluding, truncating, and masking certain columns.
Using regular expression patterns
Changed the MySQL connector to use comma-separated lists of regular expressions for the database and table whitelist/blacklists. Literals are still accepted and will match fully-qualified table names, although the
.character used as a delimiter is also a special character in regular expressions and therefore may need to be escaped (e.g., preceded by a double backslash (\\) or surrounded by square brackets) to more carefully match fully-qualified table names.Excluding columns
Added several new configuration properties for the MySQL connector that instruct it to hide, truncate, and/or mask certain columns. The properties' values are all lists of regular expressions or literal fully-qualified column names. For example, the following configuration property:
will cause the connector to leave out of change event messages for the
server.userstable those fields that correspond to thepictureandotherscolumns.Excluding columns in change events can help prevent dissemination of sensitive information.
Masking columns
An alternative to excluding/blacklisting columns is masking them. The following configuration property:
will cause the connector to mask in the change event messages for the
server.userstable all values for columns whose name ends inemail. The values will be replaced in this case with a constant string of 10 asterisk (*) characters, even when the email value is null. Although this example used a mask of 10 characters, any positive length can be specified; separate properties should be used when different mask lengths are required.Masking columns in change events can help prevent dissemination of sensitive information.
Truncating columns
It is also possible to truncate string values of specific columns to reduce the potential size of change events. The following configuration property:
is an example that shows how to configure the connector to truncate to at most 120 characters the values of the
descriptionandbiographycolumns in the change event messages for theserver.userstable. Although this example used a limit of 120 characters, any positive length can be specified; separate properties should be used when different lengths are required. Note how the.delimiter in the fully-qualified names is escaped since that same character is a special character in regular expressions; this escaping of the.characters may not be required in all cases, but it is recommended.