linrrzqqq opened a new pull request, #65557:
URL: https://github.com/apache/doris/pull/65557

   Problem Summary:
   
   `CREATE RESOURCE ... PROPERTIES('ai.api_key' = '...')` could expose the API 
key in:
   
   - `fe.audit.log` / `__internal_schema.audit_log` because resource properties 
were not handled by `LogicalPlanBuilderForEncryption`.
   - `fe.log` when `enable_print_request_before_execution=true` because 
`StmtExecutor` printed the original SQL directly.
   - Even if resource SQL rewriting was added, `ai.api_key` was not registered 
as a sensitive key.
   
   Fix:
   - Add `ai.api_key` to the shared sensitive property key set.
   - Mask `CREATE RESOURCE` and `ALTER RESOURCE` properties in audit SQL 
rewriting.
   - Reuse `NeedAuditEncryption` SQL masking for `StmtExecutor`'s 
`enable_print_request_before_execution` log path.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to