How to mask data with ksqlDB
How to mask data with ksqlDB
Suppose you have a topic that contains personally identifiable information (PII), and you want to mask those fields. In this tutorial, we'll write a program that persists the events in the original topic to a new Kafka topic with the PII obfuscated.
Setup
First, create a stream over the topic containing the PII data:
CREATE STREAM purchases (order_id INT, customer_name VARCHAR, date_of_birth VARCHAR,
product VARCHAR, order_total_usd DOUBLE, town VARCHAR, country VARCHAR)
WITH (KAFKA_TOPIC='purchases',
PARTITIONS=1,
VALUE_FORMAT='JSON');Then create a stream that will mask the PII columns using the ksqlDB MASK function:
CREATE STREAM purchases_pii_obfuscated
WITH (KAFKA_TOPIC='purchases_pii_obfuscated', VALUE_FORMAT='JSON', PARTITIONS=1) AS
SELECT MASK(customer_name) AS customer_name,
MASK(date_of_birth) AS date_of_birth,
order_id, product, order_total_usd, town, country
FROM purchases;Running the example
You can run the example backing this tutorial in one of two ways: locally with the ksql CLI against Kafka and ksqlDB running in Docker, or with Confluent Cloud.
Local With Docker
Prerequisites
- Docker running via Docker Desktop or Docker Engine
- Docker Compose. Ensure that the command docker compose version succeeds.
Run the commands
Clone the confluentinc/tutorials GitHub repository (if you haven't already) and navigate to the tutorials directory:
git clone git@github.com:confluentinc/tutorials.git
cd tutorialsStart ksqlDB and Kafka:
docker compose -f ./docker/docker-compose-ksqldb.yml up -dNext, open the ksqlDB CLI:
docker exec -it ksqldb-cli ksql http://ksqldb-server:8088Run the following SQL statements to create the purchases stream backed by Kafka running in Docker and populate it with test data.
CREATE STREAM purchases (order_id INT, customer_name VARCHAR, date_of_birth VARCHAR,
product VARCHAR, order_total_usd DOUBLE, town VARCHAR, country VARCHAR)
WITH (KAFKA_TOPIC='purchases',
PARTITIONS=1,
VALUE_FORMAT='JSON');INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country)
VALUES (1, 'Britney', '02/29/2000', 'Heart Rate Monitor', 119.93, 'Denver', 'USA');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country)
VALUES (2, 'Michael', '06/08/1981', 'Foam Roller', 34.95, 'Los Angeles', 'USA');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country)
VALUES (3, 'Kimmy', '05/19/1978', 'Hydration Belt', 50.00, 'Tuscan', 'USA');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country)
VALUES (4, 'Samantha', '08/05/1983', 'Wireless Headphones', 175.93, 'Tulsa', 'USA');Next, create a new stream from the purchases stream with PII data masked. Note that we first tell ksqlDB to consume from the beginning of the stream.
SET 'auto.offset.reset'='earliest';
CREATE STREAM purchases_pii_obfuscated
WITH (KAFKA_TOPIC='purchases_pii_obfuscated', VALUE_FORMAT='JSON', PARTITIONS=1) AS
SELECT MASK(customer_name) AS customer_name,
MASK(date_of_birth) AS date_of_birth,
order_id, product, order_total_usd, town, country
FROM purchases;Query the new stream:
SELECT * FROM purchases_pii_obfuscated;The query output should look like this:
+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+
|CUSTOMER_NAME |DATE_OF_BIRTH |ORDER_ID |PRODUCT |ORDER_TOTAL_USD |TOWN |COUNTRY |
+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+
|Xxxxxxx |nn-nn-nnnn |1 |Heart Rate Monitor |119.93 |Denver |USA |
|Xxxxxxx |nn-nn-nnnn |2 |Foam Roller |34.95 |Los Angeles |USA |
|Xxxxx |nn-nn-nnnn |3 |Hydration Belt |50.0 |Tuscan |USA |
|Xxxxxxxx |nn-nn-nnnn |4 |Wireless Headphones |175.93 |Tulsa |USA |
+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+When you are finished, exit the ksqlDB CLI by entering CTRL-D and clean up the containers used for this tutorial by running:
docker compose -f ./docker/docker-compose-ksqldb.yml downConfluent Cloud
Prerequisites
- A Confluent Cloud account
- The Confluent CLI installed on your machine
Create Confluent Cloud resources
Login to your Confluent Cloud account:
confluent login --prompt --saveInstall a CLI plugin that will streamline the creation of resources in Confluent Cloud:
confluent plugin install confluent-cloud_kickstartRun the following command to create a Confluent Cloud environment and Kafka cluster. This will create resources in AWS region us-west-2 by default, but you may override these choices by passing the --cloud argument with a value of aws, gcp, or azure, and the --region argument that is one of the cloud provider's supported regions, which you can list by running confluent kafka region list --cloud <CLOUD PROVIDER>
confluent cloud-kickstart --name ksqldb-tutorial \
--environment-name ksqldb-tutorial \
--output-format stdoutNow, create a ksqlDB cluster by first getting your user ID of the form u-123456 when you run this command:
confluent iam user listAnd then create a ksqlDB cluster called ksqldb-tutorial with access linked to your user account:
confluent ksql cluster create ksqldb-tutorial \
--credential-identity <USER ID>Run the commands
Login to the Confluent Cloud Console. Select Environments in the lefthand navigation, and then click the ksqldb-tutorial environment tile. Click the ksqldb-tutorial Kafka cluster tile, and then select ksqlDB in the lefthand navigation.
The cluster may take a few minutes to be provisioned. Once its status is Up, click the cluster name and scroll down to the editor.
In the query properties section at the bottom, change the value for auto.offset.reset to Earliest so that ksqlDB will consume from the beginning of the stream we create.
Enter the following statements in the editor and click Run query. This creates the purchases stream and populates it with test data.
CREATE STREAM purchases (order_id INT, customer_name VARCHAR, date_of_birth VARCHAR,
product VARCHAR, order_total_usd DOUBLE, town VARCHAR, country VARCHAR)
WITH (KAFKA_TOPIC='purchases',
PARTITIONS=1,
VALUE_FORMAT='JSON');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country)
VALUES (1, 'Britney', '02/29/2000', 'Heart Rate Monitor', 119.93, 'Denver', 'USA');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country)
VALUES (2, 'Michael', '06/08/1981', 'Foam Roller', 34.95, 'Los Angeles', 'USA');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country)
VALUES (3, 'Kimmy', '05/19/1978', 'Hydration Belt', 50.00, 'Tuscan', 'USA');
INSERT INTO purchases (order_id, customer_name, date_of_birth, product, order_total_usd, town, country)
VALUES (4, 'Samantha', '08/05/1983', 'Wireless Headphones', 175.93, 'Tulsa', 'USA');Next, create a new stream from the purchases stream with PII data masked. Paste this query in the editor and click Run query.
CREATE STREAM purchases_pii_obfuscated
WITH (KAFKA_TOPIC='purchases_pii_obfuscated', VALUE_FORMAT='JSON', PARTITIONS=1) AS
SELECT MASK(customer_name) AS customer_name,
MASK(date_of_birth) AS date_of_birth,
order_id, product, order_total_usd, town, country
FROM purchases;Query the new stream:
SELECT * FROM purchases_pii_obfuscated;The query output should look like this:
+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+
|CUSTOMER_NAME |DATE_OF_BIRTH |ORDER_ID |PRODUCT |ORDER_TOTAL_USD |TOWN |COUNTRY |
+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+
|Xxxxxxx |nn-nn-nnnn |1 |Heart Rate Monitor |119.93 |Denver |USA |
|Xxxxxxx |nn-nn-nnnn |2 |Foam Roller |34.95 |Los Angeles |USA |
|Xxxxx |nn-nn-nnnn |3 |Hydration Belt |50.0 |Tuscan |USA |
|Xxxxxxxx |nn-nn-nnnn |4 |Wireless Headphones |175.93 |Tulsa |USA |
+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+-------------------------+Clean up
When you are finished, delete the ksqldb-tutorial environment by first getting the environment ID of the form env-123456 corresponding to it:
confluent environment listDelete the environment, including all resources created for this tutorial:
confluent environment delete <ENVIRONMENT ID>