Skip to content

Add connector SPI for returning security-sensitive properties #23103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Add connector SPI for returning security-sensitive properties #23103

wants to merge 2 commits into from

Conversation

piotrrzysko
Copy link
Member

@piotrrzysko piotrrzysko commented Aug 22, 2024
edited
Loading

Description

This PR implements the SPI changes proposed in #22887. In the issue, we suggested that connectors should return security-sensitive properties. During the development of this PR, we realized it would be more flexible to retrieve these properties from connector factories, as in some cases, we want to mask security-sensitive properties before a connector is initiated. For instance, when creating a new catalog with the CREATE CATALOG statement.

Additionally, this PR includes an implementation of the new SPI for the PostgreSQL connector. Once we confirm that the approach is correct, we will apply it to the remaining connectors.

Here is a PR demonstrating how the new SPI could be used to mask security-sensitive properties in queries related to creating catalogs: #23104.

Additional context and related issues

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(x) Release notes are required, with the following suggested text:

# Section
* Add connector SPI for returning security-sensitive properties. ({issue}`issuenumber`)

@piotrrzysko
Add SPI for returning connectors' sensitive properties
35b5471 
The SPI will be used by the engine to mask security-sensitive
information in statements that manage catalogs. It has been added at the
connector factory level, rather than the connector level, to allow more
flexibility in retrieving properties. In some cases, we want to perform
masking before a connector is initiated. For example, when we create a
new catalog by issuing the CREATE CATALOG statement.
@cla-bot cla-bot bot added the cla-signed label Aug 22, 2024
This was referenced Aug 22, 2024
Closed
Closed
@piotrrzysko
Expose sensitive properties for PostgreSQL connector
41589ee 
The purpose of the included test is to identify security-sensitive
properties that may be used by the connector. It uses the output
generated by the maven-dependency-plugin, configured in the connector's
pom.xml file. This output contains the connector's runtime classpath,
which is then scanned to identify all property names annotated with
@ConfigSecuritySensitive. Scanning the classpath ensures that all
configuration classes are included, even those used conditionally.
@piotrrzysko piotrrzysko force-pushed the piotrrzysko/sensitive-properties-spi branch from 1586f14 to 41589ee Compare August 22, 2024 07:09
@piotrrzysko piotrrzysko marked this pull request as ready for review August 22, 2024 08:22
@hashhar hashhar mentioned this pull request Aug 22, 2024
Open
@piotrrzysko piotrrzysko marked this pull request as draft August 24, 2024 07:13
@piotrrzysko piotrrzysko mentioned this pull request Dec 23, 2024
Open
@piotrrzysko
Copy link
Member Author

Closing in favour of #24562

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
cla-signed
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add system to identify security sensitive catalog properties
1 participant
@piotrrzysko