Masking Rules in Detail
Protect sensitive information and keep data compliant and secure
Overview
A masking rule (mask) protects sensitive personal information by hiding the real values when data is exported, shared or used for testing. Preset templates and custom mask schemes are both supported. Masking limits what a downstream consumer can see; it is not encryption, and the output is not meant to be turned back into the original (the hash preset with storeOriginal is the one exception and is discussed below).
Rule parameter structure
Common structure of a masking rule:
{
"type": "mask",
"field": "field name", // or use "jsonPath" for nested structures
"preset": "masking strategy", // phone, id, bank, email, name, address, hash, custom, amount_obfuscation, ...
"keepFirst": 3, // keep the first N characters (optional)
"keepLast": 4, // keep the last N characters (optional)
"maskChar": "*" // mask character (optional, default "*")
}
Everything between the kept prefix and suffix is replaced with maskChar, one mask character per hidden character, so the output keeps the input's length; the examples on this page follow that convention. Pick keepFirst and keepLast so that the visible characters cannot identify the person on their own, and make sure their sum is smaller than the length of the values in the field, otherwise the rule reveals the entire value.
Preset templates
Phone number masking
{
"type": "mask",
"preset": "phone",
"field": "phone",
"keepFirst": 3,
"keepLast": 4,
"maskChar": "*"
}
// Example: 13812345678 → 138****5678
ID number masking
{
"type": "mask",
"preset": "id",
"field": "id_number",
"keepFirst": 6,
"keepLast": 4,
"maskChar": "*"
}
// Example: 110101199003071234 → 110101********1234
// The first 6 digits are the region code and the last 4 are the sequence number and check digit; the 8 hidden digits are the date of birth.
Email masking
{
"type": "mask",
"preset": "email",
"field": "email",
"keepFirst": 1,
"keepLast": 0,
"maskChar": "*"
}
// Example: user@example.com → u***@example.com
// The domain after "@" is always kept; keepFirst/keepLast apply to the local part only.
// For finer control use mode: "regex" (see Custom masking below).
Name masking
{
"type": "mask",
"preset": "name",
"field": "name",
"keepFirst": 1,
"maskChar": "*",
"compoundSurnameAware": true
}
// Examples:
// 张三 → 张*
// 李四 → 李*
// Smith → S****
// compoundSurnameAware recognises compound surnames (such as "欧阳"), so the whole surname is kept and only the given name is masked
Bank card masking
{
"type": "mask",
"preset": "bank",
"field": "card_number",
"keepFirst": 4,
"keepLast": 4,
"maskChar": "*"
}
// Example: 6222026009728972 → 6222********8972
// 4 + 4 matches the usual truncated-PAN display (issuer prefix and last four). Do not raise keepFirst or keepLast for card numbers: an export that shows more of the PAN is cardholder data and falls under PCI DSS.
Address masking (downgrade to city level)
{
"type": "mask",
"preset": "address",
"field": "full_address",
"level": "city", // district, city, province
"keepFirst": 5,
"keepLast": 3,
"maskChar": "*"
}
// The detailed address is first reduced to the chosen level (here: city) and the result is then masked with keepFirst/keepLast. Choose the level against the other fields in the export: a city-level address combined with date of birth and gender is often still enough to single out one person.
Numeric / amount masking
{
"type": "mask",
"preset": "amount_obfuscation",
"field": "salary",
"strategy": "round", // round, range, noise, mask_digits
"step": 1000, // rounding step
"outputFormat": "number"
}
// Example: 12345 → 12000 (rounded to the nearest 1000)
// Other strategy examples:
// strategy: "noise", ratio: 0.05 → add up to ±5% random noise
// strategy: "mask_digits", keepDigits: 2 → keep 2 significant digits (12345 → 12000)
// Caveat for "noise": if the noise is drawn afresh on every export, a recipient who receives the same record several times can average the copies and recover the true amount. Derive the noise deterministically per record, or prefer the rounding strategies for data that is exported repeatedly.
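The four strategies above, implemented as an added example (this is not the product's own code). step, ratio and keepDigits follow the page; the bucket-string output of "range", the seed parameter and the keyed per-record seeding in stable_noise() are assumptions made for this example. average_of_exports() plays the recipient who averages repeatedly exported noisy copies, which is the failure mode the caveat describes.

```python
import hmac
import math
import random

# Added example, not the product's own code: the four amount_obfuscation
# strategies named on this page (round, range, noise, mask_digits). step, ratio
# and keepDigits follow the page; bucket output for "range", the seed parameter
# and the keyed per-record seeding in stable_noise() are assumptions made here.


def obfuscate_round(value, step=1000):
    """round: snap to the nearest multiple of step (12345, 1000 -> 12000)."""
    return int(round(value / step)) * step


def obfuscate_range(value, step=1000):
    """range: replace the value by the bucket it falls in, e.g. '12000-12999'."""
    low = math.floor(value / step) * step
    return f"{low}-{low + step - 1}"


def obfuscate_mask_digits(value, keep_digits=2):
    """mask_digits: keep the leading keep_digits significant digits and zero
    the rest (12345, 2 -> 12000; 987, 2 -> 980). Truncates toward zero."""
    if value == 0:
        return 0
    exponent = int(math.floor(math.log10(abs(value)))) - keep_digits + 1
    if exponent < 0:          # fewer digits than keep_digits: nothing to hide
        return value
    unit = 10 ** exponent
    return int(value / unit) * unit


def obfuscate_noise(value, ratio=0.05, seed=None):
    """noise: multiply by a factor in [1 - ratio, 1 + ratio]. With seed=None
    the noise is redrawn on every call, which is the weakness demonstrated by
    average_of_exports() below."""
    return value * (1 + random.Random(seed).uniform(-ratio, ratio))


def stable_noise(value, key, record_id, ratio=0.05):
    """Same noise every time for the same record: the seed is an HMAC of the
    record id under a secret key, so repeated exports cannot be averaged and
    the seed cannot be predicted without the key."""
    digest = hmac.new(key, record_id.encode(), "sha256").digest()
    return obfuscate_noise(value, ratio, seed=int.from_bytes(digest[:8], "big"))


def average_of_exports(value, ratio=0.05, exports=5000):
    """Recipient's view: collect `exports` independently noised copies of the
    same value and average them; the noise cancels and the true value returns."""
    return sum(obfuscate_noise(value, ratio) for _ in range(exports)) / exports


def apply_amount_rule(rule, value):
    """Dispatch on the page's rule shape (strategy defaults to round)."""
    strategy = rule.get("strategy", "round")
    if strategy == "round":
        result = obfuscate_round(value, rule.get("step", 1000))
    elif strategy == "range":
        result = obfuscate_range(value, rule.get("step", 1000))
    elif strategy == "noise":
        result = obfuscate_noise(value, rule.get("ratio", 0.05), rule.get("seed"))
    elif strategy == "mask_digits":
        result = obfuscate_mask_digits(value, rule.get("keepDigits", 2))
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    return str(result) if rule.get("outputFormat") == "string" else result


if __name__ == "__main__":
    salary = 12345  # constructed sample value
    print(apply_amount_rule({"strategy": "round", "step": 1000}, salary))
    print(apply_amount_rule({"strategy": "mask_digits", "keepDigits": 2}, salary))
    print(round(average_of_exports(salary)))  # lands close to 12345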
Hash masking (one-way)
Replaces the value with a hash digest; the original cannot be computed back from the digest alone:
{
"type": "mask",
"preset": "hash",
"field": "email",
"algorithm": "sha256",
"outputLength": 16,
"storeOriginal": true,
"keepFirst": 0,
"keepLast": 0
}
// Example: user@example.com → a7f3c8e9d2b1f4c5 (the first outputLength hex characters of the SHA-256 digest; the value shown is illustrative)
// storeOriginal: true keeps a mapping from original values to digests for reverse lookup. The output is then a pseudonym rather than anonymised data, and the mapping table must be protected as strictly as the original field.
// Two further caveats: outputLength: 16 truncates the digest to 64 bits, enough to avoid accidental collisions within one export but not a security margin; and an unkeyed hash of a low-entropy value (phone number, ID number, date of birth) can be reversed by hashing every candidate, so use a keyed hash with a secret key where the platform offers one.
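Why an unkeyed hash is not "irreversible" for a phone number, as an added example rather than the product's own code: the attacker combines a hashed copy of the field (for instance a join key in one table) with a partially masked copy from another table and enumerates the hidden digits. The phone number and keys below are constructed for this example; the HMAC variant is the keyed alternative the caveat above refers to.

```python
import hashlib
import hmac

# Added example, not the product's own code. It shows why the hash preset with
# an unkeyed SHA-256 is not irreversible for low-entropy fields such as phone
# numbers, and how a keyed hash (HMAC with a secret key) removes the offline
# guessing attack. The phone number and the keys are constructed for this example.


def mask_hash(value, algorithm="sha256", output_length=16):
    """The hash preset as the page describes it: hex digest of the value,
    truncated to output_length characters (16 hex characters = 64 bits)."""
    return hashlib.new(algorithm, value.encode()).hexdigest()[:output_length]


def mask_hmac(value, key, output_length=16):
    """Keyed variant: without the key an attacker cannot hash guesses offline,
    so enumerating candidate values no longer helps."""
    return hmac.new(key, value.encode(), "sha256").hexdigest()[:output_length]


def candidates_from_partial(masked):
    """Every value consistent with a partially masked string such as
    '138****5678' (one digit per '*'): four masked digits are 10,000 guesses."""
    positions = [i for i, ch in enumerate(masked) if ch == "*"]
    for n in range(10 ** len(positions)):
        chars = list(masked)
        for pos, digit in zip(positions, str(n).zfill(len(positions))):
            chars[pos] = digit
        yield "".join(chars)


def reverse_hash(pseudonym, masked, hash_fn):
    """Offline dictionary attack: hash each candidate and compare it with the
    pseudonym. Returns the recovered value or None."""
    for candidate in candidates_from_partial(masked):
        if hmac.compare_digest(hash_fn(candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    phone = "13812345678"  # constructed sample value
    # Unkeyed hash next to a partially masked copy of the same number
    # (hashed join key in one table, "138****5678" in another) is recovered
    # in a fraction of a second.
    print(reverse_hash(mask_hash(phone), "138****5678", mask_hash))
    # Keyed hash: the same attack without the key finds nothing.
    key = b"export-key-kept-in-a-secrets-manager"
    print(reverse_hash(mask_hmac(phone, key), "138****5678",
                       lambda v: mask_hmac(v, b"attacker-guess")))
```

Even without a partially masked copy, an 11-digit mobile number with known prefixes is only a few billion candidates, which commodity hardware hashes in hours; the keyed digest is what makes enumeration pointless, and the key (like the storeOriginal mapping) then has to be kept out of the export and the test environment.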
Custom masking
{
"type": "mask",
"preset": "custom",
"field": "custom_field",
"keepFirst": 2,
"keepLast": 2,
"maskChar": "#"
}
// Example: ABCDEFGHIJ → AB######IJ
// Regex mode is also supported
{
"type": "mask",
"preset": "email",
"field": "email",
"mode": "regex",
"params": {
"pattern": "^(.)[^@]*(@.+)$",
"replace": "$1***$2"
}
}
// Example: user@example.com → u***@example.com
// The quantifier matters: "^(.{1,3}).*(@.+)$" looks equivalent, but {1,3} is greedy and captures three characters, giving use***@example.com. Also check what the engine does with a value the pattern does not match (for example, a string without "@"); an unmatched value must be masked in full, not passed through unchanged.
Worked examples
Example 1: protecting user profiles before export
[
{ "type": "mask", "preset": "name", "field": "name", "keepFirst": 1, "maskChar": "*" },
{ "type": "mask", "preset": "phone", "field": "phone", "keepFirst": 3, "keepLast": 4 },
{ "type": "mask", "preset": "email", "field": "email" },
{ "type": "mask", "preset": "id", "field": "id_number" }
]
// Result example:
// name: "张三" → "张*"
// phone: "13812345678" → "138****5678"
// email: "user@example.com" → "u**r@example.com"
// id_number: "110101199003071234" → "1101011990****1234"
// Presets supply their own defaults when keepFirst/keepLast are omitted (the email and id rules above). Note that the id default keeps 10 leading digits, which exposes the birth year; set keepFirst explicitly when that matters.
Example 2: combining several masks
[
{ "type": "mask", "preset": "name", "field": "employee_name", "keepFirst": 1 },
{ "type": "mask", "preset": "custom", "field": "ssn", "keepFirst": 3, "keepLast": 2, "maskChar": "*" },
{ "type": "mask", "preset": "bank", "field": "bank_account", "keepFirst": 4, "keepLast": 4 }
]
// Result example:
// employee_name: "李四" → "李*"
// ssn: "123456789" → "123****89"
// bank_account: "6222026009728972" → "6222********8972"
Example 3: masking financial data
[
{ "type": "mask", "preset": "bank", "field": "card_number", "keepFirst": 4, "keepLast": 4 },
{ "type": "mask", "preset": "amount_obfuscation", "field": "balance", "strategy": "round", "step": 100 },
{ "type": "mask", "preset": "hash", "field": "customer_id", "algorithm": "sha256", "storeOriginal": true }
]
// Result example (using inputs from the sections above):
// card_number: "6222026009728972" → "6222********8972"
// balance: 12345 → 12300 (rounded to the nearest 100)
// customer_id → a hex pseudonym; with storeOriginal: true the stored mapping allows re-identification and must be access controlled (see Hash masking above)
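A minimal engine that applies rule lists like the three above to a record, written as an added example (it is not the product's code). It covers the parameter structure, the keepFirst/keepLast presets, the email special case, regex mode and jsonPath targeting. Assumptions: one maskChar per hidden character; "jsonPath" is a dotted path such as "$.contact.backup_phone" (no array indexing); regex mode uses $1-style group references; per-preset defaults are inferred from the outputs in Example 1. The address, hash and amount_obfuscation presets and compoundSurnameAware are out of scope here. The sample record is constructed.

```python
import copy
import re

# Added example, not the product's own code: a minimal engine for the "mask"
# rule shape documented on this page. Assumptions: one maskChar per hidden
# character; "jsonPath" is a dotted path such as "$.contact.backup_phone" (no
# array indexing); regex mode uses $1-style group references; per-preset
# defaults are inferred from the outputs in Example 1 (phone 3/4, id 10/4,
# email 1/1, name 1/0). address, hash, amount_obfuscation and
# compoundSurnameAware are not implemented here.
PRESET_DEFAULTS = {
    "phone": (3, 4), "id": (10, 4), "bank": (4, 4),
    "name": (1, 0), "email": (1, 1), "custom": (0, 0),
}

def mask_keep(value, keep_first=0, keep_last=0, mask_char="*"):
    """Keep the first/last N characters and mask everything between.
    If keepFirst + keepLast would reveal the whole value, mask it entirely:
    a rule that hides nothing is a misconfiguration, not a no-op."""
    n = len(value)
    if keep_first + keep_last >= n:
        return mask_char * n
    return value[:keep_first] + mask_char * (n - keep_first - keep_last) + value[n - keep_last:]

def mask_email(value, keep_first=1, keep_last=1, mask_char="*"):
    """Mask only the local part; the domain after '@' is kept.
    A value with no '@' is not an address, so it is masked completely."""
    local, sep, domain = value.partition("@")
    if not sep:
        return mask_char * len(value)
    return mask_keep(local, keep_first, keep_last, mask_char) + "@" + domain

def mask_regex(value, pattern, replace, mask_char="*"):
    """Regex mode. $1/$2 references are rewritten to Python's \\1/\\2.
    Fails closed: re.sub() returns a non-matching value unchanged, which would
    be a silent leak, so an unmatched value is masked in full instead."""
    if re.search(pattern, value) is None:
        return mask_char * len(value)
    py_replace = re.sub(r"\$(\d+)", r"\\\1", replace)
    return re.sub(pattern, py_replace, value)

def apply_rule(rule, value):
    """Apply one rule to a string value, falling back to preset defaults."""
    mask_char = rule.get("maskChar", "*")
    if rule.get("mode") == "regex":
        params = rule["params"]
        return mask_regex(value, params["pattern"], params["replace"], mask_char)
    preset = rule.get("preset", "custom")
    if preset not in PRESET_DEFAULTS:
        raise ValueError(f"preset {preset!r} is not handled by this example")
    kf_default, kl_default = PRESET_DEFAULTS[preset]
    keep_first = rule.get("keepFirst", kf_default)
    keep_last = rule.get("keepLast", kl_default)
    if preset == "email":
        return mask_email(value, keep_first, keep_last, mask_char)
    return mask_keep(value, keep_first, keep_last, mask_char)

def target_keys(rule):
    """'field' names a top-level key; 'jsonPath' ('$.a.b') names a nested one."""
    if "jsonPath" in rule:
        return rule["jsonPath"].lstrip("$").strip(".").split(".")
    return [rule["field"]]

def apply_rules(rules, record):
    """Apply a rule list to a (possibly nested) record and return a masked copy.
    The input is left untouched; absent or non-string fields are skipped."""
    masked = copy.deepcopy(record)
    for rule in rules:
        keys = target_keys(rule)
        node = masked
        for key in keys[:-1]:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict) and isinstance(node.get(keys[-1]), str):
            node[keys[-1]] = apply_rule(rule, node[keys[-1]])
    return masked

# Constructed sample record; the rule list is the page's Example 1 plus one
# jsonPath rule for a nested field.
SAMPLE_RECORD = {
    "name": "张三",
    "phone": "13812345678",
    "email": "user@example.com",
    "id_number": "110101199003071234",
    "contact": {"backup_phone": "13987654321"},
}
EXAMPLE_1_RULES = [
    {"type": "mask", "preset": "name", "field": "name", "keepFirst": 1, "maskChar": "*"},
    {"type": "mask", "preset": "phone", "field": "phone", "keepFirst": 3, "keepLast": 4},
    {"type": "mask", "preset": "email", "field": "email"},
    {"type": "mask", "preset": "id", "field": "id_number"},
    {"type": "mask", "preset": "phone", "jsonPath": "$.contact.backup_phone"},
]

if __name__ == "__main__":
    for key, val in apply_rules(EXAMPLE_1_RULES, SAMPLE_RECORD).items():
        print(key, val)
```

Two design choices are worth copying into any real engine: a rule whose kept prefix and suffix cover the whole value masks it entirely instead of echoing it, and regex mode masks a non-matching value in full rather than passing it through, so a misconfigured rule fails towards less disclosure, not more.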
💡 Next step: learn about cleansing rules to correct and normalise data.