Skip to main content
Quick navigation

Data Masking

Introduction

Field level data masking interceptor masks sensitive fields within messages as they are consumed.

Configuration

Policies will be actioned and applied when consuming messages.

keytypedefaultdescription
topicString.*Topics that match this regex will have the interceptor applied
policiesList[Policy]List of your masking policies

Policy

keytypedescription
nameStringUnique name for identifying your policy
fieldslistList of fields that should be obfuscated with the masking rule. Fields can be nested structure with dot . such as education.account.username, banks[0].accountNo or banks[*].accountNo
ruleRuleRule
schemaRegistryConfigSchemaRegistrySchema Registry

Rule

keytypedefaultdescription
typeMasking TypeMASK_ALLMasking type
maskingCharchar*Character that the data masked
numberOfCharsnumbernumber of masked characters, required if type != MASK_ALL

Masking Type

  • MASK_ALL: data will be masked,
  • MASK_FIRST_N: The first n characters will be masked
  • MASK_LAST_N: The last n characters will be masked

Schema Registry

keytypedefaultdescription
hostStringUrl of schema registry
cacheSizeString50This interceptor caches schemas locally so that it doesn't have to query the schema registry
additionalConfigsmapAdditional properties maps to specific security related parameters. For enhanced security, you can use the template ${MY_ENV_VAR} in map values, then define their actual values in the environmental config variables of Gateway. (eg: -e MY_ENV_VAR=someValue)

See more about schema registry here

Example

{
"name": "myFieldLevelDataMaskingPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.FieldLevelDataMaskingPlugin",
"priority": 100,
"config": {
"schemaRegistryConfig": {
"host": "http://schema-registry:8081"
},
"policies": [
{
"name": "Mask password",
"rule": {
"type": "MASK_ALL"
},
"fields": [
"password"
]
},
{
"name": "Mask visa",
"rule": {
"type": "MASK_LAST_N",
"maskingChar": "X",
"numberOfChars": 4
},
"fields": [
"visa"
]
}
]
}
}

Secured Schema Registry

{
"name": "myFieldLevelDataMaskingPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.FieldLevelDataMaskingPlugin",
"priority": 100,
"config": {
"schemaRegistryConfig": {
"host": "http://schema-registry:8081",
"additionalConfigs": {
"schema.registry.url": "${SR_URL}",
"basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
"basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
}
},
"policies": [
{
"name": "Mask password",
"rule": {
"type": "MASK_ALL"
},
"fields": [
"password"
]
},
{
"name": "Mask visa",
"rule": {
"type": "MASK_LAST_N",
"maskingChar": "X",
"numberOfChars": 4
},
"fields": [
"visa"
]
}
]
}
}