uptimejp / sql_firewall Goto Github PK

Hi,

When I compiled this module on MacOS, I got the following compiler warning.

sql_firewall.c:232:39: warning: unused variable 'track_options' [-Wunused-const-variable]
static const struct config_enum_entry track_options[] =
^
1 warning generated.

Regards,

Remove unused code and clean up to improve maintainability.

Hi,

When I ran the following steps, I got unexpected warning messages.
Is this a bug? Or am I missing something?

1. Set sql_firewall.firewall to learning
2. Run pgbench -i
3. Set sql_firewall.firewall to permissive
4. Run pgbench -i

The last call of pgbench -i caused the following warning messages.

WARNING: Prohibited SQL statement

BTW, I performend the above steps by executing the following
shell script.

bin/pg_ctl -D data stop -m f
rm -rf data

bin/initdb -D data --no-locale --encoding=UTF8
echo "shared_preload_libraries = 'sql_firewall'" >> data/postgresql.conf
echo "sql_firewall.firewall = 'disabled'" >> data/postgresql.conf

bin/pg_ctl -D data start -w
bin/psql <<EOF
CREATE EXTENSION sql_firewall;
ALTER SYSTEM SET sql_firewall.firewall = 'learning';
EOF

bin/pg_ctl -D data restart -w
bin/pgbench -i

bin/psql <<EOF
SELECT * FROM sql_firewall.sql_firewall_statements;
ALTER SYSTEM SET sql_firewall.firewall = 'permissive';
EOF

bin/pg_ctl -D data restart -w
bin/pgbench -i

Regards,

QueryId would be different between different PostgreSQL major versions, so the rule file produced by sql_firewall_export_rule() is not compatible between different PostgreSQL versions.

Hi!
Is there any plan for adding support for the newer releases of PostgreSQL database?

Best regards,
Jakub

Hello :)

Here is an ebuild for gentoo based systems uu/ubuilds@c94a485

But I'm not sure about the license you use.

Thanks!

QueryId depends on relation oid instead of relation name, because jumbling query use relation oid.

https://github.com/uptimejp/sql_firewall/blob/develop/sql_firewall.c#L2784

So, queryid would be different in different locations or different timing (c.f. after dump & restore)
even if the table name and query are exact the same ones.

Needs to be fixed to improve portability of the rule file.

It seems like having per-user permissions would be needed to make this usable in production

How (can) does one add rules to a system without putting it into learning mode and thus expose the database during changes?

A use case seems to be training during testing/staging and then moving that training data to the production system. Is this possible?

Add feature for ALTER ROLE ... SET ... to enable/disable the firewall feature for each PostgreSQL user/role.

sql_firewall_import_rule() does not report any error when a directory is passed.

Reported by Noriyoshi Shinoda

In first I want to thank you for this amazing tool !

This is a feature request issue, to protect our postgresql clusters against bad queries (like sorting billions of tuples when only some parts are needed) have you plan to add a blacklist feature ?