Data Masking
Introduction
The field-level data masking interceptor masks sensitive fields within messages as they are consumed.
Configuration
Policies are applied when messages are consumed.
key | type | default | description |
---|---|---|---|
topic | String | .* | Topics that match this regex will have the interceptor applied |
policies | List[Policy] | | List of your masking policies |
Policy
key | type | description |
---|---|---|
name | String | Unique name for identifying your policy |
fields | list | List of fields that should be obfuscated with the masking rule. Nested fields are addressed with dot notation, such as education.account.username, banks[0].accountNo or banks[*].accountNo |
rule | Rule | Rule |
schemaRegistryConfig | SchemaRegistry | Schema Registry |
Rule
key | type | default | description |
---|---|---|---|
type | Masking Type | MASK_ALL | Masking type |
maskingChar | char | * | Character used to mask the data |
numberOfChars | number | | Number of masked characters, required if type != MASK_ALL |
Masking Type
- MASK_ALL: data will be masked
- MASK_FIRST_N: the first n characters will be masked
- MASK_LAST_N: the last n characters will be masked
Schema Registry
Key | Type | Default | Description |
---|---|---|---|
type | string | CONFLUENT | The type of schema registry to use: choose CONFLUENT (for Confluent-like schema registries including OSS Kafka) or AWS for AWS Glue schema registries. |
additionalConfigs | map | | Additional properties that map to specific security-related parameters. For enhanced security, you can hide the sensitive values using environment variables as secrets. |
Confluent Like | | | Configuration for Confluent-like schema registries |
host | string | | URL of your schema registry. |
cacheSize | string | 50 | Number of schemas that can be cached locally by this interceptor so that it doesn't have to query the schema registry every time. |
AWS Glue | | | Configuration for AWS Glue schema registries |
region | string | | The AWS region for the schema registry, e.g. us-east-1 |
registryName | string | | The name of the schema registry in AWS (leave blank for the AWS default of default-registry) |
basicCredentials | string | | Access credentials for AWS (see below section for structure) |
AWS Credentials | | | AWS Credentials Configuration |
accessKey | string | | The access key for the connection to the schema registry. |
secretKey | string | | The secret key for the connection to the schema registry. |
validateCredentials | bool | true | true / false flag to determine whether the credentials provided should be validated when set. |
accountId | string | | The Id for the AWS account to use. |
If you do not supply a basicCredentials section for the AWS Glue schema registry, the client we use to connect will instead attempt to find the connection information it needs from the environment, and the required credentials can be passed this way to the Gateway as part of its core configuration. More information on the setup for this is found in the AWS documentation.
See more about schema registry here
Example
```json
{
  "name": "myFieldLevelDataMaskingPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.FieldLevelDataMaskingPlugin",
  "priority": 100,
  "config": {
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081"
    },
    "policies": [
      {
        "name": "Mask password",
        "rule": {
          "type": "MASK_ALL"
        },
        "fields": [
          "password"
        ]
      },
      {
        "name": "Mask visa",
        "rule": {
          "type": "MASK_LAST_N",
          "maskingChar": "X",
          "numberOfChars": 4
        },
        "fields": [
          "visa"
        ]
      }
    ]
  }
}
```
Secured Schema Registry
```json
{
  "name": "myFieldLevelDataMaskingPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.FieldLevelDataMaskingPlugin",
  "priority": 100,
  "config": {
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081",
      "additionalConfigs": {
        "schema.registry.url": "${SR_URL}",
        "basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
        "basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
      }
    },
    "policies": [
      {
        "name": "Mask password",
        "rule": {
          "type": "MASK_ALL"
        },
        "fields": [
          "password"
        ]
      },
      {
        "name": "Mask visa",
        "rule": {
          "type": "MASK_LAST_N",
          "maskingChar": "X",
          "numberOfChars": 4
        },
        "fields": [
          "visa"
        ]
      }
    ]
  }
}
```
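A pre-deployment lint for the "config" object described above, as an added example that is not part of the Conduktor documentation or product code. It checks the documented constraints (masking type, numberOfChars when type != MASK_ALL, unique policy names) and flags schema registry secrets written as literals rather than ${ENV_VAR} references; the function name, the secret-key hint list and the requirement that numberOfChars be positive are assumptions of this example.

```python
import re

MASK_TYPES = {"MASK_ALL", "MASK_FIRST_N", "MASK_LAST_N"}
# Assumption: keys containing one of these substrings hold secret values.
SECRET_HINTS = ("user.info", "password", "secret", "accesskey", "token")
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")

def lint_masking_config(config):
    """Return a list of findings for one interceptor "config" object."""
    findings = []
    try:
        re.compile(config.get("topic", ".*"))  # documented default is .*
    except re.error as exc:
        findings.append(f"topic: invalid regex ({exc})")
    policies = config.get("policies") or []
    if not policies:
        findings.append("policies: empty, the interceptor masks nothing")
    seen = set()
    for i, policy in enumerate(policies):
        name = policy.get("name")
        where = f"policies[{i}] ({name!r})"
        if not name or name in seen:
            findings.append(f"{where}: name must be present and unique")
        seen.add(name)
        if not policy.get("fields"):
            findings.append(f"{where}: no fields listed, nothing is masked")
        rule = policy.get("rule") or {}
        rtype = rule.get("type", "MASK_ALL")  # documented default
        n = rule.get("numberOfChars")
        if rtype not in MASK_TYPES:
            findings.append(f"{where}: unknown masking type {rtype!r}")
        elif rtype != "MASK_ALL" and (type(n) is not int or n <= 0):
            findings.append(f"{where}: {rtype} needs a positive numberOfChars")
        if len(str(rule.get("maskingChar", "*"))) != 1:
            findings.append(f"{where}: maskingChar must be a single character")
    sr = config.get("schemaRegistryConfig") or {}
    secrets = dict(sr.get("additionalConfigs") or {})
    creds = sr.get("basicCredentials")
    secrets.update(creds if isinstance(creds, dict) else {})
    for key, value in secrets.items():
        if any(h in key.lower() for h in SECRET_HINTS) and not ENV_REF.match(str(value)):
            findings.append(f"schemaRegistryConfig.{key}: literal secret, use ${{ENV_VAR}}")
    return findings

# Constructed sample: numberOfChars is missing and a credential is inlined.
SAMPLE = {"policies": [{"name": "Mask visa", "fields": ["visa"], "rule": {"type": "MASK_LAST_N"}}],
          "schemaRegistryConfig": {"additionalConfigs": {"basic.auth.user.info": "svc:hunter2"}}}
if __name__ == "__main__":
    print("\n".join(lint_masking_config(SAMPLE)))
```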