github-actions[bot] commented on code in PR #65551:
URL: https://github.com/apache/doris/pull/65551#discussion_r3584585369
##########
fe/fe-common/src/main/java/org/apache/doris/common/ConfigBase.java:
##########
@@ -52,6 +52,10 @@ public class ConfigBase {
boolean masterOnly() default false;
+ // If true, the value is a secret (e.g. a token or password) and is
masked in every
+ // config dump API (Config.dump / getConfigInfo), so it is never
returned in plaintext.
+ boolean sensitive() default false;
Review Comment:
Because this new masking is opt-in, marking only `fe_meta_auth_token` still
leaves existing internal secrets visible. `Config.auth_token` is still a
regular `@ConfField`, and `/rest/v1/config/fe` still serves `Config.dump()`; on
the default on-prem Basic-auth path the interceptor authenticates the password
but does not require ADMIN, so `conf_item=auth_token` can still return the raw
cluster token. Please either make the legacy config reader ADMIN-only as well,
or mark existing real secrets (at least `auth_token`) as `sensitive = true` and
add coverage for that path.
##########
fe/fe-core/src/main/java/org/apache/doris/httpv2/meta/MetaService.java:
##########
@@ -245,9 +296,7 @@ public Object check(HttpServletRequest request,
HttpServletResponse response) th
@RequestMapping(value = "/dump", method = RequestMethod.GET)
public Object dump(HttpServletRequest request, HttpServletResponse
response) throws DdlException {
- if (Config.enable_all_http_auth) {
Review Comment:
`executeCheckPassword()` only proves the caller has valid credentials; it
does not enforce any privilege. Since `/dump` is excluded from
`AuthInterceptor`, this lets any Basic-authenticated user call
`Env.dumpImage()`, which takes the catalog/db/table locks, writes a full
metadata image, and returns its server-side path. This should be ADMIN-gated
like the other metadata/debug operations: capture the returned
`ActionAuthorizationInfo` and call `checkGlobalAuth(authInfo.userIdentity,
PrivPredicate.ADMIN)` before dumping, with a negative test for an authenticated
non-admin user.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]