[FLINK-39685][table] Redact sensitive options in SHOW CREATE and DESCRIBE CATALOG statements

[gaborgsomogyi]

What is the purpose of the change

Sensitive table/catalog/model options (e.g. password, api-key, token) were exposed verbatim in the output of SHOW CREATE TABLE, SHOW CREATE CATALOG, SHOW CREATE MATERIALIZED TABLE, SHOW CREATE MODEL, and DESCRIBE CATALOG EXTENDED. Flink already had redaction infrastructure (GlobalConfiguration.isSensitive / HIDDEN_CONTENT) used for Flink config display and factory error messages, but it was not wired to SQL display operations.

Brief change log

• ShowCreateUtil - extractFormattedOptions now accepts List<String> additionalSensitiveKeys and redacts matching values with ******. The unused 2-arg and lowerCaseKeys overloads were removed (dead code).
• ShowCreate*Operation / DescribeCatalogOperation - each execute() reads SecurityOptions.ADDITIONAL_SENSITIVE_KEYS from TableConfig and threads it through to the rendering layer.
• DefaultCatalogTable / DefaultCatalogModel - toString() now uses ConfigurationUtils.hideSensitiveValues to avoid leaking secrets in logs. Built-in sensitive key patterns apply; user-configured additional keys cannot be applied here (no config context in toString()).

Verifying this change

• ShowCreateUtilTest - extended with redaction cases for table, catalog, materialized table, and custom additionalSensitiveKeys.
• DescribeCatalogOperationTest - new; verifies extended output redacts password/token, non-sensitive values are unchanged, and non-extended output exposes no options at all.
• DefaultCatalogTableTest - new; verifies toString() redacts sensitive keys and preserves safe ones.

Does this pull request potentially affect one of the following parts:

• Dependencies (does it add or upgrade a dependency): no
• The public API, i.e., is any changed class annotated with @Public(Evolving): no
• The serializers: no
• The runtime per-record code paths (performance sensitive): no
• Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
• The S3 file system connector: no

Documentation

• Does this pull request introduce a new feature? no
• If yes, how is the feature documented? not applicable

---

Was generative AI tooling used to co-author this PR?

• Yes (please specify the tool below)

Generated-by: Claude code

[flinkbot]

CI report:

• c7c6d69 Azure: SUCCESS

Bot commands

The @flinkbot bot supports the following commands:

• @flinkbot run azure re-run the last Azure build

[featzhang]

LGTM

[featzhang]

LGTM overall. Good use of existing GlobalConfiguration.isSensitive() infrastructure.

Questions:

1. Line 485-505 in ShowCreateUtil.java - The extractFormattedOptions(conf, printIndent, boolean lowerCaseKeys) overload was removed. Can you confirm this was truly unused? If it's @Internal API, fine; just want to make sure no external code relied on it.

2. DefaultCatalogTable.toString() L167 - The redaction here uses Collections.emptyList() for additionalSensitiveKeys because there's no TableConfig context. This means user-configured ADDITIONAL_SENSITIVE_KEYS won't apply to logs. Acceptable trade-off, but might be worth a doc note.

Minor:

3. Missing end-to-end test for ShowCreateModelOperation - only unit tests present. Not critical but would be nice to have.

4. Consider adding a debug log when redaction happens (L459-466 in ShowCreateUtil) for security auditing.

Tests look solid - good coverage of the redaction logic.

[snuyanzin]

Thanks for addressing feedback

[gaborgsomogyi]

Thanks for the review. Rebased to eliminate unrelated test failures.