Query control with a smart database proxy

Introduction

Most applications that talk to a database use a well-defined set of queries.

Given this, it might be worthwhile to capture those queries while the application is being tested, and use that knowledge in production to make sure that no other queries are being run, to "lock down" the application and make sure it is behaving as expected.

This is easily done with a smart database proxy, using Redis to record the queries.

This tutorial will show you how to set this up, how to create the filters, and how to see them in action. This tutorial should take about 15 minutes.

Important: we'll assume that you have run one of the basic Gallium Data tutorials before you run this tutorial. If you haven't, we recommend you do that first, as we'll assume a minimum of familiarity with Gallium Data.

It may be a good idea to verify that they are all up and running: 

Step 2: Make sure Postgres and Gallium Data are up and running:

If you can open the database, everything is fine. If not, you'll need to fix the problem before you can continue.

Step 3: Start Redis

Next, we need to start a Redis instance, and a RedisInsight client to browse its contents.

The code creates a connection to Redis if it hasn't already, and puts that connection in the filter context, which is available to all invocations of this filter.

Then, it records the query by incrementing its count in Redis. As a bonus, we get to see how many times each query has been run. 

⇨ Click Publish (at the top) to put this filter into Gallium Data

Once you have run a few queries in pgAdmin, and you see them in Redis, you are ready for the last stage.

⇨ Go back to Gallium Data (if you closed the tab, it's at http://localhost:8089)

⇨ Deactivate this filter, since it should not run at the same time as the filter we're going to create next.

Step 6: Create the enforcement filter

⇨ Create a new request filter of type Query filter - Postgres. Name it Reject unknown queries

⇨ Set the code to :

The code connects to Redis if necessary, and then does a synchronous lookup of the SQL command. If the SQL is not found in Redis, then the filter rejects the request.

⇨ Click Publish to put this filter into Gallium Data.

You're done

Congratulations: you have created a query restriction system. It consists of two filters:

• one filter that records incoming SQL requests in a Redis database

• one filter that looks up incoming requests in Redis and rejects them if they are not found

In a few steps, using off-the-shelf components and 15 lines of code, you have created a small but useful system that would be (at best) very difficult to create using any other solution. And that's just for starters!

Next steps

There is a lot more you could do at this point:

• You don't have to reject unknown queries. You could log them, modify them, or record them in a separate database in Redis.

• This tutorial is for Postgres, but it would work equally well with any other supported database (MySQL, SQL Server, MongoDB).

• You may notice that pgAdmin sends a lot of queries to Postgres that you don't really care about. You can filter them out by using the Query Pattern parameter of the filters -- hint: a possible value is regex:.*[^']gallium_demo[^'].* - see the documentation on regular expressions for more details.

• You could use a database other than Redis to record the queries, but Redis is a really good match here.

• With a bit of extra JavaScript code, you could reject only certain types of unknown queries, like inserts or deletes. Again, regular expressions can be very useful for this.

• Everything you've done in this tutorial is temporary (nothing is persisted), but you can make it more permanent by running Redis with persistent storage.

• What else can you do when you've got complete control over all traffic between database clients and database servers? Let your imagination roam wild.

Cleanup

To stop everything started during this tutorial, run the following commands: