feat(frontend): redact sql option in log

[zwang28]

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

What's changed and what's your intention?

This PR might be reverted in the future, once the more universal secure store solution is prepared.

This PR redacts SQL options when recording CREATE queries in the log.

• For queries that can be successfully parsed, it redacts the strongly typed SQL options within the parsed Statement.
• For queries that can not be successfully parsed, such as those with syntax errors, it's not redacted.
• Find the unit tests for examples.

Checklist

• I have written necessary rustdoc comments
• I have added necessary unit tests and integration tests
• I have added test labels as necessary. See details.
• I have added fuzzing tests or opened an issue to track them. (Optional, recommended for new SQL features Sqlsmith: Sql feature generation #7934).
• My PR contains breaking changes. (If it deprecates some features, please create a tracking issue to remove them in the future).
• All checks passed in ./risedev check (or alias, ./risedev c)
• My PR changes performance-critical code. (Please run macro/micro-benchmarks and show the results.)

• My PR contains critical fixes that are necessary to be merged into the latest release. (Please check out the details)

Documentation

• My PR needs documentation updates. (Please use the Release note section below to summarize the impact on users)

Release note

If this PR includes changes that directly affect users or other significant modifications relevant to the community, kindly draft a release note to provide a concise summary of these changes. Please prioritize highlighting the impact these changes will have on users.

[fuyufjh]

Hmm, it might be too aggressive to me... Can we just redact some sensitive fields? For example, any fields that contain "password"

[zwang28]

Can we just redact some sensitive fields? For example, any fields that contain "password"

By maintaining a blacklist of sql options in the kernel?

[fuyufjh]

Yeah, it's acceptable. As a quick fix, we can do it in some quick & dirty way, such as checking whether field_name.contains("password") or something.

[zwang28]

fixed

[BugenZhao]

Actually I also find this not that necessary. 😕 We can just leave the statements that failed to parse as they are.

In other words, what if users misspell "with" as "wth"? It appears that we are unable to handle all cases.

[zwang28]

fixed

[zwang28]

example:

The log below was redacted. abctokenabc was redacted because it contained keyword token.

2024-05-23T16:10:00.243564+08:00 INFO handle_query{mode="simple query" session_id=0 sql=CREATE TABLE tomb (v1 INT) WITH (connector = 'datagen', fields.v1.kind = 'sequence', datagen.rows.per.second = '1', abctokenabc = [REDACTED]) FORMAT PLAIN ENCODE JSON}: pgwire_query_log: status="ok" time=70ms

The log below was not redacted because the statement failed to parse.

2024-05-23T16:10:07.48916+08:00 ERROR handle_query{mode="simple query" session_id=0 sql=CREATE TABLEXXXXX tomb (v1 int)
WITH (
  connector = 'datagen',
  fields.v1.kind = 'sequence',
  datagen.rows.per.second = '1',
  abctokenabc = '222'
)
FORMAT PLAIN
ENCODE JSON;}: pgwire::pg_protocol: error when process message error=Failed to run the query: sql parser error: Expected an object type after CREATE, found: TABLEXXXXX at line:1, column:18

[BugenZhao]

Generally LGTM as it will be eventually superseded by the SECRET approach.

[BugenZhao]

nit: Actually tokio::task_local does not rely on any components of the tokio runtime. We may consider extracting it into a separate crate in the future.

[BugenZhao]

This looks a little bit dirty though. 🤣

[zwang28]

Yes...
We can wrap it with another context object.
Anyway the PR will be reverted in the near future..

[hzxa21]

LGTM as a quick fix.