This is an automated email from the ASF dual-hosted git repository.

wu-sheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git


The following commit(s) were added to refs/heads/master by this push:
     new ad733554b0 Mask more keywords by default and remove auto generate id 
for UI templates (#13884)
ad733554b0 is described below

commit ad733554b0273d6165eff7bae4150df83d49ebe8
Author: Wan Kai <[email protected]>
AuthorDate: Tue May 26 12:22:51 2026 +0800

    Mask more keywords by default and remove auto generate id for UI templates 
(#13884)
---
 docs/en/changes/changes.md                                    |  1 +
 docs/en/debugging/config_dump.md                              |  2 +-
 docs/en/setup/backend/admin-api/status.md                     |  2 +-
 docs/en/setup/backend/configuration-vocabulary.md             |  2 +-
 .../oap/server/admin/status/StatusModuleConfig.java           |  2 +-
 .../admin/uimanagement/handler/UIManagementRestHandler.java   | 11 +++++------
 oap-server/server-starter/src/main/resources/application.yml  |  2 +-
 test/e2e-v2/cases/storage/expected/config-dump.yml            |  2 +-
 test/e2e-v2/cases/ui-management/ui-management-cases.yaml      | 10 +++++-----
 9 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md
index 604b6be4e9..f914cb4204 100644
--- a/docs/en/changes/changes.md
+++ b/docs/en/changes/changes.md
@@ -285,6 +285,7 @@
 * Fix: `avgHistogramPercentile` / `sumHistogramPercentile` meter functions 
reported the smallest finite bucket boundary (e.g. `10` for OTel 
`gen_ai_server_request_duration` whose `le` is rewritten from `0.01s` → `10ms`) 
for every rank when no samples were observed in any bucket. The percentile 
loop's `count >= roof` check matched on the first sorted bucket because both 
sides were `0`. `calculate()` now short-circuits to `0` for every rank when the 
windowed total is `0`.
 * Fix: MAL `expPrefix` now applies to every metric source in `exp`, not just 
the leading one. Previously the prefix was spliced after the first `.`, so 
secondary metrics inside arguments (e.g. the divisor in 
`a.sum(['s']).safeDiv(b.sum(['s']))`) silently skipped the prefix — a rule like 
envoy-ai-gateway's `request_latency_avg` (`sum / count`) would tag-rewrite only 
the dividend. The injection is now AST-aware: every bare-IDENTIFIER metric 
source is wrapped, while downsampling-type consta [...]
 * Add `@Stream(allowBootReshape = true)` opt-in for additive boot-time reshape 
of BanyanDB streams / measures. Code-defined stream classes (e.g. 
`AlarmRecord`) can now annotate their schema as eligible for in-place additive 
update at OAP boot — a new `@Column` is appended to the live tag-family / 
fields via `client.update` instead of being silently rejected with 
`SKIPPED_SHAPE_MISMATCH` (which previously forced operators to drop the measure 
/ stream and lose historical rows). Additive in [...]
+* Mask keywords `trustStorePass`, `keyStorePass` by default.
 
 #### UI
 * Add mobile menu icon and i18n labels for the iOS layer.
diff --git a/docs/en/debugging/config_dump.md b/docs/en/debugging/config_dump.md
index e320124c3d..29911ef73f 100644
--- a/docs/en/debugging/config_dump.md
+++ b/docs/en/debugging/config_dump.md
@@ -88,5 +88,5 @@ By default, we mask the config keys through the following 
configurations.
 
 ```yaml
 # Include the list of keywords to filter configurations including secrets. 
Separate keywords by a comma.
-keywords4MaskingSecretsOfConfig: 
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,token,accessKey,secretKey,authentication}
+keywords4MaskingSecretsOfConfig: 
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,trustStorePass,keyStorePass,token,accessKey,secretKey,authentication}
 ```
\ No newline at end of file
diff --git a/docs/en/setup/backend/admin-api/status.md 
b/docs/en/setup/backend/admin-api/status.md
index 7b9754696d..091e9bfa7f 100644
--- a/docs/en/setup/backend/admin-api/status.md
+++ b/docs/en/setup/backend/admin-api/status.md
@@ -28,7 +28,7 @@ export SW_STATUS=default                # default (enabled)
 status:
   selector: ${SW_STATUS:default}
   default:
-    keywords4MaskingSecretsOfConfig: 
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,token,accessKey,secretKey,authentication}
+    keywords4MaskingSecretsOfConfig: 
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,trustStorePass,keyStorePass,token,accessKey,secretKey,authentication}
 ```
 
 `keywords4MaskingSecretsOfConfig` is consumed by `/debugging/config/dump`
diff --git a/docs/en/setup/backend/configuration-vocabulary.md 
b/docs/en/setup/backend/configuration-vocabulary.md
index 675aa2f3f5..029468edd7 100644
--- a/docs/en/setup/backend/configuration-vocabulary.md
+++ b/docs/en/setup/backend/configuration-vocabulary.md
@@ -333,7 +333,7 @@ It divided into several modules, each of which has its own 
settings. The followi
 | -                       | -             | exportErrorStatusTraceOnly         
                                                                                
                                                      | Export error status 
trace segments through the Kafka channel.                                       
                                                                                
                                                                                
                  [...]
 | health-checker          | default       | checkIntervalSeconds               
                                                                                
                                                      | The period of checking 
OAP internal health status (in seconds).                                        
                                                                                
                                                                                
               [...]
 | status                  | default       | (selector)                         
                                                                                
                                                     | Status feature module — 
hosts /status/* and /debugging/* routes on the admin-server REST host only. 
Both `status` and `admin-server` are enabled by default; set SW_STATUS empty to 
disable.                                                                        
                   [...]
-| -                       | -             | keywords4MaskingSecretsOfConfig    
                                                                                
                                                      | Include the list of 
keywords to filter configurations including secrets. Separate keywords by a 
comma.                                                                          
                                                                                
                      [...]
+| -                       | -             | keywords4MaskingSecretsOfConfig    
                                                                                
                                                      | Include the list of 
keywords to filter configurations including secrets. Separate keywords by a 
comma.                                                                          
                                                                                
                      [...]
 | inspect                 | default       | (selector)                         
                                                                                
                                                      | Inspect API on 
admin-server — /inspect/metrics (catalog) and /inspect/entities (entity 
enumeration with MQE-ready output). Routes only on the admin-server register. 
**Enabled by default** (admin-server is on by default too); set SW_INSPECT 
empty to disable.                     [...]
 | ui-management           | default       | (selector)                         
                                                                                
                                                      | UI Management REST 
surface on admin-server — /ui-management/templates (CRUD) for dashboard 
templates. Consumed by Horizon UI; replaces the retired GraphQL 
`UIConfigurationManagement` template resolver. The sidebar menu is NOT served 
(Horizon UI owns it client-side). Routes onl [...]
 | configuration-discovery | default       | disableMessageDigest               
                                                                                
                                                      | If true, agent receives 
the latest configuration every time, even without making any changes. By 
default, OAP uses the SHA512 message digest mechanism to detect changes in 
configuration.                                                                  
                          [...]
diff --git 
a/oap-server/server-admin/status/src/main/java/org/apache/skywalking/oap/server/admin/status/StatusModuleConfig.java
 
b/oap-server/server-admin/status/src/main/java/org/apache/skywalking/oap/server/admin/status/StatusModuleConfig.java
index b941e5dfb4..d8c2dba5ac 100644
--- 
a/oap-server/server-admin/status/src/main/java/org/apache/skywalking/oap/server/admin/status/StatusModuleConfig.java
+++ 
b/oap-server/server-admin/status/src/main/java/org/apache/skywalking/oap/server/admin/status/StatusModuleConfig.java
@@ -30,5 +30,5 @@ public class StatusModuleConfig extends ModuleConfig {
      *
      * @since 9.7.0
      */
-    private String keywords4MaskingSecretsOfConfig = 
"user,password,token,accessKey,secretKey,authentication";
+    private String keywords4MaskingSecretsOfConfig = 
"user,password,trustStorePass,keyStorePass,token,accessKey,secretKey,authentication";
 }
diff --git 
a/oap-server/server-admin/ui-management/src/main/java/org/apache/skywalking/oap/server/admin/uimanagement/handler/UIManagementRestHandler.java
 
b/oap-server/server-admin/ui-management/src/main/java/org/apache/skywalking/oap/server/admin/uimanagement/handler/UIManagementRestHandler.java
index 8ae13f2849..293bad55b8 100644
--- 
a/oap-server/server-admin/ui-management/src/main/java/org/apache/skywalking/oap/server/admin/uimanagement/handler/UIManagementRestHandler.java
+++ 
b/oap-server/server-admin/ui-management/src/main/java/org/apache/skywalking/oap/server/admin/uimanagement/handler/UIManagementRestHandler.java
@@ -29,7 +29,6 @@ import com.linecorp.armeria.server.annotation.RequestObject;
 import java.io.IOException;
 import java.util.List;
 import java.util.Optional;
-import java.util.UUID;
 import lombok.extern.slf4j.Slf4j;
 import 
org.apache.skywalking.oap.server.admin.uimanagement.response.ErrorResponse;
 import org.apache.skywalking.oap.server.core.CoreModule;
@@ -108,17 +107,17 @@ public class UIManagementRestHandler {
     /**
      * Add a new template. Body shape:
      * <pre>{ "configuration": "&lt;JSON-encoded config&gt;" }</pre>
-     * The server allocates the template ID (UUID) — the request must not set 
it.
      */
     @Post("/ui-management/templates")
     public HttpResponse addTemplate(@RequestObject final DashboardSetting 
setting) {
-        if (setting == null || setting.getConfiguration() == null) {
+        if (setting == null || setting.getId() == null || 
setting.getId().isEmpty()) {
+            return errorResponse(HttpStatus.BAD_REQUEST, "missing_id",
+                                 "Request body must include 'id'.");
+        }
+        if (setting.getConfiguration() == null) {
             return errorResponse(HttpStatus.BAD_REQUEST, 
"missing_configuration",
                                  "Request body must include 'configuration'.");
         }
-        // Server-side ID allocation — preserves the legacy semantics of the
-        // GraphQL `addTemplate` mutation. Any client-supplied `id` is ignored.
-        setting.setId(UUID.randomUUID().toString());
         try {
             final TemplateChangeStatus status = 
templates().addTemplate(setting);
             return statusResponse(status);
diff --git a/oap-server/server-starter/src/main/resources/application.yml 
b/oap-server/server-starter/src/main/resources/application.yml
index d5f1f6ae07..985d22bd1a 100644
--- a/oap-server/server-starter/src/main/resources/application.yml
+++ b/oap-server/server-starter/src/main/resources/application.yml
@@ -746,7 +746,7 @@ status:
   selector: ${SW_STATUS:default}
   default:
     # Include the list of keywords to filter configurations including secrets. 
Separate keywords by a comma.
-    keywords4MaskingSecretsOfConfig: 
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,token,accessKey,secretKey,authentication}
+    keywords4MaskingSecretsOfConfig: 
${SW_DEBUGGING_QUERY_KEYWORDS_FOR_MASKING_SECRETS:user,password,trustStorePass,keyStorePass,token,accessKey,secretKey,authentication}
 
 # Inspect API — admin-only metric catalog + per-metric entity enumeration.
 # Routes live under /inspect/*. Enabled by default; mounts onto admin-server
diff --git a/test/e2e-v2/cases/storage/expected/config-dump.yml 
b/test/e2e-v2/cases/storage/expected/config-dump.yml
index 1ef914afce..24cd41e5e5 100644
--- a/test/e2e-v2/cases/storage/expected/config-dump.yml
+++ b/test/e2e-v2/cases/storage/expected/config-dump.yml
@@ -206,7 +206,7 @@ receiver-telegraf.default.activeFiles=vm
 receiver-telegraf.provider=default
 receiver-trace.provider=default
 service-mesh.provider=default
-status.default.keywords4MaskingSecretsOfConfig=user,password,token,accessKey,secretKey,authentication
+status.default.keywords4MaskingSecretsOfConfig=user,password,trustStorePass,keyStorePass,token,accessKey,secretKey,authentication
 status.provider=default
 storage.mysql.asyncBatchPersistentPoolSize=4
 storage.mysql.maxSizeOfBatchSql=2000
diff --git a/test/e2e-v2/cases/ui-management/ui-management-cases.yaml 
b/test/e2e-v2/cases/ui-management/ui-management-cases.yaml
index ef334ed1f4..82aca58ce0 100644
--- a/test/e2e-v2/cases/ui-management/ui-management-cases.yaml
+++ b/test/e2e-v2/cases/ui-management/ui-management-cases.yaml
@@ -15,16 +15,16 @@
 
 # REST surface for dashboard templates, mounted on the admin-server REST host
 # (default :17128). The cases below walk add → get → list → change → disable →
-# list-default vs. list-with-disabled to exercise the full CRUD cycle. Each
-# step writes the new id to /tmp/uitpl.id so the following step can refer to
-# the server-allocated UUID.
+# list-default vs. list-with-disabled to exercise the full CRUD cycle. The
+# client supplies the template id on POST; subsequent steps read it back from
+# /tmp/uitpl-add.json.
 
 cases:
-  # 1. POST a new template — server allocates the UUID.
+  # 1. POST a new template — client supplies the id.
   - query: |
       curl -s -X POST http://${oap_host}:${oap_17128}/ui-management/templates \
         -H 'Content-Type: application/json' \
-        -d '{"configuration":"{\"name\":\"e2e-tpl\",\"v\":1}"}' \
+        -d 
'{"id":"e2e-tpl-id","configuration":"{\"name\":\"e2e-tpl\",\"v\":1}"}' \
         | tee /tmp/uitpl-add.json \
         | yq -P '. | {"status": .status, "hasId": (.id != null and .id != "")}'
     expected: expected/template-write-success.yml

Reply via email to