gaborgsomogyi opened a new pull request, #28058:
URL: https://github.com/apache/flink/pull/28058
## What is the purpose of the change
Several cloud storage access key config names were not matched by the
existing SENSITIVE_KEYS patterns and were therefore leaked in logs and REST API
responses:
- `fs.s3a.access.key`, `s3.access.key` (missing access.key pattern)
- `s3.access-key` (missing access-key pattern)
- `fs.oss.accessKeyId`, `fs.oss.accesskey` (missing accesskey pattern)
Additionally, there was no way for users to protect custom or
vendor-specific sensitive keys beyond the hardcoded list.
## Brief change log
- Added three new patterns to the immutable `SENSITIVE_KEYS` array in
GlobalConfiguration: `access-key`, `access.key`, `accesskey`.
- Added `SecurityOptions.SENSITIVE_KEYS_ADDITIONAL`
(`security.redaction.additional-keys`), a comma-separated list option that lets
users extend redaction with their own key substrings. Matching is
case-insensitive substring containment, consistent with the built-in behaviour.
- Tests added for all three new hardcoded patterns and for the
user-extensible path.
3 call sites pass `Collections.emptyList()` because they do not have access
to the Flink Configuration:
- ActorSystemBootstrapTools.toMaskedMap — Pekko/Akka actor system debug logs
will not apply user-defined additional keys.
- FlinkYarnSessionCli.encodeDynamicProperties — Dynamic properties passed
via -D on the YARN CLI will not be redacted by user-defined additional keys in
startup logs.
- EnvironmentInformation — Program argument logging will not apply
user-defined additional keys; the built-in patterns still apply.
## Verifying this change
Existing + new automated tests.
## Does this pull request potentially affect one of the following parts:
- Dependencies (does it add or upgrade a dependency): no
- The public API, i.e., is any changed class annotated with
`@Public(Evolving)`: no
- The serializers: no
- The runtime per-record code paths (performance sensitive): no
- Anything that affects deployment or recovery: JobManager (and its
components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
- The S3 file system connector: no
## Documentation
- Does this pull request introduce a new feature? no
- If yes, how is the feature documented? not applicable
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes (please specify the tool below)
Generated-by: Claude code
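
The matching rule described in the change log (case-insensitive substring containment, built-in patterns plus a user-supplied list), as an added example that is not code from the pull request or from Flink. The class name `RedactionSketch`, the mask string, the key `vendor.store.credential`, the sample values and the decision to skip blank list entries are assumptions made for this sketch; only the three patterns named in the PR are included.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class RedactionSketch {
    // Only the three patterns this PR adds; Flink's real list has more entries.
    static final List<String> BUILT_IN = Arrays.asList("access-key", "access.key", "accesskey");
    static final String MASK = "******"; // placeholder chosen for this sketch

    // Case-insensitive substring containment, as described in the change log.
    static boolean isSensitive(String key, List<String> additionalKeys) {
        String lower = key.toLowerCase(Locale.ROOT);
        for (String p : BUILT_IN) {
            if (lower.contains(p)) return true;
        }
        for (String p : additionalKeys) {
            String t = p.trim().toLowerCase(Locale.ROOT);
            // Skip blanks: "".contains is true for every key and would mask everything.
            if (!t.isEmpty() && lower.contains(t)) return true;
        }
        return false;
    }

    static Map<String, String> mask(Map<String, String> conf, List<String> additionalKeys) {
        Map<String, String> out = new LinkedHashMap<>();
        conf.forEach((k, v) -> out.put(k, isSensitive(k, additionalKeys) ? MASK : v));
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> conf = new LinkedHashMap<>(); // constructed sample values
        conf.put("fs.s3a.access.key", "EXAMPLE-ID");
        conf.put("s3.access-key", "EXAMPLE-ID");
        conf.put("fs.oss.accessKeyId", "EXAMPLE-ID");
        conf.put("vendor.store.credential", "EXAMPLE-CRED");
        conf.put("parallelism.default", "4");

        // Value of security.redaction.additional-keys, split on commas.
        List<String> additional = Arrays.asList("Credential, ".split(","));
        System.out.println("configured view: " + mask(conf, additional));
        // Call sites that pass an empty list only apply the built-in patterns.
        System.out.println("empty-list view: " + mask(conf, Collections.emptyList()));
    }
}
```

The second line of output shows `vendor.store.credential` unmasked, which is the behaviour the description lists for the three call sites that pass `Collections.emptyList()`.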