Quick navigation
Data Masking
Introduction
Field level data masking interceptor masks sensitive fields within messages as they are consumed.
Configuration
Policies will be actioned and applied when consuming messages.
| key | type | default | description |
|---|---|---|---|
| topic | String | .* | Topics that match this regex will have the interceptor applied |
| policies | List[Policy] | List of your masking policies |
Policy
| key | type | description |
|---|---|---|
| name | String | Unique name for identifying your policy |
| fields | list | List of fields that should be obfuscated with the masking rule. Fields can be nested structure with dot . such as education.account.username, banks[0].accountNo or banks[*].accountNo |
| rule | Rule | Rule |
| schemaRegistryConfig | SchemaRegistry | Schema Registry |
Rule
| key | type | default | description |
|---|---|---|---|
| type | Masking Type | MASK_ALL | Masking type |
| maskingChar | char | * | Character that the data masked |
| numberOfChars | number | number of masked characters, required if type != MASK_ALL |
Masking Type
MASK_ALL: data will be masked,MASK_FIRST_N: The firstncharacters will be maskedMASK_LAST_N: The lastncharacters will be masked
Schema Registry
| key | type | default | description |
|---|---|---|---|
| host | String | Url of schema registry | |
| cacheSize | String | 50 | This interceptor caches schemas locally so that it doesn't have to query the schema registry |
| additionalConfigs | map | Additional properties maps to specific security related parameters. For enhanced security, you can use the template ${MY_ENV_VAR} in map values, then define their actual values in the environmental config variables of Gateway. (eg: -e MY_ENV_VAR=someValue) |
See more about schema registry here
Example
{
"name": "myFieldLevelDataMaskingPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.FieldLevelDataMaskingPlugin",
"priority": 100,
"config": {
"schemaRegistryConfig": {
"host": "http://schema-registry:8081"
},
"policies": [
{
"name": "Mask password",
"rule": {
"type": "MASK_ALL"
},
"fields": [
"password"
]
},
{
"name": "Mask visa",
"rule": {
"type": "MASK_LAST_N",
"maskingChar": "X",
"numberOfChars": 4
},
"fields": [
"visa"
]
}
]
}
}
Secured Schema Registry
{
"name": "myFieldLevelDataMaskingPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.FieldLevelDataMaskingPlugin",
"priority": 100,
"config": {
"schemaRegistryConfig": {
"host": "http://schema-registry:8081",
"additionalConfigs": {
"schema.registry.url": "${SR_URL}",
"basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
"basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
}
},
"policies": [
{
"name": "Mask password",
"rule": {
"type": "MASK_ALL"
},
"fields": [
"password"
]
},
{
"name": "Mask visa",
"rule": {
"type": "MASK_LAST_N",
"maskingChar": "X",
"numberOfChars": 4
},
"fields": [
"visa"
]
}
]
}
}