tDataMasking properties for Apache Spark Streaming

These properties are used to configure tDataMasking running in the Spark Streaming Job framework.

The Spark Streaming tDataMasking component belongs to the Data Quality family.

This component is available in Talend Real-Time Big Data Platform and Talend Data Fabric.

Basic settings

Schema and Edit Schema	A schema is a row description. It defines the number of fields (columns) to be processed and passed on to the next component. When you create a Spark Job, avoid the reserved word `line` when naming the fields. Click Sync columns to retrieve the schema from the previous component connected in the Job. Click Edit schema to make changes to the schema. If the current schema is of the Repository type, three options are available: View schema: choose this option to view the schema only. Change to built-in property: choose this option to change the schema to Built-in for local changes. Update repository connection: choose this option to change the schema stored in the repository and decide whether to propagate the changes to all the Jobs upon completion. If you just want to propagate the changes to the current Job, you can select No upon completion and choose this schema metadata again in the Repository Content window. Information noteRemember: When you select the Dynamic data type, remember that: The data masking function applies to each data of the dynamic column. For example, if the columns are `name`, `address`, and `email`, the data masking function applies to each of these three data as separate data, not as a whole. If some data types from the dynamic column are incompatible with some data masking functions, the Job fails. For example, the Email Masking function is incompatible with the `Integer` data type. Some data masking functions validate the input data. When at least one data from a record cannot be masked, the record goes to the invalid output flow. The output schema of this component contains read-only columns: TWEAK: Is generated when the Use tweaks with FF1 Encryption check box is selected. This column contains the tweak necessary to decrypt the data. ORIGINAL_MARK: Identifies by true or false if the record is an original record or a substitute record respectively.
	Built-In: You create and store the schema locally for this component only.
	Repository: You have already created the schema and stored it in the Repository. You can reuse it in various projects and Job designs.
Modifications	Define in the table what fields to change and how to change them: Input Column: Select the column from the input flow that contains the data to be masked. The supported data types are: `Date`, `Double`, `Float`, `Integer`, `Long` and `String`. These modifications are based on the function you select in the Function column. Category: select a category of masking functions from the list. Character Handling Data Handling Number Handling Bank Account Generation Data Generation Phone Number generation SSN Generation Bank Account Masking Address Masking Email Masking Credit Card Masking Phone Masking SSN Masking Set to null Function: Select the function that will hide or obfuscate the original data with substitutes. For example, you can replace digits or letters with the substitute of your choice, replace values with synonyms from an index file or nullify values. The functions you can select from the Function list depend on the data type of the input column. For example, if the column type is Long, you can use the `Numeric variance` function. If the column type is String, the `Numeric variance` function will not be available. Also, the Function list for a Date column is date-specific, it allows you to decide the type of modification you want to do on date values. Method: Select the Basic method or one FF1 algorithm (Format-Preserving Encryption (FPE)), FF1 with AES or FF1 with SHA-2: The Basic method is the default algorithm. Information noteNote: As the masking methods are stronger, it is recommended to use the FF1 algorithms rather than the Basic method. The FF1 with AES method is based on the Advanced Encryption Standard in CBC mode. The FF1 with SHA-2 method depends on the secure hash function HMAC-256. Information noteNote: Java 8u161 is the minimum required version to use the FF1 with AES method. To be able to use this FPE method with Java versions earlier than 8u161, download the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files from Oracle website. The FF1 with AES and FF1 with SHA-2 methods require a password to be specified in the Password or 256-bit key for FF1 methods field of the Advanced settings to generate unique masked values. The Alphabet list is only available for functions that use Format-Preserving Encryption algorithms. When using the Character handling functions, such as Replace all, Replace characters between two positions, Replace all digits with FPE methods, you must select an alphabet. Characters that belong to the selected alphabets are masked with characters from the same character type within the selected alphabet. When selecting the Best guess alphabet, masked values contain characters from all alphabets represented in the input values. Best guess is the default alphabet. Any unrecognized character is copied to the output as is. Extra Parameter: This field is used by some of the functions, it will be disabled when not applicable. When applicable, enter a number or a letter to decide the behavior of the function you have selected. When you set Function to Generate from file/list, define the file path in Extra Parameter. Set the file path as follows: In local mode: Apache Spark 3.1 and earlier: prefix://file path or file:///file path. Apache Spark 3.2 and later: file:///file path. In Standalone and Yarn modes: prefix://file path. If the index is on a cluster: hdfs://hdpnameservice1/file path. Keep format: this function is only used on Strings. Select this check box to keep the input format when using the Generate account number and keep original country, Generate credit card number and keep original bank, Bank Account Masking, Credit Card Masking, Phone Masking and SSN Masking functions or categories. That is to say, if there are spaces, dots ('.'), hyphens ('-') or slashes ('/') in the input, those characters are kept in the output. If you select this check box when using Phone Masking functions, the characters that are not numbers from the input are copied to the output as is.

Advanced settings

FF1 settings	Password or 256-bit key for FF1 methods: Set the password or secret key required for the FF1 with AES and FF1 with SHA-2 methods to generate unique masked values. If the password is not set, a random password is created at each Job execution. When using the FF1 with AES and FF1 with SHA-2 methods and a password, the seed from the Seed for random generator field is not used. You can get the 256-bit key using: Online tools OpenSSL: openssl rand -base64 32 Use tweaks with FF1 Encryption: Select this check box to use tweaks. A unique tweak is generated for each record and applies to all data of a record. If bijective masking is necessary, do not use this feature. For more information about tweaks, see the data masking functions. Use a column containing the tweaks: Available when Use tweaks with FF1 Encryption check box is selected. Select this check box to use an input column as the input for tweaks which must be 32 digit hexadecimal strings. Column containing the tweaks: Available when the Use a column containing the tweaks check box is selected. Select the column that contains the tweaks. Key derivation function : Select the key derivation function. Jobs created from Talend Studio 8.0 R2022-04 run using PBKDF2 with 300,000 iterations. When you import a Job prior to Talend Studio 8.0 R2022-04, you can run the Job using 300,000 iterations. The results will be different than using 65,536 iterations.
Seed for random generator	Set a random number if you want to generate the same sample of substitute data in each execution of the Job. The seed is not set by default. This field is of `Long` type. The value range is [-2⁶³, 2⁶³-1]. If you do not set the seed, the component creates a new random seed for each Job execution. Repeating the execution with a different seed will result in a different sample being generated.
Encoding	Select the encoding from the list or select Custom and define it manually. If you select Custom and leave the field empty, the supported encodings depend on the JVM that you are using. This field is compulsory for the file encoding.
Output the original row	Select this check box to output original data rows in addition to the substitute data. Outputting both the original and substitute data can be useful in debug or test processes.
Null input returns null	This check box is selected by default. When selected, the component outputs null when input values are null. When cleared, and when the input data is null, the masking function applies: The functions that do not validate the input data (The Character Handling functions, the Address Masking function, and the Numeric variance function) return the default value depending on the data type: String: Empty output. Numeric input: `0`. For the Date variance function, the output date is the one on which the Job was run. The generation functions generate a new value. The data are sent to the main flow. The validation functions (Email Masking, Phone Masking, Credit Card Masking, SSN Masking, and Bank Account Masking) cannot validate the value. The data are sent to the "Invalid" output flow. From Talend Studio R2024-08 onwards, when Null input returns null is selected and the input data is null, the masking function is not applied, null is returned and the input data are sent to the main flow.
Empty input returns an empty output	When this check box is selected, empty values are left unchanged in the output data. Otherwise, the selected functions are applied to the input data.
Send invalid data to "Invalid" output flow	This check box is selected by default. Selected: When the data can be masked, they are sent to the main flow. Otherwise, the data are sent to the "Invalid" output flow. Cleared: The data are sent to the main flow. The data are considered invalid when: The format of the SSN, phone number or email address is incorrect, regardless of the Method used. They do not comply to the FF1 with AES and FF1 with SHA-2 methods.

Usage

Usage rule	This component, along with the Spark Streaming component Palette it belongs to, appears only when you are creating a Spark Streaming Job. This component is used as an intermediate step. You need to use the Spark Configuration tab in the Run view to define the connection to a given Spark cluster for the whole Job. This connection is effective on a per-Job basis. For further information about a Talend Spark Streaming Job, see Getting started with Spark Streaming Jobs. Note that in this documentation, unless otherwise explicitly stated, a scenario presents only Standard Jobs, that is to say traditional Talend data integration Jobs.
Spark Connection	In the Spark Configuration tab in the Run view, define the connection to a given Spark cluster for the whole Job. In addition, since the Job expects its dependent jar files for execution, you must specify the directory in the file system to which these jar files are transferred so that Spark can access these files: Yarn mode (Yarn client or Yarn cluster): When using Google Dataproc, specify a bucket in the Google Storage staging bucket field in the Spark configuration tab. When using HDInsight, specify the blob to be used for Job deployment in the Windows Azure Storage configuration area in the Spark configuration tab. When using Altus, specify the S3 bucket or the Azure Data Lake Storage for Job deployment in the Spark configuration tab. When using on-premises distributions, use the configuration component corresponding to the file system your cluster is using. Typically, this system is HDFS and so use tHDFSConfiguration. Standalone mode: use the configuration component corresponding to the file system your cluster is using, such as tHDFSConfiguration Apache Spark Batch or tS3Configuration Apache Spark Batch. If you are using Databricks without any configuration component present in your Job, your business data is written directly in DBFS (Databricks Filesystem). This connection is effective on a per-Job basis.

Usage rule

This component, along with the Spark Streaming component Palette it belongs to, appears only when you are creating a Spark Streaming Job.

This component is used as an intermediate step.

You need to use the Spark Configuration tab in the Run view to define the connection to a given Spark cluster for the whole Job.

This connection is effective on a per-Job basis.

For further information about a Talend Spark Streaming Job, see Getting started with Spark Streaming Jobs.

Note that in this documentation, unless otherwise explicitly stated, a scenario presents only Standard Jobs, that is to say traditional Talend data integration Jobs.

Spark Connection

In the Spark Configuration tab in the Run view, define the connection to a given Spark cluster for the whole Job. In addition, since the Job expects its dependent jar files for execution, you must specify the directory in the file system to which these jar files are transferred so that Spark can access these files:

Yarn mode (Yarn client or Yarn cluster):
- When using Google Dataproc, specify a bucket in the Google Storage staging bucket field in the Spark configuration tab.
- When using HDInsight, specify the blob to be used for Job deployment in the Windows Azure Storage configuration area in the Spark configuration tab.
- When using Altus, specify the S3 bucket or the Azure Data Lake Storage for Job deployment in the Spark configuration tab.
- When using on-premises distributions, use the configuration component corresponding to the file system your cluster is using. Typically, this system is HDFS and so use tHDFSConfiguration.
Standalone mode: use the configuration component corresponding to the file system your cluster is using, such as tHDFSConfiguration Apache Spark Batch or tS3Configuration Apache Spark Batch.

If you are using Databricks without any configuration component present in your Job, your business data is written directly in DBFS (Databricks Filesystem).

This connection is effective on a per-Job basis.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!

Leave your feedback here