Masking in Couchbase

Hi Team,

Is there any way we can mask key, value attributes in Couchbase?

Thanks,
Debasis

Do you mean like returning “**** **** **** 1234” for a credit card number? If so:
https://docs.couchbase.com/server/current/n1ql/n1ql-language-reference/stringfun.html#fn-str-mask

If you mean SELECT * but then don’t return certain fields then no, though a future release will have EXCLUDE to exclude specific fields. (https://issues.couchbase.com/browse/MB-53937) For now you’d have to list the fields instead.

There is no plan for field-level security where RBAC would be used to determine for whom a field is visible.

HTH.

Thanks @dh, but the team wants to mask both key and values in the CB document.

Thanks,
Debasis

By that do you mean have something like:

{
  "abc****": "***123"
}

appear in the document?

Field names reported are the aliases, so you can always select a field with a pseudo mask as its alias, e.g.

cbq> select mask(now_str(),{"mask":"*****     ****     *****"}) as `ti**`;
{
    "requestID": "f6aa7b07-0e39-4f85-a064-5d1d25993bc7",
    "signature": {
        "ti**": "string"
    },
    "results": [
    {
        "ti**": "*****12-05****26:23*****"

HTH.

Thanks. Is there any such functionality available in the 6.x version of CB?

Thanks,
Debasis

The aliasing is, but the mask function is in 7 only.

You could simulate it with string functions, e.g.

cbq> select "*****"||substr(t,5,5)||"****"||substr(t,14,5)||"*****" as `ti**` let t = now_str();
{
    "requestID": "6904cc38-44d1-45c1-a333-29fe9125730d",
    "signature": {
        "ti**": "string"
    },
    "results": [
    {
        "ti**": "*****12-05****47:51*****"

HTH.

Thanks @dh for your input. These options are available at the N1QL query level. Is there any API available at the SDK level to achieve the masking of key, value attributes?

Thanks,
Debasis

There isn’t that I’m aware of. Not sure why you’d need it though as most SDKs will submit an SQL++ query (so same as above) or be doing direct key-value operations. In either case your code would be responsible for extracting fields and displaying them so field names are largely irrelevant (outside of your code) and values can easily be manipulated by your code.

What is the use case you’re looking to solve with this?
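The application-side masking described in the reply above, as an added example that is not part of the original thread and is not Couchbase code: it works on a plain decoded JSON document and makes no SDK calls. The overlay semantics of `apply_mask` are an assumption inferred from the cbq output shown earlier in the thread, and the field names, aliases and sample document are constructed.

```python
def apply_mask(value, pattern):
    """A space in pattern shows the source character; any other character is
    emitted literally. Output stops at the pattern's end (assumed semantics)."""
    text = str(value)
    return "".join(
        (text[i] if i < len(text) else "") if p == " " else p
        for i, p in enumerate(pattern)
    )

def keep_last(value, n=4, fill="*"):
    """Show only the last n characters; values of n or fewer are fully masked."""
    text = str(value)
    if len(text) <= n:
        return fill * len(text)
    return fill * (len(text) - n) + text[-n:]

def mask_document(doc, rules):
    """Return a copy with ruled fields renamed to their alias and masked."""
    if isinstance(doc, list):
        return [mask_document(item, rules) for item in doc]
    if not isinstance(doc, dict):
        return doc
    masked = {}
    for name, value in doc.items():
        if name in rules:
            alias, masker = rules[name]
            masked[alias] = masker(value)
        else:
            # Unruled fields pass through, but nested content is still checked.
            masked[name] = mask_document(value, rules)
    return masked

# Constructed sample document and rules (hypothetical field names and aliases).
SAMPLE_DOC = {
    "name": "A. Customer",
    "card_number": "4111111111111234",
    "pin": "12",
    "created": "2022-12-05T16:26:23.000Z",
    "history": [{"card_number": "5500005555555559"}],
}
RULES = {
    "card_number": ("card****", keep_last),
    "pin": ("p**", keep_last),
    "created": ("cr*****", lambda v: apply_mask(v, "*****     ****     *****")),
}

print(mask_document(SAMPLE_DOC, RULES))
```

Masking here happens after the data has left the server, so the unmasked document is still visible to the application and to anyone who can query the bucket directly.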

Thanks @dh. Let me check with the application team.

@dh We need encryption of data at rest, like the TDE feature in Oracle.

Thanks,
Debasis

I can only direct you to https://docs.couchbase.com/server/current/learn/security/encryption-overview.html for supported means of encryption.

HTH.