Query rewrite
Query rewrite functionality provides fine-grained access control for databases by intercepting database queries and rewriting them based on criteria defined in security policies.
The modification of queries happens transparently and on-the-fly, such that a user issuing queries seamlessly receives results based on rewritten SQL statements.
Query rewrite functionality is implemented through a combination of query rewrite definitions indicating how queries should be changed or augmented and a run-time context indicating the specific circumstances where the query rewrite definitions should be applied.
Rewriting database queries on the fly allows administrators to implement several types of access control, as illustrated by the following examples.
| Access control | Original SQL | Rewritten SQL |
|---|---|---|
| Limiting access to rows by adding a WHERE clause | SELECT C from T | SELECT C from T WHERE [values] |
| Limiting access to columns by modifying the SELECT list | SELECT C1 from T | SELECT C2 from T |
| | SELECT C1,C2 from T | SELECT C2 from T |
| Restricting database activities by rewriting SQL statements to do nothing | SELECT EMAIL from T | SELECT++ EMAIL from T |
| Restricting what users can do by modifying query verbs (SELECT, INSERT, UPDATE, etc.) | DROP TABLE T | UPDATE T SET [values] |
| Restricting what users can do by modifying query objects (TABLE, VIEW, COLUMN, etc.) | SELECT C from T1 | SELECT C from T2 |
Query rewrite is useful in scenarios such as the following:
- Enforcing security in multi-tenancy scenarios where multiple users and applications share a single database, but where not all users and applications should have access to all data.
- Exposing a database to a production environment for testing purposes without exposing the entire database.
- Rapidly correcting critical security vulnerabilities while permanent solutions are developed at the database or application level.
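The row-limiting and object-replacement rewrites from the table, applied per database user as in the multi-tenancy scenario, can be sketched as follows. This is an added example, not Guardium code or policy syntax: the rule format, the user names, the `tenant` column and `T_TEST` are assumptions, and the row filter is added inside a derived table rather than appended to the statement.

```python
import re
import sqlite3

# Hypothetical rewrite definitions (format and names are assumptions): each one
# pairs a run-time context, here the database user, with the change to apply.
RULES = [
    {"user": "tenant_a", "table": "T", "row_filter": "tenant = 'a'"},  # limit rows
    {"user": "tester", "table": "T", "replace_table": "T_TEST"},       # swap object
]

def rewrite(sql, user):
    """Return the statement to run for `user`; unmatched statements pass through."""
    for rule in RULES:
        if rule["user"] != user:
            continue
        table = rule["table"]
        if "row_filter" in rule:
            # Add the WHERE inside a derived table so the restriction still
            # holds when the caller's own WHERE clause contains an OR.
            target = "FROM (SELECT * FROM %s WHERE %s) AS %s" % (
                table, rule["row_filter"], table)
        else:
            target = "FROM " + rule["replace_table"]
        # Only plain "FROM <table>" references are handled in this sketch.
        pattern = r"\bFROM\s+%s\b" % re.escape(table)
        sql = re.sub(pattern, lambda m: target, sql, flags=re.I)
    return sql

def sample_db():
    """Constructed sample data: a shared table T plus a test copy T_TEST."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE T (C TEXT, tenant TEXT);
        INSERT INTO T VALUES ('a-1', 'a'), ('a-2', 'a'), ('b-1', 'b');
        CREATE TABLE T_TEST (C TEXT);
        INSERT INTO T_TEST VALUES ('synthetic-1');
    """)
    return conn

def run_as(conn, user, sql):
    """Execute `sql` as the intercepting layer would for `user`."""
    return sorted(row[0] for row in conn.execute(rewrite(sql, user)))

if __name__ == "__main__":
    db = sample_db()
    for user in ("dba", "tenant_a", "tester"):
        print(user, run_as(db, user, "SELECT C from T WHERE C LIKE '%1' OR 1=1"))
```

The same statement text returns different rows for each user, and a user with no matching rule sees the query executed unchanged.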
Review the following sections to learn more about how query rewrite works and how to configure it for use within your Guardium® environment.