Merge pull request flike#121 from flike/feature-blacklist-sql

Feature blacklist sql

Author: Chen Fei

README_ZH.md

@@ -36,7 +36,7 @@ kingshard是一个由Go开发高性能MySQL Proxy项目，kingshard在满足基
 
 [5.管理端命令介绍](./doc/KingDoc/admin_command_introduce.md)
 
-[6.kingshard性能测试报告](./doc/KingDoc/kingshard_performance_test.md)
+[6.kingshard SQL黑名单功能介绍](./doc/KingDoc/sql_blacklist_introduce.md)
 
 [7.kingshard的FAQ](./doc/KingDoc/function_FAQ.md)
 
@@ -46,6 +46,7 @@ kingshard是一个由Go开发高性能MySQL Proxy项目，kingshard在满足基
 
 [2.kingshard性能优化之网络篇](./doc/KingDoc/kingshard_performance_profiling.md)
 
+[3.kingshard性能测试报告](./doc/KingDoc/kingshard_performance_test.md)
 ## 鸣谢
 - 感谢[mixer](https://github.com/siddontang/mixer)作者siddontang, kingshard最初的版本正是基于mixer开发而来的。
 - 感谢[bigpyer](https://github.com/bigpyer)，他对kingshard做了详细的性能测试，并撰写了一份非常详细的测试报告。

config/config.go

@@ -30,6 +30,7 @@ type Config struct {
 	LogSql      string       `yaml:"log_sql"`
 	SlowLogTime int          `yaml:"slow_log_time"`
 	AllowIps    string       `yaml:"allow_ips"`
+	BlsFile     string       `yaml:"blacklist_sql_file"`
 	Nodes       []NodeConfig `yaml:"nodes"`
 
 	Schema SchemaConfig `yaml:"schema"`

doc/KingDoc/how_to_use_kingshard.md

@@ -36,6 +36,9 @@ log_sql : on
 slow_log_time : 100
 #日志文件路径，如果不配置则会输出到终端。
 log_path : /Users/flike/log
+# sql黑名单文件路径
+# 所有在该文件中的sql都会被kingshard拒绝转发
+#blacklist_sql_file: /Users/flike/blacklist
 # 只允许下面的IP列表连接kingshard，如果不配置则对连接kingshard的IP不做限制。
 allow_ips: 127.0.0.1
 
@@ -422,3 +425,5 @@ kingshard的管理接口，目前还是命令行的方式。后续有时间打
 
 ## 7. 总结
 kingshard开源两个月以来，得到了很多开发者的关注。这足以证明，大家对数据库中间件是有需求的，希望出现一款简单好用的MySQL Proxy。kingshard经过这两个月的迭代开发，也比较稳定了。据了解，有几个公司正在对其进行尝试。后续作者的主要精力会放在优化kingshard的性能上，同时完善kingshard已有的功能。如果大家对kingshard有什么想法或建议，可以发邮件联系我（flikecn#126.com)，非常乐意和大家交流。
+
+

doc/KingDoc/how_to_use_kingshard_EN.md

@@ -35,6 +35,9 @@ log_level : debug
 #log_sql: off 
 #only log the query that take more than slow_log_time ms
 #slow_log_time : 100
+# the path of blacklist sql file
+# all these sqls in the file will been forbidden by kingshard
+#blacklist_sql_file: /Users/flike/blacklist
 # only allow this ip list ip to connect kingshard
 #allow_ips: 127.0.0.1
 
@@ -461,3 +464,5 @@ mysql> admin server(opt,k,v) values('show','schema','config');
 ## 6.Requirement and feedback
 
 If You have new functional requirements about kingshard in the production environment, or find a bug in the process of using kingshard. Welcome to send a mail to `flikecn#126.com`, I will reply you as soon as possible.
+
+

doc/KingDoc/kingshard_install_document.md

@@ -27,6 +27,9 @@ log_sql : on
 slow_log_time : 100
 #日志文件路径，如果不配置则会输出到终端。
 log_path : /Users/flike/log
+# sql黑名单文件路径
+# 所有在该文件中的sql都会被kingshard拒绝转发
+#blacklist_sql_file: /Users/flike/blacklist
 # 只允许下面的IP列表连接kingshard，如果不配置则对连接kingshard的IP不做限制。
 allow_ips: 127.0.0.1
 
@@ -107,3 +110,5 @@ schema :
 **2. kingshard采用的是yaml方式解析配置文件，需要注意的是yaml配置文件不允许出现tab键，且冒号后面需要跟一个空格。配置文件编写完成后，可以在[yaml lint](http://www.yamllint.com/)网站验证是否有格式错误。**
 
 **3. windows下安装kingshard，参考[文档](https://github.com/flike/kingshard/wiki/%E5%9C%A8window%E4%B8%8B%E5%AE%89%E8%A3%85kingshard)**
+
+

doc/KingDoc/sql_blacklist_introduce.md

@@ -0,0 +1,110 @@
+# kingshard SQL黑名单功能介绍
+
+## 1. 应用场景介绍
+在kingshard开源之后，有用户多次提到能不能在kingshard中加入SQL黑名单机制，让kingshard能够根据特定的规则来拦截在黑名单中的SQL。有几个比较典型的应用场景：
+
+1. DBA定义一些比较危险的SQL，放在SQL黑名单文件中。可以避免前端应用发过来的SQL对数据库造成危害。这种SQL有可能是开发者粗心编写的，也有可能是被SQL注入生成的SQL。例如：`delete from mytable`，这种不带where条件的SQL，会把整个表删除。
+2. 在kingshard项目上线后，通过log发现存在大量某条SQL给DB造成了很大的压力。这时候可以动态地将这条SQL加入黑名单，阻止该SQL的执行，从而使数据库压力降低。例如:`select count(*) from mytable where xxxx`,这类SQL如果没有优化得当，是很容易造成系统的IO过高的。
+
+## 2. 功能介绍
+在kingshard如果想使用SQL黑名单功能，只需要在配置中添加：
+```
+blacklist_sql_file: /Users/flike/blacklist
+```
+然后我们在blacklist定义SQL黑名单，这样kingshard在转发的时候，就会阻止黑名单中SQL的转发。
+
+黑名单SQL以正则表达式的形式定义。对于SQL中的值用`?`或`?+`代替。为保证黑名单有效，最好手动验证一下，kingshard是否正确拦截了黑名单中的SQL。定义规则（上一条是原SQL，对应的下一条是黑名单形式的SQL）可以参考下列例子：
+
+```
+SELECT c FROM t WHERE id=1
+select c from t where id=?
+
+SELECT * FROM prices.rt_5min where id=1
+select * from prices.rt_5min where id=?
+
+select null, 5.001, 5001. from foo
+select ?, ?, ? from foo
+
+select 'hello', '\nhello\n', \"hello\", '\\'' from foo
+select ?, ?, ?, ? from foo
+
+select 'hello'\n
+select ?
+
+select * from t where (base.nid IN  ('1412', '1410', '1411'))
+select * from t where (base.nid in(?+))
+
+select * from foo where a in (5) and b in (5, 8,9 ,9 , 10)
+select * from foo where a in(?+) and b in(?+)
+
+select * from foo limit 5
+select * from foo limit ?
+
+select * from foo limit 5, 10
+select * from foo limit ?, ?
+
+select * from foo limit 5 offset 10
+select * from foo limit ? offset ?
+
+INSERT INTO t (ts) VALUES (NOW())
+insert into t (ts) values(?+)
+
+insert into foo(a, b, c) values(2, 4, 5)
+insert into foo(a, b, c) values(?+)
+
+CALL foo(1, 2, 3)
+call foo
+
+LOAD DATA INFILE '/tmp/foo.txt' INTO db.tbl
+load data infile ? into db.tbl
+
+administrator command: Init DB
+administrator command: Init DB
+
+use `foo`
+use ?
+
+```
+
+## 3.功能演示
+在blacklist加入如下SQL:
+
+```
+select count(*) from test_shard_hash where id > ?
+select count(*) from test_shard_range
+SELECT * FROM WORLD
+DELETE FROM WORLD
+```
+
+连接kingshard，执行SQL显示如下：
+
+```
+mysql> select * from world;
+ERROR 1105 (HY000): sql in blacklist.
+mysql> select * from world where a > 0;
++------+------+
+| a    | b    |
++------+------+
+|   10 |   23 |
+|   45 |  565 |
++------+------+
+2 rows in set (0.00 sec)
+
+mysql> delete from world;
+ERROR 1105 (HY000): sql in blacklist.
+mysql> delete from world where a =10;
+Query OK, 1 row affected (0.00 sec)
+#注意在SQL黑名单中该SQL是大于后面有个空格，必须要严格匹配，否则#kingshard不会认为是黑名单SQL
+mysql> select count(*) from test_shard_hash where id >1;
++----------+
+| count(*) |
++----------+
+|       24 |
++----------+
+1 row in set (0.02 sec)
+
+mysql> select count(*) from test_shard_hash where id > 1;
+ERROR 1105 (HY000): sql in blacklist.
+```
+
+用sysbench测试了一下存在blacklist时kingshad的性能，发现性能并没有明显下降，所以可以放心使用该功能。

etc/ks.yaml

@@ -5,16 +5,23 @@ addr : 0.0.0.0:9696
 user :  kingshard
 password : kingshard
 
-#if set log_path, the sql log will write into log_path/sql.log,the system log
-#will write into log_path/sys.log
+# if set log_path, the sql log will write into log_path/sql.log,the system log
+# will write into log_path/sys.log
 #log_path : /Users/flike/log
 
 # log level[debug|info|warn|error],default error
 log_level : debug
-#if set log_sql(on|off) off,the sql log will not output
-#log_sql: off 
-#only log the query that take more than slow_log_time ms
+
+# if set log_sql(on|off) off,the sql log will not output
+log_sql: off
+ 
+# only log the query that take more than slow_log_time ms
 #slow_log_time : 100
+
+# the path of blacklist sql file
+# all these sqls in the file will been forbidden by kingshard
+blacklist_sql_file: /Users/flike/blacklist
+
 # only allow this ip list ip to connect kingshard
 #allow_ips: 127.0.0.1
 

etc/unshard.yaml

@@ -5,16 +5,23 @@ addr : 0.0.0.0:9696
 user :  kingshard
 password : kingshard
 
-#if set log_path, the sql log will write into log_path/sql.log,the system log
-#will write into log_path/sys.log
+# if set log_path, the sql log will write into log_path/sql.log,the system log
+# will write into log_path/sys.log
 #log_path : /Users/flike/log
 
 # log level[debug|info|warn|error],default error
 log_level : debug
-#if set log_sql(on|off) off,the sql log will not output
-log_sql: off
-#only log the query that take more than slow_log_time ms
+
+# if set log_sql(on|off) off,the sql log will not output
+#log_sql: off
+
+# only log the query that take more than slow_log_time ms
 #slow_log_time : 100
+
+# blacklist sql file path
+# all these sqls in this file will been forbidden by kingshard
+#blacklist_sql_file: /Users/flike/blacklist
+
 # only allow this ip list ip to connect kingshard
 #allow_ips: 127.0.0.1
 
@@ -38,7 +45,8 @@ nodes :
     slave :
     down_after_noalive : 32
 
-# schema defines which db can be used by client and this db's sql will be executed in which nodes, the db is also the default database
+# schema defines which db can be used by client and this db's sql will be executed in which nodes, 
+# the db is also the default database
 schema :
     db : kingshard
     nodes: [node1]