Hey, Hao
Please see my comments as follows:
2. I think we can also modify the create catalog ddl syntax.
```
CREATE CATALOG cat USING CONNECTION mycat.mydb.mysql_prod
WITH (
'type' = 'jdbc'
);
```
Does `mycat.mydb.mysql_prod` exist in another catalog? This feels like a
chicken-egg problem. I think for connections to be used for catalog
creation, it needs to be system connection similar to system function
which
exist outside of CatalogManager. Maybe we can defer this to later
functionality?
I think connection is a very common need for most catalogs like
MySQLCatalog、KafkaCatalog、HiveCatalog and so on, all of these catalogs need
a connection.
3. It seems the connector factory should merge the with options and
connection options together and then create the source/sink. It's
better that framework can merge all these options and connectors don't
need
any codes.
I think it's better to separate connections with table options and make
it
explicit. Reasons is: the connection here should be a decrypted one.
It's
sensitive and should be handled carefully regarding logging, usage etc.
Mixing with original table options makes it hard to do. But the Flip
used
`CatalogConnection` which is an encrypted one. I'll update it to
`SensitveConnection`.
(4)Framework-level Resolution : +1 to Shengkai's point about having the
framework (DynamicTableFactory) return complete options to reduce
connector
adaptation cost.
Please see my explanation for Shengkai's similar question.
In this case, I think reducing connector development cost is more
important than making is explicit, the connector knows which options is
sensitive or not.
4. Why we need to introduce ConnectionFactory? I think connection is
like
CatalogTable. It should hold the basic information and all information
in
the connection should be stored into secret store.
The main reason is to enable user defined connection handling for
different
types. For example, if connection type is `basic`, the corresponding
factory can handle basic type secrets (e.g. extract username/password
from
connection options and do encryption).
(2) Configurability of SECRET_FIELDS : Could the hardcoded
SECRET_FIELDS
in BasicConnectionFactory be made configurable (e.g., 'token' vs
'accessKey') for better connector compatibility?
This depends on `ConnectionFactory` implementation and can be self
defined
by user.
I hope the BasicConnectionFactory can be a common one that can feed most
common users case, otherwise encrypt all options is a good idea.
Btw, I also want to push the FLIP forward and start a vote ASAP, thus a
meeting is welcome if you think it can help finalizing the discussion
thread.
Best,
Leonard
Hi friends
I like the updated FLIP goals, that’s what I want. I’ve some feedback:
(1) Minor: Interface Hierarchy : Why doesn't WritableSecretStore extend
SecretStore?
(2) Configurability of SECRET_FIELDS : Could the hardcoded
SECRET_FIELDS
in BasicConnectionFactory be made configurable (e.g., 'token' vs
'accessKey') for better connector compatibility?
(3)Inconsistent Return Types : ConnectionFactory#resolveConnection
returns
SensitiveConnection, while BasicConnectionFactory#resolveConnection
returns
Map<String, String>. Should these be aligned?
(4)Framework-level Resolution : +1 to Shengkai's point about having the
framework (DynamicTableFactory) return complete options to reduce
connector
adaptation cost.
(5)Secret ID Handling : When no encryption is needed, secretId is null
(from secrets.isEmpty() ? null : secretStore.storeSecret(secrets)).
This
behavior should be explicitly documented in the interfaces.
Best,
Leonard
2025 7月 24 11:44,Shengkai Fang <fskm...@gmail.com> 写道:
hi.
Sorry for the late reply. I just have some questions:
1. Why SecretStoreFactory#open throws a CatalogException? I think the
exteranl system can not handle this exception.
2. I think we can also modify the create catalog ddl syntax.
```
CREATE CATALOG cat USING CONNECTION mycat.mydb.mysql_prod
WITH (
'type' = 'jdbc'
);
```
3. It seems the connector factory should merge the with options and
connection options together and then create the source/sink. It's
better that framework can merge all these options and connectors don't
need
any codes.
4. Why we need to introduce ConnectionFactory? I think connection is
like
CatalogTable. It should hold the basic information and all
information in
the connection should be stored into secret store.
Best,
Shengkai
Timo Walther <twal...@apache.org> 于2025年7月22日周二 22:04写道:
Hi Mayank,
Thanks for updating the FLIP and clearly documenting our discussion.
+1 for moving forward with the vote, unless there are objections from
others.
Cheers,
Timo
On 22.07.25 02:14, Mayank Juneja wrote:
Hi Ryan and Austin,
Thanks for your suggestions. I've updated the FLIP with the
following
additional info -
1. *table.secret-store.kind* key to register the SecretStore in a
yaml
file
2. *updateSecret* method in WritableSecretStore interface
Thanks,
Mayank
On Thu, Jul 17, 2025 at 5:42 PM Austin Cawley-Edwards <
austin.caw...@gmail.com> wrote:
Hey all,
Thanks for the nice flip all! I’m just reading through – had one
question
on the ALTER CONNECTION implementation flow. Would it make sense
for
the
WritableSecretStore to expose a method for updating a secret by
ID, so
it
can be done atomically? Else, would we need to call delete and
create
again, potentially introducing concurrent resolution errors?
Best,
Austin
On Thu, Jul 17, 2025 at 13:07 Ryan van Huuksloot
<ryan.vanhuuksl...@shopify.com.invalid> wrote:
Hi Mayank,
Thanks for updating the FLIP. Overall it looks good to me.
One question I had related to how someone could choose the
SecretStore
they
want to use if they use something like the SQL Gateway as the
entrypoint
on
top of a remote Session cluster. I don't see an explicit way to
set
the
SecretStore in the FLIP.
I assume we'll do it similar to the CatalogStore but I wanted to
call
this
out.
table.catalog-store.kind: filetable.catalog-store.file.path:
file:///path/to/catalog/store/
Ryan van Huuksloot
Staff Engineer, Infrastructure | Streaming Platform
[image: Shopify]
<
https://www.shopify.com/?utm_medium=salessignatures&utm_source=hs_email
On Wed, Jul 16, 2025 at 2:22 PM Mayank Juneja <
mayankjunej...@gmail.com>
wrote:
Hi everyone,
Thanks for your valuable inputs. I have updated the FLIP with the
ideas
proposed earlier in the thread. Looking forward to your feedback.
https://cwiki.apache.org/confluence/x/cYroF
Best,
Mayank
On Fri, Jun 27, 2025 at 2:59 AM Leonard Xu <xbjt...@gmail.com>
wrote:
Quick response, thanks Mayank, Hao and Timo for the effort. The
new
proposal looks well, +1 from my side.
Could you draft(update) current FLIP docs thus we can have some
specific
discussions later?
Best,
Leonard
2025 6月 26 15:06,Timo Walther <twal...@apache.org> 写道:
Hi everyone,
sorry for the late reply, feature freeze kept me busy. Mayank,
Hao
and
I
synced offline and came up we an improved proposal. Before we
update
the
FLIP let me summarize the most important key facts that
hopefully
address
most concerns:
1) SecretStore
- Similar to CatalogStore, we introduce a SecretStore as the
highest
level in TableEnvironment.
- SecretStore is initialized with options and potentially
environment
variables. Including
EnvironmentSettings.withSecretStore(SecretStore).
- The SecretStore is pluggable and discovered using the regular
factory-approach.
- For example, it could implement Azure Key Vault or other
cloud
provider secrets stores.
- Goal: Flink and Flink catalogs do not have to deal with
sensitive
data.
2) Connections
- Connections are catalog objects identified with 3-part
identifiers.
3-part identifiers are crucial for managability of larger
projects
and
align with existing catalog objects.
- They contain connection details, e.g. URL, query parameters,
and
other
configuration.
- They do not contain secrets, but only pointers to secrets in
the
SecretStore.
3) Connection DDL
CREATE [TEMPORARY] CONNECTION mycat.mydb.OpenAPI WITH (
'type' = 'basic' | 'bearer' | 'jwt' | 'oauth' | ...,
...
)
- Connection type is pluggable and discovered using the regular
factory-approach.
- The factory extracts secrets and puts them into SecretStore.
- The factory only leaves non-confidential options left that
can
be
stored in a catalog.
When executing:
CREATE [TEMPORARY] CONNECTION mycat.mydb.OpenAPI WITH (
'type' = 'basic',
'url' = 'api.example.com',
'username' = 'bob',
'password' = 'xyz'
)
The catalog will receive something similar to:
CREATE [TEMPORARY] CONNECTION mycat.mydb.OpenAPI WITH (
'type' = 'basic',
'url' = 'api.example.com',
'secret.store' = 'azure-key-vault'
'secret.id' = 'secretId'
)
- However, the exact property design is up to the connection
factory.
4) Connection Usage
CREATE TABLE t (...) USING CONNECTION mycat.mydb.OpenAPI;
- MODEL, FUNCTION, TABLE DDL will support USING CONNECTION
keyword
similar to BigQuery.
- The connection will be provided in a table/model
provider/function
definition factory.
5) CatalogStore / Catalog Initialization
Catalog store or catalog can make use of SecretStore to
retrieve
initial
credentials for bootstrapping. All objects lower then catalog
store/catalog
can then use connections. If you think we still need system
level
connections, we can support CREATE SYSTEM CONNECTION GlobalName
WITH
(..)
similar to SYSTEM functions directly store in a
ConnectioManager in
TableEnvironment. But for now I would suggest to start simple
with
per-catalog connections and later evolve the design.
Dealing with secrets is a very sensitive topic and I'm clearly
not
an
expert on it. This is why we should try to push the problem to
existing
solutions and don't start storing secrets in Flink in any way.
Thus,
the
interfaces will be defined very generic.
Looking forward to your feedback.
Cheers,
Timo
On 09.06.25 04:01, Leonard Xu wrote:
Thanks Timo for joining this thread.
I agree that this feature is needed by the community; the
current
disagreement is only about the implementation method or
solution.
Your thoughts looks generally good to me, looking forward to
your
proposal.
Best,
Leonard
2025 6月 6 22:46,Timo Walther <twal...@apache.org> 写道:
Hi everyone,
thanks for this healthy discussion. Looking at high number of
participants, it looks like we definitely want this feature. We
just
need
to figure out the "how".
This reminds me very much of the discussion we had for CREATE
FUNCTION. There, we discussed whether functions should be named
globally
or
catalog-specific. In the end, we decided for both `CREATE SYSTEM
FUNCTION`
and `CREATE FUNCTION`, satisfying both the data platform team
of an
organization (which might provide system functions) and
individual
data
teams or use cases (scoped by catalog/database).
Looking at other modern vendors like Snowflake there is
SECRET
(scoped
to schema) [1] and API INTEGRATION [2] (scoped to account). So
also
other
vendors offer global and per-team / per-use case connections
details.
In general, I think fitting connections into the existing
concepts
for
catalog objects (with three-part identifier) makes managing them
easier.
But I also see the need for global defaults.
Btw keep in mind that a catalog implementation should only
store
metadata. Similar how a CatalogTable doesn't store the actual
data, a
CatalogConnection should not store the credentials. It should
only
offer
a
factory that allows for storing and retrieving them. In real
world
scenarios a factory is most likely backed by a product like
Azure
Key
Vault.
So code-wise having a ConnectionManager that behaves similar
to
FunctionManager sounds reasonable.
+1 for having special syntax instead of using properties.
This
allows
to access connections in tables, models, functions. And
catalogs,
if
we
agree to have global ones as well.
What do you think?
Let me spend some more thoughts on this and come back with a
concrete
proposal by early next week.
Cheers,
Timo
[1]
https://docs.snowflake.com/en/sql-reference/sql/create-secret
[2]
https://docs.snowflake.com/en/sql-reference/sql/create-api-integration
On 04.06.25 10:47, Leonard Xu wrote:
Hey,Mayank
Please see my feedback as following:
1. One of the motivations of this FLIP is to improve
security.
However, the current design stores all connection information in
the
catalog,
and each Flink SQL job reads from the catalog during
compilation.
The
connection information is passed between SQL Gateway and the
catalog in plaintext, which actually introduces new security
risks.
2. The name "Connection" should be changed to something like
ConnectionSpec to clearly indicate that it is a object
containing
only
static
properties without a lifecycle. Putting aside the naming
issue,
I
think the current model and hierarchy design is somewhat
strange.
Storing
various kinds of connections (e.g., Kafka, MySQL) in the
same
Catalog
with hierarchical identifiers like
catalog-name.db-name.connection-name
raises the following questions:
(1) What is the purpose of this hierarchical structure of
Connection
object ?
(2) If we can use a Connection to create a MySQL table, why
can't
we
use a Connection to create a MySQL Catalog?
3. Regarding the connector usage examples given in this
FLIP:
```sql
1 -- Example 2: Using connection for jdbc tables
2 CREATE OR REPLACE CONNECTION mysql_customer_db
3 WITH (
4 'type' = 'jdbc',
5 'jdbc.url' = 'jdbc:mysql://
customer-db.example.com:3306/customerdb',
6 'jdbc.connection.ssl.enabled' = 'true'
7 );
8
9 CREATE TABLE customers (
10 customer_id INT,
11 PRIMARY KEY (customer_id) NOT ENFORCED
12 ) WITH (
13 'connector' = 'jdbc',
14 'jdbc.connection' = 'mysql_customer_db',
15 'jdbc.connection.ssl.enabled' = 'true',
16 'jdbc.connection.max-retry-timeout' = '60s',
17 'jdbc.table-name' = 'customers',
18 'jdbc.lookup.cache' = 'PARTIAL'
19 );
```
I see three issues from SQL semantics and Connector
compatibility
perspectives:
(1) Look at line 14: `mysql_customer_db` is an object
identifier
of
a
CONNECTION defined in SQL. However, this identifier is
referenced
via a string value inside the table’s WITH clause, which
feel
hack for me.
(2) Look at lines 14–16: the use of the specific prefix
`jdbc.connection` will confuse users because `connection.xx`
maybe
already
used as
a prefix for existing configuration items.
(3) Look at lines 14–18: Why do all existing configuration
options
need to be prefixed with `jdbc`, even they’re not related to
Connection
properties?
This completely changes user habits — is it backward
compatible?
In my opinion, Connection should be a model independent of
both
Catalog and Table, and can be referenced by all
catalog/table/udf/model
object.
It should be managed by a Component such as a
ConnectionManager
to
enable reuse. For security purposes, authentication mechanisms
could
be supported within the ConnectionManager.
Best,
Leonard
2025 6月 4 02:04,Martijn Visser <martijnvis...@apache.org>
写道:
Hi all,
First of all, I think having a Connection resource is
something
that
will
be beneficial for Apache Flink. I could see that being
extended
in
the
future to allow for easier secret handling [1].
In my mental mind, I'm comparing this proposal against
SQL/MED
from
the ISO
standard [2]. I do think that SQL/MED isn't a very user
friendly
syntax
though, looking at Postgres for example [3].
I think it's a valid question if Connection should be
considered
with a
catalog or database-level scope. @Ryan can you share
something
more,
since
you've mentioned "Note: I much prefer catalogs for this
case.
Which
is what
we use internally to manage connection properties". It
looks
like
there
isn't a strong favourable approach looking at other vendors
(like,
Databricks does scopes it on a Unity catalog, Snowflake on
a
database
level).
Also looking forward to Leonard's input.
Best regards,
Martijn
[1] https://issues.apache.org/jira/browse/FLINK-36818
[2] https://www.iso.org/standard/84804.html
[3]
https://www.postgresql.org/docs/current/sql-createserver.html
On Fri, May 30, 2025 at 5:07 AM Leonard Xu <
xbjt...@gmail.com
wrote:
Hey Mayank.
Thanks for the FLIP, I went through this FLIP quickly and
found
some
issues which I think we
need to deep discuss later. As we’re on a short Dragon
boat
Festival,
could you kindly hold
on this thread? and we will back to continue the FLIP
discuss.
Best,
Leonard
2025 4月 29 23:07,Mayank Juneja <mayankjunej...@gmail.com
写道:
Hi all,
I would like to open up for discussion a new FLIP-529
[1].
Motivation:
Currently, Flink SQL handles external connectivity by
defining
endpoints
and credentials in table configuration. This approach
prevents
reusability
of these connections and makes table definition less
secure
by
exposing
sensitive information.
We propose the introduction of a new "connection"
resource
in
Flink. This
will be a pluggable resource configured with a remote
endpoint
and
associated access key. Once defined, connections can be
reused
across
table
definitions, and eventually for model definition (as
discussed
in
FLIP-437)
for inference, enabling seamless and secure integration
with
external
systems.
The connection resource will provide a new, optional way
to
manage
external
connectivity in Flink. Existing methods for table
definitions
will
remain
unchanged.
[1] https://cwiki.apache.org/confluence/x/cYroF
Best Regards,
Mayank Juneja
--
*Mayank Juneja*
Product Manager | Data Streaming and AI
