Masking data

Question:

How can I mask fields in my Kafka topic?


Example use case:

Suppose you have a topic that contains personally identifiable information (PII). We'll write a program that persists the events from the original topic to a new Kafka topic with the PII removed or obfuscated.

Short Answer

Use the ksqlDB MASK function to obfuscate fields.

CREATE STREAM purchases_pii_obfuscated
    WITH (kafka_topic='purchases_pii_obfuscated', value_format='json', partitions=1) AS
    SELECT MASK(CUSTOMER_NAME) AS CUSTOMER_NAME,
           MASK(DATE_OF_BIRTH) AS DATE_OF_BIRTH,
           ORDER_ID, PRODUCT, ORDER_TOTAL_USD, TOWN, COUNTRY
    FROM PURCHASES;

Try it

1. Initialize the project

To get started, make a new directory anywhere you’d like for this project:

mkdir masking-data && cd masking-data

Then make the following directories to set up its structure:

mkdir src test

2. Get Confluent Platform

Next, create the following docker-compose.yml file to obtain Confluent Platform:

---
version: '2'

services:
  zookeeper:
    image: confluentinc/cp-zookeeper:6.0.0
    hostname: zookeeper
    container_name: zookeeper
    ports:
      - "2181:2181"
    environment:
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_TICK_TIME: 2000

  broker:
    image: confluentinc/cp-kafka:6.0.0
    hostname: broker
    container_name: broker
    depends_on:
      - zookeeper
    ports:
      - "29092:29092"
    environment:
      KAFKA_BROKER_ID: 1
      KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181'
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT
      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://broker:9092,PLAINTEXT_HOST://localhost:29092
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0

  schema-registry:
    image: confluentinc/cp-schema-registry:6.0.0
    hostname: schema-registry
    container_name: schema-registry
    depends_on:
      - broker
    ports:
      - "8081:8081"
    environment:
      SCHEMA_REGISTRY_HOST_NAME: schema-registry
      SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: 'broker:9092'

  ksqldb-server:
    image: confluentinc/ksqldb-server:0.11.0
    hostname: ksqldb-server
    container_name: ksqldb-server
    depends_on:
      - broker
      - schema-registry
    ports:
      - "8088:8088"
    environment:
      KSQL_CONFIG_DIR: "/etc/ksqldb"
      KSQL_LOG4J_OPTS: "-Dlog4j.configuration=file:/etc/ksqldb/log4j.properties"
      KSQL_BOOTSTRAP_SERVERS: "broker:9092"
      KSQL_HOST_NAME: ksqldb-server
      KSQL_LISTENERS: "http://0.0.0.0:8088"
      KSQL_CACHE_MAX_BYTES_BUFFERING: 0
      KSQL_KSQL_SCHEMA_REGISTRY_URL: "http://schema-registry:8081"

  ksqldb-cli:
    image: confluentinc/ksqldb-cli:0.11.0
    container_name: ksqldb-cli
    depends_on:
      - broker
      - ksqldb-server
    entrypoint: /bin/sh
    environment:
      KSQL_CONFIG_DIR: "/etc/ksqldb"
    tty: true
    volumes:
      - ./src:/opt/app/src
      - ./test:/opt/app/test

And launch it by running:

docker-compose up -d

3. Write the program interactively using the CLI

To begin developing interactively, open up the ksqlDB CLI:

docker exec -it ksqldb-cli ksql http://ksqldb-server:8088

First, you’ll need to create a Kafka topic and stream to represent the purchases data. The following creates both in one shot.

CREATE STREAM purchases (order_id INT, customer_name VARCHAR, date_of_birth VARCHAR,
                         product VARCHAR, order_total_usd DOUBLE, town VARCHAR, country VARCHAR)
    WITH (kafka_topic='purchases', value_format='json', partitions=1);

Then insert the purchase data using the following commands:

INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country) VALUES (1, 'Britney', '02/29/2000', 'Heart Rate Monitor', 119.93, 'Denver', 'USA');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country) VALUES (2, 'Michael', '06/08/1981', 'Foam Roller', 34.95, 'Los Angeles', 'USA');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country) VALUES (3, 'Kimmy', '05/19/1978', 'Hydration Belt', 50.00, 'Tuscan', 'USA');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country) VALUES (4, 'Samantha', '08/05/1983', 'Wireless Headphones', 175.93, 'Tulsa', 'USA');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country) VALUES (5, 'Jonathon', '01/31/1981', 'Comfort Insoles', 49.95, 'Portland', 'USA');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country) VALUES (6, 'Raymond', '07/29/2001', 'Running Beanie', 13.73, 'Omaha', 'USA');

Our purchases stream is created and should be populated with data. Prior to querying the purchases data, let’s tell ksqlDB to query data from the beginning of the topic.

SET 'auto.offset.reset'='earliest';

Now we should be able to see all of the purchases data we just entered with the following command:

SELECT *
    FROM purchases
    EMIT CHANGES
    LIMIT 6;

This should yield roughly the following output. The order will be different depending on how the records were actually inserted. Note that PII like name, birthdate, city, and country are present.

+--------------------+--------------------+--------------------+--------------------+--------------------+--------------------+--------------------+
|ORDER_ID            |CUSTOMER_NAME       |DATE_OF_BIRTH       |PRODUCT             |ORDER_TOTAL_USD     |TOWN                |COUNTRY             |
+--------------------+--------------------+--------------------+--------------------+--------------------+--------------------+--------------------+
|1                   |Britney             |02/29/2000          |Heart Rate Monitor  |119.93              |Denver              |USA                 |
|2                   |Michael             |06/08/1981          |Foam Roller         |34.95               |Los Angeles         |USA                 |
|3                   |Kimmy               |05/19/1978          |Hydration Belt      |50.0                |Tuscan              |USA                 |
|4                   |Samantha            |08/05/1983          |Wireless Headphones |175.93              |Tulsa               |USA                 |
|5                   |Jonathon            |01/31/1981          |Comfort Insoles     |49.95               |Portland            |USA                 |
|6                   |Raymond             |07/29/2001          |Running Beanie      |13.73               |Omaha               |USA                 |
Limit Reached
Query terminated

Next we will highlight two ways to mask PII data. Both methods result in new streams.
Our first technique is to create a derived topic from which PII is excluded. It masks data by not selecting PII fields such as CUSTOMER_NAME and DATE_OF_BIRTH; TOWN and COUNTRY are still carried through.

CREATE STREAM purchases_pii_removed
    WITH (kafka_topic='purchases_pii_removed', value_format='json', partitions=1) AS
    SELECT ORDER_ID, PRODUCT, ORDER_TOTAL_USD, TOWN, COUNTRY
    FROM PURCHASES;

Let’s verify that the derived topic we just created does not have any PII related to CUSTOMER_NAME or DATE_OF_BIRTH. You can see the contents of the stream by executing the following:

SELECT *
    FROM purchases_pii_removed
    EMIT CHANGES
    LIMIT 6;

Your results should look like what is below. Take note of the lack of PII fields like CUSTOMER_NAME or DATE_OF_BIRTH.

+--------------------+--------------------+--------------------+--------------------+--------------------+
|ORDER_ID            |PRODUCT             |ORDER_TOTAL_USD     |TOWN                |COUNTRY             |
+--------------------+--------------------+--------------------+--------------------+--------------------+
|1                   |Heart Rate Monitor  |119.93              |Denver              |USA                 |
|2                   |Foam Roller         |34.95               |Los Angeles         |USA                 |
|3                   |Hydration Belt      |50.0                |Tuscan              |USA                 |
|4                   |Wireless Headphones |175.93              |Tulsa               |USA                 |
|5                   |Comfort Insoles     |49.95               |Portland            |USA                 |
|6                   |Running Beanie      |13.73               |Omaha               |USA                 |
Limit Reached
Query terminated

The second technique for masking data uses ksqlDB's built-in MASK functions. Here we retain the customer name and date of birth fields, but in obfuscated form.

CREATE STREAM purchases_pii_obfuscated
    WITH (kafka_topic='purchases_pii_obfuscated', value_format='json', partitions=1) AS
    SELECT MASK(CUSTOMER_NAME) AS CUSTOMER_NAME,
           MASK(DATE_OF_BIRTH) AS DATE_OF_BIRTH,
           ORDER_ID, PRODUCT, ORDER_TOTAL_USD, TOWN, COUNTRY
    FROM PURCHASES;

Use the command below to query the contents of the purchases_pii_obfuscated stream:

SELECT *
    FROM purchases_pii_obfuscated
    EMIT CHANGES
    LIMIT 6;

We can see that the sensitive data is masked with x’s or n’s.

+--------------------+--------------------+--------------------+--------------------+--------------------+--------------------+--------------------+
|CUSTOMER_NAME       |DATE_OF_BIRTH       |ORDER_ID            |PRODUCT             |ORDER_TOTAL_USD     |TOWN                |COUNTRY             |
+--------------------+--------------------+--------------------+--------------------+--------------------+--------------------+--------------------+
|Xxxxxxx             |nn-nn-nnnn          |1                   |Heart Rate Monitor  |119.93              |Denver              |USA                 |
|Xxxxxxx             |nn-nn-nnnn          |2                   |Foam Roller         |34.95               |Los Angeles         |USA                 |
|Xxxxx               |nn-nn-nnnn          |3                   |Hydration Belt      |50.0                |Tuscan              |USA                 |
|Xxxxxxxx            |nn-nn-nnnn          |4                   |Wireless Headphones |175.93              |Tulsa               |USA                 |
|Xxxxxxxx            |nn-nn-nnnn          |5                   |Comfort Insoles     |49.95               |Portland            |USA                 |
|Xxxxxxx             |nn-nn-nnnn          |6                   |Running Beanie      |13.73               |Omaha               |USA                 |
Limit Reached
Query terminated

MASK Function Options

There are a few types of masking functions and optional parameters that may be of use to you.

Optional arguments:

MASK(CUSTOMER_NAME, 'X', 'x', 'n', '-')

In the example above, characters in CUSTOMER_NAME are masked by type: upper-case letters become X, lower-case letters become x, numbers become n, and other characters become -. These are the defaults used when no mask characters are supplied. Set a given mask character to NULL to leave that character type unmasked.

Other types of MASK functions:
ksqlDB offers several other masking functions that mask the farthest or nearest x characters on the right or left. Check out the ksqlDB documentation for more information.
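The character-class rules described above, modeled in Python as an added example (not ksqlDB's code and not part of the original tutorial). The names `mask`, `anonymity_sets` and `unique_after_masking` are hypothetical, and passing None stands in for NULL. The model shows what a masked value still discloses: its length, capitalization pattern and, with NULL, the unmasked character class.

```python
"""Model of the MASK character-class rules described above (not ksqlDB's own code)."""
from collections import Counter


def mask(value, upper="X", lower="x", digit="n", other="-"):
    """Mask each character by class; None for a class leaves it unmasked (NULL)."""
    if value is None:
        return None
    out = []
    for ch in value:
        if ch.isupper():
            repl = upper
        elif ch.islower():
            repl = lower
        elif ch.isdigit():
            repl = digit
        else:
            repl = other
        out.append(ch if repl is None else repl)
    return "".join(out)


def anonymity_sets(values, **mask_chars):
    """Count how many source values collapse onto each masked value."""
    return Counter(mask(v, **mask_chars) for v in values)


def unique_after_masking(values, **mask_chars):
    """Source values whose masked form is shared with no other record (k = 1)."""
    sets = anonymity_sets(values, **mask_chars)
    return sorted(v for v in values if sets[mask(v, **mask_chars)] == 1)


# Customer names from the tutorial's sample records.
NAMES = ["Britney", "Michael", "Kimmy", "Samantha", "Jonathon", "Raymond"]

if __name__ == "__main__":
    print(mask("Britney"), mask("02/29/2000"))   # default mask characters
    print(mask("02/29/2000", other=None))        # separators left unmasked
    print(dict(anonymity_sets(NAMES)))           # records per masked value
    print(unique_after_masking(NAMES))           # masked value is unique
```

Because the masked name keeps its length, a record whose name length is rare stays distinguishable, especially next to unmasked columns such as TOWN.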

Type 'exit' and hit enter to shut down the ksqlDB CLI.

4. Write your statements to a file

Now that you have a series of statements that do the right thing, the last step is to put them into a file so that they can be used outside the CLI session. Create a file at src/statements.sql with the following content:

CREATE STREAM purchases (order_id INT, customer_name VARCHAR, date_of_birth VARCHAR,
                         product VARCHAR, order_total_usd DOUBLE, town VARCHAR, country VARCHAR)
    WITH (kafka_topic='purchases', value_format='json', partitions=1);

CREATE STREAM purchases_pii_removed
    WITH (kafka_topic='purchases_pii_removed', value_format='json', partitions=1) AS
    SELECT ORDER_ID, PRODUCT, ORDER_TOTAL_USD, TOWN, COUNTRY
    FROM PURCHASES;

CREATE STREAM purchases_pii_obfuscated
    WITH (kafka_topic='purchases_pii_obfuscated', value_format='json', partitions=1) AS
    SELECT MASK(CUSTOMER_NAME) AS CUSTOMER_NAME,
           MASK(DATE_OF_BIRTH) AS DATE_OF_BIRTH,
           ORDER_ID, PRODUCT, ORDER_TOTAL_USD, TOWN, COUNTRY
    FROM PURCHASES;

Test it

1. Create the test data

Create a file at test/input.json with the inputs for testing:

{
  "inputs": [
    {
      "topic": "purchases",
      "value": {
        "order_id": 1,
        "customer_name": "Britney",
        "date_of_birth":  "02/29/2000",
        "product":  "Heart Rate Monitor",
        "order_total_usd":  119.93,
        "town": "Denver",
        "country": "USA"
      }
    },
    {
      "topic": "purchases",
      "value": {
        "order_id": 2,
        "customer_name": "Michael",
        "date_of_birth":  "06/08/1981",
        "product":  "Foam Roller",
        "order_total_usd":  34.95,
        "town": "Los Angeles",
        "country": "USA"
      }
    },
    {
      "topic": "purchases",
      "value": {
        "order_id": 3,
        "customer_name": "Kimmy",
        "date_of_birth": "05/19/1978",
        "product": "Hydration Belt",
        "order_total_usd": 50.00,
        "town": "Tuscan",
        "country": "USA"
      }
    },
    {
      "topic": "purchases",
      "value": {
        "order_id": 4,
        "customer_name": "Samantha",
        "date_of_birth":  "08/05/1983",
        "product": "Wireless Headphones",
        "order_total_usd": 175.93,
        "town": "Tulsa",
        "country": "USA"
      }
    },
    {
      "topic": "purchases",
      "value": {
        "order_id": 5,
        "customer_name": "Jonathon",
        "date_of_birth": "01/31/1981",
        "product": "Comfort Insoles",
        "order_total_usd": 49.95,
        "town": "Portland",
        "country": "USA"
      }
    },
    {
      "topic": "purchases",
      "value": {
        "order_id": 6,
        "customer_name": "Raymond",
        "date_of_birth": "07/29/2001",
        "product": "Running Beanie",
        "order_total_usd": 13.73,
        "town": "Omaha",
        "country": "USA"
      }
    }
  ]
}

Similarly, create a file at test/output.json with the expected outputs:

{
  "outputs": [
    {
      "topic": "purchases_pii_removed",
      "value": {
        "ORDER_ID": 1,
        "PRODUCT":  "Heart Rate Monitor",
        "ORDER_TOTAL_USD":  119.93,
        "TOWN": "Denver",
        "COUNTRY": "USA"
      }
    },
    {
      "topic": "purchases_pii_removed",
      "value": {
        "ORDER_ID": 2,
        "PRODUCT":  "Foam Roller",
        "ORDER_TOTAL_USD":  34.95,
        "TOWN": "Los Angeles",
        "COUNTRY": "USA"
      }
    },
    {
      "topic": "purchases_pii_removed",
      "value": {
        "ORDER_ID": 3,
        "PRODUCT": "Hydration Belt",
        "ORDER_TOTAL_USD": 50.0,
        "TOWN": "Tuscan",
        "COUNTRY": "USA"
      }
    },
    {
      "topic": "purchases_pii_removed",
      "value": {
        "ORDER_ID": 4,
        "PRODUCT": "Wireless Headphones",
        "ORDER_TOTAL_USD": 175.93,
        "TOWN": "Tulsa",
        "COUNTRY": "USA"
      }
    },
    {
      "topic": "purchases_pii_removed",
      "value": {
        "ORDER_ID": 5,
        "PRODUCT": "Comfort Insoles",
        "ORDER_TOTAL_USD": 49.95,
        "TOWN": "Portland",
        "COUNTRY": "USA"
      }
    },
    {
      "topic": "purchases_pii_removed",
      "value": {
        "ORDER_ID": 6,
        "PRODUCT": "Running Beanie",
        "ORDER_TOTAL_USD": 13.73,
        "TOWN": "Omaha",
        "COUNTRY": "USA"
      }
    },
    {
      "topic": "purchases_pii_obfuscated",
      "value": {
        "ORDER_ID": 1,
        "CUSTOMER_NAME": "Xxxxxxx",
        "DATE_OF_BIRTH":  "nn-nn-nnnn",
        "PRODUCT":  "Heart Rate Monitor",
        "ORDER_TOTAL_USD":  119.93,
        "TOWN": "Denver",
        "COUNTRY": "USA"
      }
    },
    {
      "topic": "purchases_pii_obfuscated",
      "value": {
        "ORDER_ID": 2,
        "CUSTOMER_NAME": "Xxxxxxx",
        "DATE_OF_BIRTH":  "nn-nn-nnnn",
        "PRODUCT":  "Foam Roller",
        "ORDER_TOTAL_USD":  34.95,
        "TOWN": "Los Angeles",
        "COUNTRY": "USA"
      }
    },
    {
      "topic": "purchases_pii_obfuscated",
      "value": {
        "ORDER_ID": 3,
        "CUSTOMER_NAME": "Xxxxx",
        "DATE_OF_BIRTH": "nn-nn-nnnn",
        "PRODUCT": "Hydration Belt",
        "ORDER_TOTAL_USD": 50.0,
        "TOWN": "Tuscan",
        "COUNTRY": "USA"
      }
    },
    {
      "topic": "purchases_pii_obfuscated",
      "value": {
        "ORDER_ID": 4,
        "CUSTOMER_NAME": "Xxxxxxxx",
        "DATE_OF_BIRTH":  "nn-nn-nnnn",
        "PRODUCT": "Wireless Headphones",
        "ORDER_TOTAL_USD": 175.93,
        "TOWN": "Tulsa",
        "COUNTRY": "USA"
      }
    },
    {
      "topic": "purchases_pii_obfuscated",
      "value": {
        "ORDER_ID": 5,
        "CUSTOMER_NAME": "Xxxxxxxx",
        "DATE_OF_BIRTH": "nn-nn-nnnn",
        "PRODUCT": "Comfort Insoles",
        "ORDER_TOTAL_USD": 49.95,
        "TOWN": "Portland",
        "COUNTRY": "USA"
      }
    },
    {
      "topic": "purchases_pii_obfuscated",
      "value": {
        "ORDER_ID": 6,
        "CUSTOMER_NAME": "Xxxxxxx",
        "DATE_OF_BIRTH": "nn-nn-nnnn",
        "PRODUCT": "Running Beanie",
        "ORDER_TOTAL_USD": 13.73,
        "TOWN": "Omaha",
        "COUNTRY": "USA"
      }
    }
  ]
}

2. Invoke the tests

Lastly, invoke the tests using the test runner and the statements file that you created earlier:

docker exec ksqldb-cli ksql-test-runner -i /opt/app/test/input.json -s /opt/app/src/statements.sql -o /opt/app/test/output.json

Which should pass:

	 >>> Test passed!
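The test runner compares outputs with the expected file exactly; the following added example (not part of the original tutorial or of ksqlDB) is a complementary check that no PII string from the input records appears anywhere in the derived-topic records, using the same inputs/outputs layout. The function names, the PII_FIELDS set and the purchases_debug record are assumptions made for illustration.

```python
"""Leak check for derived topics, using the test-file layout shown above."""
import json

PII_FIELDS = {"customer_name", "date_of_birth"}  # assumption: what counts as PII here


def pii_values(input_doc, pii_fields=PII_FIELDS):
    """Collect the raw PII strings found in the source-topic records."""
    return {
        str(val)
        for rec in input_doc["inputs"]
        for field, val in rec["value"].items()
        if field.lower() in pii_fields and val not in (None, "")
    }


def find_leaks(input_doc, output_doc, pii_fields=PII_FIELDS):
    """Return sorted (topic, field, pii_value) for outputs containing a source PII string.

    Substring matching also catches PII copied into another field; very short
    PII values can match by coincidence and need manual review.
    """
    secrets = pii_values(input_doc, pii_fields)
    return sorted(
        (rec["topic"], field, secret)
        for rec in output_doc["outputs"]
        for field, val in rec["value"].items()
        for secret in secrets
        if secret in str(val)
    )


# Constructed sample data: trimmed from the records above, plus one faulty record.
SAMPLE_INPUT = json.loads("""
{"inputs": [
  {"topic": "purchases", "value": {"order_id": 1, "customer_name": "Britney",
    "date_of_birth": "02/29/2000", "product": "Heart Rate Monitor", "town": "Denver"}}
]}""")

SAMPLE_OUTPUT_OK = json.loads("""
{"outputs": [
  {"topic": "purchases_pii_removed", "value": {"ORDER_ID": 1, "TOWN": "Denver"}},
  {"topic": "purchases_pii_obfuscated", "value": {"ORDER_ID": 1,
    "CUSTOMER_NAME": "Xxxxxxx", "DATE_OF_BIRTH": "nn-nn-nnnn"}}
]}""")

# Hypothetical misconfigured stream that copies the name into a free-text column.
SAMPLE_OUTPUT_LEAKY = json.loads("""
{"outputs": [
  {"topic": "purchases_debug", "value": {"ORDER_ID": 1, "NOTE": "gift for Britney"}}
]}""")

if __name__ == "__main__":
    print(find_leaks(SAMPLE_INPUT, SAMPLE_OUTPUT_OK))
    print(find_leaks(SAMPLE_INPUT, SAMPLE_OUTPUT_LEAKY))
```

To run it against the tutorial's files, load test/input.json and test/output.json with json.load and pass them to find_leaks.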

Take it to production

1. Send the statements to the REST endpoint

Launch your statements into production by sending them to the REST API with the following command:

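# Flatten the file to one line, then split it into one statement per line
tr '\n' ' ' < src/statements.sql | \
sed 's/;/;\'$'\n''/g' | \
while read -r stmt; do
    # Skip empty lines
    [ -n "$stmt" ] || continue
    # Let jq build the JSON body so the statement is quoted and escaped correctly
    jq -n --arg ksql "$stmt" '{ksql: $ksql, streamsProperties: {}}' | \
        curl -s -X "POST" "http://localhost:8088/ksql" \
             -H "Content-Type: application/vnd.ksql.v1+json; charset=utf-8" \
             -d @- | \
        jq
done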

Deploy on Confluent Cloud

1. Run your app on Confluent Cloud

Instead of running a local Kafka cluster, you may use Confluent Cloud, a fully-managed Apache Kafka service.

First, create your Kafka cluster in Confluent Cloud. Use the promo code CC100KTS to receive an additional $100 free usage.

Next, from the Confluent Cloud UI, click on Tools & client config to get the cluster-specific configurations, e.g. Kafka cluster bootstrap servers and credentials, Confluent Cloud Schema Registry and credentials, etc., and set the appropriate parameters in your client application.

Now you’re all set to run your application locally while your Kafka topics and stream processing are backed by your Confluent Cloud instance.