Skip to content

[FLINK-38266][flink-sql-gateway] SQL Gateway - mask sensitive table and catalog options #26927

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

[FLINK-38266][flink-sql-gateway] SQL Gateway - mask sensitive table and catalog options #26927

wants to merge 7 commits into from

Conversation

maciejmaciejko-gid
Copy link

What is the purpose of the change

The SQL Gateway exposes credentials and other sensitive information through the SHOW CREATE TABLE and SHOW CREATE CATALOG statements. This represents a security risk when the SQL Gateway is used in a multi-user environment, for example, as a gateway for SQL editors with persistent catalogs.

This feature redacts sensitive table and catalog options (configurable) by replacing their values with '****' in the SHOW CREATE TABLE and SHOW CREATE CATALOG statements. Note that this does not affect the table or catalog itself — it only masks sensitive options in the SQL Gateway’s response. Users can still interact with the table or catalog, but they will not be able to see the sensitive configuration details.

Brief change log

  • SQL Gateway API options with doc
  • ShowCreateTableResult with masking based on regex (only for SHOW CREATE TABLE and CATALOG response)
  • Added unit tests, extended integration tests

Verifying this change

This change added tests and can be verified as follows:

  • Added unit tests for ShowCreateTableResult (corner cases, options match and redact)
  • Extended integration test for SQL Gateway (AbstractSqlGatewayStatementITCase - added scenario as file show_create_sensitive_options.q)
  • Manually verified - e2e test with SQL Gateway and session cluster

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): NO
  • The public API, i.e., is any changed class annotated with @Public(Evolving): YES (SqlGatewayServiceConfigOptions)
  • The serializers: NO
  • The runtime per-record code paths (performance sensitive): NO
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: NO
  • The S3 file system connector: NO

Documentation

  • Does this pull request introduce a new feature? YES
  • If yes, how is the feature documented? described options in docs/content/docs/dev/table/sql-gateway/overview.md

@flinkbot
Copy link
Collaborator

flinkbot commented Aug 19, 2025
edited
Loading

CI report:

Bot commands The @flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

@maciejmaciejko-gid maciejmaciejko-gid marked this pull request as draft August 19, 2025 11:32
@maciejmaciejko-gid maciejmaciejko-gid marked this pull request as ready for review August 19, 2025 15:32
davidradl
davidradl reviewed Aug 20, 2025
View reviewed changes
docs/content/docs/dev/table/sql-gateway/overview.md
<td><h5>sql-gateway.security.mask-sensitive-options.enabled</h5></td>
<td style="word-wrap: break-word;">true</td>
<td>Boolean</td>
<td>Masks sensitive option values (e.g., passwords or tokens) in SHOW CREATE results to prevent accidental exposure.</td>
Copy link
Contributor

@davidradl davidradl Aug 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume the default would be hideSensitiveValues
and the names be in addition to the above or replace them

@github-actions github-actions bot added community-reviewed PR has been reviewed by the community. and removed community-reviewed PR has been reviewed by the community. labels Aug 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@davidradl davidradl davidradl left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
community-reviewed PR has been reviewed by the community.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@maciejmaciejko-gid @flinkbot @davidradl