Query Whitelist

The Query Whitelist feature allows administrators to define trusted SQL queries that can bypass protected field rules under specific conditions.

This feature is useful when certain application queries need to access protected fields for valid business or technical reasons, such as authentication, login validation, or system integration queries.

For example, an application may need to execute a query that checks a username and password during login. If the password field is protected, the query may need to be explicitly whitelisted so the application can continue to work correctly.

Accessing Query Whitelist

To access the Query Whitelist menu:

  1. Open the OneDB Administration Console.
  2. Go to Security Policy.
  3. Select Query Whitelist.

The Query Whitelist page displays the list of configured whitelisted queries.

Query Whitelist List

The Query Whitelist list shows all registered whitelist rules.

Each record contains the following information:

| Field | Description |
| --- | --- |
| Connection | The database connection assigned to the whitelist rule. |
| Database Type | The database type, such as PostgreSQL, MySQL, Oracle, or MSSQL. |
| SQL Text | The SQL query pattern that is allowed to bypass protection rules. |
| Client Address | Optional client IP address restriction. |
| Connection Username | Optional database username restriction. |
| Status | Indicates whether the whitelist rule is active or inactive. |

Each whitelist record also provides action buttons to view, edit, or delete the rule.

View Query Whitelist Detail

To view the detail of a whitelisted query, click the detail icon on the selected record.

The detail page displays complete information about the whitelist rule, including:

| Field | Description |
| --- | --- |
| Connection ID | The unique ID of the selected database connection. |
| Connection Name | The name of the database connection. |
| Database or Schema | The database or schema assigned to the connection. |
| Database Type | The type of database connection. |
| IP/Hostname | The database server IP address or hostname. |
| Port | The database server port. |
| Client Address | Optional client IP address restriction. |
| Connection Username | Optional database username restriction. |
| Description | Additional notes or explanation for the whitelist rule. |
| SQL Text | The whitelisted SQL query. |
| Status | Indicates whether the whitelist rule is active or inactive. |

The SQL Text field is displayed in a readable format and includes a copy button for easier review or troubleshooting.

Add Whitelisted Query

To add a new whitelisted query:

  1. Click Add Whitelisted Query.
  2. Select the target Connection.
  3. Enter the SQL query in the SQL Text field.
  4. Optionally enter a Client Address.
  5. Optionally enter a Connection Username.
  6. Optionally add a Description.
  7. Set the Status.
  8. Click Submit.

Field Description

Connection

Select the database connection where the whitelist rule will be applied.

The available connections are displayed in the dropdown list. Each connection represents a database server configuration already registered in OneDB.

SQL Text

Enter the SQL query that should be whitelisted.

Example:

SELECT * FROM public.USERS WHERE username = ? AND password = ?

The SQL Text should match the application query that needs to bypass protected field rules.

Use this carefully. Only trusted and required queries should be added to the whitelist.

Client Address

The Client Address field is optional.

When filled, the whitelist rule will only apply to requests coming from the specified client IP address.

If left empty, the whitelist rule may apply regardless of client address, depending on the matching logic configured in OneDB.

Example:

192.168.1.10

Connection Username

The Connection Username field is optional.

When filled, the whitelist rule will only apply when the database connection uses the specified username.

This helps restrict the whitelist rule to a specific application or database user.

Example:

app_user

Description

The Description field is optional.

Use this field to explain why the query is whitelisted, such as:

Required for application login validation.

Adding a clear description is recommended for audit and operational review.

Status

The status determines whether the whitelist rule is active.

| Status | Description |
| --- | --- |
| Active | The whitelist rule is enabled and can be applied. |
| Inactive | The whitelist rule is disabled and will not be applied. |

Edit Whitelisted Query

To edit an existing whitelist rule:

  1. Click the edit icon on the selected record.
  2. Update the required fields.
  3. Click Submit.

Administrators can update the connection, SQL text, client address, connection username, description, or status.


Delete Whitelisted Query

To delete a whitelist rule, click the delete icon on the selected record.

Use delete carefully because removing a whitelist rule may cause related application queries to be processed by normal protection rules again.


Recommended Usage

Query Whitelist should be used only for trusted queries that are required for application functionality.

Recommended use cases include:

| Use Case | Example |
| --- | --- |
| Login or authentication query | Query that checks username and password. |
| Internal system query | Query used by trusted backend services. |
| Application compatibility | Query that must access protected fields without masking. |
| Controlled exception | Specific query approved to bypass protected field rules. |

Security Considerations

Query Whitelist can bypass protected field rules, so it should be managed carefully.

Recommended practices:

  1. Whitelist only specific SQL queries that are truly required.
  2. Use Client Address when the query should only come from a known application server.
  3. Use Connection Username when the query should only apply to a specific database user.
  4. Add a clear description for audit and review purposes.
  5. Review whitelist rules regularly.
  6. Disable or delete unused whitelist rules.
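
The recommended practices above can be checked mechanically during a periodic review. The following is an added example, not part of the OneDB documentation or product: the rule dictionaries are constructed sample data whose keys mirror the fields on the list page (the layout is an assumption, not a OneDB export format), and the Client Address check assumes a single IP address as in this page's example.

```python
import ipaddress
import re

# Constructed sample rules; keys mirror the Query Whitelist fields (assumed layout).
RULES = [
    {"connection": "pg-main", "status": "Active",
     "sql_text": "SELECT * FROM public.USERS WHERE username = ? AND password = ?",
     "client_address": "", "connection_username": "", "description": ""},
    {"connection": "pg-main", "status": "Active",
     "sql_text": "SELECT id, password FROM public.USERS WHERE username = ?",
     "client_address": "192.168.1.10", "connection_username": "app_user",
     "description": "Required for application login validation."},
    {"connection": "pg-main", "status": "Inactive",
     "sql_text": "SELECT password FROM public.USERS WHERE id = ?",
     "client_address": "192.168.1.300", "connection_username": "app_user",
     "description": "Legacy batch job."},
]

SELECT_STAR = re.compile(r"\bselect\s+(\w+\.)?\*", re.IGNORECASE)

def audit_rule(rule):
    """Return findings for one whitelist rule, based on the recommended practices."""
    findings = []
    addr = rule.get("client_address", "").strip()
    if not addr:
        findings.append("no Client Address restriction")
    else:
        try:
            ipaddress.ip_address(addr)  # assumes a single IP, as in the page's example
        except ValueError:
            findings.append("Client Address is not a valid IP address")
    if not rule.get("connection_username", "").strip():
        findings.append("no Connection Username restriction")
    if not rule.get("description", "").strip():
        findings.append("no Description for audit")
    if SELECT_STAR.search(rule.get("sql_text", "")):
        findings.append("SELECT * returns every column, including all protected ones")
    if rule.get("status", "").lower() == "inactive":
        findings.append("inactive rule: candidate for deletion")
    return findings

def audit(rules):
    """Map rule index -> findings, omitting rules that pass every check."""
    return {i: f for i, rule in enumerate(rules) if (f := audit_rule(rule))}

if __name__ == "__main__":
    for idx, findings in audit(RULES).items():
        print(RULES[idx]["sql_text"])
        for finding in findings:
            print("  -", finding)
```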

Example

A typical login query may look like this:

SELECT * FROM public.USERS WHERE username = ? AND password = ?

If the password field is protected, this query may need to be whitelisted so the application can validate login credentials correctly.

Once added as an active whitelist rule, OneDB can identify the trusted query and allow it to bypass protected field rules based on the configured connection and optional restrictions.

Notes

Query Whitelist is designed to provide controlled flexibility when protected field rules may affect valid application behavior.

It should not be used as a general bypass mechanism. Each whitelist rule should have a clear business or technical justification.
