litiliu opened a new issue, #3485:
URL: https://github.com/apache/fluss/issues/3485

   ### Search before asking
   
   - [x] I searched in the [issues](https://github.com/apache/fluss/issues) and 
found nothing similar.
   
   ### Fluss version
   
   main branch
   
   ### Please describe the bug
   
   `GlobalConfiguration` logs every loaded configuration property during 
startup. This can leak credentials when sensitive configuration values are 
provided as plain strings.
   
   For example, when an S3 access key is configured:
   
   ```yaml
   fs.s3a.access.key: <access-key>
   ```
   
   the startup log currently includes the raw credential value:
   
   ```text
   Loading configuration property: fs.s3a.access.key=<access-key>
   ```
   
   This is a security issue because credentials can be exposed to log 
aggregation systems and users who only have log access.
   
   The current masking logic only hides values that are already represented as 
`Password` objects. However, configuration loaded from YAML is added through 
`setString`, so arbitrary sensitive keys such as `fs.s3a.access.key` are logged 
as plain strings.
   
   ### Expected behavior
   
   Sensitive configuration values should be redacted when configuration 
properties are logged.
   
   The redacted value should always be the fixed string:
   
   ```text
   ******
   ```
   
   For example:
   
   ```text
   Loading configuration property: fs.s3a.access.key=******
   ```
   
   The matching should be case-insensitive. At minimum, `fs.s3a.access.key` and 
keys containing or matching the following sensitive patterns should be 
redacted, following Flink's sensitive key handling:
   
   - `password`
   - `secret`
   - `fs.azure.account.key`
   - `apikey`
   - `api-key`
   - `auth-params`
   - `service-key`
   - `token`
   - `basic-auth`
   - `jaas.config`
   - `http-headers`
   
   ### Possible solution
   
   Add a centralized helper for detecting sensitive configuration keys and use 
it in `GlobalConfiguration.logConfiguration`.
   
   The existing `Password.HIDDEN_CONTENT` constant already uses the desired 
fixed redaction value (`******`) and can be reused.
   
   ### Are you willing to submit a PR?
   
   - [x] I'm willing to submit a PR!
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to