Application data security protection (field masking): usage

Last updated: 2022-12-22

1. Functionality

Whether data security protection is enabled can be configured flexibly per application, together with protection settings for selected fields. Once configured, the data that downstream systems fetch through the SCIM interface is returned masked.
The user-information endpoints of CAS / OAuth2 / JWT / OIDC likewise return masked data if the application has masked fields configured.

2. Configuring data security protection in the IDP

Log in to the IDP IT management console and go to Applications - Application list - Details - Data security protection.
Configure the fields: these include the built-in fields as well as any added data-dictionary fields.
Tick the fields that need masking and save.
Masking rules (applied to string data):
Phone number: show the first three and last four digits, e.g. 183****8888
Email: show the characters after the @, e.g. ****@test.com
Name: show the last 2 characters; if the value has only two characters, show the last 1
Data dictionary: show the last 2 characters; if the value has only two characters, show the last 1

After the fields are set, enable the feature; masking only takes effect once it is enabled.
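The following is an added reference implementation of the four masking rules above, together with a helper that applies a per-application field configuration to a user-info record and respects the enable switch and the unmasked sub field described in the note at the end of this page. It is example code written for this page, not the IDP product's own code. The rule keywords, the field_rules mapping that stands in for the fields ticked in the console, and the sample record are all constructed; where the rules leave an edge case unspecified (very short phone numbers, single-character names, the number of asterisks in a masked email), the behaviour chosen here is an assumption and is marked as such in the comments.

```python
"""Reference implementation of the field-masking rules (example code, not the product's own)."""

from typing import Callable, Dict

MASK = "*"


def mask_phone(value: str) -> str:
    """Phone number: keep the first 3 and last 4 digits, e.g. 18312345678 -> 183****5678.
    Assumption (not stated on the page): values shorter than 8 characters are fully masked."""
    if len(value) < 8:
        return MASK * len(value)
    return value[:3] + MASK * (len(value) - 7) + value[-4:]


def mask_email(value: str) -> str:
    """Email: keep everything from '@' onwards, e.g. user@test.com -> ****@test.com.
    Assumption: the number of asterisks equals the length of the local part; a value
    without '@' is fully masked rather than leaked."""
    local, sep, domain = value.partition("@")
    if not sep:
        return MASK * len(value)
    return MASK * len(local) + sep + domain


def mask_tail(value: str) -> str:
    """Name / data-dictionary field: show the last 2 characters; if the value has only
    2 characters, show the last 1, e.g. admin -> ***in, 管理员 -> *理员, 张三 -> *三.
    Assumption: a single-character value is fully masked."""
    n = len(value)
    if n <= 1:
        return MASK * n
    keep = 1 if n == 2 else 2
    return MASK * (n - keep) + value[-keep:]


# Rule keyword -> masking function, mirroring the four rule types on the page.
RULES: Dict[str, Callable[[str], str]] = {
    "phone": mask_phone,
    "email": mask_email,
    "name": mask_tail,
    "dictionary": mask_tail,
}

# Per the note at the end of the page, the JWT/OAuth2/OIDC "sub" claim is never masked
# (the CAS <cas:user> element gets the same treatment) so downstream systems can still
# link accounts during SSO.
NEVER_MASKED = {"sub"}


def mask_record(record: Dict[str, object], field_rules: Dict[str, str],
                enabled: bool = True) -> Dict[str, object]:
    """Apply the application's field configuration to one user-info record.

    field_rules maps a field name to a rule keyword in RULES (this stands in for the
    fields ticked in the console). Masking only happens when the protection switch is
    enabled, matching the "configure, then enable" order in section 2. Non-string
    values and fields absent from the configuration pass through unchanged.
    """
    if not enabled:
        return dict(record)
    out: Dict[str, object] = {}
    for key, value in record.items():
        rule = field_rules.get(key)
        if rule is None or key in NEVER_MASKED or not isinstance(value, str):
            out[key] = value
        else:
            out[key] = RULES[rule](value)
    return out


# Constructed sample record (not real data); the shape follows the OAuth2 userinfo
# response shown in section 3.
SAMPLE_USERINFO: Dict[str, object] = {
    "sub": "admin",
    "username": "admin",
    "nickname": "管理员",
    "phone_number": "18812348888",
    "email": "alice@qq.com",
    "ou_name": "测试组织",
    "admin": True,
}

# Constructed field configuration: "sub" is listed on purpose to show it is still skipped.
SAMPLE_CONFIG: Dict[str, str] = {
    "username": "name",
    "nickname": "name",
    "phone_number": "phone",
    "email": "email",
    "ou_name": "dictionary",
    "sub": "name",
}

if __name__ == "__main__":
    for key, value in mask_record(SAMPLE_USERINFO, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Running the block prints a record in the same form as the masked responses in section 3 (username ***in, nickname *理员, phone_number 188****8888, email *****@qq.com, ou_name **组织) while sub and the boolean admin flag are left untouched; calling mask_record with enabled=False returns the record unchanged, which is the state before the switch in section 2 is turned on.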

3. Scope and effect of masking

The SCIM endpoints that return account, group, and organization information show the masking effect for every configured field. The account-detail endpoint below illustrates the effect:
/api/bff/v1.2/developer/scim/account/detail

{
    "success": true,
    "code": "200",
    "message": null,
    "requestId": "1673255892135$9e16b0ce-00f5-e6ce-e055-32eb986b72ab",
    "data": {
        "externalId": "2905899713642989274",
        "username": "***in",
        "displayName": "*理员",
        "phoneNumber": "188****8888",
        "phoneRegion": "86",
        "email": "*****@qq.com",
        "locked": false,
        "enabled": true,
        "archived": false,
        "description": null,
        "extendFields": {
            "ex_en": "aaab",
            "def_uni001": "",
            "ddd_mm": "DDDD"
        },
        "effectiveTime": null,
        "expireTime": null,
        "createTime": "2022-06-09 15:05:13",
        "updateTime": "2023-01-09 17:18:08",
        "avatarUuid": null,
        "belongs": [
            "main"
        ],
        "organzationsOrderList": [
            {
                "externalId": "main",
                "displayOrder": 0
            }
        ],
        "userBelongs": [
            {
                "belong": "main",
                "extendFields": {
                    "ruzhishijian": ""
                },
                "mainOu": true,
                "belongOuUuid": "main"
            }
        ],
        "applicationUsers": []
    }
}

For a standard JWT application, the user information carried in the id_token on portal/SSO redirect to the downstream system is also masked. The decoded token looks like this:

{
  "email": "*****@qq.com",
  "name": "*理员",
  "mobile": "188****8888",
  "externalId": "2905899713642989274",
  "udAccountUuid": "bfd44848bddc062c1e53da4ef380af0aJA5RGZSiJOf",
  "ouId": "main",
  "ouName": "**组织",
  "openId": null,
  "idpUsername": "***in",
  "username": "***in",
  "applicationName": "JWT-Hook",
  "enterpriseId": "xxx",
  "instanceId": "xxx",
  "aliyunDomain": "",
  "extendFields": {
    "themeColor": "green",
    "appName": "JWT-Hook"
  },
  "exp": 1673256780,
  "jti": "Pg50MWOrgLPiRpux6qkZ0A",
  "iat": 1673256180,
  "nbf": 1673256120,
  "sub": "admin",
  "iss": "https://xxx.idp4.idsmanager.com/",
  "aud": "lycplugin_jwt2"
}

For a standard OAuth2 application, the userinfo endpoint /api/bff/v1.2/oauth2/userinfo returns masked information:

{
    "success": true,
    "code": "200",
    "message": null,
    "requestId": "1673256779258$075950c2-1707-0abf-d58a-bb0cbced7aa9",
    "data": {
        "sub": "2905899713642989274",
        "ou_id": "main",
        "nickname": "*理员",
        "admin": true,
        "phone_number": "86 188****8888",
        "ou_name": "**组织",
        "email": "*****@qq.com",
        "username": "***in"
    }
}

For the standard OIDC protocol, the userinfo endpoint /public/api/application/plugin_oidc/oidc/user_info returns masked data:

{
    "sub": "admin",
    "iss": "https://xxx.idp4.idsmanager.com/public/api/application/plugin_oidc/oidc",
    "aud": "VGYBj3Kdwawi1uRptlYabttI",
    "uuid": "bfd44848bddc062c1e53da4ef380af0aJA5RGZSiJOf",
    "username": "***in",
    "displayname": "*理员",
    "email": "*****@qq.com",
    "enterpriseuuid": "3e9dc4cb8a03b08d9e7a6f6e48d3b0ceCrDbD9peTG0",
    "ouid": "main",
    "enterprisename": "xxx测试",
    "ouname": "**组织",
    "externalId": "2905899713642989274",
    "extendFields": null
}

For a standard CAS application, the user data returned by the following ticket-validation endpoint on success is also masked:
/public/api/application/plugin_cas_apereo/lycplugin_cas_apereo/serviceValidate?ticket=ST-3-BuVV0OZf4bckRn6CEDLtTbKIqYcsoL2kfaJ-cas.aliyun.com&service=http://www.baidu.com

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>admin</cas:user>
        <cas:attributes>
            <cas:displayName>*理员</cas:displayName>
            <cas:enterpriseId>xxx</cas:enterpriseId>
            <cas:externalId>2905899713642989274</cas:externalId>
            <cas:enterpriseName>xxx测试</cas:enterpriseName>
            <cas:isAdministrator>true</cas:isAdministrator>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>

Note: when data security protection is enabled and masked fields are configured, the sub field of the standard JWT/OAuth2/OIDC applications above and the CAS user element are not masked; downstream systems that need account linking during SSO can rely on these unmasked fields. If other fields are required for linking, create a separate application used only for SSO with data security protection disabled, so that its data is not masked.