User Guide

Property-Based Anonymization Rules

Property-based rules anonymize structured content. The supported formats are: XML, property, ini, and YAML files.

Required and Optional Fields

  • name

  • description (optional)

  • rule_id (should be set to PROPERTY)

  • properties

  • parentNode (optional, applicable only for XML, default value is "property")

  • include_files

  • exclude_files (optional)

  • action (optional, default value is ANONYMIZE)

  • replace_value (optional, applicable only when action=REPLACE)

  • shared (optional, default value is true)

  • enabled (optional, default value is true)

For more information on each field, refer to Fields Used for Defining Anonymization Rules.

Rule Definition Example

    {
      "name": "PASSWORDS",
      "rule_id": "Property",
      "properties": [".*password.*", ".*awsAccessKeyId.*"],
      "include_files": ["*.xml", "*.properties", "*.yaml", "*.ini"],
      "exclude_files" : ["capacity-scheduler.xml"],
      "action" : "REPLACE",
      "replace_value": "Hidden"
    }

The following examples show how the rule defined above anonymizes specific password-related properties in XML, property, ini, and YAML files.

  • XML file content:

    <property>
      <name>fs.s3a.proxy.password</name>
      <value>Abc7j*4$aTh</value>
      <description>Password for authenticating with proxy server.</description>
    </property>

    The XML file content, with password value anonymized:

    <property>
      <name>fs.s3a.proxy.password</name>
      <value>Hidden</value>
      <description>Password for authenticating with proxy server.</description>
    </property>

  • Property file content:

    javax.jdo.option.ConnectionPassword=pswd

    The property file content, with password value anonymized:

    javax.jdo.option.ConnectionPassword=Hidden

  • Ini file content:

    connection_password=pswd

    The ini file content, with password value anonymized:

    connection_password=Hidden

  • YAML file content:

    metrics_collector:
      truststore.path : "/etc/security/clientKeys/all.jks"
      truststore.type : "jks"
      truststore.password : "bigdata"

    The YAML file content, with password value anonymized:

    metrics_collector:
      truststore.path : "/etc/security/clientKeys/all.jks"
      truststore.type : "jks"
      truststore.password : Hidden

For more examples, refer to Examples of Property-Based Anonymization Rules.

Examples of Property-Based Anonymization Rules

This section includes examples of commonly used property-based anonymization rules.

Example 1: Mask one configuration parameter in multiple files

Rule definition example:

    {
      "name": "JPA_PASSWORD",
      "rule_id": "Property",
      "properties": ["oozie.service.JPAService.jdbc.password"],
      "include_files": ["oozie-site.xml", "sqoop-site.xml"],
      "action" : "REPLACE",
      "replace_value": "Hidden"
    }

This rule anonymizes the value of oozie.service.JPAService.jdbc.password in oozie-site.xml and sqoop-site.xml:

Input data, sqoop-site.xml:

    <property>
      <name>oozie.service.JPAService.jdbc.password</name>
      <value>at@!_*rue</value>
    </property>

Output data, sqoop-site.xml, with anonymized oozie.service.JPAService.jdbc.password parameter value:

    <property>
      <name>oozie.service.JPAService.jdbc.password</name>
      <value>Hidden</value>
    </property>

Example 2: Mask multiple configuration parameters in multiple files

Rule definition example:

    {
      "name": "JDBC_JPA_PASSWORDS",
      "rule_id": "Property",
      "properties": ["oozie.service.JPAService.jdbc.password", "javax.jdo.option.ConnectionPassword"],
      "include_files": ["oozie-site.xml", "sqoop-site.xml", "hive-site.xml"],
      "action" : "REPLACE",
      "replace_value": "Hidden"
    }

Example 3: Mask a configuration that matches a pattern

Rule definition example:

    {
      "name": "GLOBAL_JDBC_PASSWORDS",
      "rule_id": "Property",
      "properties": [".*password"],
      "include_files": ["*.xml"],
      "action" : "REPLACE",
      "replace_value": "Hidden"
    }

Input data:

ssl-server.xml

    <property>
      <name>ssl.server.keystore.keypassword</name>
      <value>big123!*</value>
    </property>

ssl-client.xml

    <property>
      <name>ssl.client.keystore.password</name>
      <value>NBg7j*4$aTh</value>
    </property>

Output data:

Anonymized ssl-server.xml

    <property>
      <name>ssl.server.keystore.keypassword</name>
      <value>Hidden</value>
    </property>

Anonymized ssl-client.xml

    <property>
      <name>ssl.client.keystore.password</name>
      <value>Hidden</value>
    </property>