Skip to content

Dynamic Masking Support for anon v2 #11733

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 58 commits into
base: main
Choose a base branch
from
Open

Dynamic Masking Support for anon v2 #11733

wants to merge 58 commits into from

Conversation

thesuhas
Copy link
Contributor

@thesuhas thesuhas commented Apr 25, 2025
edited
Loading

Problem

This PR works on adding dynamic masking support for anon v2. It currently only supports static masking.

Summary of changes

Added a security definer function that sets the dynamic masking guc to true with superuser permissions.
Added a security definer function that adds anon to session_preload_libraries if it's not already present.

Related to: https://github.com/neondatabase/cloud/issues/20456

@thesuhas
fix: removed pg_anon setup from compute dockerfile
00bbc5e
@thesuhas
added anon v2 installation to docker file
d626aac
@thesuhas
split anon installation into two stages, one for downloading source f…
e54d42f 
…iles, one for installation
@thesuhas
fixed incorrect stage name
b26d7a1
@thesuhas
added missing workdir
e69aae3
@thesuhas
syntax issues
1696f6f
@thesuhas
more syntax issues
17001ed
@thesuhas
removed directory exist check for anon
c3ae4f3
@thesuhas
added patch to give execute permission on pg_config to neon_superuser
06af705
@thesuhas
added patch to fix COPY error
63e0639
@thesuhas
Merge branch 'main' into thesuhas/add_anon_v2_docker
d6b466e
@thesuhas
removed argument name change, changed location of variable declarations
ab14a42
@thesuhas
reverted change in function signature of anon.init
83f1bd8
@thesuhas
added missing fake email data
da86a99
@thesuhas
changed copy statement to \copy
7d5fe85
@thesuhas
trying to give read access to all users
4b4c602
@thesuhas
converted copy statements to inserts
2580f5b
@thesuhas
updated function name in patch
47b9450
@thesuhas
fixed to not use array_map in insert
2201946
@thesuhas
added raise notice for if table exists
de2fd04
@thesuhas
added func to set dyn masking in patch
cf16a7b
@thesuhas
added check for creation/insertion for identifiers and identifiers_ca…
db7e15c 
…tegory
@thesuhas
wrong function name fixed
3ce32ef
@thesuhas
removed create statements as tables are created in fake_data_tables.s…
ecb6701 
…ql. Added column names from that
@thesuhas
fixed issue with dest_table being converted to oid in comparison
71fe853
@thesuhas
patched dynamic masking guc, granted all permissions on all tables in…
39f0b30 
… anon
@thesuhas
removed function that attempts to set dynamic_masking guc
fbd62eb
@thesuhas
added postgres log statements for backtrace
a18f2b0
@thesuhas
Merge branch 'main' into thesuhas/add_anon_v2_docker
dca8687
@thesuhas
added backtrace to aclcheck
e7b66cf
@thesuhas thesuhas requested a review from a team as a code owner April 25, 2025 15:20
@thesuhas thesuhas requested review from iddm and lubennikovaav and removed request for a team April 25, 2025 15:20
@thesuhas thesuhas marked this pull request as draft April 25, 2025 15:20
@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 25, 2025
edited
Loading

8349 tests run: 7844 passed, 0 failed, 505 skipped (full report)

Flaky tests (3)

Postgres 16

Postgres 15

Postgres 14

Code coverage* (full report)

  • functions: 32.7% (8970 of 27405 functions)
  • lines: 48.9% (78277 of 160115 lines)

* collected from Rust tests only

The comment gets automatically updated with the latest test results
2620485 at 2025-05-01T22:53:11.504Z :recycle:

MMeent
MMeent reviewed Apr 29, 2025
View reviewed changes
Copy link
Contributor

@MMeent MMeent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned before, there are IMO too many places where anon is added by default. I'd rather not add these moving parts by default; AFAIK it is going to be an opt-in feature, and not forced on all users.

@thesuhas thesuhas marked this pull request as ready for review April 29, 2025 18:30
Base automatically changed from thesuhas/add_anon_v2_docker to main May 1, 2025 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ololobus ololobus ololobus left review comments

@MMeent MMeent MMeent left review comments

@iddm iddm Awaiting requested review from iddm iddm is a code owner automatically assigned from neondatabase/compute

@lubennikovaav lubennikovaav Awaiting requested review from lubennikovaav lubennikovaav is a code owner automatically assigned from neondatabase/compute

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@thesuhas @ololobus @MMeent