SbloodyS commented on code in PR #18278: URL: https://github.com/apache/dolphinscheduler/pull/18278#discussion_r3296370407
########## docs/docs/en/contribute/backend/spi/task.md: ########## @@ -15,3 +15,15 @@ In additional, the `TaskChannelFactory` extends from `PrioritySPI`, this means y Since the task plug-in involves the front-end page, the front-end SPI has not yet been implemented, so you need to implement the front-end page corresponding to the plug-in separately. If there is a class conflict in the task plugin, you can use [Shade-Relocating Classes](https://maven.apache.org/plugins/maven-shade-plugin/) to solve this problem. + +#### Runtime credentials for task plugins + +Some task plugins need to access external systems using short-lived credentials. A plugin should avoid storing long-lived credentials in task parameters and should avoid printing credentials in task logs. + +Recommended practice: + +- Use the task execution context, such as project, workflow, task instance, data source, tenant, and worker group, when requesting runtime credentials from an external authorization service. +- Pass short-lived credentials to the task process through environment variables or temporary files with restricted file permissions. +- Mask sensitive values before logging command lines, environment variables, or generated configuration files. +- Remove temporary credential files after task completion or cancellation. +- Keep external data authorization in the external system. DolphinScheduler should provide task context and execution lifecycle, while the external system validates and enforces data permissions. Review Comment: Are these written by AI? I don't understand the relevance of what you added. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
