[FLINK-34499] Configuration#toString hides sensitive values

flink-core/src/main/java/org/apache/flink/configuration/Configuration.java

@@ -41,6 +41,7 @@
 import java.util.Properties;
 import java.util.Set;
 import java.util.function.BiFunction;
+import java.util.stream.Collectors;
 
 import static org.apache.flink.configuration.ConfigurationUtils.canBePrefixMap;
 import static org.apache.flink.configuration.ConfigurationUtils.containsPrefixMap;
@@ -1126,6 +1127,12 @@ public boolean equals(Object obj) {
 
     @Override
     public String toString() {
-        return this.confData.toString();
+        return ConfigurationUtils.hideSensitiveValues(
+                        this.confData.entrySet().stream()
+                                .collect(
+                                        Collectors.toMap(
+                                                Map.Entry::getKey,
+                                                entry -> entry.getValue().toString())))
+                .toString();
     }
 }

flink-core/src/test/java/org/apache/flink/configuration/ConfigurationTest.java

@@ -554,6 +554,19 @@ void testMapParserErrorDoesNotLeakSensitiveData() {
                                         .doesNotContain("secret_value"));
     }
 
+    @TestTemplate
+    void testToStringDoesNotLeakSensitiveData() {
+        ConfigOption<Map<String, String>> secret =
+                ConfigOptions.key("secret").mapType().noDefaultValue();
+
+        Assertions.assertThat(GlobalConfiguration.isSensitive(secret.key())).isTrue();
+
+        final Configuration cfg = new Configuration(standardYaml);
+        cfg.setString(secret.key(), "secret_value");
+
+        assertThat(cfg.toString()).doesNotContain("secret_value");
+    }
+
     @TestTemplate
     void testGetWithOverrideDefault() {
         final Configuration conf = new Configuration(standardYaml);