-
Notifications
You must be signed in to change notification settings - Fork 531
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(frontend): redact sql option in log #16871
Conversation
This comment was marked as outdated.
This comment was marked as outdated.
src/utils/pgwire/src/pg_protocol.rs
Outdated
v4 = '', | ||
) FORMAT plain ENCODE json (a='1',b='2') | ||
"; | ||
assert_eq!(redact_sql(sql), "CREATE SOURCE temp (k BIGINT, v CHARACTER VARYING) WITH (connector = [REDACTED], v1 = [REDACTED], v2 = [REDACTED], v3 = [REDACTED], v4 = [REDACTED]) FORMAT PLAIN ENCODE JSON (a = [REDACTED], b = [REDACTED])"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, it might be too aggressive to me... Can we just redact some sensitive fields? For example, any fields that contain "password"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we just redact some sensitive fields? For example, any fields that contain "password"
By maintaining a blacklist of sql options in the kernel?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, it's acceptable. As a quick fix, we can do it in some quick & dirty way, such as checking whether field_name.contains("password")
or something.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
src/utils/pgwire/src/pg_protocol.rs
Outdated
.into_iter() | ||
.map(|sql| sql.to_redacted_string()) | ||
.join(";"), | ||
Err(_) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually I also find this not that necessary. 😕 We can just leave the statements that failed to parse as they are.
In other words, what if users misspell "with" as "wth"? It appears that we are unable to handle all cases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
# Conflicts: # src/utils/pgwire/src/pg_server.rs
example: The log below was redacted.
The log below was not redacted because the statement failed to parse.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally LGTM as it will be eventually superseded by the SECRET approach.
@@ -27,6 +27,7 @@ normal = ["workspace-hack"] | |||
[dependencies] | |||
itertools = { workspace = true } | |||
serde = { version = "1.0", features = ["derive"], optional = true } | |||
tokio = { version = "0.2", package = "madsim-tokio" } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Actually tokio::task_local
does not rely on any components of the tokio
runtime. We may consider extracting it into a separate crate in the future.
pg_serve( | ||
&listen_addr, | ||
session_mgr, | ||
TlsConfig::new_default(), | ||
Some(redact_sql_option_keywords), | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks a little bit dirty though. 🤣
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes...
We can wrap it with another context object.
Anyway the PR will be reverted in the near future..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM as a quick fix.
# Conflicts: # src/sqlparser/Cargo.toml
I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.
What's changed and what's your intention?
This PR might be reverted in the future, once the more universal secure store solution is prepared.
This PR redacts SQL options when recording CREATE queries in the log.
Checklist
./risedev check
(or alias,./risedev c
)Documentation
Release note
If this PR includes changes that directly affect users or other significant modifications relevant to the community, kindly draft a release note to provide a concise summary of these changes. Please prioritize highlighting the impact these changes will have on users.