vytautas-karpavicius opened a new issue, #13983:
URL: https://github.com/apache/pinot/issues/13983

   **Context**
   Pinot allows replacing environment variables in table configs [as documented](https://docs.pinot.apache.org/configuration-reference/table#environment-variables-override).
   
   This can be used to replace secrets configured in the table config. For example, to ingest from a Kafka cluster that has authorization, one might configure:
   ```
   {
     "tableIndexConfig": {
       "streamConfigs": {
         "sasl.jaas.config": "${KAFKA_SASL_CONFIG}"
       }
     }
   }
   ```
   
   **Problem**
   While environment variable replacement works, it reveals the secret when showing the table config in the UI or API. This defeats the purpose of having secrets replaced with environment variables.
   
   **To reproduce**
   1. Follow startup guide:
   ```
   # Clone a repo
   $ git clone https://github.com/apache/pinot.git
   $ cd pinot
   
   # Build Pinot
   $ mvn clean install -DskipTests -Pbin-dist
   ```
   
   2. Export secret
   ```
   export MY_SECRET=to_not_reveal
   ```
   
   3. Start Pinot
   ```
   # Run the Quick Demo
   $ cd build/
   $ bin/quick-start-batch.sh
   ```
   
   4. Open sample table:
   http://localhost:9000/#/tenants/table/airlineStats_OFFLINE
   Edit its config, change metadata and save:
   ```
       "metadata": {
         "customConfigs": {
           "regular": "some-value",
           "secret": "${MY_SECRET}"
         }
       },
   ```
   
   5. After saving, the secret is revealed in the same UI:
   ```
       "metadata": {
         "customConfigs": {
           "regular": "some-value",
           "secret": "to_not_reveal"
         }
       },
   ```
   
   6. Check the state in ZooKeeper; it is saved correctly:
   ```
   "metadata": "{\"customConfigs\":{\"regular\":\"some-value\",\"secret\":\"${MY_SECRET}\"}}",
   ```
   
   **Expected behaviour**
   Environment variables should be replaced only internally within Pinot. They should not be replaced when stored in ZK, nor when revealed in UI or via API call.


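A check for the behaviour reported above, as an added example that is not part of the original issue or of Pinot's code: it compares a config as stored (step 6, where `metadata` is a JSON string) with the config as served (step 5) and lists the fields where a `${...}` placeholder was replaced by its value. The function names and the sample documents are constructed for illustration.

```python
import json
import re

# Matches a ${NAME} style placeholder anywhere in a string value.
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")


def walk(node, path=""):
    """Yield (path, value) for every leaf, descending into JSON kept as a string."""
    if isinstance(node, str) and node.lstrip().startswith(("{", "[")):
        try:
            node = json.loads(node)  # the stored record keeps "metadata" as a string
        except ValueError:
            pass  # not JSON after all: treat it as an ordinary leaf
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}/{index}")
    else:
        yield path, node


def resolved_placeholders(stored, served):
    """Paths where the stored value has a placeholder but the served value differs."""
    served_leaves = dict(walk(served))
    leaks = []
    for path, value in walk(stored):
        if not isinstance(value, str) or not PLACEHOLDER.search(value):
            continue
        shown = served_leaves.get(path)
        if shown is not None and shown != value:
            leaks.append(path)
    return sorted(leaks)


# Constructed sample data, modelled on steps 5 and 6 of the report.
STORED_ZK = json.loads(
    r'{"metadata": "{\"customConfigs\":{\"regular\":\"some-value\",\"secret\":\"${MY_SECRET}\"}}"}'
)
SERVED_LEAKY = {"metadata": {"customConfigs": {"regular": "some-value", "secret": "to_not_reveal"}}}
SERVED_EXPECTED = {"metadata": {"customConfigs": {"regular": "some-value", "secret": "${MY_SECRET}"}}}

if __name__ == "__main__":
    for leaked in resolved_placeholders(STORED_ZK, SERVED_LEAKY):
        print("placeholder resolved in served config:", leaked)
```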