This document describes how to use parameterized secure views in Cloud SQL for MySQL, which let you limit data access based on application-specific named parameters, like application user credentials. Parameterized secure views improve security and access control by extending the functionality of MySQL views. These views also mitigate the risks of running untrusted queries from applications by enforcing a number of restrictions automatically on any query that is executed.
For more information, see Parameterized secure views in Cloud SQL.
Before you begin
This document assumes that you've already created a Cloud SQL for MySQL instance.
Make sure that your Cloud SQL instance is running MySQL 8.0.43 or later. If your MySQL 8.0 instance is running an earlier minor version, then you can perform a minor version upgrade.
Enable the
cloudsql_parameterized_secure_viewdatabase flag for your instance.This flag change doesn't require a database restart. For more information, see Configure database flags.
Create a parameterized secure view
To create a parameterized secure view, run the CREATE VIEW DDL command.
For example:
CREATE VIEW v_orders
AS SELECT * FROM orders
WHERE customer_id = @local_customer_id;
Use the following syntax:
-- Create a view with a parameter using the WHERE clause CREATE VIEW VIEW_NAME AS SELECT * FROM TABLE_NAME WHERE CONDITION;
-- Create a view with a parameter using the HAVING clause CREATE VIEW VIEW_NAME AS SELECT * FROM TABLE_NAME WHERE CONDITION_1 -- row level security GROUP BY COLUMN_NAME HAVING CONDITION_2; -- grouping
-- Create a view with a parameter using the ON clause CREATE VIEW VIEW_NAME AS SELECT * FROM TABLE_NAME_1 JOIN TABLE_NAME_2 ON CONDITION_1 -- join criteria WHERE CONDITION_2; -- row level security
Replace the following:
VIEW_NAME: the name of the parameterized secure viewTABLE_NAMEorTABLE_NAME_N: the name of the table or tables to use in the parameterized viewCOLUMN_NAMEorCOLUMN_NAME_N: the name of the table column or columns to use in the parameterized viewCONDITIONorCONDITION_N: the condition statement or statements to evaluate as part of aWHERE,ON, orHAVINGclause. You can specify the session variable that is used as the parameter when you later perform a query on the view. A condition resembles the following:WHERE customer_id = @local_customer_id
Session variables,
@variable_name, are permitted only within theWHERE,ON, orHAVINGclauses of aCREATE VIEWstatement.
Query a parameterized secure view
To query a parameterized secure view in Cloud SQL for MySQL, you have two options:
Assign values to variables by using the
SET_VIEW_VARShint while querying the parameterized secure view. If any of the variables that are referenced by the view aren't set, or if any unrelated variables appear in theSET_VIEW_VARShint, then the query against the parameterized secure view fails.Call the
mysql.execute_parameterized_queryprocedure to query the parameterized secure view. If you use themysql.execute_parameterized_queryprocedure, then you provide two arguments to the procedure. The first argument is a query against the parameterized secure view without any hints about the session variable. The second argument provides all the needed session variables and the values that you want to provide.
Use hint values
To query the parameterized secure view by using the SET_VIEW_VARS hint,
do the following:
-- Set the parameter and query SELECT /*+ SET_VIEW_VARS(SESSION_VARIABLE = VALUE) */ * FROM VIEW_NAME;
Replace the following:
SESSION_VARIABLE: the named parameter of the parameterized secure view that you can provide different values for. You define the session variable name when you create the view by using the@variable_namenotation in the view condition clause.VALUE: a value for this named parameterVIEW_NAME: name of the parameterized secure view
For example:
SELECT /*+ SET_VIEW_VARS(local_customer_id = 12345) */ *
FROM v_orders;
Use the parameterized query procedure
To query the parameterized secure view by using the
mysql.execute_parameterized_query procedure,
use the following syntax:
CALL mysql.execute_parameterized_query( 'SELECT * FROM DATABASE_NAME.VIEW_NAME', 'SESSION_VARIABLE=VALUE');
Replace the following:
SESSION_VARIABLE: the named parameter of the parameterized secure view that you can provide different values for. You define the session variable name when you create the view by using the@variable_namenotation in the view condition clause.VALUE: a value for this named parameterDATABASE_NAME: name of the database of the viewVIEW_NAME: name of the parameterized secure view
For example:
CALL mysql.execute_parameterized_query(
'SELECT * FROM db.v_orders',
'local_customer_id = 5, earliest_year = 2021');
Restrictions on queries
The following lists the set of restricted operations for queries that you run using the options described in Query a parameterized secure view:
- The query can only be a
SELECTstatement. - The query can't include invocations to user-defined functions or stored procedures.
- The query can't assign variables.
- If you use the
CALL mysql.execute_parameterized_querymethod, then the query can't be multiple statements concatenated into a single statement. For example, the query statementSELECT * FROM a; DROP TABLE a;isn't valid.
View parameterized secure views in logs
When Cloud SQL for MySQL database users try to create a parameterized secure view, an information-level message is logged in the MySQL error log similar to the following:
User variables permitted in %s.%s through Parameterized Secure View feature
Troubleshoot parameterized secure views
| Issue | Troubleshooting |
|---|---|
cloud_parameterized_secure_view flag isn't set for the instance
|
If the cloudsql_parameterized_secure_view flag is set to
OFF, then any attempt to query an existing parameterized secure view
will result in the following error:
If you attempt to create a parameterized secure view without the flag set, then you receive the following error:
You can verify whether the parameterized secure views is enabled for a Cloud SQL instance by checking the global variable: SHOW VARIABLES LIKE 'cloudsql_parameterized_secure_view'; |
Query fails with the error View's SELECT contains a variable or
parameter. |
Variables aren't allowed outside of WHERE, HAVING,
or ON clauses. Using a variable outside of these clauses
results in an error. |
Query fails with User variable `%s` used in Parameterized Secure View %s
must be set in the query before using SET_VIEW_VARS hint error
|
Set the session variable before you run the query. |
| Query fails with a MySQL version error | If you try to query an existing parameterized secure view from a MySQL version
earlier than 8.0.43, then you can encounter the following error:
|