DlpPolicy

Proto: dlp_policy.proto

Package: security.policy.gloo.solo.io

Types:

DLPPolicyReport

Field Description
workspaces (repeated DLPPolicyReport.WorkspacesEntry)

The status of the resource in each workspace that it exists in.
selectedRoutes (repeated common.gloo.solo.io.RouteReference)

A list of references to all routes selected by the policy.

DLPPolicyReport.WorkspacesEntry

Field Description
key (string)

value (common.gloo.solo.io.Report)

DLPPolicySpec

Use a DLPPolicy (data loss prevention policy) to prevent sensitive data from being exposed. Gloo Gateway completes a series of regex replacements on the body or headers of responses that it processes. DLPPolicies are applied at the Route level.

Field Description
applyToRoutes (repeated common.gloo.solo.io.RouteSelector)

Select the routes that the policy applies to. If empty, the policy applies to all routes in the workspace.
config (DLPPolicySpec.Config)

The details of the DLP policy to apply to the selected routes.

DLPPolicySpec.Config

Whether actions apply to responses, access logs, or both. If empty, masking is enabled for response bodies only.

Field Description
actions (repeated DlpAction)

List of data loss prevention actions to be applied. These actions are applied in order, one at a time.
sanitize (DLPPolicySpec.Config.Sanitize)

Whether actions apply to responses, access logs, or both. If empty, masking is enabled for response bodies only.

DLPPolicyStatus

The status of the DLPPolicy.

Field Description
common (common.gloo.solo.io.Status)

The state and workspace conditions of the applied resource.
numSelectedRoutes (uint32)

A count of references to all routes selected by the policy.

DlpAction

A single DLP action to mask sensitive data. You can apply preconfigured actions, create custom actions, and write key-value (header) actions. These actions can also be shadowed. A shadowed action is recorded in the statistics and debug logs, but is not committed in the response body.

To use a predefined action, set the predefinedAction to one of the predefined actions.

- predefinedAction: VISA

To create a custom action, specify the configuration in the customAction field. The default enum value is custom, so that can be left empty.

- customAction:
    name: test
    regexActions:
    - regex: "hello"
    - regex: "world"
    maskChar: Y
    percent: 60

To create a key-value action, specify the configuration in the keyValueAction field. The default enum value is custom, so that can be left empty.

- keyValueAction:
    keysToMask:
    - x-my-header-01
    maskChar: _
    name: kv-action-1
    percent: 100

Field Description
predefinedAction (DlpAction.PredefinedAction)

The predefined action to apply.
customAction (DlpCustomAction)

The custom action to apply.
keyValueAction (DlpKeyValueAction)

The key-value action to apply. Key-value actions affect access logs and response headers, but not response bodies.
shadow (google.protobuf.BoolValue)

If enabled, the action is recorded in debug logs, but not applied to response bodies or headers.

DlpCustomAction

A custom action that you define to apply to the response body.

The regex strings in the list are applied in order. For instance, if the response body contains hello world, and you define the following custom action:

customAction:
  name: test
  regexActions:
  - regex: "hello"
  - regex: "world"
  maskChar: Y
  percent: 60

The result is masked in this way: YYYlo YYYld

If mask_char and percent are not defined, the result is masked in this way: XXXXo XXXXd

Field Description
name (string)

The name of the custom action. This name is used for logging and debugging purposes.
maskChar (google.protobuf.StringValue)

The masking character to replace the sensitive data. Default: X
percent (google.protobuf.FloatValue)

The percent of the string to mask with the mask_char. Rounds the ratio (percent/100) by using std::round. Default: 75%
regexActions (repeated envoy.config.filter.http.transformation_ee.v2.RegexAction)

List of regexes to apply to the response body. Data that matches the regexes is masked. Regexes are applied iteratively in the order that they are specified.
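
The following Python model is an added example, not code from the Gloo Gateway project. It reproduces the masking arithmetic described above so that a percent value, a regex order, or a shadowed action can be checked offline before the policy is applied. Assumptions: rounding is applied to the number of characters to mask, the whole match is masked from its first character, and Python's re stands in for the gateway's regex engine; the function names are hypothetical.

```python
import math
import re

DEFAULT_MASK_CHAR = "X"  # default maskChar stated on this page
DEFAULT_PERCENT = 75.0   # default percent stated on this page


def mask_count(length, percent):
    """Number of leading characters to mask.

    Assumption: rounding is applied to length * percent / 100 and, like
    std::round, sends halves away from zero (Python's round() does not).
    """
    n = math.floor(length * percent / 100.0 + 0.5)
    return max(0, min(length, n))  # clamp out-of-range percent values


def mask_match(text, mask_char=DEFAULT_MASK_CHAR, percent=DEFAULT_PERCENT):
    """Mask the leading part of one matched string."""
    n = mask_count(len(text), percent)
    return mask_char * n + text[n:]


def apply_custom_action(body, regexes, mask_char=DEFAULT_MASK_CHAR,
                        percent=DEFAULT_PERCENT, shadow=False):
    """Model of a customAction: returns (body_sent_to_client, match_count).

    Regexes run in order, each on the output of the previous one. With
    shadow=True the matches are still counted but the body is unchanged.
    """
    masked, hits = body, 0
    for pattern in regexes:
        masked, n = re.subn(
            pattern, lambda m: mask_match(m.group(0), mask_char, percent),
            masked)
        hits += n
    return (body if shadow else masked), hits


if __name__ == "__main__":
    body = "hello world"  # constructed sample body, taken from the example above
    print(apply_custom_action(body, ["hello", "world"], "Y", 60))
    print(apply_custom_action(body, ["hello", "world"]))
    print(apply_custom_action(body, ["hello", "world"], shadow=True))
    # Order matters: the second regex only sees the already-masked text.
    print(apply_custom_action(body, ["hello", "hello world"]))
```

In the last call the broader pattern never matches because the first regex has already rewritten part of the text it looks for, so overlapping regexes should be listed from broadest to narrowest.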

DlpKeyValueAction

A key-value action to apply to response headers.

Field Description
name (string)

The name of the key-value action. This name is used for logging and debugging purposes.
maskChar (google.protobuf.StringValue)

The masking character to replace the sensitive data. Default: X
percent (google.protobuf.FloatValue)

The percent of the string to mask with the mask_char. Rounds the ratio (percent/100) by using std::round. Default: 75%
keysToMask (repeated string)

Required: The keys for which corresponding header names or dynamic metadata values are masked.

DLPPolicySpec.Config.Sanitize

Name Number Description
ALL 0 Enable DLP masking for both response bodies and access logs. Default value.
ACCESS_LOGS 1 Enable DLP masking for access logs only.
RESPONSE_BODY 2 Enable DLP masking for response bodies only.

DlpAction.PredefinedAction

The following pre-defined actions map to subgroup 1 of the listed regex patterns:

SSN:

MASTERCARD:

VISA:

AMEX:

DISCOVER:

JCB:

DINERS_CLUB:

CREDIT_CARD_TRACKERS:

ALL_CREDIT_CARDS:

Name Number Description
ALL_CREDIT_CARDS 0
SSN 1
MASTERCARD 2
VISA 3
AMEX 4
DISCOVER 5
JCB 6
DINERS_CLUB 7
CREDIT_CARD_TRACKERS 8