Skip to content

ankane/hypershield

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

67 Commits

.github/workflows

.github/workflows

 
 

gemfiles

gemfiles

 
 

lib

lib

 
 

test

test

 
 

.gitignore

.gitignore

 
 

CHANGELOG.md

CHANGELOG.md

 
 

Gemfile

Gemfile

 
 

LICENSE.txt

LICENSE.txt

 
 

README.md

README.md

 
 

Rakefile

Rakefile

 
 

hypershield.gemspec

hypershield.gemspec

 
 

Repository files navigation

Hypershield

⚡ Shield sensitive data in Postgres and MySQL

Great for business intelligence tools like Blazer

Build Status

How It Works

Hypershield creates shielded views (in the hypershield schema by default) that hide sensitive tables and columns. The advantage of this approach over column-level privileges is you can use SELECT *.

By default, it hides columns with:

  • encrypted
  • password
  • token
  • secret

Give database users access to these views instead of the original tables.

Installation

Add this line to your application’s Gemfile:

gem "hypershield"

And run:

rails generate hypershield:install

Hypershield is disabled in non-production environments by default. You can do a dry run with:

rake hypershield:refresh:dry_run

Next, set up your production database.

When that’s done, deploy to production and run:

rails db:migrate

The schema will automatically refresh.

Database Setup

Postgres

Create a new schema in your database

CREATE SCHEMA hypershield;

Grant privileges

GRANT USAGE ON SCHEMA hypershield TO myuser;

-- replace migrations with the user who manages your schema
ALTER DEFAULT PRIVILEGES FOR ROLE migrations IN SCHEMA hypershield
    GRANT SELECT ON TABLES TO myuser;

-- keep public in search path for functions
ALTER ROLE myuser SET search_path TO hypershield, public;

And connect as the user and make sure there’s no access the original tables

SELECT * FROM public.users LIMIT 1;

MySQL

Create a new schema in your database

CREATE SCHEMA hypershield;

Grant privileges

GRANT SELECT, SHOW VIEW ON hypershield.* TO myuser;
FLUSH PRIVILEGES;

And connect as the user and make sure there’s no access the original tables

SELECT * FROM mydb.users LIMIT 1;

Configuration

Set configuration in config/initializers/hypershield.rb.

Specify the schema to use and columns to show and hide

Hypershield.schemas = {
  hypershield: {
    hide: ["encrypted", "password", "token", "secret"],
    show: ["ahoy_visits.visitor_token", "ahoy_visits.visit_token"]
  }
}

Log Hypershield SQL statements

Hypershield.log_sql = true

Enable or disable Hypershield in an environment

Hypershield.enabled = Rails.env.production?

History

View the changelog

Contributing

Everyone is encouraged to help improve this project. Here are a few ways you can help:

To get started with development:

git clone https://github.com/ankane/hypershield.git
cd hypershield
bundle install

# Postgres
createdb hypershield_test
bundle exec rake test

# MySQL
mysqladmin create hypershield_test
ADAPTER=mysql2 bundle exec rake test

About

Shield sensitive data in Postgres and MySQL

Resources

Readme

License

MIT license
Activity

Stars

281 stars

Watchers

5 watching

Forks

12 forks
Report repository

Releases

7 tags

Packages

No packages published

Used by 123

  • @ziolmar
  • @chetantete
  • @0932167501
  • @Shy
  • @realstorypro
  • @rgrabowski
  • @shtakai
+ 115

Contributors 3

  •  
  •  
  •  

Languages