diff --git a/Documentation/Changelog.md b/Documentation/Changelog.md index 4c3ef8453..a52e5f01b 100644 --- a/Documentation/Changelog.md +++ b/Documentation/Changelog.md @@ -10,6 +10,7 @@ * MaxCtrl commands `list sessions`, `show sessions` and `show session ` support reverse DNS lookup of client addresses. The conversion is activated by adding the `--rdns`-option to the command. +* The database firewall filter and the masking filter have been deprecated. For more details, please refer to: diff --git a/Documentation/Filters/Database-Firewall-Filter.md b/Documentation/Filters/Database-Firewall-Filter.md index 6929318fd..60e15c099 100644 --- a/Documentation/Filters/Database-Firewall-Filter.md +++ b/Documentation/Filters/Database-Firewall-Filter.md @@ -3,54 +3,24 @@ Table of Contents ================= -* [Overview](#overview) -* [Configuration](#configuration) - * [Filter Parameters](#filter-parameters) - * [rules](#rules) - * [action](#action) - * [log_match](#log_match) - * [log_no_match](#log_no_match) -* [Rule syntax](#rule-syntax) - * [Mandatory rule parameters](#mandatory-rule-parameters) - * [wildcard](#wildcard) - * [Example](#example) - * [columns](#columns) - * [Example](#example-1) - * [function](#function) - * [Example](#example-2) - * [not_function](#not_function) - * [Example](#example-3) - * [uses_function](#uses_function) - * [Example](#example-4) - * [function and columns](#function-and-columns) - * [Example](#example-5) - * [not_function and columns](#not_function-and-columns) - * [Example](#example-6) - * [regex](#regex) - * [Example](#example-7) - * [limit_queries](#limit_queries) - * [Example](#example-8) - * [no_where_clause](#no_where_clause) - * [Example](#example-9) - * [Optional rule parameters](#optional-rule-parameters) - * [at_times](#at_times) - * [on_queries](#on_queries) - * [Applying rules to users](#applying-rules-to-users) -* [Module commands](#module-commands) - * [dbfwfilter::rules/reload [FILE]](#dbfwfilterrulesreload-file) - * [dbfwfilter::rules](#dbfwfilterrules) -* [Use Cases](#use-cases) - * [Use Case 1 - Prevent rapid execution of specific queries](#use-case-1---prevent-rapid-execution-of-specific-queries) - * [Use Case 2 - Only allow deletes with a where clause](#use-case-2---only-allow-deletes-with-a-where-clause) +[TOC] ## Overview +The database firewall filter has been deprecated in MaxScale 2.4 and +it will be removed in a future version of MaxScale. We advise against +using it. + The Database Firewall filter is used to block queries that match a set of rules. It can be used to prevent harmful queries from reaching the backend database instances or to limit access to the database based on a more flexible set of rules compared to the traditional GRANT-based privilege system. Currently the filter does not support multi-statements. +Note that the firewall filter should be viewed as a best-effort solution +intended for protecting against accidental misuse rather than malicious +attacks. + ## Configuration The Database Firewall filter only requires minimal configuration in the diff --git a/Documentation/Filters/Masking.md b/Documentation/Filters/Masking.md index dbeb2dbaf..50284fd49 100644 --- a/Documentation/Filters/Masking.md +++ b/Documentation/Filters/Masking.md @@ -9,6 +9,10 @@ Table of Contents ## Overview +The masking filter has been deprecated in MaxScale 2.4 and +it will be removed in a future version of MaxScale. We advise against +using it. + With the _masking_ filter it is possible to obfuscate the returned value of a particular column. @@ -41,6 +45,10 @@ the _ssn_ would be masked, as in ... ``` +Note that the masking filter should be viewed as a best-effort solution +intended for protecting against accidental misuse rather than malicious +attacks. + ## Security From MaxScale 2.3 onwards, the masking filter will reject statements diff --git a/Documentation/Release-Notes/MaxScale-2.4.0-Release-Notes.md b/Documentation/Release-Notes/MaxScale-2.4.0-Release-Notes.md index e3f5c1fc4..220dcbddf 100644 --- a/Documentation/Release-Notes/MaxScale-2.4.0-Release-Notes.md +++ b/Documentation/Release-Notes/MaxScale-2.4.0-Release-Notes.md @@ -81,6 +81,22 @@ The `ndbclustermon` module has been removed. The `mmmon` module has been removed as the `mariadbmon` monitor largely does what it used to do. +## Deprecated Features + +### `dbfwfilter` + +The database firewall filter has been deprecated and it will be removed in a +future version of MaxScale. + +We advise against using it. + +### `masking` + +The masking filter has been deprecated and it will be removed in a +future version of MaxScale. + +We advise against using it. + ## New Features ### Servers can be drained diff --git a/server/modules/filter/dbfwfilter/dbfwfilter.cc b/server/modules/filter/dbfwfilter/dbfwfilter.cc index 0e2e36b30..317db80d4 100644 --- a/server/modules/filter/dbfwfilter/dbfwfilter.cc +++ b/server/modules/filter/dbfwfilter/dbfwfilter.cc @@ -1272,6 +1272,9 @@ Dbfw::~Dbfw() Dbfw* Dbfw::create(const char* zName, MXS_CONFIG_PARAMETER* pParams) { + MXS_WARNING("The database firewall filter has been DEPRECATED in MaxScale 2.4 " + "and it will be removed in a future release of MaxScale."); + Dbfw* rval = NULL; RuleList rules; UserMap users; diff --git a/server/modules/filter/masking/maskingfilter.cc b/server/modules/filter/masking/maskingfilter.cc index c0c639eab..955be0f2b 100644 --- a/server/modules/filter/masking/maskingfilter.cc +++ b/server/modules/filter/masking/maskingfilter.cc @@ -77,8 +77,6 @@ extern "C" MXS_MODULE* MXS_CREATE_MODULE() reload_argv, "Reload masking filter rules"); - MXS_NOTICE("Masking module %s initialized.", VERSION_STRING); - typedef MaskingFilter::Config Config; static MXS_MODULE info = @@ -176,6 +174,9 @@ MaskingFilter::~MaskingFilter() // static MaskingFilter* MaskingFilter::create(const char* zName, MXS_CONFIG_PARAMETER* pParams) { + MXS_WARNING("The masking filter has been DEPRECATED in MaxScale 2.4 and " + "it will be removed in a future release of MaxScale."); + MaskingFilter* pFilter = NULL; Config config(zName, pParams);