mask data of AccessEntity policy in apigee edge

I am trying to mask all the data I read using the AccessEntity policy.

I followed this example https://docs.apigee.com/api-platform/security/data-masking and couldn't figure out how to mask the XML data I read using the AccessEntity policy.

1 REPLY

The data masking allows you to mask by JSONPath or XPath in the request or response message, OR on the name of the variable.

It just so happens that AccessEntity will return data in XML format, but the data masking for XPath won't work on that XML, because the XML is not a payload of a request or a response. So you need to mask on the variable names. The variable name will be different, depending on the name you use in the AccessEntity policy. Suppose you have something like this for your AccessEntity policy configuration:

<AccessEntity name='AE-Developer-By-Clientid'>
  <EntityType value='developer' />
  <EntityIdentifier type='consumerkey' ref='client_id' />
</AccessEntity>

In that case the name of the variable that gets the full XML of the data will be AccessEntity.AE-Developer-By-Clientid. That is, the AccessEntity keyword, followed by a dot, followed by the policy name. So you need to mask THAT. You must set your debug mask to refer to that variable name. For example, in Apigee Edge (for a proxy-scoped data mask):

# update

POST :mgmtserver/v1/o/:org/apis/:proxy/maskconfigs
Authorization: Bearer :token
content-type: application/json

{
  "name": "default",
  "variables": [
    "AccessEntity.AE-Developer-By-Clientid"
  ]
}

In Apigee X or hybrid, for an environment-scoped debug mask:

# update
PATCH :gaambo/v1/organizations/:org/environments/:env/debugmask
Authorization: Bearer :token

{
  "variables": [
    "AccessEntity.AE-Developer-By-Clientid"
  ]
}

(See the documentation for data masking in X and hybrid here.) But that's not quite enough: the Apigee runtime helpfully sets additional context variables for all the child nodes of that XML, so you will need to mask those as well. For example, if I specifically want to mask the developer's email, then I must mask three variables:

# update
PATCH :gaambo/v1/organizations/:org/environments/:env/debugmask
Authorization: Bearer :token

{
  "variables": [
    "request.header.apikey",
    "AccessEntity.AE-Developer-By-Clientid",
    "AccessEntity.ChildNodes.AE-Developer-By-Clientid.Developer",
    "AccessEntity.ChildNodes.AE-Developer-By-Clientid.Developer.Email"
  ]
}

And then when I redeploy the proxy into that environment, I see this in my trace:

(screenshot of the trace, screenshot-20221025-154231.png, not reproduced here)

As you can see, the developer email is not shown. It's masked out.
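The answer above boils down to a naming rule: the whole-XML variable is AccessEntity.<policy name>, and each child element gets its own AccessEntity.ChildNodes.<policy name>.<root>.<child> variable, all of which must appear in the debug mask or the value still shows up in trace. The following script is an added example (not code from the poster or from Apigee) that derives that list from a policy file and a sample of the entity XML, emits the debugmask request body, and checks an existing mask config for gaps. The policy and developer XML are constructed samples with placeholder values, and the assumption that the ChildNodes pattern shown for Developer.Email holds for every direct child element is marked in the code.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample AccessEntity policy, mirroring the one in the answer.
POLICY_XML = """<AccessEntity name='AE-Developer-By-Clientid'>
  <EntityType value='developer' />
  <EntityIdentifier type='consumerkey' ref='client_id' />
</AccessEntity>"""

# Constructed sample of the entity XML such a policy returns; values are placeholders.
ENTITY_XML = """<Developer>
  <Email>developer@example.com</Email>
  <FirstName>Jane</FirstName>
  <LastName>Doe</LastName>
  <Status>active</Status>
</Developer>"""


def policy_name(policy_xml):
    """Return the name attribute of an AccessEntity policy document."""
    root = ET.fromstring(policy_xml)
    if root.tag != "AccessEntity" or "name" not in root.attrib:
        raise ValueError("not an AccessEntity policy with a name attribute")
    return root.attrib["name"]


def child_node_variables(name, entity_xml):
    """Variable names the runtime sets for the entity root and its direct children.

    ASSUMPTION: the pattern AccessEntity.ChildNodes.<policy>.<root>.<child> seen in
    the answer for Developer.Email holds for every direct child element.
    """
    root = ET.fromstring(entity_xml)
    prefix = "AccessEntity.ChildNodes.%s.%s" % (name, root.tag)
    return [prefix] + [prefix + "." + child.tag for child in root]


def mask_variables(policy_xml, entity_xml, extra=()):
    """Full list to mask: any extras (e.g. the API key header), the whole-XML
    variable AccessEntity.<policy>, then every child-node variable."""
    name = policy_name(policy_xml)
    return list(extra) + ["AccessEntity." + name] + child_node_variables(name, entity_xml)


def debugmask_body(variables):
    """JSON body for the X/hybrid debugmask PATCH (Edge's maskconfigs POST also needs "name")."""
    return json.dumps({"variables": variables}, indent=2)


def uncovered_variables(mask_config, required):
    """Return the required variable names that an existing mask config does not list;
    anything returned here would still appear unmasked in trace."""
    masked = set(mask_config.get("variables", []))
    return [v for v in required if v not in masked]


if __name__ == "__main__":
    wanted = mask_variables(POLICY_XML, ENTITY_XML, extra=["request.header.apikey"])
    print(debugmask_body(wanted))
    # A mask that only lists the top-level variable leaves every child node exposed.
    partial = {"variables": ["AccessEntity.AE-Developer-By-Clientid"]}
    print("still unmasked:", uncovered_variables(partial, wanted))
```

Run it against your real policy file and one trace-captured entity XML to get the complete variables list, then use uncovered_variables on the JSON returned by a GET of the same debugmask endpoint to confirm nothing was left out before redeploying.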