admin管理员组文章数量:1345310
I know that in BigQuery I can set a policy tag with a UDF masking rule, i.e. a user-defined function to alter the values of the columns where I apply the tag. In this way, other users might not see the original value of that field, but just the altered one. The UDF is stored in BigQuery in a dataset of the same project where I want to apply the data masking rule. An example: a nice UDF would sha256(concat(field;"123456")), where 123456 might be replaced by a more complex "encryption" parameter.
If I want to guarantee that the field is still usable in some way (i.e., allow to make joins), I need the algorithm of alteration to be deterministic, so that the same original-value in different columns has the same masked-value.
However, this approach has a drawback: if the final user knows the original-value and the alteration rule (for example, because they can read the actual UDF used for data-masking, since they belong to a group that have enough roles to create tables, datasets, etc), they can compute the masked-value, so this approach is useless.
From this loop it is clear that the possible solutions are:
- Using a deterministic algorythm, but keeping it unkown from the final user
- Prevent users with admin roles on that project to read the UDF
- Find a totally different approach
本文标签:
版权声明:本文标题:google cloud platform - Can I mask columns of BigQuery tables using a deterministic algorythm but keeping it unknown to users wi 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1743758466a2533935.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论