Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ankane/hypershield
Shield sensitive data in Postgres and MySQL
https://github.com/ankane/hypershield
Last synced: 23 days ago
JSON representation
Shield sensitive data in Postgres and MySQL
- Host: GitHub
- URL: https://github.com/ankane/hypershield
- Owner: ankane
- License: mit
- Created: 2018-04-02T03:42:03.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2024-09-27T02:04:37.000Z (about 2 months ago)
- Last Synced: 2024-10-04T10:22:34.128Z (about 1 month ago)
- Language: Ruby
- Size: 43 KB
- Stars: 288
- Watchers: 5
- Forks: 13
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.txt
Awesome Lists containing this project
README
# Hypershield
:zap: Shield sensitive data in Postgres and MySQL
Great for business intelligence tools like [Blazer](https://github.com/ankane/blazer)
[](https://github.com/ankane/hypershield/actions)
## How It Works
Hypershield creates *shielded views* (in the `hypershield` schema by default) that hide sensitive tables and columns. The advantage of this approach over column-level privileges is you can use `SELECT *`.
By default, it hides columns with:
- `encrypted`
- `password`
- `token`
- `secret`
Give database users access to these views instead of the original tables.
## Installation
Add this line to your application’s Gemfile:
```ruby
gem "hypershield"
```
And run:
```sh
rails generate hypershield:install
```
Hypershield is disabled in non-production environments by default. You can do a dry run with:
```sh
rake hypershield:refresh:dry_run
```
Next, set up your production database.
- [Postgres](#postgres)
- [MySQL](#mysql)
When that’s done, deploy to production and run:
```sh
rails db:migrate
```
The schema will automatically refresh.
## Database Setup
### Postgres
Create a new schema in your database
```sql
CREATE SCHEMA hypershield;
```
Grant privileges
```sql
GRANT USAGE ON SCHEMA hypershield TO myuser;
-- replace migrations with the user who manages your schema
ALTER DEFAULT PRIVILEGES FOR ROLE migrations IN SCHEMA hypershield
GRANT SELECT ON TABLES TO myuser;
-- keep public in search path for functions
ALTER ROLE myuser SET search_path TO hypershield, public;
```
And connect as the user and make sure there’s no access the original tables
```sql
SELECT * FROM public.users LIMIT 1;
```
### MySQL
Create a new schema in your database
```sql
CREATE SCHEMA hypershield;
```
Grant privileges
```sql
GRANT SELECT, SHOW VIEW ON hypershield.* TO myuser;
FLUSH PRIVILEGES;
```
And connect as the user and make sure there’s no access the original tables
```sql
SELECT * FROM mydb.users LIMIT 1;
```
## Configuration
Set configuration in `config/initializers/hypershield.rb`.
Specify the schema to use and columns to show and hide
```ruby
Hypershield.schemas = {
hypershield: {
hide: ["encrypted", "password", "token", "secret"],
show: ["ahoy_visits.visitor_token", "ahoy_visits.visit_token"]
}
}
```
Log Hypershield SQL statements
```ruby
Hypershield.log_sql = true
```
Enable or disable Hypershield in an environment
```ruby
Hypershield.enabled = Rails.env.production?
```
## History
View the [changelog](CHANGELOG.md)
## Contributing
Everyone is encouraged to help improve this project. Here are a few ways you can help:
- [Report bugs](https://github.com/ankane/hypershield/issues)
- Fix bugs and [submit pull requests](https://github.com/ankane/hypershield/pulls)
- Write, clarify, or fix documentation
- Suggest or add new features
To get started with development:
```sh
git clone https://github.com/ankane/hypershield.git
cd hypershield
bundle install
# Postgres
createdb hypershield_test
bundle exec rake test
# MySQL
mysqladmin create hypershield_test
ADAPTER=mysql2 bundle exec rake test
```