litiliu commented on PR #3486: URL: https://github.com/apache/fluss/pull/3486#issuecomment-4726498816
> HI @litiliu Thanks for the fix, this looks good to me and i've one small question, the implementation uses substring matching (contains) for all sensitive key parts. Is this intentionally aligned with Flink's behavior? I'm asking because patterns such as token and secret may also match non-sensitive configuration keys. @Prajwal-banakar Yes, this is intentional and aligned with Flink's existing behavior. The implementation follows the same semantics as `GlobalConfiguration.isSensitive(...)`, which lowercases the key and checks whether it contains any of the configured sensitive key parts. This can lead to conservative masking for keys containing terms like `token` or `secret`, even if they are not actually sensitive. I think that is acceptable here because it is safer to over-mask than to accidentally expose credentials, and it keeps the behavior consistent with the rest of Flink's configuration/logging handling. If we want stricter matching in the future, it should probably be changed centrally in Flink's sensitive-key detection logic rather than only at this call site. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
