From 68baf582c8ea7bf4a907f889f99bbbde26303f96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Tue, 5 Sep 2017 15:24:54 +0300 Subject: [PATCH] Deprecate `deny` and `allow` in dbfwfilter rules The `deny` and `allow` tokens are replaced with `match` which better describes the action. Use of the old tokens causes a warning to be logged. --- .../Filters/Database-Firewall-Filter.md | 33 ++++++++----------- .../MaxScale-2.2.0-Release-Notes.md | 6 ++++ server/modules/filter/dbfwfilter/ruleparser.y | 6 ++-- server/modules/filter/dbfwfilter/token.l | 4 +-- 4 files changed, 25 insertions(+), 24 deletions(-) diff --git a/Documentation/Filters/Database-Firewall-Filter.md b/Documentation/Filters/Database-Firewall-Filter.md index 4620e31dd..3b43160f3 100644 --- a/Documentation/Filters/Database-Firewall-Filter.md +++ b/Documentation/Filters/Database-Firewall-Filter.md @@ -104,7 +104,7 @@ logged. The log messages are logged at the notice level. The rules are defined by using the following syntax: ``` -rule NAME deny RULE [at_times VALUE...] [on_queries {select|update|insert|delete|grant|revoke|drop|create|alter|use|load}] +rule NAME match RULE [at_times VALUE...] [on_queries {select|update|insert|delete|grant|revoke|drop|create|alter|use|load}] ``` Where _NAME_ is the identifier for this rule and _RULE_ is the mandatory rule definition. 
@@ -115,17 +115,12 @@ the beginning of the line. Trailing comments are not supported. The first step of defining a rule is to start with the keyword `rule` which identifies this line of text as a rule. The second token is identified as -the name of the rule. After that the mandatory action token `deny` is required +the name of the rule. After that the mandatory token `match` is required to mark the start of the actual rule definition. The rule definition must contain exactly one mandatory rule parameter. It can also contain one of each type of optional rule parameter. -**NOTE** -Even though the rules use the `deny` token, the action taken by the filter when -a query matches a rule is controlled _solely_ by the value of the `action` -parameter (_allow_, _block_ or _ignore_). - ### Mandatory rule parameters The Database Firewall filter's rules expect a single mandatory parameter for a @@ -141,7 +136,7 @@ This rule blocks all queries that use the wildcard character `*`. Use of the wildcard is not allowed: ``` -rule examplerule deny wildcard +rule examplerule match wildcard ``` #### `columns` @@ -154,7 +149,7 @@ interpreted as column names and if a query targets any of these, it is matched. Deny name and salary columns: ``` -rule examplerule deny columns name salary +rule examplerule match columns name salary ``` #### `function` @@ -180,7 +175,7 @@ that do not use functions will be allowed through a function type rule. Deny SUM and COUNT functions: ``` -rule examplerule deny function sum count +rule examplerule match function sum count ``` #### `uses_function` @@ -194,7 +189,7 @@ used to prevent the use of a column with a function. Deny function usage with _name_ and _address_ columns: ``` -rule examplerule deny uses_function name address +rule examplerule match uses_function name address ``` #### `function` and `columns` 
@@ -208,7 +203,7 @@ the `function` and `columns` keywords both followed by a list of values. Deny use of the _sum_ function with _name_ or _address_ columns: ``` -rule examplerule deny function sum columns name address +rule examplerule match function sum columns name address ``` #### `regex` @@ -223,7 +218,7 @@ documentation](http://www.pcre.org/current/doc/html/pcre2syntax.html). Block selects to accounts: ``` -rule examplerule deny regex '.*select.*from.*accounts.*' +rule examplerule match regex '.*select.*from.*accounts.*' ``` #### `limit_queries` @@ -240,7 +235,7 @@ considered active and blocking. Over 50 queries within a window of 5 seconds will block for 100 seconds: ``` -rule examplerule deny limit_queries 50 5 100 +rule examplerule match limit_queries 50 5 100 ``` #### `no_where_clause` @@ -255,7 +250,7 @@ FROM ... WHERE 1=1`. Queries must have a where clause: ``` -rule examplerule deny no_where_clause +rule examplerule match no_where_clause ``` ### Optional rule parameters @@ -355,8 +350,8 @@ this, any further queries that match the regular expression are blocked for 60 seconds. ``` -rule limit_rate_of_queries deny limit_queries 10 5 60 -rule query_regex deny regex '.*select.*from.*user_data.*' +rule limit_rate_of_queries match limit_queries 10 5 60 +rule query_regex match regex '.*select.*from.*user_data.*' ``` To apply these rules we combine them into a single rule by adding a `users` line @@ -380,8 +375,8 @@ a second one. The second rule blocks all queries that match a regular expression. ``` -rule safe_delete deny no_where_clause on_queries delete -rule managers_table deny regex '.*from.*managers.*' +rule safe_delete match no_where_clause on_queries delete +rule managers_table match regex '.*from.*managers.*' ``` When we combine these two rules we get the result we want. To combine these two 
diff --git a/Documentation/Release-Notes/MaxScale-2.2.0-Release-Notes.md b/Documentation/Release-Notes/MaxScale-2.2.0-Release-Notes.md index 3bf6fc50e..386b0a2b9 100644 --- a/Documentation/Release-Notes/MaxScale-2.2.0-Release-Notes.md +++ b/Documentation/Release-Notes/MaxScale-2.2.0-Release-Notes.md @@ -94,6 +94,12 @@ that don't use functions are allowed though in whitelist mode. Rule names can no longer use punctuation in them and can consist only of alphanumeric characters, underscores and hyphens. +#### Keywords `deny` and `allow` + +The `deny` and `allow` keywords are deprecated in favor of the more descriptive +`match` keyword. All instances of `deny` and `allow` can be replaced with +`match` with no functional changes. + ### Logging When known, the session id will be included in all logged messages. This allows diff --git a/server/modules/filter/dbfwfilter/ruleparser.y b/server/modules/filter/dbfwfilter/ruleparser.y index e81f77a84..489050973 100644 --- a/server/modules/filter/dbfwfilter/ruleparser.y +++ b/server/modules/filter/dbfwfilter/ruleparser.y @@ -34,8 +34,8 @@ %lex-param {void* scanner} /** Terminal symbols */ -%token FWTOK_RULE FWTOK_USERS FWTOK_RULES FWTOK_MATCH FWTOK_ANY FWTOK_ALL -%token FWTOK_STRICT_ALL FWTOK_DENY FWTOK_WILDCARD FWTOK_COLUMNS FWTOK_REGEX +%token FWTOK_RULE FWTOK_USERS FWTOK_RULES FWTOK_ANY FWTOK_ALL +%token FWTOK_STRICT_ALL FWTOK_MATCH FWTOK_WILDCARD FWTOK_COLUMNS FWTOK_REGEX %token FWTOK_LIMIT_QUERIES FWTOK_WHERE_CLAUSE FWTOK_AT_TIMES FWTOK_ON_QUERIES %token FWTOK_FUNCTION FWTOK_USES_FUNCTION FWTOK_COMMENT FWTOK_PIPE @@ -73,7 +73,7 @@ command ; rule - : FWTOK_RULE rulename {if (!set_rule_name(scanner, $2)){YYERROR;}} FWTOK_DENY ruleparams + : FWTOK_RULE rulename {if (!set_rule_name(scanner, $2)){YYERROR;}} FWTOK_MATCH ruleparams ; ruleparams diff --git a/server/modules/filter/dbfwfilter/token.l b/server/modules/filter/dbfwfilter/token.l index 4e3ad6078..cada1606f 100644 --- a/server/modules/filter/dbfwfilter/token.l 
+++ b/server/modules/filter/dbfwfilter/token.l @@ -13,7 +13,7 @@ %{ #include - +#include %} %option reentrant noyywrap bison-bridge prefix="dbfw_yy" @@ -37,7 +37,7 @@ CMP [=<>!]+ %% "\n"+ return '\n'; {COMMENT} return FWTOK_COMMENT; -deny|allow return FWTOK_DENY; /** This should be removed at some point */ +deny|allow MXS_WARNING("Use of '%s' is deprecated, use 'match' instead", yytext);return FWTOK_MATCH; rule return FWTOK_RULE; function return FWTOK_FUNCTION; uses_function return FWTOK_USES_FUNCTION;
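Review bot: The replacement action on the `deny|allow` line packs two statements onto one line with no brace block and no space after the `;`, which is harder to read than the usual flex form of bracing multi-statement actions: `deny|allow { MXS_WARNING("Use of '%s' is deprecated, use 'match' instead", yytext); return FWTOK_MATCH; }`. The message also gives the operator nothing to locate the offending rule with; if the scanner tracks line numbers (`%option yylineno` is not visible in this hunk) including `yylineno` in the warning would point straight at the line to edit. The warning is emitted for every occurrence on every parse of the rule file, which is presumably acceptable for a deprecation notice, but the removed line's `/** This should be removed at some point */` comment carried the removal intent and is worth keeping on the new line. Passing `yytext` as a `%s` argument rather than as the format string is the right shape for a token that comes from the rule file.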