Redact CREATE CATALOG

This commit introduces redacting of security-sensitive information in
the following statements:

* CREATE CATALOG
* EXPLAIN CREATE CATALOG
* PREPARE CREATE CATALOG

The current approach is as follows:

* For syntactically valid statements, only properties containing
sensitive information are masked.
* If a query is syntactically valid but retrieving security-sensitive
properties fails for any reason (e.g., the query references a
nonexistent connector or catalog property evaluation fails), all
properties are masked.
* If a query fails before or during parsing, nothing is masked.

The redacted form is created right before initialization of the
QueryStateMachine and is propagated to all places that create QueryInfo
and BasicQueryInfo (e.g., REST endpoints, query events, and
the system.runtime.queries table). Before this change,
QueryInfo/BasicQueryInfo stored the raw query text received from the end
user. From now on, the text will be altered for the cases listed above.

Author: piotrrzysko

core/trino-main/src/main/java/io/trino/FeaturesConfig.java

@@ -122,6 +122,8 @@ public class FeaturesConfig
 
     private boolean faultTolerantExecutionExchangeEncryptionEnabled = true;
 
+    private boolean statementRedactingEnabled = true;
+
     public enum DataIntegrityVerification
     {
         NONE,
@@ -514,6 +516,18 @@ public FeaturesConfig setFaultTolerantExecutionExchangeEncryptionEnabled(boolean
         return this;
     }
 
+    public boolean isStatementRedactingEnabled()
+    {
+        return statementRedactingEnabled;
+    }
+
+    @Config("deprecated.statement-redacting-enabled")
+    public FeaturesConfig setStatementRedactingEnabled(boolean statementRedactingEnabled)
+    {
+        this.statementRedactingEnabled = statementRedactingEnabled;
+        return this;
+    }
+
     public void applyFaultTolerantExecutionDefaults()
     {
         exchangeCompressionCodec = LZ4;

core/trino-main/src/main/java/io/trino/connector/CatalogFactory.java

@@ -20,6 +20,8 @@
 import io.trino.spi.connector.ConnectorFactory;
 import io.trino.spi.connector.ConnectorName;
 
+import java.util.Set;
+
 @ThreadSafe
 public interface CatalogFactory
 {
@@ -28,4 +30,6 @@ public interface CatalogFactory
     CatalogConnector createCatalog(CatalogProperties catalogProperties);
 
     CatalogConnector createCatalog(CatalogHandle catalogHandle, ConnectorName connectorName, Connector connector);
+
+    Set<String> getSecuritySensitivePropertyNames(CatalogProperties catalogProperties);
 }

core/trino-main/src/main/java/io/trino/connector/DefaultCatalogFactory.java

@@ -13,6 +13,7 @@
  */
 package io.trino.connector;
 
+import com.google.common.collect.ImmutableSet;
 import com.google.errorprone.annotations.ThreadSafe;
 import com.google.inject.Inject;
 import io.airlift.configuration.secrets.SecretsResolver;
@@ -45,6 +46,7 @@
 
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 
@@ -144,6 +146,25 @@ public CatalogConnector createCatalog(CatalogHandle catalogHandle, ConnectorName
         return createCatalog(catalogHandle, connectorName, connector, Optional.empty());
     }
 
+    @Override
+    public Set<String> getSecuritySensitivePropertyNames(CatalogProperties catalogProperties)
+    {
+        ConnectorFactory connectorFactory = connectorFactories.get(catalogProperties.connectorName());
+        if (connectorFactory == null) {
+            // If someone tries to use a non-existent connector, we assume they
+            // misspelled the name and, for safety, we redact all the properties.
+            return ImmutableSet.copyOf(catalogProperties.properties().keySet());
+        }
+
+        ConnectorContext context = createConnectorContext(catalogProperties.catalogHandle());
+        String catalogName = catalogProperties.catalogHandle().getCatalogName().toString();
+        Map<String, String> config = secretsResolver.getResolvedConfiguration(catalogProperties.properties());
+
+        try (ThreadContextClassLoader _ = new ThreadContextClassLoader(connectorFactory.getClass().getClassLoader())) {
+            return connectorFactory.getSecuritySensitivePropertyNames(catalogName, config, context);
+        }
+    }
+
     private CatalogConnector createCatalog(CatalogHandle catalogHandle, ConnectorName connectorName, Connector connector, Optional<CatalogProperties> catalogProperties)
     {
         Tracer tracer = createTracer(catalogHandle);
@@ -196,7 +217,16 @@ private Connector createConnector(
             ConnectorFactory connectorFactory,
             Map<String, String> properties)
     {
-        ConnectorContext context = new ConnectorContextInstance(
+        ConnectorContext context = createConnectorContext(catalogHandle);
+
+        try (ThreadContextClassLoader _ = new ThreadContextClassLoader(connectorFactory.getClass().getClassLoader())) {
+            return connectorFactory.create(catalogName, properties, context);
+        }
+    }
+
+    private ConnectorContext createConnectorContext(CatalogHandle catalogHandle)
+    {
+        return new ConnectorContextInstance(
                 catalogHandle,
                 openTelemetry,
                 createTracer(catalogHandle),
@@ -206,10 +236,6 @@ private Connector createConnector(
                 new InternalMetadataProvider(metadata, typeManager),
                 pageSorter,
                 pageIndexerFactory);
-
-        try (ThreadContextClassLoader _ = new ThreadContextClassLoader(connectorFactory.getClass().getClassLoader())) {
-            return connectorFactory.create(catalogName, properties, context);
-        }
     }
 
     private Tracer createTracer(CatalogHandle catalogHandle)

core/trino-main/src/main/java/io/trino/connector/LazyCatalogFactory.java

@@ -19,6 +19,7 @@
 import io.trino.spi.connector.ConnectorFactory;
 import io.trino.spi.connector.ConnectorName;
 
+import java.util.Set;
 import java.util.concurrent.atomic.AtomicReference;
 
 import static com.google.common.base.Preconditions.checkState;
@@ -51,6 +52,12 @@ public CatalogConnector createCatalog(CatalogHandle catalogHandle, ConnectorName
         return getDelegate().createCatalog(catalogHandle, connectorName, connector);
     }
 
+    @Override
+    public Set<String> getSecuritySensitivePropertyNames(CatalogProperties catalogProperties)
+    {
+        return getDelegate().getSecuritySensitivePropertyNames(catalogProperties);
+    }
+
     private CatalogFactory getDelegate()
     {
         CatalogFactory catalogFactory = delegate.get();

core/trino-main/src/main/java/io/trino/dispatcher/DispatchManager.java

@@ -13,6 +13,7 @@
  */
 package io.trino.dispatcher;
 
+import com.google.common.base.Function;
 import com.google.common.util.concurrent.AbstractFuture;
 import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
@@ -44,6 +45,8 @@
 import io.trino.spi.TrinoException;
 import io.trino.spi.resourcegroups.SelectionContext;
 import io.trino.spi.resourcegroups.SelectionCriteria;
+import io.trino.sql.RedactedQuery;
+import io.trino.sql.SensitiveStatementRedactor;
 import jakarta.annotation.PostConstruct;
 import jakarta.annotation.PreDestroy;
 import org.weakref.jmx.Flatten;
@@ -84,6 +87,7 @@ public class DispatchManager
     private final SessionPropertyDefaults sessionPropertyDefaults;
     private final SessionPropertyManager sessionPropertyManager;
     private final Tracer tracer;
+    private final SensitiveStatementRedactor sensitiveStatementRedactor;
 
     private final int maxQueryLength;
 
@@ -107,6 +111,7 @@ public DispatchManager(
             SessionPropertyDefaults sessionPropertyDefaults,
             SessionPropertyManager sessionPropertyManager,
             Tracer tracer,
+            SensitiveStatementRedactor sensitiveStatementRedactor,
             QueryManagerConfig queryManagerConfig,
             DispatchExecutor dispatchExecutor,
             QueryMonitor queryMonitor)
@@ -121,6 +126,7 @@ public DispatchManager(
         this.sessionPropertyDefaults = requireNonNull(sessionPropertyDefaults, "sessionPropertyDefaults is null");
         this.sessionPropertyManager = sessionPropertyManager;
         this.tracer = requireNonNull(tracer, "tracer is null");
+        this.sensitiveStatementRedactor = requireNonNull(sensitiveStatementRedactor, "sensitiveStatementRedactor is null");
 
         this.maxQueryLength = queryManagerConfig.getMaxQueryLength();
 
@@ -240,7 +246,7 @@ private <C> void createQueryInternal(QueryId queryId, Span querySpan, Slug slug,
             DispatchQuery dispatchQuery = dispatchQueryFactory.createDispatchQuery(
                     session,
                     sessionContext.getTransactionId(),
-                    query,
+                    getRedactedQueryProvider(preparedQuery, query),
                     preparedQuery,
                     slug,
                     selectionContext.getResourceGroupId());
@@ -280,6 +286,11 @@ private <C> void createQueryInternal(QueryId queryId, Span querySpan, Slug slug,
         }
     }
 
+    private Function<Session, RedactedQuery> getRedactedQueryProvider(PreparedQuery preparedQuery, String query)
+    {
+        return session -> sensitiveStatementRedactor.redact(query, preparedQuery, session);
+    }
+
     private boolean queryCreated(DispatchQuery dispatchQuery)
     {
         boolean queryAdded = queryTracker.addQuery(dispatchQuery);

core/trino-main/src/main/java/io/trino/dispatcher/DispatchQueryFactory.java

@@ -17,16 +17,18 @@
 import io.trino.execution.QueryPreparer.PreparedQuery;
 import io.trino.server.protocol.Slug;
 import io.trino.spi.resourcegroups.ResourceGroupId;
+import io.trino.sql.RedactedQuery;
 import io.trino.transaction.TransactionId;
 
 import java.util.Optional;
+import java.util.function.Function;
 
 public interface DispatchQueryFactory
 {
     DispatchQuery createDispatchQuery(
             Session session,
             Optional<TransactionId> transactionId,
-            String query,
+            Function<Session, RedactedQuery> queryProvider,
             PreparedQuery preparedQuery,
             Slug slug,
             ResourceGroupId resourceGroup);

core/trino-main/src/main/java/io/trino/dispatcher/LocalDispatchQueryFactory.java

@@ -38,12 +38,14 @@
 import io.trino.server.protocol.Slug;
 import io.trino.spi.TrinoException;
 import io.trino.spi.resourcegroups.ResourceGroupId;
+import io.trino.sql.RedactedQuery;
 import io.trino.sql.tree.Statement;
 import io.trino.transaction.TransactionId;
 import io.trino.transaction.TransactionManager;
 
 import java.util.Map;
 import java.util.Optional;
+import java.util.function.Function;
 
 import static io.trino.spi.StandardErrorCode.NOT_SUPPORTED;
 import static io.trino.util.StatementUtils.getQueryType;
@@ -108,7 +110,7 @@ public LocalDispatchQueryFactory(
     public DispatchQuery createDispatchQuery(
             Session session,
             Optional<TransactionId> existingTransactionId,
-            String query,
+            Function<Session, RedactedQuery> queryProvider,
             PreparedQuery preparedQuery,
             Slug slug,
             ResourceGroupId resourceGroup)
@@ -117,8 +119,7 @@ public DispatchQuery createDispatchQuery(
         PlanOptimizersStatsCollector planOptimizersStatsCollector = new PlanOptimizersStatsCollector(queryReportedRuleStatsLimit);
         QueryStateMachine stateMachine = QueryStateMachine.begin(
                 existingTransactionId,
-                query,
-                preparedQuery.getPrepareSql(),
+                queryProvider,
                 session,
                 locationFactory.createQueryLocation(session.getQueryId()),
                 resourceGroup,

core/trino-main/src/main/java/io/trino/execution/CreateCatalogTask.java

@@ -86,7 +86,7 @@ public ListenableFuture<Void> execute(
         return immediateVoidFuture();
     }
 
-    private static Map<String, String> evaluateProperties(
+    public static Map<String, String> evaluateProperties(
             CreateCatalog statement,
             Session session,
             PlannerContext plannerContext,

core/trino-main/src/main/java/io/trino/execution/QueryPreparer.java

@@ -86,7 +86,7 @@ else if (wrappedStatement instanceof ExecuteImmediate executeImmediateStatement)
         }
         validateParameters(statement, parameters);
 
-        return new PreparedQuery(statement, parameters, prepareSql);
+        return new PreparedQuery(wrappedStatement, statement, parameters, prepareSql);
     }
 
     private static void validateParameters(Statement node, List<Expression> parameterValues)
@@ -102,17 +102,24 @@ private static void validateParameters(Statement node, List<Expression> paramete
 
     public static class PreparedQuery
     {
+        private final Statement wrappedStatement;
         private final Statement statement;
         private final List<Expression> parameters;
         private final Optional<String> prepareSql;
 
-        public PreparedQuery(Statement statement, List<Expression> parameters, Optional<String> prepareSql)
+        public PreparedQuery(Statement wrappedStatement, Statement statement, List<Expression> parameters, Optional<String> prepareSql)
         {
+            this.wrappedStatement = requireNonNull(wrappedStatement, "wrappedStatement is null");
             this.statement = requireNonNull(statement, "statement is null");
             this.parameters = ImmutableList.copyOf(requireNonNull(parameters, "parameters is null"));
             this.prepareSql = requireNonNull(prepareSql, "prepareSql is null");
         }
 
+        public Statement getWrappedStatement()
+        {
+            return wrappedStatement;
+        }
+
         public Statement getStatement()
         {
             return statement;

core/trino-main/src/main/java/io/trino/execution/QueryStateMachine.java

@@ -53,6 +53,7 @@
 import io.trino.spi.resourcegroups.ResourceGroupId;
 import io.trino.spi.security.SelectedRole;
 import io.trino.spi.type.Type;
+import io.trino.sql.RedactedQuery;
 import io.trino.sql.analyzer.Output;
 import io.trino.sql.planner.PlanFragment;
 import io.trino.tracing.TrinoAttributes;
@@ -80,6 +81,7 @@
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Consumer;
+import java.util.function.Function;
 import java.util.function.Supplier;
 
 import static com.google.common.base.Preconditions.checkArgument;
@@ -231,8 +233,7 @@ private QueryStateMachine(
      */
     public static QueryStateMachine begin(
             Optional<TransactionId> existingTransactionId,
-            String query,
-            Optional<String> preparedQuery,
+            Function<Session, RedactedQuery> queryProvider,
             Session session,
             URI self,
             ResourceGroupId resourceGroup,
@@ -249,8 +250,7 @@ public static QueryStateMachine begin(
     {
         return beginWithTicker(
                 existingTransactionId,
-                query,
-                preparedQuery,
+                queryProvider,
                 session,
                 self,
                 resourceGroup,
@@ -269,8 +269,7 @@ public static QueryStateMachine begin(
 
     static QueryStateMachine beginWithTicker(
             Optional<TransactionId> existingTransactionId,
-            String query,
-            Optional<String> preparedQuery,
+            Function<Session, RedactedQuery> queryProvider,
             Session session,
             URI self,
             ResourceGroupId resourceGroup,
@@ -318,9 +317,11 @@ static QueryStateMachine beginWithTicker(
 
         querySpan.setAttribute(TrinoAttributes.QUERY_TYPE, queryType.map(Enum::name).orElse("UNKNOWN"));
 
+        RedactedQuery redactedQuery = queryProvider.apply(session);
+
         QueryStateMachine queryStateMachine = new QueryStateMachine(
-                query,
-                preparedQuery,
+                redactedQuery.query(),
+                redactedQuery.preparedQuery(),
                 session,
                 self,
                 resourceGroup,