| description |
|---|
This page provides the technical details of the Data Logging Masking policy |
{% hint style="warning" %} This feature requires Gravitee's Enterprise Edition. {% endhint %}
If you enable logging on APIs, you can use the data-logging-masking policy to configure rules to conceal sensitive data. You can use json-path, xml-path or a regular expression to identify the information to hide.
{% hint style="info" %}
The data-logging-masking policy must be the last to run. Don’t forget to add it in final position on both the request and the response.
{% endhint %}
Functional and implementation information for the data-logging-masking policy is organized into the following sections:
{% hint style="warning" %} This policy can be applied to v2 APIs. It cannot be applied to v4 proxy APIs or v4 message APIs. {% endhint %}
{% tabs %} {% tab title="v2 API example" %} Sample policy configuration:
{
"name": "Data Logging Masking",
"description": "Data Logging Masking configured for RAW or JSON",
"enabled": true,
"policy": "policy-data-logging-masking",
"configuration": {
"scope": "REQUEST_CONTENT",
"headerRules": [
{
"path": "reqHeaderToHide",
"replacer": "*"
}
],
"bodyRules": [
{
"path": "$.field",
"replacer": "-"
},
{
"type": "EMAIL",
"replacer": "@"
},
{
"type": "URI",
"replacer": "U"
},
{
"type": "IP",
"replacer": "IP"
},
{
"type": "CREDIT_CARD",
"replacer": "$"
},
{
"regex": "(proto?:/.w*)(:\\d*)?\\/?(.*?)",
"replacer": "S"
}
]
}
}{% endtab %} {% endtabs %}
When configuring the data-logging-masking policy, note the following:
- If you use the
pathproperty in a rule without regex, all the data corresponding to this path will be hidden. - If you use a
MaskPatterntype property or a custom regular expression without apath, the transformation will apply to all the raw data. - We provide some patterns that you can use and adapt as required:
CUSTOM: Use to write your own regular expressionCREDIT_CARD: Use to catch and hide credit card numbers (supports Visa, Mastercard and American Express)EMAIL: Use to pick up and hide email addresses (doesn’t support Unicode)IP: Use to pick up and hide IP addresses (supports IPv4 and IPv6 format)Uri: Use to catch and hide sensitive addresses (supports HTTP, HTTPS, FTP, mailto and file)
You can enable or disable the policy with policy identifier policy-data-logging-masking.
The phases checked below are supported by the data-logging-masking policy:
| v2 Phases | Compatible? | v4 Phases | Compatible? |
|---|---|---|---|
| onRequest | false | onRequest | false |
| onResponse | false | onResponse | false |
| onRequestContent | true | onMessageRequest | false |
| onResponseContent | true | onMessageResponse | false |
You can configure the data-logging-masking policy with the following options:
| Property | Required | Description | Type | Default |
|---|---|---|---|---|
| scope | true | Scope where the policy is executed | Policy scope | REQUEST_CONTENT |
| headerRules | false | List of mask rules to apply on client and proxy headers | List<MaskHeaderRule> | |
| bodyRules | false | List of mask rules to apply on client and proxy body | List<MaskBodyRule> |
| Property | Required | Description | Type | Default |
|---|---|---|---|---|
| path | false | Header name to transform | String | |
| replacer | false | Replacement character | String | * |
| Property | Required | Description | Type | Default |
|---|---|---|---|---|
| path | false | Context-dependent. If "Content-type" is application / json you must use json-path, if it is "application / xml" you must use xml-path, otherwise not used. | String | |
| type | false | Value selector type | MaskPattern | |
| regex | false | Custom value selector (use regular expression) | String | |
| replacer | false | Replacement character | String | * |
The following is the compatibility matrix for APIM and the data-logging-masking policy:
| Plugin Version | Supported APIM versions |
|---|---|
| Up to 1.x | Up to 3.17.x |
| 2.0 to 2.x | 3.18.x to 3.20.x |
| 3.0+ | 4.0+ |