fresh-borzoni commented on code in PR #3486:
URL: https://github.com/apache/fluss/pull/3486#discussion_r3474762462
##########
fluss-common/src/main/java/org/apache/fluss/config/ConfigurationUtils.java:
##########
@@ -38,6 +38,25 @@
/** Utility class for {@link Configuration} related helper functions. */
public class ConfigurationUtils {
+
+ private static final String[] SENSITIVE_KEY_PARTS = {
Review Comment:
fs.gs.auth.service.account.private.key (GCS inline auth, forwarded via
fs.gs.*) matches none of these.
Shall we add private.key / private-key?
##########
fluss-common/src/main/java/org/apache/fluss/config/GlobalConfiguration.java:
##########
@@ -126,7 +126,7 @@ private static void logConfiguration(String prefix,
Configuration config) {
"{} configuration property: {}={}",
prefix,
key,
- value instanceof Password ?
Password.HIDDEN_CONTENT : value));
+ ConfigurationUtils.hideSensitiveValue(key,
value)));
Review Comment:
Only the startup path is redacted. datalake.* is a dynamic-reconfigurable
prefix and carries secret-key/access-key, so it looks the same key you mask
here logs in cleartext when changed at runtime.
Shall we pull hideSensitiveValue into a shared formatter and reuse it there?
##########
fluss-common/src/main/java/org/apache/fluss/config/ConfigurationUtils.java:
##########
@@ -38,6 +38,25 @@
/** Utility class for {@link Configuration} related helper functions. */
public class ConfigurationUtils {
+
+ private static final String[] SENSITIVE_KEY_PARTS = {
Review Comment:
Also #3526 adds a second S3-cred list that already diverges, is it worth
unifying?
##########
fluss-common/src/main/java/org/apache/fluss/config/ConfigurationUtils.java:
##########
@@ -38,6 +38,25 @@
/** Utility class for {@link Configuration} related helper functions. */
public class ConfigurationUtils {
+
+ private static final String[] SENSITIVE_KEY_PARTS = {
+ "password",
+ "secret",
+ "fs.azure.account.key",
+ "apikey",
+ "api-key",
+ "auth-params",
+ "service-key",
+ "token",
Review Comment:
token also masks client.filesystem.security.token.renewal.backoff/time-ratio
- non-secrets you'd want visible when debugging cred refresh, WDYT?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]