This is an automated email from the ASF dual-hosted git repository.
wu-sheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git
The following commit(s) were added to refs/heads/master by this push:
new ad733554b0 Mask more keywords by default and remove auto generate id
for UI templates (#13884)
ad733554b0 is described below
commit ad733554b0273d6165eff7bae4150df83d49ebe8
Author: Wan Kai <[email protected]>
AuthorDate: Tue May 26 12:22:51 2026 +0800
Mask more keywords by default and remove auto generate id for UI templates
(#13884)
---
docs/en/changes/changes.md | 1 +
docs/en/debugging/config_dump.md | 2 +-
docs/en/setup/backend/admin-api/status.md | 2 +-
docs/en/setup/backend/configuration-vocabulary.md | 2 +-
.../oap/server/admin/status/StatusModuleConfig.java | 2 +-
.../admin/uimanagement/handler/UIManagementRestHandler.java | 11 +++++------
oap-server/server-starter/src/main/resources/application.yml | 2 +-
test/e2e-v2/cases/storage/expected/config-dump.yml | 2 +-
test/e2e-v2/cases/ui-management/ui-management-cases.yaml | 10 +++++-----
9 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md
index 604b6be4e9..f914cb4204 100644
--- a/docs/en/changes/changes.md
+++ b/docs/en/changes/changes.md
@@ -285,6 +285,7 @@
* Fix: `avgHistogramPercentile` / `sumHistogramPercentile` meter functions
reported the smallest finite bucket boundary (e.g. `10` for OTel
`gen_ai_server_request_duration` whose `le` is rewritten from `0.01s` → `10ms`)
for every rank when no samples were observed in any bucket. The percentile
loop's `count >= roof` check matched on the first sorted bucket because both
sides were `0`. `calculate()` now short-circuits to `0` for every rank when the
windowed total is `0`.
* Fix: MAL `expPrefix` now applies to every metric source in `exp`, not just
the leading one. Previously the prefix was spliced after the first `.`, so
secondary metrics inside arguments (e.g. the divisor in
`a.sum(['s']).safeDiv(b.sum(['s']))`) silently skipped the prefix — a rule like
envoy-ai-gateway's `request_latency_avg` (`sum / count`) would tag-rewrite only
the dividend. The injection is now AST-aware: every bare-IDENTIFIER metric
source is wrapped, while downsampling-type consta [...]
* Add `@Stream(allowBootReshape = true)` opt-in for additive boot-time reshape
of BanyanDB streams / measures. Code-defined stream classes (e.g.
`AlarmRecord`) can now annotate their schema as eligible for in-place additive
update at OAP boot — a new `@Column` is appended to the live tag-family /
fields via `client.update` instead of being silently rejected with
`SKIPPED_SHAPE_MISMATCH` (which previously forced operators to drop the measure
/ stream and lose historical rows). Additive in [...]
+* Mask keywords `trustStorePass`, `keyStorePass` by default.
#### UI
* Add mobile menu icon and i18n labels for the iOS layer.
diff --git a/docs/en/debugging/config_dump.md b/docs/en/debugging/config_dump.md
index e320124c3d..29911ef73f 100644
--- a/docs/en/debugging/config_dump.md
+++ b/docs/en/debugging/config_dump.md
@@ -88,5 +88,5 @@ By default, we mask the config keys through the following
configurations.
```yaml
# Include the list of keywords to filter configurations including secrets.
Separate keywords by a comma.
-keywords4MaskingSecretsOfConfig:
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,token,accessKey,secretKey,authentication}
+keywords4MaskingSecretsOfConfig:
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,trustStorePass,keyStorePass,token,accessKey,secretKey,authentication}
```
\ No newline at end of file
diff --git a/docs/en/setup/backend/admin-api/status.md
b/docs/en/setup/backend/admin-api/status.md
index 7b9754696d..091e9bfa7f 100644
--- a/docs/en/setup/backend/admin-api/status.md
+++ b/docs/en/setup/backend/admin-api/status.md
@@ -28,7 +28,7 @@ export SW_STATUS=default # default (enabled)
status:
selector: ${SW_STATUS:default}
default:
- keywords4MaskingSecretsOfConfig:
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,token,accessKey,secretKey,authentication}
+ keywords4MaskingSecretsOfConfig:
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,trustStorePass,keyStorePass,token,accessKey,secretKey,authentication}
```
`keywords4MaskingSecretsOfConfig` is consumed by `/debugging/config/dump`
diff --git a/docs/en/setup/backend/configuration-vocabulary.md
b/docs/en/setup/backend/configuration-vocabulary.md
index 675aa2f3f5..029468edd7 100644
--- a/docs/en/setup/backend/configuration-vocabulary.md
+++ b/docs/en/setup/backend/configuration-vocabulary.md
@@ -333,7 +333,7 @@ It divided into several modules, each of which has its own
settings. The followi
| - | - | exportErrorStatusTraceOnly
| Export error status
trace segments through the Kafka channel.
[...]
| health-checker | default | checkIntervalSeconds
| The period of checking
OAP internal health status (in seconds).
[...]
| status | default | (selector)
| Status feature module —
hosts /status/* and /debugging/* routes on the admin-server REST host only.
Both `status` and `admin-server` are enabled by default; set SW_STATUS empty to
disable.
[...]
-| - | - | keywords4MaskingSecretsOfConfig
| Include the list of
keywords to filter configurations including secrets. Separate keywords by a
comma.
[...]
+| - | - | keywords4MaskingSecretsOfConfig
| Include the list of
keywords to filter configurations including secrets. Separate keywords by a
comma.
[...]
| inspect | default | (selector)
| Inspect API on
admin-server — /inspect/metrics (catalog) and /inspect/entities (entity
enumeration with MQE-ready output). Routes only on the admin-server register.
**Enabled by default** (admin-server is on by default too); set SW_INSPECT
empty to disable. [...]
| ui-management | default | (selector)
| UI Management REST
surface on admin-server — /ui-management/templates (CRUD) for dashboard
templates. Consumed by Horizon UI; replaces the retired GraphQL
`UIConfigurationManagement` template resolver. The sidebar menu is NOT served
(Horizon UI owns it client-side). Routes onl [...]
| configuration-discovery | default | disableMessageDigest
| If true, agent receives
the latest configuration every time, even without making any changes. By
default, OAP uses the SHA512 message digest mechanism to detect changes in
configuration.
[...]
diff --git
a/oap-server/server-admin/status/src/main/java/org/apache/skywalking/oap/server/admin/status/StatusModuleConfig.java
b/oap-server/server-admin/status/src/main/java/org/apache/skywalking/oap/server/admin/status/StatusModuleConfig.java
index b941e5dfb4..d8c2dba5ac 100644
---
a/oap-server/server-admin/status/src/main/java/org/apache/skywalking/oap/server/admin/status/StatusModuleConfig.java
+++
b/oap-server/server-admin/status/src/main/java/org/apache/skywalking/oap/server/admin/status/StatusModuleConfig.java
@@ -30,5 +30,5 @@ public class StatusModuleConfig extends ModuleConfig {
*
* @since 9.7.0
*/
- private String keywords4MaskingSecretsOfConfig =
"user,password,token,accessKey,secretKey,authentication";
+ private String keywords4MaskingSecretsOfConfig =
"user,password,trustStorePass,keyStorePass,token,accessKey,secretKey,authentication";
}
diff --git
a/oap-server/server-admin/ui-management/src/main/java/org/apache/skywalking/oap/server/admin/uimanagement/handler/UIManagementRestHandler.java
b/oap-server/server-admin/ui-management/src/main/java/org/apache/skywalking/oap/server/admin/uimanagement/handler/UIManagementRestHandler.java
index 8ae13f2849..293bad55b8 100644
---
a/oap-server/server-admin/ui-management/src/main/java/org/apache/skywalking/oap/server/admin/uimanagement/handler/UIManagementRestHandler.java
+++
b/oap-server/server-admin/ui-management/src/main/java/org/apache/skywalking/oap/server/admin/uimanagement/handler/UIManagementRestHandler.java
@@ -29,7 +29,6 @@ import com.linecorp.armeria.server.annotation.RequestObject;
import java.io.IOException;
import java.util.List;
import java.util.Optional;
-import java.util.UUID;
import lombok.extern.slf4j.Slf4j;
import
org.apache.skywalking.oap.server.admin.uimanagement.response.ErrorResponse;
import org.apache.skywalking.oap.server.core.CoreModule;
@@ -108,17 +107,17 @@ public class UIManagementRestHandler {
/**
* Add a new template. Body shape:
* <pre>{ "configuration": "<JSON-encoded config>" }</pre>
- * The server allocates the template ID (UUID) — the request must not set
it.
*/
@Post("/ui-management/templates")
public HttpResponse addTemplate(@RequestObject final DashboardSetting
setting) {
- if (setting == null || setting.getConfiguration() == null) {
+ if (setting == null || setting.getId() == null ||
setting.getId().isEmpty()) {
+ return errorResponse(HttpStatus.BAD_REQUEST, "missing_id",
+ "Request body must include 'id'.");
+ }
+ if (setting.getConfiguration() == null) {
return errorResponse(HttpStatus.BAD_REQUEST,
"missing_configuration",
"Request body must include 'configuration'.");
}
- // Server-side ID allocation — preserves the legacy semantics of the
- // GraphQL `addTemplate` mutation. Any client-supplied `id` is ignored.
- setting.setId(UUID.randomUUID().toString());
try {
final TemplateChangeStatus status =
templates().addTemplate(setting);
return statusResponse(status);
diff --git a/oap-server/server-starter/src/main/resources/application.yml
b/oap-server/server-starter/src/main/resources/application.yml
index d5f1f6ae07..985d22bd1a 100644
--- a/oap-server/server-starter/src/main/resources/application.yml
+++ b/oap-server/server-starter/src/main/resources/application.yml
@@ -746,7 +746,7 @@ status:
selector: ${SW_STATUS:default}
default:
# Include the list of keywords to filter configurations including secrets.
Separate keywords by a comma.
- keywords4MaskingSecretsOfConfig:
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,token,accessKey,secretKey,authentication}
+ keywords4MaskingSecretsOfConfig:
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,trustStorePass,keyStorePass,token,accessKey,secretKey,authentication}
# Inspect API — admin-only metric catalog + per-metric entity enumeration.
# Routes live under /inspect/*. Enabled by default; mounts onto admin-server
diff --git a/test/e2e-v2/cases/storage/expected/config-dump.yml
b/test/e2e-v2/cases/storage/expected/config-dump.yml
index 1ef914afce..24cd41e5e5 100644
--- a/test/e2e-v2/cases/storage/expected/config-dump.yml
+++ b/test/e2e-v2/cases/storage/expected/config-dump.yml
@@ -206,7 +206,7 @@ receiver-telegraf.default.activeFiles=vm
receiver-telegraf.provider=default
receiver-trace.provider=default
service-mesh.provider=default
-status.default.keywords4MaskingSecretsOfConfig=user,password,token,accessKey,secretKey,authentication
+status.default.keywords4MaskingSecretsOfConfig=user,password,trustStorePass,keyStorePass,token,accessKey,secretKey,authentication
status.provider=default
storage.mysql.asyncBatchPersistentPoolSize=4
storage.mysql.maxSizeOfBatchSql=2000
diff --git a/test/e2e-v2/cases/ui-management/ui-management-cases.yaml
b/test/e2e-v2/cases/ui-management/ui-management-cases.yaml
index ef334ed1f4..82aca58ce0 100644
--- a/test/e2e-v2/cases/ui-management/ui-management-cases.yaml
+++ b/test/e2e-v2/cases/ui-management/ui-management-cases.yaml
@@ -15,16 +15,16 @@
# REST surface for dashboard templates, mounted on the admin-server REST host
# (default :17128). The cases below walk add → get → list → change → disable →
-# list-default vs. list-with-disabled to exercise the full CRUD cycle. Each
-# step writes the new id to /tmp/uitpl.id so the following step can refer to
-# the server-allocated UUID.
+# list-default vs. list-with-disabled to exercise the full CRUD cycle. The
+# client supplies the template id on POST; subsequent steps read it back from
+# /tmp/uitpl-add.json.
cases:
- # 1. POST a new template — server allocates the UUID.
+ # 1. POST a new template — client supplies the id.
- query: |
curl -s -X POST http://${oap_host}:${oap_17128}/ui-management/templates \
-H 'Content-Type: application/json' \
- -d '{"configuration":"{\"name\":\"e2e-tpl\",\"v\":1}"}' \
+ -d
'{"id":"e2e-tpl-id","configuration":"{\"name\":\"e2e-tpl\",\"v\":1}"}' \
| tee /tmp/uitpl-add.json \
| yq -P '. | {"status": .status, "hasId": (.id != null and .id != "")}'
expected: expected/template-write-success.yml