Skip to content

[FLINK-39685][table] Redact sensitive options in SHOW CREATE and DESCRIBE CATALOG statements#28167

Open
gaborgsomogyi wants to merge 1 commit into
apache:masterfrom
gaborgsomogyi:FLINK-39685
Open

[FLINK-39685][table] Redact sensitive options in SHOW CREATE and DESCRIBE CATALOG statements#28167
gaborgsomogyi wants to merge 1 commit into
apache:masterfrom
gaborgsomogyi:FLINK-39685

Conversation

@gaborgsomogyi
Copy link
Copy Markdown
Contributor

@gaborgsomogyi gaborgsomogyi commented May 15, 2026

What is the purpose of the change

Sensitive table/catalog/model options (e.g. password, api-key, token) were exposed verbatim in the output of SHOW CREATE TABLE, SHOW CREATE CATALOG, SHOW CREATE MATERIALIZED TABLE, SHOW CREATE MODEL, and DESCRIBE CATALOG EXTENDED. Flink already had redaction infrastructure (GlobalConfiguration.isSensitive / HIDDEN_CONTENT) used for Flink config display and factory error messages, but it was not wired to SQL display operations.

Brief change log

  • ShowCreateUtil - extractFormattedOptions now accepts List<String> additionalSensitiveKeys and redacts matching values with ******. The unused 2-arg and lowerCaseKeys overloads were removed (dead code).
  • ShowCreate*Operation / DescribeCatalogOperation - each execute() reads SecurityOptions.ADDITIONAL_SENSITIVE_KEYS from TableConfig and threads it through to the rendering layer.
  • DefaultCatalogTable / DefaultCatalogModel - toString() now uses ConfigurationUtils.hideSensitiveValues to avoid leaking secrets in logs. Built-in sensitive key patterns apply; user-configured additional keys cannot be applied here (no config context in toString()).

Verifying this change

  • ShowCreateUtilTest - extended with redaction cases for table, catalog, materialized table, and custom additionalSensitiveKeys.
  • DescribeCatalogOperationTest - new; verifies extended output redacts password/token, non-sensitive values are unchanged, and non-extended output exposes no options at all.
  • DefaultCatalogTableTest - new; verifies toString() redacts sensitive keys and preserves safe ones.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): no
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? not applicable
Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)

Generated-by: Claude code

@flinkbot
Copy link
Copy Markdown
Collaborator

flinkbot commented May 15, 2026
edited
Loading

CI report:

Bot commands The @flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gaborgsomogyi @flinkbot