[PR] [FLINK-38266][flink-sql-gateway] SQL Gateway - mask sensitive table and catalog options [flink]

Tue, 19 Aug 2025 04:23:15 -0700 


maciejmaciejko-gid opened a new pull request, #26927:
URL: https://github.com/apache/flink/pull/26927

   
   ## What is the purpose of the change
   
   The SQL Gateway exposes credentials and other sensitive information through 
the SHOW CREATE TABLE and SHOW CREATE CATALOG statements. This represents a 
security risk when the SQL Gateway is used in a multi-user environment, for 
example, as a gateway for SQL editors with persistent catalogs.
   
   This feature redacts sensitive table and catalog options (configurable) by 
replacing their values with '****' in the SHOW CREATE TABLE and SHOW CREATE 
CATALOG statements. Note that this does not affect the table or catalog itself 
— it only masks sensitive options in the SQL Gateway’s response. Users can 
still interact with the table or catalog, but they will not be able to see the 
sensitive configuration details.
   
   ## Brief change log
     - SQL Gateway API options with doc
     - ShowCreateTableResult with masking based on regex (only for SHOW CREATE 
TABLE and CATALOG response)
     - Added unit tests, extended integration tests
   
   ## Verifying this change
   
   This change added tests and can be verified as follows:
   - Added unit tests for ShowCreateTableResult (corner cases, options match 
and redact)
   - Extended integration test for SQL Gateway 
(AbstractSqlGatewayStatementITCase - added scenario as file 
show_create_sensitive_options.q)
   - Manually verified - e2e test with SQL Gateway and session cluster
   
   ## Does this pull request potentially affect one of the following parts:
     - Dependencies (does it add or upgrade a dependency): NO
     - The public API, i.e., is any changed class annotated with 
`@Public(Evolving)`: YES (SqlGatewayServiceConfigOptions)
     - The serializers: NO
     - The runtime per-record code paths (performance sensitive): NO
     - Anything that affects deployment or recovery: JobManager (and its 
components), Checkpointing, Kubernetes/Yarn, ZooKeeper: NO
     - The S3 file system connector: NO
   
   ## Documentation
   
     - Does this pull request introduce a new feature? YES
     - If yes, how is the feature documented? described options in 
docs/content/docs/dev/table/sql-gateway/overview.md
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to