Send Docs Feedback

Data masking

Overview

When you capture message content to debug APIs calls, the content can sometimes contain sensitive data, such credit cards or personally identifiable health information (PHI) that needs to be masked.

Edge lets you define 'mask configurations' to mask specific data in trace and debug sessions. Masking configurations can be set globally (at the organization-level) or locally (at the API proxy level). Role-based capabilities govern which users have access to the data that is defined as sensitive.

When data is masked, it is replaced with asterisks in the trace output. For example:

<description>**********</description>
Data masking is enabled only when a trace session or debug session is enabled for an API proxy. If no trace or debug sessions are enabled on an API proxy, the data will not be masked.

Using Mask Configurations

Mask configurations enable you to identify sensitive data in these sources:
  • XML payloads: Using XPath, you identify XML elements to be filtered from request or response message payloads.
  • JSON payloads: Using JSONPath, you identify JSON properties to be filtered from request or response message payloads.
  • Flow variables: You can specify a list of variables that should be masked in debug output. When you specify the request.content, response.content, or message.content flow variables, the request/response body is also masked.

The basic structure of a mask configuration is shown by the following XML representation:

The name of the mask must be default.

<MaskDataConfiguration name="default">
  <XPathsRequest>
	<XPathRequest>/apigee:Greeting/apigee:User</XPathRequest>
  </XPathsRequest>
  <XPathsResponse>
    <XPathResponse>/apigee:Greeting/apigee:User</XPathResponse>
  </XPathsResponse>
  <JSONPathsRequest>
    <JSONPathRequest>$.store.book[*].author</JSONPathRequest>
  </JSONPathsRequest>
  <JSONPathsResponse>
	<JSONPathResponse>$.store.book[*].author</JSONPathResponse>
  </JSONPathsResponse>
  <XPathsFault>
	<XPathFault>/apigee:Greeting/apigee:User</XPathFault>
  </XPathsFault>
  <JSONPathsFault>
	<JSONPathFault>$.store.book[*].author</JSONPathFault>
  </JSONPathsFault>
  <Variables>
	<Variable>request.header.user-agent</Variable>
    <Variable>request.formparam.password</Variable>
  </Variables>
</MaskDataConfiguration>

Configuring a mask configuration resource

Define a mask configuration using the following elements.

If you use ServiceCallout to make a request, the information in that request is not masked with the normal mask configuration. If you wish to mask ServiceCallout request information, add the flow variable ServiceCallout.request to the <Variables> element of the <MaskDataConfiguration> configuration. 

Field Name Description Default Required?
XPathsRequest A list of XPath expressions that will be evaluated against XML payloads (if any) in the request path. Any XPaths that successfully resolve will result in the value of the XML element being masked. N/A No
XPathsResponse A list of XPath expressions that will be evaluated against XML payloads (if any) in the response path. Any XPaths that successfully resolve will result in the value of the XML element being masked. N/A No
JSONPathsRequest A list of JSONPath expressions that will be evaluated against JSON payloads (if any) in the request path. Any JSONPaths that successfully resolve will result in the value of the JSON property being masked. N/A No
JSONPathsResponse A list of JSONPath expressions that will be evaluated against JSON payloads (if any) in the response path. Any JSONPaths that successfully resolve will result in the value of the JSON property being masked. N/A No
XPathsFault A list of XPath expressions that will be evaluated against XML payloads (if any) in the error flow (which executes if a fault is thrown at any point in the flow). Any XPaths that successfully resolve will result in the value of the XML element being masked. N/A No
JSONPathsFault A list of JSON expressions that will be evaluated against JSON payloads (if any) in the error flow (which executes if a fault is thrown at any point in the flow). Any JSONPaths that successfully resolve will result in the value of the JSON property being masked. N/A No
Variables

A list of variables (either pre-defined or custom) who values will be masked. For a list of default variables, see Variables reference.

When you specify the request.contentresponse.content, or message.content flow variables, the request/response body is also masked.

N/A No

Mask configuration API

Mask configurations are defined as XML- or JSON-formatted files that you upload and download using the RESTful management API. For a complete list of data masking APIs, see Data Masks.

To see existing mask configurations, you can simply call the API resource /maskconfigs in your organization:

$ curl https://api.enterprise.apigee.com/v1/o/{org_name}/maskconfigs \
-u email:password

To see mask configurations defined for specific API proxies, you can call the /maskconfigs API:

$ curl https://api.enterprise.apigee.com/v1/o/{org_name}/apis/{api_name}/maskconfigs \
-u email:password

To see a specific mask configuration, specify the name of the mask:

$ curl https://api.enterprise.apigee.com/v1/o/{org_name}/maskconfigs/default \
-u email:password
$ curl https://api.enterprise.apigee.com/v1/o/{org_name}/apis/{api_name}/maskconfigs/default \
-u email:password

To create a mask configuration, use the POST verb to submit a payload that defines the mask configuration:

$ curl -H "Content-type:text/xml" -X POST -d \
'<MaskDataConfiguration name="default">
  <XPathsRequest>
	<XPathRequest>/apigee:Greeting/apigee:User</XPathRequest>
  </XPathsRequest>
  <XPathsResponse>
    <XPathResponse>/apigee:Greeting/apigee:User</XPathResponse>
  </XPathsResponse>
  <JSONPathsRequest>
    <JSONPathRequest>$.store.book[*].author</JSONPathRequest>
  </JSONPathsRequest>
  <JSONPathsResponse>
	<JSONPathResponse>$.store.book[*].author</JSONPathResponse>
  </JSONPathsResponse>
  <XPathsFault>
	<XPathFault>/apigee:Greeting/apigee:User</XPathFault>
  </XPathsFault>
  <JSONPathsFault>
	<JSONPathFault>$.store.book[*].author</JSONPathFault>
  </JSONPathsFault>
  <Variables>
	<Variable>request.header.user-agent</Variable>
    <Variable>request.formparam.password</Variable>
  </Variables>
</MaskDataConfiguration>' \
https://api.enterprise.apigee.com/v1/o/{org_name}/maskconfigs \
-u email:password
To create a mask configuration that is scoped to a specific API proxy:
$ curl -H "Content-type:text/xml" -X POST -d \
'<MaskDataConfiguration name="default">
  <XPathsRequest>
	<XPathRequest>/apigee:Greeting/apigee:User</XPathRequest>
  </XPathsRequest>
  <XPathsResponse>
    <XPathResponse>/apigee:Greeting/apigee:User</XPathResponse>
  </XPathsResponse>
  <JSONPathsRequest>
    <JSONPathRequest>$.store.book[*].author</JSONPathRequest>
  </JSONPathsRequest>
  <JSONPathsResponse>
	<JSONPathResponse>$.store.book[*].author</JSONPathResponse>
  </JSONPathsResponse>
  <XPathsFault>
	<XPathFault>/apigee:Greeting/apigee:User</XPathFault>
  </XPathsFault>
  <JSONPathsFault>
	<JSONPathFault>$.store.book[*].author</JSONPathFault>
  </JSONPathsFault>
  <Variables>
	<Variable>request.header.user-agent</Variable>
    <Variable>request.formparam.password</Variable>
  </Variables>
</MaskDataConfiguration>' \
https://api.enterprise.apigee.com/v1/o/{org_name}/apis/{api_name}/maskconfigs \
-u email:password

You can delete a mask configuration using the DELETE verb:

$ curl -X DELETE \
https://api.enterprise.apigee.com/v1/o/{org_name}/apis/{api_name}/maskconfigs/{maskconfig_name} \
-u email:password

The response to a DELETE operation is an HTTP code 204 with no message content.

Masking for XML namespaces

A mask configuration doesn't require the <Namespace> element in an XPATH definition unless a namespace is defined in the XML payload. This is also true if the XML payload uses a default namespace.

For example, the XML payload does not define a namespace:

<employee>
   <name>abc</name>
   <age>50</age>
​</employee>

Therefore, the mask configuration doesn't require the <Namespace> element:

<MaskDataConfiguration>
    <XPathsRequest>
        <XPathRequest>/employee/name</XPathRequest>
    <XPathsRequest>
</MaskDataConfiguration>

If the XML payload contains a namespace and prefix:

<employee xmlns:emp="http://emp.com">
    <emp:name>xyz</emp:name>
    <emp:age>50</emp:age>
</emp:employee>

Then the mask configuration definition should contain the <Namespace> element:

<MaskDataConfiguration>
    <Namespaces>
        <Namespace prefix="emp">http://emp.com</Namespace>
    </Namespaces>
    <XPathsRequest>
        <XPathRequest>/emp:employee/emp:name</XPathRequest>
    <XPathsRequest>
</MaskDataConfiguration>    

If the XML Payload has a namespace but no prefix, meaning the default namespace:

<employee xmlns="http://emp.com">
    <name>xyz</name>
    <age>50</age>
</employee>

Then the mask configuration should contain the <Namespace> element:

<MaskDataConfiguration>
    <Namespaces>
        <Namespace prefix="emp">http://emp.com</Namespace>
    </Namespaces>
    <XPathsRequest>
        <XPathRequest>/emp:employee/emp:name</XPathRequest>
    <XPathsRequest>
</MaskDataConfiguration>

Help or comments?