[ https://issues.apache.org/jira/browse/CASSANDRA-18316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17698557#comment-17698557 ]

Andres de la Peña commented on CASSANDRA-18316:
-----------------------------------------------

Here is the patch adding the feature flag, on top of the other DDM patches:
||Patch||CI||
|[trunk|https://github.com/apache/cassandra/compare/trunk...adelapena:18316-trunk]|[j8|https://app.circleci.com/pipelines/github/adelapena/cassandra/2707/workflows/87f8fae7-8d4b-4838-9280-a9b3ee67f026] [j11|https://app.circleci.com/pipelines/github/adelapena/cassandra/2707/workflows/78c1d6e0-aa96-4775-b6ff-771768940809]|

It forbids creating new masks if the yaml property 
{{dynamic_data_masking_enabled}} is disabled. If DDM is disabled but there are 
previously existing masks, those masks will be kept but they won't be applied.

Any existing masks can be dropped even if DDM is disabled, so users have a way 
to get rid of the masks if they have disabled them due to some problem. This is 
the same as we do with, for example, {{user_defined_functions_enabled}}.

I'm intentionally not exposing the feature flag through JMX, so a malicious 
user can’t disable it and expose the clear values.

[~Bereng] / [~blerer] would any of you have cycles to take a look? This should 
be the last bit on DDM.

> Add feature flag for dynamic data masking
> -----------------------------------------
>
>                 Key: CASSANDRA-18316
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18316
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Feature/Dynamic Data Masking
>            Reporter: Andres de la Peña
>            Assignee: Andres de la Peña
>            Priority: Normal
>             Fix For: 5.x
>
>
> Dynamic data masking ([CEP-20|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-20%3A+Dynamic+Data+Masking]) is a new feature, so it will need a feature flag in {{cassandra.yaml}}. Something like:
> {code}
> # If enabled, dynamic data masking allows to attach CQL masking functions to the columns of a table.
> # Users without the UNMASK permission will see an obscured version of the values of the columns with an attached mask.
> # If dynamic data masking is disabled it won't be allowed to create new column masks, although it will still be possible
> # to drop any previously existing masks. Also, any existing mask will be ignored at query time, so all users will see
> # the clear values of the masked columns.
> dynamic_data_masking_enabled: false
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
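
Added example, not part of the original comment or of the Cassandra code base: a small audit of the state the comment describes, where DDM is disabled but previously created masks still exist and are therefore no longer applied. The function names, the sample YAML and the column names are constructed for illustration, and treating an absent key as disabled is an assumption based on the proposed default.

```python
import re

FLAG = "dynamic_data_masking_enabled"

def read_flag(yaml_text):
    """Return the flag as a bool, or None if the key is not set at top level."""
    value = None
    for line in yaml_text.splitlines():
        # re.match anchors at column 0, so commented-out or indented
        # occurrences of the key are ignored.
        m = re.match(rf"{FLAG}\s*:\s*([^#]*)", line)
        if m:
            value = m.group(1).strip().strip("'\"").lower() == "true"
    return value

def audit_ddm(yaml_text, masked_columns):
    """Describe the effective masking state for one node.

    masked_columns: names of columns with an attached mask, as collected by
    the operator from the schema (constructed input in this example).
    """
    flag = read_flag(yaml_text)
    # Assumption: an absent key behaves like the proposed default, false.
    enabled = bool(flag)
    findings = []
    if flag is None:
        findings.append(f"{FLAG} not set; assuming disabled")
    if enabled:
        findings.append("masks applied to users without UNMASK")
    elif masked_columns:
        cols = ", ".join(sorted(masked_columns))
        findings.append(f"EXPOSED: masks ignored, clear values readable for: {cols}")
        findings.append("creating new masks is rejected; dropping masks is still allowed")
    else:
        findings.append("DDM disabled and no masks defined")
    return enabled, findings

# Constructed sample input, not taken from a real cluster.
SAMPLE_YAML = """\
# dynamic_data_masking_enabled: true
cluster_name: 'Test Cluster'
dynamic_data_masking_enabled: false   # turned off during an incident
"""
SAMPLE_MASKS = ["ks.patients.ssn", "ks.patients.email"]

if __name__ == "__main__":
    for finding in audit_ddm(SAMPLE_YAML, SAMPLE_MASKS)[1]:
        print(finding)
```
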
