github-actions[bot] commented on code in PR #65551:
URL: https://github.com/apache/doris/pull/65551#discussion_r3584585369


##########
fe/fe-common/src/main/java/org/apache/doris/common/ConfigBase.java:
##########
@@ -52,6 +52,10 @@ public class ConfigBase {
 
         boolean masterOnly() default false;
 
+        // If true, the value is a secret (e.g. a token or password) and is 
masked in every
+        // config dump API (Config.dump / getConfigInfo), so it is never 
returned in plaintext.
+        boolean sensitive() default false;

Review Comment:
   Because this new masking is opt-in, marking only `fe_meta_auth_token` still 
leaves existing internal secrets visible. `Config.auth_token` is still a 
regular `@ConfField`, and `/rest/v1/config/fe` still serves `Config.dump()`; on 
the default on-prem Basic-auth path the interceptor authenticates the password 
but does not require ADMIN, so `conf_item=auth_token` can still return the raw 
cluster token. Please either make the legacy config reader ADMIN-only as well, 
or mark existing real secrets (at least `auth_token`) as `sensitive = true` and 
add coverage for that path.



##########
fe/fe-core/src/main/java/org/apache/doris/httpv2/meta/MetaService.java:
##########
@@ -245,9 +296,7 @@ public Object check(HttpServletRequest request, 
HttpServletResponse response) th
 
     @RequestMapping(value = "/dump", method = RequestMethod.GET)
     public Object dump(HttpServletRequest request, HttpServletResponse 
response) throws DdlException {
-        if (Config.enable_all_http_auth) {

Review Comment:
   `executeCheckPassword()` only proves the caller has valid credentials; it 
does not enforce any privilege. Since `/dump` is excluded from 
`AuthInterceptor`, this lets any Basic-authenticated user call 
`Env.dumpImage()`, which takes the catalog/db/table locks, writes a full 
metadata image, and returns its server-side path. This should be ADMIN-gated 
like the other metadata/debug operations: capture the returned 
`ActionAuthorizationInfo` and call `checkGlobalAuth(authInfo.userIdentity, 
PrivPredicate.ADMIN)` before dumping, with a negative test for an authenticated 
non-admin user.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to