datamasque.client.models package¶

Submodules¶

datamasque.client.models.connection module¶

Connection configuration models for the DataMasque API.

class datamasque.client.models.connection.AzureConnectionConfig(*, name: str, id: ConnectionId | None = None, base_directory: str = '', is_file_mask_source: bool = False, is_file_mask_destination: bool = False, mask_type: Literal['file'] = 'file', type: Literal['azure_blob_connection'] = 'azure_blob_connection', container: str = '', connection_string: str | None = None, **extra_data: Any)[source]¶

Bases: FileConnectionConfig

Connection configuration for an Azure Blob Storage container.

connection_string comes back encrypted from list_connections and is write-only in practice.

connection_string: str | None¶

container: str¶

type: Literal['azure_blob_connection']¶

class datamasque.client.models.connection.ConnectionConfig(*, name: str, id: ConnectionId | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

Base class for all connection configurations.

Use validate_connection(payload) to deserialize an API response into the appropriate concrete subclass.

id: ConnectionId | None¶

name: str¶

class datamasque.client.models.connection.DatabaseConnectionConfig(*, name: str, id: ConnectionId | None = None, host: str, port: int, database: str, user: str, password: str | None = None, database_type: DatabaseType, engine_options: dict | None = None, schema: str | None = None, data_encoding: str | None = None, is_read_only: bool = False, s3_bucket_name: str | None = None, s3_redshift_iam_role: str | None = None, mask_type: Literal['database'] = 'database', **extra_data: Any)[source]¶

Bases: ConnectionConfig

Connection configuration for a SQL database.

Use DynamoConnectionConfig for DynamoDB, SnowflakeConnectionConfig for Snowflake, and MongoConnectionConfig for MongoDB.

data_encoding: str | None¶

database: str¶

database_type: DatabaseType¶

db_schema: str | None¶

property db_type: str¶

engine_options: dict | None¶

host: str¶

is_read_only: bool¶

mask_type: Literal['database']¶

password: str | None¶

port: int¶

s3_bucket_name: str | None¶

s3_redshift_iam_role: str | None¶

user: str¶

class datamasque.client.models.connection.DatabaseType(*values)[source]¶

Bases: Enum

Supported database engines for DatabaseConnectionConfig.

databricks = 'databricks'¶

databricks_lakebase = 'databricks_lakebase'¶

db2_luw = 'db2_luw'¶

db2i = 'db2i'¶

dynamodb = 'dynamo_db'¶

mariadb = 'mariadb'¶

mongodb = 'mongodb'¶

mssql_linked = 'mssql_linked'¶

mysql = 'mysql'¶

oracle = 'oracle'¶

postgres = 'postgres'¶

redshift = 'redshift'¶

snowflake = 'snowflake'¶

sql_server = 'mssql'¶

class datamasque.client.models.connection.DatabricksConnectionConfig(*, name: str, id: ConnectionId | None = None, server_hostname: str, http_path: str, access_token: str | None = None, catalog: str, schema: str | None = None, is_read_only: bool = False, version: str = '1.0', mask_type: Literal['database'] = 'database', db_type: Literal['databricks'] = 'databricks', **extra_data: Any)[source]¶

Bases: ConnectionConfig

Connection configuration for a Databricks SQL Warehouse.

access_token: str | None¶

catalog: str¶

property database_type: DatabaseType¶

db_schema: str | None¶

db_type: Literal['databricks']¶

http_path: str¶

is_read_only: bool¶

mask_type: Literal['database']¶

server_hostname: str¶

version: str¶

class datamasque.client.models.connection.DynamoConnectionConfig(*, name: str, id: ConnectionId | None = None, s3_bucket_name: str | None = None, dynamo_append_datetime: bool = False, dynamo_append_suffix: str = '-MASKED', dynamo_replace_tables: bool = True, dynamo_default_region: str | None = None, dynamo_default_sse: SseConfig = SseConfig(selection=<SseSelection.dynamodb_owned: 'dynamodb_owned'>, kms_key_id=None), iam_role_arn: str | None = None, export_s3_prefix: str | None = None, mask_type: Literal['database'] = 'database', db_type: Literal['dynamo_db'] = 'dynamo_db', **extra_data: Any)[source]¶

Bases: ConnectionConfig

Connection configuration for a DynamoDB table.

property database_type: DatabaseType¶

db_type: Literal['dynamo_db']¶

dynamo_append_datetime: bool¶

dynamo_append_suffix: str¶

dynamo_default_region: str | None¶

dynamo_default_sse: SseConfig¶

dynamo_replace_tables: bool¶

export_s3_prefix: str | None¶

iam_role_arn: str | None¶

mask_type: Literal['database']¶

s3_bucket_name: str | None¶

class datamasque.client.models.connection.FileConnectionConfig(*, name: str, id: ConnectionId | None = None, base_directory: str = '', is_file_mask_source: bool = False, is_file_mask_destination: bool = False, mask_type: Literal['file'] = 'file', **extra_data: Any)[source]¶

Bases: ConnectionConfig

Abstract base for file-based connections.

is_file_mask_source and is_file_mask_destination control whether the connection can be used as the source, destination, or both of a masking run.

base_directory: str¶

is_file_mask_destination: bool¶

is_file_mask_source: bool¶

mask_type: Literal['file']¶

class datamasque.client.models.connection.MongoConnectionConfig(*, name: str, id: ConnectionId | None = None, host: str = '', port: int = 27017, database: str = '', user: str = '', password: str | None = None, auth_source: str = 'admin', tls: bool = False, direct_connection: bool = False, replica_set: str = '', is_read_only: bool = False, mask_type: Literal['database'] = 'database', db_type: Literal['mongodb'] = 'mongodb', **extra_data: Any)[source]¶

Bases: ConnectionConfig

Connection configuration for a MongoDB instance.

auth_source: str¶

database: str¶

property database_type: DatabaseType¶

db_type: Literal['mongodb']¶

direct_connection: bool¶

host: str¶

is_read_only: bool¶

mask_type: Literal['database']¶

password: str | None¶

port: int¶

replica_set: str¶

tls: bool¶

user: str¶

class datamasque.client.models.connection.MountedShareConnectionConfig(*, name: str, id: ConnectionId | None = None, base_directory: str = '', is_file_mask_source: bool = False, is_file_mask_destination: bool = False, mask_type: Literal['file'] = 'file', type: Literal['mounted_share_connection'] = 'mounted_share_connection', **extra_data: Any)[source]¶

Bases: FileConnectionConfig

Connection configuration for a mounted file share.

type: Literal['mounted_share_connection']¶

class datamasque.client.models.connection.MssqlLinkedServerConnectionConfig(*, name: str, id: ConnectionId | None = None, host: str, port: int, database: str, user: str, password: str | None = None, database_type: DatabaseType, engine_options: dict | None = None, schema: str | None = None, data_encoding: str | None = None, is_read_only: bool = False, s3_bucket_name: str | None = None, s3_redshift_iam_role: str | None = None, mask_type: Literal['database'] = 'database', linked_server: str = '', **extra_data: Any)[source]¶

Bases: DatabaseConnectionConfig

Connection configuration for a Microsoft SQL Server linked-server setup.

linked_server: str¶

class datamasque.client.models.connection.S3ConnectionConfig(*, name: str, id: ConnectionId | None = None, base_directory: str = '', is_file_mask_source: bool = False, is_file_mask_destination: bool = False, mask_type: Literal['file'] = 'file', type: Literal['s3_connection'] = 's3_connection', bucket: str = '', iam_role_arn: str | None = None, **extra_data: Any)[source]¶

Bases: FileConnectionConfig

Connection configuration for an S3 bucket.

bucket: str¶

iam_role_arn: str | None¶

type: Literal['s3_connection']¶

class datamasque.client.models.connection.SnowflakeConnectionConfig(*, name: str, id: ConnectionId | None = None, database: str, user: str, snowflake_account_id: str, snowflake_warehouse: str, snowflake_storage_integration_name: str, host: str = '', port: int | None = None, schema: str | None = None, snowflake_role: str = '', is_read_only: bool = False, password: str | None = None, snowflake_private_key: FileId | None = None, snowflake_private_key_passphrase: str | None = None, snowflake_stage_location: SnowflakeStageLocation | None = None, s3_bucket_name: str | None = None, iam_role_arn: str | None = None, snowflake_azure_container_name: str | None = None, snowflake_azure_connection_string: str | None = None, snowflake_azure_connection_string_encrypted: str | None = None, mask_type: Literal['database'] = 'database', db_type: Literal['snowflake'] = 'snowflake', **extra_data: Any)[source]¶

Bases: ConnectionConfig

Connection configuration for a Snowflake database.

Supports password authentication (password) and key-pair authentication (snowflake_private_key + optional snowflake_private_key_passphrase).

database: str¶

property database_type: DatabaseType¶

db_schema: str | None¶

db_type: Literal['snowflake']¶

host: str¶

iam_role_arn: str | None¶

is_read_only: bool¶

mask_type: Literal['database']¶

password: str | None¶

port: int | None¶

s3_bucket_name: str | None¶

snowflake_account_id: str¶

snowflake_azure_connection_string: str | None¶

snowflake_azure_connection_string_encrypted: str | None¶

snowflake_azure_container_name: str | None¶

snowflake_private_key: FileId | None¶

snowflake_private_key_passphrase: str | None¶

snowflake_role: str¶

snowflake_stage_location: SnowflakeStageLocation | None¶

snowflake_storage_integration_name: str¶

snowflake_warehouse: str¶

user: str¶

class datamasque.client.models.connection.SnowflakeStageLocation(*values)[source]¶

Bases: str, Enum

Storage backend for a Snowflake connection’s external stage.

aws_s3 = 'aws_s3'¶

azure_blob_storage = 'azure_blob_storage'¶

local = 'local'¶

class datamasque.client.models.connection.SseConfig(*, selection: SseSelection, kms_key_id: str | None = None)[source]¶

Bases: BaseModel

Server-side encryption configuration for a DynamoDB connection.

kms_key_id is required when selection is SseSelection.account_managed and must be None for every other selection.

kms_key_id: str | None¶

selection: SseSelection¶

class datamasque.client.models.connection.SseSelection(*values)[source]¶

Bases: Enum

Mirrors the available options in the AWS console for DynamoDB Server-Side Encryption.

account_managed = 'account_managed'¶

aws_managed = 'aws_managed'¶

dynamodb_owned = 'dynamodb_owned'¶

use_source = 'use_source'¶

datamasque.client.models.connection.unwrap_connection_id(value: Any) → Any[source]¶

Coerce a ConnectionConfig to its id; pass other values through unchanged.

Used by request-model validators that accept either a ConnectionId or a full ConnectionConfig for user convenience. Raises ValueError if the config has no id (i.e. the caller hasn’t yet created it on the server).

datamasque.client.models.connection.validate_connection(payload: dict) → ConnectionConfig[source]¶

Validate an API response payload into the appropriate concrete ConnectionConfig subclass.

Dispatches on mask_type, then on type (file) or db_type (database).

datamasque.client.models.data_selection module¶

Models related to data selection in endpoints such as /api/async-generate-ruleset.

class datamasque.client.models.data_selection.HashColumnsTableConfig(*, table: list[str] | None = None, columns: dict[str, list[str] | None] | None = None)[source]¶

Bases: BaseModel

Configuration for hash_columns at the table level.

table contains table-level hash column defaults applied to all selected columns. columns contains per-column overrides (None or [] disables hashing for that column).

columns: dict[str, list[str] | None] | None¶

table: list[str] | None¶

datamasque.client.models.data_selection.JsonPath¶

A path into a JSON/structured document, e.g. ["employees", 0, "firstName"] or ["users", "*", "email"]. String elements are object keys (or the * wildcard), and integer elements are list indices.

alias of list[str | int]

datamasque.client.models.data_selection.Locator¶

A locator identifying a masked value within a file. - Tabular files (CSV, parquet, fixed-width) use a bare string column name, e.g. "email". - Structured files (JSON) use a JsonPath, e.g. ["employees", "*", "email"].

alias of str | list[str | int]

class datamasque.client.models.data_selection.SelectedColumns(*, columns: dict[str, dict[str, list[str]]], hash_columns: dict[str, dict[str, HashColumnsTableConfig]] | None = None)[source]¶

Bases: BaseModel

Selected columns and hash columns for database masking ruleset generation.

columns: dict[str, dict[str, list[str]]]¶

hash_columns: dict[str, dict[str, HashColumnsTableConfig]] | None¶

class datamasque.client.models.data_selection.SelectedFileData(*, user_selections: list[UserSelection])[source]¶

Bases: BaseModel

Selected files and locators for file masking ruleset generation.

user_selections: list[UserSelection]¶

class datamasque.client.models.data_selection.UserSelection(*, files: list[str], locators: list[str | list[str | int]])[source]¶

Bases: BaseModel

Information about selected files and locators for file masking ruleset generation.

files: list[str]¶

locators: list[str | list[str | int]]¶

datamasque.client.models.discovery module¶

Typed request and response shapes for schema-discovery and ruleset-generation endpoints.

class datamasque.client.models.discovery.ConstraintColumns(*, columns: list[str], **extra_data: Any)[source]¶

Bases: BaseModel

A constraint’s column list in table metadata.

columns: list[str]¶

class datamasque.client.models.discovery.DiscoveryMatch(*, label: str, categories: list[str], flagged_by: str, description: str, hit_ratio: int | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

A single match found by schema or file discovery.

categories: list[str]¶

description: str¶

flagged_by: str¶

hit_ratio: int | None¶

label: str¶

class datamasque.client.models.discovery.FileDiscoveryFile(*, path: str | None = None, file_type: str | None = None, delimiter: str | None = None, encoding: str | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

A file entry in a file discovery result.

delimiter: str | None¶

encoding: str | None¶

file_type: str | None¶

path: str | None¶

Bases: BaseModel

A locator (column/path) within a discovered file.

data_types: list[str] | None¶

locator: str | list[str | int] | None¶

matches: list[FileDiscoveryMatch] | None¶

Bases: BaseModel

A single match in a file discovery locator.

categories: list[str] | None¶

description: str | None¶

flagged_by: str | None¶

hit_ratio: int | None¶

label: str | None¶

class datamasque.client.models.discovery.FileDiscoveryResult(*, id: int | None = None, connection: Any | None = None, file_type: str | None = None, files: list[FileDiscoveryFile] | None = None, results: list[FileDiscoveryLocatorResult] | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

A single record from GET /api/runs/{run_id}/file-discovery-results/.

connection: Any | None¶

file_type: str | None¶

files: list[FileDiscoveryFile] | None¶

id: int | None¶

results: list[FileDiscoveryLocatorResult] | None¶

class datamasque.client.models.discovery.FileRulesetGenerationRequest(*, connection: ConnectionId | ConnectionConfig, selected_data: list[UserSelection])[source]¶

Bases: BaseModel

Request body for POST /api/generate-file-ruleset/.

connection accepts either a ConnectionId or a full ConnectionConfig returned by an earlier client call.

connection: ConnectionId | ConnectionConfig¶

selected_data: list[UserSelection]¶

class datamasque.client.models.discovery.ForeignKeyRef(*, name: str, referenced_column: str, **extra_data: Any)[source]¶

Bases: BaseModel

A foreign key declared on a column, pointing to another column it references.

name: str¶

referenced_column: str¶

class datamasque.client.models.discovery.InDataDiscoveryConfig(*, enabled: bool | None = None, row_sample_size: int | None = None, custom_rules: list[InDataDiscoveryRule] | None = None, non_sensitive_rules: list[InDataDiscoveryRule] | None = None, force: bool | None = None)[source]¶

Bases: BaseModel

In-data discovery configuration nested under SchemaDiscoveryRequest.in_data_discovery.

custom_rules: list[InDataDiscoveryRule] | None¶

enabled: bool | None¶

force: bool | None¶

non_sensitive_rules: list[InDataDiscoveryRule] | None¶

row_sample_size: int | None¶

class datamasque.client.models.discovery.InDataDiscoveryRule(*, name: str | None = None, pattern: str)[source]¶

Bases: BaseModel

A single rule for in-data discovery.

name: str | None¶

pattern: str¶

class datamasque.client.models.discovery.ReferencingForeignKey(*, name: str, referencing_column: str, **extra_data: Any)[source]¶

Bases: BaseModel

A foreign key declared on another column that points at this column.

name: str¶

referencing_column: str¶

class datamasque.client.models.discovery.RulesetGenerationRequest(*, connection: ConnectionId | ConnectionConfig, selected_columns: dict[str, dict[str, list[str]]], hash_columns: dict[str, dict[str, HashColumnsTableConfig]] | None = None)[source]¶

Bases: BaseModel

Request body for POST /api/generate-ruleset/v2/.

connection accepts either a ConnectionId or a full ConnectionConfig returned by an earlier client call. selected_columns is the same nested schema -> table -> [column, ...] mapping used by SelectedColumns.columns, and hash_columns follows the HashColumnsTableConfig shape.

connection: ConnectionId | ConnectionConfig¶

hash_columns: dict[str, dict[str, HashColumnsTableConfig]] | None¶

selected_columns: dict[str, dict[str, list[str]]]¶

class datamasque.client.models.discovery.SchemaDiscoveryColumn(*, data_type: str | None = None, max_length: int | None = None, foreign_keys: list[ForeignKeyRef], discovery_matches: list[DiscoveryMatch], numeric_precision: int | None = None, numeric_scale: int | None = None, constraint_columns: list[str], pk_constraint_name: str | None = None, uk_constraint_name: str | None = None, unique_index_names: list[str], referencing_foreign_keys: list[ReferencingForeignKey], constraint: str, **extra_data: Any)[source]¶

Bases: BaseModel

Column-level data in a schema discovery result.

constraint: str¶

constraint_columns: list[str]¶

data_type: str | None¶

discovery_matches: list[DiscoveryMatch]¶

foreign_keys: list[ForeignKeyRef]¶

max_length: int | None¶

numeric_precision: int | None¶

numeric_scale: int | None¶

pk_constraint_name: str | None¶

referencing_foreign_keys: list[ReferencingForeignKey]¶

uk_constraint_name: str | None¶

unique_index_names: list[str]¶

class datamasque.client.models.discovery.SchemaDiscoveryPage(*, count: int, next: str | None = None, previous: str | None = None, results: list[SchemaDiscoveryResult], table_metadata: dict[str, dict[str, TableConstraints]] | None = None, **extra_data: Any)[source]¶

Bases: Page[SchemaDiscoveryResult]

Admin-server envelope for GET /api/schema-discovery/v2/{run_id}/.

Extends the standard Page with table_metadata.

table_metadata: dict[str, dict[str, TableConstraints]] | None¶

class datamasque.client.models.discovery.SchemaDiscoveryRequest(*, connection: ConnectionId | ConnectionConfig, custom_keywords: list[str] = <factory>, ignored_keywords: list[str] = <factory>, schemas: list[str] = <factory>, in_data_discovery: InDataDiscoveryConfig | None = None, disable_built_in_keywords: bool = False, disable_global_custom_keywords: bool = False, disable_global_ignored_keywords: bool = False)[source]¶

Bases: BaseModel

Request body for POST /api/schema-discovery/.

connection accepts either a ConnectionId or a full ConnectionConfig returned by an earlier client call. Every other field uses the server’s default value when omitted.

connection: ConnectionId | ConnectionConfig¶

custom_keywords: list[str]¶

disable_built_in_keywords: bool¶

disable_global_custom_keywords: bool¶

disable_global_ignored_keywords: bool¶

ignored_keywords: list[str]¶

in_data_discovery: InDataDiscoveryConfig | None¶

schemas: list[str]¶

class datamasque.client.models.discovery.SchemaDiscoveryResult(*, id: int, column: str, table: str, schema: str | None = None, data: SchemaDiscoveryColumn, **extra_data: Any)[source]¶

Bases: BaseModel

A single row in the v2 schema discovery results.

column: str¶

data: SchemaDiscoveryColumn¶

id: int¶

schema_name: str | None¶

table: str¶

class datamasque.client.models.discovery.TableConstraints(*, primary_keys: list[ConstraintColumns] | None = None, unique_keys: list[ConstraintColumns] | None = None, foreign_keys: list[ConstraintColumns] | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

Constraint metadata for a single table.

foreign_keys: list[ConstraintColumns] | None¶

primary_keys: list[ConstraintColumns] | None¶

unique_keys: list[ConstraintColumns] | None¶

datamasque.client.models.dm_instance module¶

class datamasque.client.models.dm_instance.DataMasqueInstanceConfig(*, base_url: str, username: str, password: str | None = None, verify_ssl: bool = True, token_source: Callable[[], str] | None = None)[source]¶

Bases: BaseModel

Connection configuration for DataMasqueClient.

base_url is the root URL of the DataMasque admin server (e.g. https://datamasque.example.com/). Set verify_ssl=False to skip TLS certificate verification (only use this with a self-signed certificate; do not disable it otherwise). Exactly one of password or token_source must be set. token_source is a user-supplied callable that returns the bare API token string — the hex value returned by POST /api/auth/token/login/; the client prepends it with Token ` when sending the `Authorization header. The client calls token_source on each authentication attempt, so the callable is free to fetch and refresh tokens out-of-band (e.g. from a secrets manager).

base_url: str¶

password: str | None¶

token_source: Callable[[], str] | None¶

username: str¶

verify_ssl: bool¶

datamasque.client.models.files module¶

class datamasque.client.models.files.DataMasqueFile(*, name: str, created_date: datetime, modified_date: datetime | None = None, id: FileId | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

Base class for the concrete file types (SeedFile, OracleWalletFile, SslZipFile, SnowflakeKeyFile).

created_date: datetime¶

abstractmethod classmethod get_content_param_name() → str[source]¶: Returns the multipart form field name used when uploading files of this type.

abstractmethod classmethod get_url() → str[source]¶: Returns the API URL path for files of this type.

id: FileId | None¶

modified_date: datetime | None¶

name: str¶

class datamasque.client.models.files.OracleWalletFile(*, name: str, created_date: datetime, modified_date: datetime | None = None, id: FileId | None = None, **extra_data: Any)[source]¶

Bases: DataMasqueFile

Represents an Oracle wallet file (ZIP file).

classmethod get_content_param_name() → str[source]¶: Returns the multipart form field name used when uploading files of this type.

classmethod get_url() → str[source]¶: Returns the API URL path for files of this type.

class datamasque.client.models.files.SeedFile(*, name: str, created_date: datetime, modified_date: datetime | None = None, id: FileId | None = None, **extra_data: Any)[source]¶

Bases: DataMasqueFile

Represents a seed file (CSV file).

classmethod get_content_param_name() → str[source]¶: Returns the multipart form field name used when uploading files of this type.

classmethod get_url() → str[source]¶: Returns the API URL path for files of this type.

class datamasque.client.models.files.SnowflakeKeyFile(*, name: str, created_date: datetime, modified_date: datetime | None = None, id: FileId | None = None, **extra_data: Any)[source]¶

Bases: DataMasqueFile

Represents a private SSH key file for Snowflake connections.

classmethod get_content_param_name() → str[source]¶: Returns the multipart form field name used when uploading files of this type.

classmethod get_url() → str[source]¶: Returns the API URL path for files of this type.

class datamasque.client.models.files.SslZipFile(*, name: str, created_date: datetime, modified_date: datetime | None = None, id: FileId | None = None, **extra_data: Any)[source]¶

Bases: DataMasqueFile

Represents a ZIP file of SSL certificates used to establish secure database connections.

classmethod get_content_param_name() → str[source]¶: Returns the multipart form field name used when uploading files of this type.

classmethod get_url() → str[source]¶: Returns the API URL path for files of this type.

datamasque.client.models.ifm module¶

Typed request and response shapes for the IFM (in-flight masking) HTTP API.

class datamasque.client.models.ifm.DataMasqueIfmInstanceConfig(*, admin_server_base_url: str, ifm_base_url: str, username: str, password: str | None = None, verify_ssl: bool = True, token_source: Callable[[], str] | None = None)[source]¶

Bases: BaseModel

Connection configuration for DataMasqueIfmClient.

admin_server_base_url is where JWTs are obtained and refreshed; ifm_base_url is where the IFM API itself lives (typically a separate hostname or the admin server with /ifm prefix). Exactly one of password or token_source must be set. token_source is a user-supplied callable that returns the bare JWT access token string — the value issued by the admin server’s /api/auth/jwt/login/ endpoint; the client prepends it with Bearer ` when sending the `Authorization header. The client calls token_source on each authentication and refresh, so the callable is free to fetch and refresh tokens out-of-band (e.g. from a secrets manager).

admin_server_base_url: str¶

ifm_base_url: str¶

password: str | None¶

token_source: Callable[[], str] | None¶

username: str¶

verify_ssl: bool¶

class datamasque.client.models.ifm.IfmLog(*, log_level: str, timestamp: str, message: str, **extra_data: Any)[source]¶

Bases: BaseModel

A single log entry produced by IFM during a mask call or a ruleset-plan validation.

log_level: str¶

message: str¶

timestamp: str¶

Bases: BaseModel

Request body for POST /ruleset-plans/{name}/mask/.

data is the list of records to be masked; every other field overrides server defaults configured on the plan.

ai_engine_url: str | None¶

data: list[Any]¶

disable_instance_secret: bool | None¶

hash_values: Any | None¶

log_level: str | None¶

request_id: str | None¶

run_secret: str | None¶

class datamasque.client.models.ifm.IfmMaskResult(*, success: bool, request_id: str | None = None, ruleset_plan: IfmRulesetPlanRef | None = None, logs: list[IfmLog] | None = None, data: list[Any] | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

Response shape for POST /ruleset-plans/{name}/mask/.

success is populated by the client based on the HTTP status the server returned:

True — masking completed; data carries the masked records (possibly an empty list if the request had no input).
False — the server rejected the request with a soft failure (e.g. a masking function received an unsupported value type); data is omitted and details surface in logs.

Hard failures (plan not found, auth, transport) still raise rather than producing an IfmMaskResult.

data: list[Any] | None¶

logs: list[IfmLog] | None¶

request_id: str | None¶

ruleset_plan: IfmRulesetPlanRef | None¶

success: bool¶

class datamasque.client.models.ifm.IfmRulesetPlanRef(*, name: str, serial: int, **extra_data: Any)[source]¶

Bases: BaseModel

Reference to a ruleset plan embedded in a mask response.

name: str¶

serial: int¶

class datamasque.client.models.ifm.IfmTokenInfo(*, scopes: list[str], **extra_data: Any)[source]¶

Bases: BaseModel

Response body for GET /verify-token/ — the list of scopes granted to the current JWT.

scopes: list[str]¶

class datamasque.client.models.ifm.RulesetPlan(*, name: str, serial: int, created_time: datetime, modified_time: datetime, options: RulesetPlanOptions, ruleset_yaml: str | None = None, logs: list[IfmLog] | None = None, url: str | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

Unified model for IFM ruleset plans.

Collapses the list/detail/create/update response shapes into one model with optional fields for parts that differ by endpoint.

created_time: datetime¶

logs: list[IfmLog] | None¶

modified_time: datetime¶

name: str¶

options: RulesetPlanOptions¶

ruleset_yaml: str | None¶

serial: int¶

url: str | None¶

class datamasque.client.models.ifm.RulesetPlanCreateRequest(*, name: str, ruleset_yaml: str, options: RulesetPlanOptions | None = None)[source]¶

Bases: BaseModel

Request body for POST /ifm/ruleset-plans/.

name: str¶

options: RulesetPlanOptions | None¶

ruleset_yaml: str¶

class datamasque.client.models.ifm.RulesetPlanOptions(*, enabled: bool | None = None, default_encoding: str | None = None, default_charset: str | None = None, default_log_level: str | None = None)[source]¶

Bases: BaseModel

Server-defined defaults applied when a mask request omits the corresponding fields.

All keys are optional; callers can supply any subset (or none) and the IFM server fills in remaining defaults.

default_charset: str | None¶

default_encoding: str | None¶

default_log_level: str | None¶

enabled: bool | None¶

class datamasque.client.models.ifm.RulesetPlanPartialUpdateRequest(*, ruleset_yaml: str | None = None, options: RulesetPlanOptions | None = None)[source]¶

Bases: BaseModel

Request body for PATCH /ifm/ruleset-plans/{name}/ — every field is optional.

options: RulesetPlanOptions | None¶

ruleset_yaml: str | None¶

class datamasque.client.models.ifm.RulesetPlanUpdateRequest(*, ruleset_yaml: str, options: RulesetPlanOptions | None = None)[source]¶

Bases: BaseModel

Request body for PUT /ifm/ruleset-plans/{name}/.

options: RulesetPlanOptions | None¶

ruleset_yaml: str¶

datamasque.client.models.license module¶

Typed response shape for the license endpoint.

class datamasque.client.models.license.LicenseInfo(*, uuid: str, name: str, type: str, is_expired: bool, uploadable: bool, version: str | None = None, raw_type: str | None = None, expiry_date: datetime | None = None, quota_tb: float | None = None, maximum_node_count: int | None = None, row_limit: int | None = None, platform_name: str | None = None, platform_code: str | None = None, days_until_expiry: int | None = None, is_contract_product: bool | None = None, contract_license_type: str | None = None, switchable_license_metadata: SwitchableLicenseMetadata | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

License information returned by GET /api/license/.

Core fields (uuid, name, type, is_expired, uploadable) are always present in the server response. Other fields vary by license type and server version.

contract_license_type: str | None¶

days_until_expiry: int | None¶

expiry_date: datetime | None¶

is_contract_product: bool | None¶

is_expired: bool¶

maximum_node_count: int | None¶

name: str¶

platform_code: str | None¶

platform_name: str | None¶

quota_tb: float | None¶

raw_type: str | None¶

row_limit: int | None¶

switchable_license_metadata: SwitchableLicenseMetadata | None¶

type: str¶

uploadable: bool¶

uuid: str¶

version: str | None¶

class datamasque.client.models.license.SwitchableLicenseMetadata(*, can_switch_license_source: bool | None = None, license_source: str | None = None, license_select_time: datetime | None = None, aws_account_number: str | None = None, last_checkout_success_time: datetime | None = None, last_checkout_success_type: str | None = None, last_checkout_error: str | None = None, last_checkout_license_arn: str | None = None, last_checkout_product_name: str | None = None, last_checkout_contract_expiry: datetime | None = None, last_checkout_agreement_id: str | None = None, last_checkout_agreement_url: str | None = None, checkout_mode: str | None = None, selected_product_sku: str | None = None, allow_fallback: bool | None = None, last_checkout_success_license_count: int | None = None, iam_role_arn: str | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

Metadata for switchable license management (AWS Marketplace, etc.).

allow_fallback: bool | None¶

aws_account_number: str | None¶

can_switch_license_source: bool | None¶

checkout_mode: str | None¶

iam_role_arn: str | None¶

last_checkout_agreement_id: str | None¶

last_checkout_agreement_url: str | None¶

last_checkout_contract_expiry: datetime | None¶

last_checkout_error: str | None¶

last_checkout_license_arn: str | None¶

last_checkout_product_name: str | None¶

last_checkout_success_license_count: int | None¶

last_checkout_success_time: datetime | None¶

last_checkout_success_type: str | None¶

license_select_time: datetime | None¶

license_source: str | None¶

selected_product_sku: str | None¶

datamasque.client.models.ruleset module¶

class datamasque.client.models.ruleset.Ruleset(*, name: str, config_yaml: str = '', mask_type: RulesetType = RulesetType.database, id: RulesetId | None = None, is_valid: ValidationStatus | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

Represents a ruleset.

id: RulesetId | None¶

is_valid: ValidationStatus | None¶

name: str¶

ruleset_type: RulesetType¶

yaml: str¶

class datamasque.client.models.ruleset.RulesetType(*values)[source]¶

Bases: Enum

Ruleset type (database masking or file masking).

database = 'database'¶

file = 'file'¶

datamasque.client.models.ruleset.unwrap_ruleset_id(value: Any) → Any[source]¶

Coerce a Ruleset to its id; pass other values through unchanged.

Used by request-model validators that accept either a RulesetId or a full Ruleset for user convenience. Raises ValueError if the ruleset has no id (i.e. the caller hasn’t yet created it on the server).

datamasque.client.models.ruleset_library module¶

class datamasque.client.models.ruleset_library.RulesetLibrary(*, name: str, namespace: str = '', config_yaml: str | None = None, id: RulesetLibraryId | None = None, is_valid: ValidationStatus | None = None, created: datetime | None = None, modified: datetime | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

Represents a ruleset library.

created: datetime | None¶

id: RulesetLibraryId | None¶

is_valid: ValidationStatus | None¶

modified: datetime | None¶

name: str¶

namespace: str¶

yaml: str | None¶

datamasque.client.models.runs module¶

Typed request and response shapes for run-related API endpoints.

class datamasque.client.models.runs.MaskType(*values)[source]¶

Bases: Enum

Type of a masking run.

database = 'database'¶

file = 'file'¶

file_data_discovery = 'file_data_discovery'¶

class datamasque.client.models.runs.MaskingRunOptions(*, batch_size: int | None = None, dry_run: bool | None = None, continue_on_failure: bool | None = None, max_rows: int | None = None, diagnostic_logging: bool | None = None, run_secret: Annotated[str | None, MinLen(min_length=16), MaxLen(max_length=256)] = None, disable_instance_secret: bool | None = None)[source]¶

Bases: BaseModel

Optional run-time overrides for MaskingRunRequest.options.

All fields optional; server applies defaults when omitted. run_secret, if supplied, must be 16–256 characters and is used as the per-run encryption key; the server auto-generates one when omitted.

batch_size: int | None¶

continue_on_failure: bool | None¶

diagnostic_logging: bool | None¶

disable_instance_secret: bool | None¶

dry_run: bool | None¶

max_rows: int | None¶

run_secret: str | None¶

class datamasque.client.models.runs.MaskingRunRequest(*, connection: ConnectionId | ConnectionConfig, ruleset: RulesetId | Ruleset, mask_type: MaskType = MaskType.database, destination_connection: ConnectionId | ConnectionConfig | None = None, options: MaskingRunOptions = <factory>, name: str | None = None)[source]¶

Bases: BaseModel

Request body for POST /api/runs/.

connection, destination_connection, and ruleset accept either the server-assigned ID or the corresponding object returned by an earlier client call (e.g. a ConnectionConfig or Ruleset); the object’s id is extracted at construction time.

connection: ConnectionId | ConnectionConfig¶

destination_connection: ConnectionId | ConnectionConfig | None¶

mask_type: MaskType¶

name: str | None¶

options: MaskingRunOptions¶

ruleset: RulesetId | Ruleset¶

class datamasque.client.models.runs.RunConnectionRef(*, id: ConnectionId | None = None, name: str, **extra_data: Any)[source]¶

Bases: BaseModel

A reference to a connection used in a run — just the ID and display name.

id: ConnectionId | None¶

name: str¶

class datamasque.client.models.runs.RunInfo(*, id: int, status: MaskingRunStatus, mask_type: MaskType, source_connection: RunConnectionRef, ruleset_name: str, name: str | None = None, destination_connection: RunConnectionRef | None = None, ruleset: RulesetId | None = None, start_time: datetime | None = None, end_time: datetime | None = None, options: dict[str, Any] | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

Full record for a masking run.

destination_connection: RunConnectionRef | None¶

end_time: datetime | None¶

id: int¶

mask_type: MaskType¶

name: str | None¶

options: dict[str, Any] | None¶

ruleset: RulesetId | None¶

ruleset_name: str¶

source_connection: RunConnectionRef¶

start_time: datetime | None¶

status: MaskingRunStatus¶

class datamasque.client.models.runs.UnfinishedRun(*, id: int, source_connection: RunConnectionRef, ruleset_name: str, status: MaskingRunStatus, destination_connection: RunConnectionRef | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

Represents a masking run that is queued, running, validating, or cancelling.

destination_connection: RunConnectionRef | None¶

id: int¶

ruleset_name: str¶

source_connection: RunConnectionRef¶

status: MaskingRunStatus¶

datamasque.client.models.status module¶

class datamasque.client.models.status.AsyncRulesetGenerationTaskStatus(*values)[source]¶

Bases: Enum

List of statuses of async ruleset generation tasks.

failed = 'failed'¶

finished = 'finished'¶

classmethod get_final_states() → set[AsyncRulesetGenerationTaskStatus][source]¶: Returns the list of final statuses, i.e. the ruleset generation has completed, successfully or otherwise.

property is_in_final_state: bool¶: Returns True if this status is a final status.

queued = 'queued'¶

running = 'running'¶

class datamasque.client.models.status.MaskingRunStatus(*values)[source]¶

Bases: Enum

List of valid masking run statuses.

cancelled = 'cancelled'¶

cancelling = 'cancelling'¶

failed = 'failed'¶

finished = 'finished'¶

finished_with_warnings = 'finished_with_warnings'¶

classmethod get_final_states() → set[MaskingRunStatus][source]¶: Returns the list of final statuses, i.e. the run is completed, successfully or otherwise.

classmethod get_finished_states() → set[MaskingRunStatus][source]¶: Returns the list of statuses that indicate the run completed successfully.

property is_finished: bool¶: Returns True if this status is a finished status.

property is_in_final_state: bool¶: Returns True if this status is a final status.

queued = 'queued'¶

running = 'running'¶

validating = 'validating'¶

class datamasque.client.models.status.ValidationStatus(*values)[source]¶

Bases: Enum

Validation status of a ruleset or ruleset library.

in_progress = 'in_progress'¶

invalid = 'invalid'¶

unknown = 'unknown'¶

valid = 'valid'¶

datamasque.client.models.user module¶

class datamasque.client.models.user.User(*, username: str, email: str, user_roles: list[UserRole], id: UserId | None = None, password: str | None = None, **extra_data: Any)[source]¶

Bases: BaseModel

Represents a DataMasque user account.

email: str¶

static generate_password() → str[source]¶

Generates a password suitable for DataMasque authentication.

The password consists of 16 characters without the same character occurring three times in a row and without any three consecutive characters forming an increasing or decreasing sequence.

id: UserId | None¶

password: str | None¶

roles: list[UserRole]¶

username: str¶

class datamasque.client.models.user.UserRole(*values)[source]¶

Bases: Enum

List of supported user roles.

ruleset_library_manager can be optionally included alongside mask_builder. It is not valid as a standalone role.

mask_builder = 'mask_builder'¶

mask_runner = 'mask_runner'¶

ruleset_library_manager = 'ruleset_library_managers'¶

superuser = 'admin'¶

datamasque.client.models package¶

Submodules¶

datamasque.client.models.connection module¶

datamasque.client.models.data_selection module¶

datamasque.client.models.discovery module¶

datamasque.client.models.dm_instance module¶

datamasque.client.models.files module¶

datamasque.client.models.ifm module¶

datamasque.client.models.license module¶

datamasque.client.models.ruleset module¶

datamasque.client.models.ruleset_library module¶

datamasque.client.models.runs module¶

datamasque.client.models.status module¶

datamasque.client.models.user module¶

DataMasque Python

Navigation

Related Topics