description |
---|
This page provides the technical details of the Data Logging Masking policy |
{% hint style="warning" %} This feature requires Gravitee's Enterprise Edition. {% endhint %}
If you enable logging on APIs, you can use the `data-logging-masking` policy to configure rules to conceal sensitive data. You can use `json-path`, `xml-path` or a regular expression to identify the information to hide.
{% hint style="info" %}
The `data-logging-masking` policy must be the last to run. Don’t forget to add it in final position on both the request and the response.
{% endhint %}
Functional and implementation information for the `data-logging-masking` policy is organized into the following sections:
{% hint style="warning" %} This policy can be applied to v2 APIs. It cannot be applied to v4 proxy APIs or v4 message APIs. {% endhint %}
{% tabs %}
{% tab title="Proxy API example" %}
Sample policy configuration:

```json
{
  "name": "Data Logging Masking",
  "description": "Data Logging Masking configured for RAW or JSON",
  "enabled": true,
  "policy": "policy-data-logging-masking",
  "configuration": {
    "scope": "REQUEST_CONTENT",
    "headerRules": [
      {
        "path": "reqHeaderToHide",
        "replacer": "*"
      }
    ],
    "bodyRules": [
      {
        "path": "$.field",
        "replacer": "-"
      },
      {
        "type": "EMAIL",
        "replacer": "@"
      },
      {
        "type": "URI",
        "replacer": "U"
      },
      {
        "type": "IP",
        "replacer": "IP"
      },
      {
        "type": "CREDIT_CARD",
        "replacer": "$"
      },
      {
        "regex": "(proto?:/.w*)(:\\d*)?\\/?(.*?)",
        "replacer": "S"
      }
    ]
  }
}
```
{% endtab %}
{% endtabs %}
When configuring the `data-logging-masking` policy, note the following:

- If you use the `path` property in a rule without regex, all the data corresponding to this path will be hidden.
- If you use a `MaskPattern` type property or a custom regular expression without a `path`, the transformation will apply to all the raw data.
- We provide some patterns that you can use and adapt as required:
  - `CUSTOM`: Use to write your own regular expression
  - `CREDIT_CARD`: Use to catch and hide credit card numbers (supports Visa, Mastercard and American Express)
  - `EMAIL`: Use to pick up and hide email addresses (doesn’t support Unicode)
  - `IP`: Use to pick up and hide IP addresses (supports IPv4 and IPv6 format)
  - `URI`: Use to catch and hide sensitive addresses (supports HTTP, HTTPS, FTP, mailto and file)
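
A small linter for the rules above, added here as an example and not part of Gravitee's code: it checks one phase's ordered policy steps for the placement and rule-shape points this page describes. The input shape (a list of steps like the sample configuration), the `lint_masking_steps` name, treating a missing `enabled` as true, and the sample's `hypothetical-later-policy` are assumptions.

```python
import json

POLICY_ID = "policy-data-logging-masking"
MASK_PATTERNS = {"CUSTOM", "CREDIT_CARD", "EMAIL", "IP", "URI"}  # listed on this page

def lint_masking_steps(steps):
    """Findings for one phase's policy steps, given in execution order (assumed shape)."""
    findings = []
    for i, step in enumerate(steps):
        if step.get("policy") != POLICY_ID:
            continue
        if not step.get("enabled", True):
            findings.append("masking policy is disabled")
        if i != len(steps) - 1:
            findings.append("masking policy is not the last step")
        cfg = step.get("configuration", {})
        for n, rule in enumerate(cfg.get("headerRules", [])):
            if not rule.get("path"):
                findings.append(f"headerRules[{n}]: no header name in path")
        for n, rule in enumerate(cfg.get("bodyRules", [])):
            path, kind, regex = (rule.get(k) for k in ("path", "type", "regex"))
            if kind is not None and kind not in MASK_PATTERNS:
                findings.append(f"bodyRules[{n}]: unknown type {kind!r}")
            if kind == "CUSTOM" and not regex:
                findings.append(f"bodyRules[{n}]: CUSTOM type without regex")
            if not (path or kind or regex):
                findings.append(f"bodyRules[{n}]: selects nothing")
            elif not path:
                # Without a path the pattern is applied to all the raw data.
                findings.append(f"bodyRules[{n}]: applies to all raw data")
    if not any(s.get("policy") == POLICY_ID for s in steps):
        findings.append("no masking policy in this phase")
    return findings

# Constructed sample: the masking step is followed by a hypothetical later step.
SAMPLE_STEPS = json.loads("""[
  {"policy": "policy-data-logging-masking", "enabled": true,
   "configuration": {"scope": "REQUEST_CONTENT",
     "headerRules": [{"path": "reqHeaderToHide", "replacer": "*"}],
     "bodyRules": [{"path": "$.field", "replacer": "-"},
                   {"type": "EMAIL", "replacer": "@"},
                   {"type": "CUSTOM", "replacer": "S"},
                   {"replacer": "x"}]}},
  {"policy": "hypothetical-later-policy", "enabled": true}
]""")

if __name__ == "__main__":
    for finding in lint_masking_steps(SAMPLE_STEPS):
        print(finding)
```

The "applies to all raw data" finding is informational: it marks rules whose pattern is not limited by a `path`, so they can be reviewed for over-masking or unintended matches.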
You can enable or disable the policy with policy identifier `policy-data-logging-masking`.

The phases checked below are supported by the `data-logging-masking` policy:

v2 Phases | Compatible? | v4 Phases | Compatible? |
---|---|---|---|
onRequest | false | onRequest | false |
onResponse | false | onResponse | false |
onRequestContent | true | onMessageRequest | false |
onResponseContent | true | onMessageResponse | false |
You can configure the `data-logging-masking` policy with the following options:

Property | Required | Description | Type | Default |
---|---|---|---|---|
scope | true | Scope where the policy is executed | Policy scope | REQUEST_CONTENT |
headerRules | false | List of mask rules to apply on client and proxy headers | List<MaskHeaderRule> | |
bodyRules | false | List of mask rules to apply on client and proxy body | List<MaskBodyRule> | |

`MaskHeaderRule` properties:

Property | Required | Description | Type | Default |
---|---|---|---|---|
path | false | Header name to transform | String | |
replacer | false | Replacement character | String | * |

`MaskBodyRule` properties:

Property | Required | Description | Type | Default |
---|---|---|---|---|
path | false | Context-dependent. If "Content-type" is `application/json` you must use `json-path`; if it is `application/xml` you must use `xml-path`; otherwise not used. | String | |
type | false | Value selector type | MaskPattern | |
regex | false | Custom value selector (use regular expression) | String | |
replacer | false | Replacement character | String | * |

The following is the compatibility matrix for APIM and the `data-logging-masking` policy:

Plugin Version | Supported APIM versions |
---|---|
Up to 1.x | Up to 3.17.x |
2.0 to 2.x | 3.18.x to 3.20.x |
3.0+ | 4.0+ |