[PR] [FLINK-38035][Python][PythonEnvUtils] Redact sensitive env vars in PythonEnvUtils logging [flink]

Wed, 16 Jul 2025 07:54:48 -0700 


vssakuru opened a new pull request, #26803:
URL: https://github.com/apache/flink/pull/26803

   
   
   ## What is the purpose of the change
   
   This pull request addresses a security concern in PyFlink’s environment 
logging. Previously, all environment variables were logged in plaintext when 
launching a Python process, which could unintentionally expose sensitive 
credentials (such as AWS_SECRET_ACCESS_KEY, TOKEN, PASSWORD, etc.) in log 
files. This change introduces logic to detect and redact sensitive environment 
variable values, replacing them with` ***REDACTED***` before they are written 
to logs. This helps align PyFlink behavior with best practices for security and 
production environments, particularly in cloud and containerized setups.
   
   
   ## Brief change log
   
   - Introduced a filter in PythonEnvUtils to scan environment variable keys 
for sensitive terms (SECRET, TOKEN, PASSWORD, KEY, etc.).
   - Modified the environment logging logic to redact sensitive values inline 
before outputting them to logs.
   - Ensured the logging format remains unchanged to preserve log structure and 
readability.
   
   
   ## Verifying this change
   
   * This change is already covered by existing functional test cases that 
verify PyFlink process initialization. The change only affects log output 
formatting and does not alter core logic or behavior.
   
   * This change includes unit tests to check the ` ***REDACTED***` outputs
   
   ## Does this pull request potentially affect one of the following parts:
   
     - Dependencies (does it add or upgrade a dependency): no
     - The public API, i.e., is any changed class annotated with 
`@Public(Evolving)`: no
     - The serializers: no
     - The runtime per-record code paths (performance sensitive): no
     - Anything that affects deployment or recovery: JobManager (and its 
components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
     - The S3 file system connector: no
   
   ## Documentation
   
     - Does this pull request introduce a new feature? no
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to