Decision Masking

Decision masking allows you to remove information from each decision before it gets logged by OPA in DAS. This is useful for removing sensitive information, such as an Authorization header, from the decision's input or result before it is added to the decision log. The system.log and stacks.<stack-id>.system.log packages define OPA's decision masking rules at the system-level and stack-level, respectively.

All DAS system and stack types support OPA decision masking. Additionally, the Kubernetes and Envoy system and stack types automatically include a default decision masking policy upon creation which can be customized to your use case:

For more information on decision masking, see the OPA masking sensitive data documentation.

Create a Decision Masking Policy

For system and stack types other than Kubernetes and Envoy, you can manually create a decision masking policy via the DAS UI or a git integration by placing a Rego policy file under /systems/log/ in the system or stack.

To create the decision masking policy in the DAS UI, follow the steps below:

  1. In your DAS workspace, use the left-side file tree and select your system or stack.

  2. Click the ( ⫶ ) options icon on your system or stack and select Add Policy.

  3. Add a policy with the following details:

    • Path: system.log
    • Module name: mask.rego

  4. Click Add.

Now you can add input or result decision masking rules specific to your system or stack to this policy.

Decision Masking Example

As an example, if your decision input object includes an access_token field which should be removed from the decision log, you would add the following rule to your decision masking policy:

mask["/input/access_token"]

This will remove the field and value entirely from the input object and the removed path will be recorded in the erased array on the decision.

Alternatively, you can leave the access_token field in the input object and instead modify the field's value to remove the sensitive information:

mask[{"op": "upsert", "path": "/input/access_token", "value": x}] {
    x := "**REDACTED**"
}

With the upsert masking operation, the input object will contain "access_token": "**REDACTED**" and the masked path will be recorded in the masked array on the decision.
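To make the difference between the two rule shapes concrete, the following Python script is an added example (not OPA's or DAS's own code) that models how a decision log event is transformed by a set of mask rules: a bare path string removes the field and records the path under erased, while an upsert object replaces the value and records the path under masked. The event, the rule list and the secret-looking values are constructed for the example; the model only handles /input and /result paths made of plain object keys and silently skips paths that do not exist in the event, which is a simplification of this example rather than a statement about OPA's exact behaviour.

```python
import copy
import json

# Constructed sample decision log event (not a real OPA log entry). It has the
# input/result shape that mask paths such as /input/access_token refer to.
SAMPLE_EVENT = {
    "decision_id": "example-decision-id",   # placeholder value
    "path": "example/authz/allow",
    "input": {
        "method": "GET",
        "path": "/api/orders",
        "access_token": "eyJ-constructed-token-value",       # constructed secret
        "headers": {"Authorization": "Bearer constructed-value"},
    },
    "result": {"allow": True, "reason": "token valid for user alice"},
}

# Mask rules in the two shapes a system.log policy produces: a bare path string
# means "remove", an object carries an explicit "op" (remove or upsert).
MASK_RULES = [
    "/input/access_token",
    {"op": "upsert", "path": "/input/headers/Authorization", "value": "**REDACTED**"},
    {"op": "remove", "path": "/result/reason"},
    "/input/does_not_exist",  # unmatched path: skipped, nothing is recorded
]


def _parent_of(obj, keys):
    """Descend along all keys but the last; return the parent object or None."""
    for key in keys[:-1]:
        if isinstance(obj, dict) and key in obj:
            obj = obj[key]
        else:
            return None
    return obj if isinstance(obj, dict) else None


def apply_masks(event, rules):
    """Return a masked copy of event with 'erased' and 'masked' path lists.

    The original event is not modified, mirroring the idea that masking happens
    on the logged copy of a decision.
    """
    masked_event = copy.deepcopy(event)
    erased, masked = [], []
    for rule in rules:
        if isinstance(rule, str):
            op, path, value = "remove", rule, None
        else:
            op, path, value = rule.get("op", "remove"), rule["path"], rule.get("value")
        parts = path.lstrip("/").split("/")
        if parts[0] not in ("input", "result"):
            raise ValueError(f"mask path must start with /input or /result: {path}")
        parent = _parent_of(masked_event, parts)
        last = parts[-1]
        if parent is None or last not in parent:
            continue  # assumption of this model: missing paths are ignored
        if op == "remove":
            del parent[last]
            erased.append(path)
        elif op == "upsert":
            parent[last] = value
            masked.append(path)
        else:
            raise ValueError(f"unsupported mask op: {op}")
    if erased:
        masked_event["erased"] = erased
    if masked:
        masked_event["masked"] = masked
    return masked_event


if __name__ == "__main__":
    print(json.dumps(apply_masks(SAMPLE_EVENT, MASK_RULES), indent=2))
```

Running the script prints the masked event: access_token and result.reason are gone and listed under erased, the Authorization header reads "**REDACTED**" and is listed under masked, and the unmatched path leaves no trace. Checking the printed event for both lists is a quick way to confirm a masking policy behaves as intended before relying on it in DAS.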