Agree, that we should not display sensitive data, like passwords, I would say the best option is to mask it during output.
Kind regards, Arina > On Apr 17, 2020, at 5:34 PM, Charles Givre <[email protected]> wrote: > > Hello all, > I was thinking about this, if a user were to execute an EXPLAIN PLAN FOR > query, they get a lot of information about the storage plugin, including in > some cases creds. > The example below shows a query plan for the JDBC storage plugin. As you > can see, the user creds are right there.... > > I'm wondering would it be advisable or possible to mask the creds in query > plans so that users can't access this information? If masking it isn't an > option, is there some other way to prevent users from seeing this > information? In a multi-tenant environment, it seems like a rather large > security hole. > Thanks, > -- C > > > { > "head" : { > "version" : 1, > "generator" : { > "type" : "ExplainHandler", > "info" : "" > }, > "type" : "APACHE_DRILL_PHYSICAL", > "options" : [ ], > "queue" : 0, > "hasResourcePlan" : false, > "resultMode" : "EXEC" > }, > "graph" : [ { > "pop" : "jdbc-scan", > "@id" : 5, > "sql" : "SELECT *\nFROM `stats`.`batting`", > "columns" : [ "`playerID`", "`yearID`", "`stint`", "`teamID`", "`lgID`", > "`G`", "`AB`", "`R`", "`H`", "`2B`", "`3B`", "`HR`", "`RBI`", "`SB`", "`CS`", > "`BB`", "`SO`", "`IBB`", "`HBP`", "`SH`", "`SF`", "`GIDP`" ], > "config" : { > "type" : "jdbc", > "driver" : "com.mysql.cj.jdbc.Driver", > "url" : "jdbc:mysql://localhost:3306/?serverTimezone=EST5EDT", > "username" : "<username>", > "password" : "<password>", > "caseInsensitiveTableNames" : false, > "sourceParameters" : { }, > "enabled" : true > }, > "userName" : "", > "cost" : { > "memoryCost" : 1.6777216E7, > "outputRowCount" : 100.0 > } > }, { > "pop" : "limit", > "@id" : 4, > "child" : 5, > "first" : 0, > "last" : 10, > "initialAllocation" : 1000000, > "maxAllocation" : 10000000000, > "cost" : { > "memoryCost" : 1.6777216E7, > "outputRowCount" : 10.0 > } > }, { > "pop" : "limit", > "@id" : 3, > >
