
[FLINK-38266][flink-sql-gateway] SQL Gateway - mask sensitive table and catalog options

Open maciejmaciejko-gid opened this issue 4 months ago • 1 comments

What is the purpose of the change

The SQL Gateway exposes credentials and other sensitive information through the SHOW CREATE TABLE and SHOW CREATE CATALOG statements. This represents a security risk when the SQL Gateway is used in a multi-user environment, for example, as a gateway for SQL editors with persistent catalogs.

This feature redacts sensitive table and catalog options (configurable) by replacing their values with '****' in the SHOW CREATE TABLE and SHOW CREATE CATALOG statements. Note that this does not affect the table or catalog itself — it only masks sensitive options in the SQL Gateway’s response. Users can still interact with the table or catalog, but they will not be able to see the sensitive configuration details.

Brief change log

  • SQL Gateway API options with doc
  • ShowCreateTableResult with masking based on regex (only for SHOW CREATE TABLE and CATALOG response)
  • Added unit tests, extended integration tests

Verifying this change

This change added tests and can be verified as follows:

  • Added unit tests for ShowCreateTableResult (corner cases, options match and redact)
  • Extended integration test for SQL Gateway (AbstractSqlGatewayStatementITCase - added scenario as file show_create_sensitive_options.q)
  • Manually verified - e2e test with SQL Gateway and session cluster

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): NO
  • The public API, i.e., is any changed class annotated with @Public(Evolving): YES (SqlGatewayServiceConfigOptions)
  • The serializers: NO
  • The runtime per-record code paths (performance sensitive): NO
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: NO
  • The S3 file system connector: NO

Documentation

  • Does this pull request introduce a new feature? YES
  • If yes, how is the feature documented? described options in docs/content/docs/dev/table/sql-gateway/overview.md

maciejmaciejko-gid avatar Aug 19 '25 11:08 maciejmaciejko-gid
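Added example, not part of the pull request or of Flink's code: a stand-alone sketch of regex-based redaction of sensitive options in SHOW CREATE TABLE output, as the description above outlines. The class and method names, the key pattern and the sample DDL are assumptions made for illustration, including the assumption that the configured regex is matched against option keys.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration; class, method and pattern names are hypothetical, not Flink's. */
public class SensitiveOptionMasker {
    // One 'key' = 'value' pair of a WITH (...) clause; '' is an escaped quote inside a literal.
    private static final Pattern OPTION =
            Pattern.compile("'((?:[^']|'')*)'(\\s*=\\s*)'(?:[^']|'')*'");

    private final Pattern sensitiveKey;

    public SensitiveOptionMasker(String sensitiveKeyRegex) {
        // Assumed semantics: the regex is matched, case-insensitively, against the option key.
        this.sensitiveKey = Pattern.compile(sensitiveKeyRegex, Pattern.CASE_INSENSITIVE);
    }

    /** Returns the DDL text with the value of every sensitive option replaced by '****'. */
    public String mask(String ddl) {
        Matcher m = OPTION.matcher(ddl);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String replacement = sensitiveKey.matcher(m.group(1)).find()
                    ? "'" + m.group(1) + "'" + m.group(2) + "'****'"
                    : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample output of SHOW CREATE TABLE, not taken from the PR.
        String ddl = String.join("\n",
                "CREATE TABLE `orders` (",
                "  `id` BIGINT",
                ") WITH (",
                "  'connector' = 'jdbc',",
                "  'url' = 'jdbc:postgresql://db.example.internal:5432/shop',",
                "  'username' = 'etl',",
                "  'password' = 'it''s-a-secret'",
                ")");
        String masked = new SensitiveOptionMasker("password|secret|token").mask(ddl);
        System.out.println(masked);
        if (masked.contains("secret") || !masked.contains("'password' = '****'")) {
            throw new AssertionError("sensitive value leaked");
        }
    }
}
```

The value pattern consumes escaped quotes (`''`) so that a secret containing a quote is replaced whole rather than cut at the first quote. Only the rendered text changes; the stored options are untouched, matching the behaviour the description states.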

CI report:

  • 730e8ceb41204ac682c71c9da42f385c607fdfcc Azure: SUCCESS

Bot commands

The @flinkbot bot supports the following commands:

  • @flinkbot run azure - re-run the last Azure build

flinkbot avatar Aug 19 '25 11:08 flinkbot