Skip to content

[FLINK-39561][security] Extend sensitive key redaction with missing access key patterns and user-configurable additional keys#28058

Open
gaborgsomogyi wants to merge 1 commit intoapache:masterfrom
gaborgsomogyi:FLINK-39561
Open

[FLINK-39561][security] Extend sensitive key redaction with missing access key patterns and user-configurable additional keys#28058
gaborgsomogyi wants to merge 1 commit intoapache:masterfrom
gaborgsomogyi:FLINK-39561

Conversation

@gaborgsomogyi
Copy link
Copy Markdown
Contributor

@gaborgsomogyi gaborgsomogyi commented Apr 28, 2026
edited
Loading

What is the purpose of the change

Several cloud storage access key config names were not matched by the existing SENSITIVE_KEYS patterns and were therefore leaked in logs and REST API responses:

  • fs.s3a.access.key, s3.access.key (missing access.key pattern)
  • s3.access-key (missing access-key pattern)
  • fs.oss.accessKeyId, fs.oss.accesskey (missing accesskey pattern)

Additionally, there was no way for users to protect custom or vendor-specific sensitive keys beyond the hardcoded list.

Brief change log

  • Added three new patterns to the immutable SENSITIVE_KEYS array in GlobalConfiguration: access-key, access.key, accesskey.
  • Added SecurityOptions.ADDITIONAL_SENSITIVE_KEYS (security.redaction.additional-keys), a comma-separated list option that lets users extend redaction with their own key substrings. Matching is case-insensitive substring containment,
    consistent with the built-in behaviour.
  • Tests added for all three new hardcoded patterns and for the user-extensible path.

3 call sites pass Collections.emptyList() because they do not have access to the Flink Configuration:

  • ActorSystemBootstrapTools.toMaskedMap — Pekko/Akka actor system debug logs will not apply user-defined additional keys.
  • FlinkYarnSessionCli.encodeDynamicProperties — Dynamic properties passed via -D on the YARN CLI will not be redacted by user-defined additional keys in startup logs.
  • EnvironmentInformation — Program argument logging will not apply user-defined additional keys; the built-in patterns still apply.

Verifying this change

Existing + new automated tests.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): no
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? not applicable
Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)

Generated-by: Claude code

@flinkbot
Copy link
Copy Markdown
Collaborator

flinkbot commented Apr 28, 2026
edited
Loading

CI report:

Bot commands The @flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

@gaborgsomogyi gaborgsomogyi force-pushed the FLINK-39561 branch 5 times, most recently from fb84e98 to 5b28ee2 Compare April 29, 2026 14:15
@gaborgsomogyi
Copy link
Copy Markdown
Contributor Author

gaborgsomogyi commented Apr 29, 2026

@flinkbot run azure

@gaborgsomogyi
[FLINK-39561][security] Extend sensitive key redaction with missing a…
359b225 
…ccess key patterns and user-configurable additional keys
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gaborgsomogyi @flinkbot