Background information
ODC V4.2.0 has a built-in SQL check process that implements database security control in team collaboration scenarios. The SQL check specifications are environment specific. That is, the data sources in the same environment are checked against the same set of SQL check specifications.
ODC V4.2.0 allows system administrators and users with external integration management permissions to configure integrations with external SQL review systems. You can reference the integration of an external SQL approval system on the SQL window specification tab. If the integration of the external SQL approval system is enabled on the SQL window specification tab, ODC calls APIs of the external SQL approval system for SQL statement check when SQL statements are executed in the SQL window.
This topic describes how to configure and manage SQL approval integration.
Execution process
The ODC system administrator enables SQL approval integration and sets the API information for accessing the external SQL approval system based on the configuration template provided by ODC, and creates the SQL approval integration configuration.
The ODC system administrator enables SQL approval integration on the SQL window specification tab.
An ODC user executes an SQL statement in the SQL window. ODC calls the API of the external SQL approval system to initiate an SQL check request.
Configuration
Configuration method
| Level-1 parameter | Level-2 parameter | Level-3 parameter | Level-4 parameter | Type | Default value | Description |
|---|---|---|---|---|---|---|
| http | connectTimeoutSeconds | - | - | Integer | 5 | The connection timeout period of the HTTP request. Unit: seconds. |
| http | socketTimeoutSeconds | - | - | Integer | 30 | The socket timeout period of the HTTP request. Unit: seconds. |
| api | check (used to initiate an SQL check request to the external SQL review system) | method | - | Enum | POST | The HTTP request method. Valid values: GET, POST, PUT, and PATCH. |
| api | check (used to initiate an SQL check request to the external SQL review system) | url | - | String | <NULL> | The HTTP request address. |
| api | check (used to initiate an SQL check request to the external SQL review system) | headers | - | Map<String, String> | <NULL> | The HTTP request header. |
| api | check (used to initiate an SQL check request to the external SQL review system) | queryParameters | - | Map<String, String> | <NULL> | The HTTP request parameter. |
| api | check (used to initiate an SQL check request to the external SQL review system) | body | type | ENUM | <NULL> | The format of the HTTP request body. Valid value: FORM_DATA. |
| api | check (used to initiate an SQL check request to the external SQL review system) | body | content | Object | <NULL> | The content of the HTTP request body. |
| api | check (used to initiate an SQL check request to the external SQL review system) | requestEncrypted | - | Boolean | false | Specifies whether the HTTP request body is encrypted. |
| api | check (used to initiate an SQL check request to the external SQL review system) | requestSuccessExpression | - | String | <NULL> | An expression that parses the response body and determines whether a request is successfully executed. The expression conforms to the SPEL syntax specification. |
| api | check (used to initiate an SQL check request to the external SQL review system) | inWhiteListExpression | - | String | <NULL> | An expression that parses the response body and determines whether the SQL statement to be executed is in the allowlist. The expression conforms to the Spring Expression Language (SPEL) syntax specification. |
| api | check (used to initiate an SQL check request to the external SQL review system) | inBlackListExpression | - | String | <NULL> | An expression that parses the response body and determines whether the SQL statement to be executed is in the blocklist. The expression conforms to the SpEL syntax specification. |
| api | check (used to initiate an SQL check request to the external SQL review system) | needReviewExpression | - | String | <NULL> | An expression that parses the response body and determines whether the SQL statement needs to be approved for execution. The expression conforms to the SpEL syntax specification. |
| api | check (used to initiate an SQL check request to the external SQL review system) | responseEncrypted | - | Boolean | false | Specifies whether the HTTP response body is encrypted. |
Configuration template
# This is a template for integrating a custom SQL interceptor system.
# You must fill in the required fields according to the requirements to adapt to your SQL interceptor system.
# HTTP configurations
http:
# HTTP connection timeout in seconds
connectTimeoutSeconds: 5
# HTTP socket timeout in seconds
socketTimeoutSeconds: 30
# API configurations
api:
# API configurations used to check the SQL content
check:
# The request method. Valid values: GET, POST, PUT, and PATCH.
method: ~
# Request URI
url: ~
# The request header in the <key: value> format.
headers:
# Sample of request headers
Content-Type: application/json;charset=UTF-8
Accept: application/json
# Request query parameters in the <key: value> format.
queryParameters: ~
# Request body
body:
# The type of request body. Valid values: FORM_DATA and RAW.
type: RAW
# The content of request body in the <String> or <key: value> format. <String> is supported for the RAW type and <key: value> is supported for the FORM_DATA type.
# Sample of request content in the RAW type
content: |-
{
"sqlStatement":"${sql.content}"
}
# Mark whether the request body is encrypted
requestEncrypted: false
# Expression to judge whether the request is successful based on the response body analysis, using the SPEL syntax
requestSuccessExpression: '[resultCode] == 0'
# Mark whether the response body is encrypted
responseEncrypted: false
# Expression to judge whether the SQL to be executed is in the allowlist based on the response body analysis, using the SPEL syntax
inWhiteListExpression: '[checkResult] == 1'
# Expression to judge whether the SQL to be executed is in the blocklist based on the response body analysis, using the SPEL syntax
inBlackListExpression: '[checkResult] == 2'
# Expression to judge whether the SQL to be executed need review based on the response body analysis, using the SPEL syntax
needReviewExpression: '[checkResult] == 3'
Prerequisites
You are the system administrator or have the external integration management permissions.
Create SQL approval integration
In the project collaboration window, choose
External Integration >SQL Approval Integration >Create SQL Approval Integration .In the Create Approval Integration panel, specify the following parameters.
Parameter Description Name The name of the SQL approval integration configuration. Status Specifies whether to enable the SQL approval integration configuration. Settings Edit the YAML file online to configure approval integration. For more information, see Configuration .Click
Save . The SQL approval integration configuration is created.In the SQL approval integration list, you can enable, view, edit, and delete the SQL approval integration settings.
Reference the SQL approval integration configuration on the SQL window specification tab.
Manage SQL approval integration configurations
In the SQL approval integration list, click