litiliu commented on PR #3486:
URL: https://github.com/apache/fluss/pull/3486#issuecomment-4726498816

   > HI @litiliu Thanks for the fix, this looks good to me and i've one small 
question, the implementation uses substring matching (contains) for all 
sensitive key parts. Is this intentionally aligned with Flink's behavior? I'm 
asking because patterns such as token and secret may also match non-sensitive 
configuration keys.
   
   @Prajwal-banakar Yes, this is intentional and aligned with Flink's existing 
behavior. The implementation follows the same semantics as 
`GlobalConfiguration.isSensitive(...)`, which lowercases the key and checks 
whether it contains any of the configured sensitive key parts.
   
   This can lead to conservative masking for keys containing terms like `token` 
or `secret`, even if they are not actually sensitive. I think that is 
acceptable here because it is safer to over-mask than to accidentally expose 
credentials, and it keeps the behavior consistent with the rest of Flink's 
configuration/logging handling. If we want stricter matching in the future, it 
should probably be changed centrally in Flink's sensitive-key detection logic 
rather than only at this call site.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to