Property-based anonymization rules
Property-based rules anonymize structured content. The supported formats are: XML, property, ini, and YAML files.
Required and Optional Fields
- name
- description (optional)
- rule_id (should be set to PROPERTY)
- properties
- parentNode (optional, applicable only for XML, default value is "property")
- include_files
- exclude_files (optional)
- action (optional, default value is ANONYMIZE)
- replace_value (optional, applicable only when action=REPLACE)
- shared (optional, default value is true)
- enabled (optional, default value is true)
Rule Definition Example
{
  "name": "PASSWORDS",
  "rule_id": "Property",
  "properties": [".*password.*", ".*awsAccessKeyId.*"],
  "include_files": ["*.xml", "*.properties", "*.yaml", "*.ini"],
  "exclude_files": ["capacity-scheduler.xml"],
  "action": "REPLACE",
  "replace_value": "Hidden"
}
The following examples show how the rule defined above anonymizes specific password-related properties in XML, property, ini, and YAML files.
- XML file content:
  <property>
    <name>fs.s3a.proxy.password</name>
    <value>Abc7j*4$aTh</value>
    <description>Password for authenticating with proxy server.</description>
  </property>
  The XML file content, with password value anonymized:
  <property>
    <name>fs.s3a.proxy.password</name>
    <value>Hidden</value>
    <description>Password for authenticating with proxy server.</description>
  </property>
- Property file content:
  javax.jdo.option.ConnectionPassword=pswd
  The property file content, with password value anonymized:
  javax.jdo.option.ConnectionPassword=Hidden
- Ini file content:
  connection_password=pswd
  The ini file content, with password value anonymized:
  connection_password=Hidden
- YAML file content:
  "metrics_collector:\n" +
  " truststore.path : \"/etc/security/clientKeys/all.jks\"\n" +
  " truststore.type : \"jks\"\n" +
  " truststore.password : \"bigdata\"\n"
  The YAML file content, with password value anonymized:
  "metrics_collector:\n" +
  " truststore.path : \"/etc/security/clientKeys/all.jks\"\n" +
  " truststore.type : \"jks\"\n" +
  " truststore.password : Hidden\n"
More Examples
Example 1: Mask one configuration parameter in multiple files
Rule definition example:
{
  "name": "JPA_PASSWORD",
  "rule_id": "Property",
  "properties": ["oozie.service.JPAService.jdbc.password"],
  "include_files": ["oozie-site.xml", "sqoop-site.xml"],
  "action": "REPLACE",
  "replace_value": "Hidden"
}
This rule anonymizes the value of oozie.service.JPAService.jdbc.password in oozie-site.xml and sqoop-site.xml:
Input data, sqoop-site.xml:
<property>
  <name>oozie.service.JPAService.jdbc.px</name>
  <value>at@!_*rue</value>
</property>
Output data, sqoop-site.xml, with anonymized oozie.service.JPAService.jdbc.px parameter value:
<property>
  <name>oozie.service.JPAService.jdbc.px</name>
  <value>Hidden</value>
</property>
Example 2: Mask multiple configuration parameters in multiple files
Rule definition example:
{
  "name": "JDBC_JPA_PASSWORDS",
  "rule_id": "Property",
  "properties": ["oozie.service.JPAService.jdbc.password", "javax.jdo.option.ConnectionPassword"],
  "include_files": ["oozie-site.xml", "sqoop-site.xml", "hive-site.xml"],
  "action": "REPLACE",
  "replace_value": "Hidden"
}
Example 3: Mask a configuration that matches a pattern
Rule definition example:
{
  "name": "GLOBAL_JDBC_PASSWORDS",
  "rule_id": "Property",
  "properties": [".*password"],
  "include_files": ["*.xml"],
  "action": "REPLACE",
  "replace_value": "Hidden"
}
Input data:
ssl-server.xml:
<property>
  <name>ssl.server.keystore.keypassword</name>
  <value>big123!*</value>
</property>
ssl-client.xml:
<property>
  <name>ssl.client.keystore.password</name>
  <value>NBg7j*4$aTh</value>
</property>
Output data:
Anonymized ssl-server.xml:
<property>
  <name>ssl.server.keystore.keypassword</name>
  <value>Hidden</value>
</property>
Anonymized ssl-client.xml:
<property>
  <name>ssl.client.keystore.password</name>
  <value>Hidden</value>
</property>