DlpPolicy
DlpPolicy API reference.
Proto: dlp_policy.proto
Package: security.policy.gloo.solo.io
DLPPolicyReport
Field | Description |
---|---|
workspaces | (repeated DLPPolicyReport.WorkspacesEntry) The status of the resource in each workspace that it exists in. |
selectedRoutes | (repeated common.gloo.solo.io.RouteReference) A list of references to all routes selected by the policy. |
DLPPolicyReport.WorkspacesEntry
Field | Description |
---|---|
key | (string) |
value | (common.gloo.solo.io.Report) |
DLPPolicySpec
Use a DLPPolicy (data loss prevention policy) to prevent sensitive data from being exposed. Gloo Gateway completes a series of regex replacements on the body or headers of responses that it processes. DLPPolicies are applied at the Route level.
Field | Description |
---|---|
applyToRoutes | (repeated common.gloo.solo.io.RouteSelector) Select the routes that the policy applies to. If empty, the policy applies to all routes in the workspace. |
config | (DLPPolicySpec.Config) The details of the DLP policy to apply to the selected routes. |
DLPPolicySpec.Config
Whether actions apply to responses, access logs, or both. If empty, masking is enabled for response bodies only.
Field | Description |
---|---|
actions | (repeated DlpAction) List of data loss prevention actions to be applied. These actions are applied in order, one at a time. |
sanitize | (DLPPolicySpec.Config.Sanitize) Whether actions apply to responses, access logs, or both. If empty, masking is enabled for response bodies only. |
DLPPolicyStatus
The status of the DLPPolicy.
Field | Description |
---|---|
common | (common.gloo.solo.io.Status) The state and workspace conditions of the applied resource. |
numSelectedRoutes | (uint32) A count of references to all routes selected by the policy. |
DlpAction
A single DLP action to mask sensitive data. You can apply preconfigured actions, create custom actions, and write key-value (header) actions. These actions can also be shadowed. A shadowed action is recorded in the statistics and debug logs, but is not committed in the response body.
To use a predefined action, set the predefinedAction to one of the predefined actions.
- predefinedAction: VISA
To create a custom action, specify the configuration in the customAction field. The default enum value is custom, so that can be left empty.
- customAction:
    name: test
    regexActions:
    - regex: "hello"
    - regex: "world"
    maskChar: Y
    percent: 60
To create a key-value action, specify the configuration in the keyValueAction field. The default enum value is custom, so that can be left empty.
- keyValueAction:
    keysToMask:
    - x-my-header-01
    maskChar: _
    name: kv-action-1
    percent: 100
Field | Description |
---|---|
predefinedAction | (DlpAction.PredefinedAction) The predefined action to apply. |
customAction | (DlpCustomAction) The custom action to apply. |
keyValueAction | (DlpKeyValueAction) The key-value action to apply. Key-value actions affect access logs and response headers, but not response bodies. |
shadow | (google.protobuf.BoolValue) If enabled, the action is recorded in debug logs, but not applied to response bodies or headers. |
DlpCustomAction
A custom action that you define to apply to the response body.
The regex strings in the list are applied in order. For instance, if the response body contains hello world, and you define the following custom action:
customAction:
  name: test
  regexActions:
  - regex: "hello"
  - regex: "world"
  maskChar: Y
  percent: 60
The result is masked in this way:
YYYlo YYYld
If mask_char and percent are not defined, the result is masked in this way:
XXXXo XXXXd
Field | Description |
---|---|
name | (string) The name of the custom action. This name is used for logging and debugging purposes. |
maskChar | (google.protobuf.StringValue) The masking character to replace the sensitive data. Default: X |
percent | (google.protobuf.FloatValue) The percent of the string to mask with the mask_char. Rounds the ratio (percent/100) by using std::round. Default: 75% |
regexActions | (repeated envoy.config.filter.http.transformation_ee.v2.RegexAction) List of regexes to apply to the response body. Data that matches the regexes is masked. Regexes are applied iteratively in the order that they are specified. |
DlpKeyValueAction
A key-value action to apply to response headers.
Field | Description |
---|---|
name | (string) The name of the key-value action. This name is used for logging and debugging purposes. |
maskChar | (google.protobuf.StringValue) The masking character to replace the sensitive data. Default: X |
percent | (google.protobuf.FloatValue) The percent of the string to mask with the mask_char. Rounds the ratio (percent/100) by using std::round. Default: 75% |
keysToMask | (repeated string) Required: The keys for which corresponding header names or dynamic metadata values are masked. |
DLPPolicySpec.Config.Sanitize
Name | Number | Description |
---|---|---|
ALL | 0 | Enable DLP masking for both response bodies and access logs. Default value. |
ACCESS_LOGS | 1 | Enable DLP masking for access logs only. |
RESPONSE_BODY | 2 | Enable DLP masking for response bodies only. |
DlpAction.PredefinedAction
The following pre-defined actions map to subgroup 1 of the listed regex patterns:
SSN:
- '(?:^|\D)([0-9]{9})(?:\D|$)'
- '(?:^|\D)([0-9]{3}-[0-9]{2}-[0-9]{4})(?:\D|$)'
- '(?:^|\D)([0-9]{3}\ [0-9]{2}\ [0-9]{4})(?:\D|$)'
MASTERCARD:
- '(?:^|\D)(5[1-5][0-9]{2}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)'
VISA:
- '(?:^|\D)(4[0-9]{3}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)'
AMEX:
- '(?:^|\D)((?:34|37)[0-9]{2}(?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{5})(?:\D|$)'
DISCOVER:
- '(?:^|\D)(6011(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)'
JCB:
- '(?:^|\D)(3[0-9]{3}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)'
- '(?:^|\D)((?:2131|1800)[0-9]{11})(?:\D|$)'
DINERS_CLUB:
- '(?:^|\D)(30[0-5][0-9](?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{4})(?:\D|$)'
- '(?:^|\D)((?:36|38)[0-9]{2}(?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{4})(?:\D|$)'
CREDIT_CARD_TRACKERS:
- '([1-9][0-9]{2}-[0-9]{2}-[0-9]{4}^\d)'
- '(?:^|\D)(%?[Bb]\d{13,19}^[-/.\w\s]{2,26}^[0-9][0-9][01][0-9][0-9]{3})'
- '(?:^|\D)(;\d{13,19}=(?:\d{3}|)(?:\d{4}|=))'
ALL_CREDIT_CARDS:
- (All credit card related regexes from above)
Name | Number | Description |
---|---|---|
ALL_CREDIT_CARDS | 0 | |
SSN | 1 | |
MASTERCARD | 2 | |
VISA | 3 | |
AMEX | 4 | |
DISCOVER | 5 | |
JCB | 6 | |
DINERS_CLUB | 7 | |
CREDIT_CARD_TRACKERS | 8 | |
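To preview what an action would do to a response body before applying a policy, the masking rules described under DlpCustomAction (ordered regexes, maskChar, percent rounded as std::round does) and the "subgroup 1" behaviour of the predefined actions can be modelled offline. This is an added sketch, not Gloo or Envoy code: the names `mask_value` and `apply_action` and the `subgroup` and `shadow` parameters are this example's own, and it assumes the leading characters of the matched text are masked whatever they are, as in the hello world example.

```python
import math
import re

# Pattern copied from the VISA entry in the PredefinedAction list on this page.
VISA = r"(?:^|\D)(4[0-9]{3}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)"


def mask_value(value, mask_char="X", percent=75.0):
    """Mask the leading part of value; defaults follow the field tables (X, 75%)."""
    # std::round rounds halves away from zero, while Python's round() rounds
    # halves to even, so emulate it with floor(x + 0.5) for non-negative lengths.
    count = math.floor(len(value) * percent / 100.0 + 0.5)
    count = max(0, min(count, len(value)))
    return mask_char * count + value[count:]


def apply_action(body, regexes, subgroup=0, mask_char="X", percent=75.0, shadow=False):
    """Apply each regex in order, each one to the output of the previous one.

    Returns (body_after, hits). With shadow=True (assumed model of a shadowed
    action) the hits are still counted but the body is returned unchanged.
    """
    hits = 0
    current = body
    for pattern in regexes:
        def repl(m):
            nonlocal hits
            hits += 1
            whole = m.group(0)
            # Offsets of the selected capture group inside the whole match.
            start = m.start(subgroup) - m.start()
            end = m.end(subgroup) - m.start()
            masked = mask_value(m.group(subgroup), mask_char, percent)
            return whole[:start] + masked + whole[end:]
        current = re.sub(pattern, repl, current)
    return (body if shadow else current), hits
```

Running a candidate regex with `shadow=True` first gives the hit count on sample bodies without altering them, which helps catch patterns that match more than intended.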