Redact sensitive information in catalog queries

[piotrrzysko]

Description

This a follow-up to #24562 that introduces redacting of security-sensitive information in statements containing connector properties, specifically:

• CREATE CATALOG
• EXPLAIN CREATE CATALOG
• PREPARE CREATE CATALOG

The current approach is as follows:

• For syntactically valid statements, only properties containing sensitive information are masked.
• If a valid query references a nonexistent connector, all properties are masked.
• If a query fails before or during parsing, nothing is masked.

Redacted queries are returned through the REST API, the system.runtime.queries table, and query events (QueryCreatedEvent and QueryCompletedEvent).

Notice that currently this PR includes 7 commits from #24562.

Additional context and related issues

• Follow-up to Add connector SPI for returning redactable properties #24562
• Resolves Redact properties from CREATE CATALOG in query info, so they are not present in any outputs #23106

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(x) Release notes are required, with the following suggested text:

## Section
* Redact sensitive information in statements containing connector properties. ({issue}`23106`)

[hashhar]

Looks mostly good to me. Some comments.

[hashhar]

@mosabua for suggestions about config naming. 😄

[dain]

I'm not sure we want an option to disable this. Maybe as a temporary kill switch, but we should remove this as soon as we are happy with this feature

[hashhar]

Agreed, we can prefix with experimental. in that case like we have done in past to clarify this. Or maybe deprecated. from the beginning.

[piotrrzysko]

Added deprecated. prefix.

[hashhar]

Is there some way to notice when we need to add new node visitors here?

Should this be a "wrapper" like the various Forwarding*** classes and a test to assert that full set of methods is overridden? That way once new methods get added we'll explicitly need to either override to do no-op or to redact?

WDYT? Might be overkill for now so need to change anything - just to have a discussion.

[piotrrzysko]

That's a good point.

Perhaps this test could verify that all (minus exclusions) visit methods are implemented only for Statement nodes and not for all possible Node types.

I think adding such a test is feasible, but I'll hold off for now to ensure we’ve reached agreement on the core parts of this functionality (e.g., the SPI, where the redacting is performed, etc.).

[hashhar]

this automatically also handles things like event listener and QueryResource right?

Might be worth to explicitly call it out in the commit message (although you do imply that by mentioning anything using QueryInfo/BasicQueryInfo).

[piotrrzysko]

this automatically also handles things like event listener and QueryResource right?

Correct.

I extracted tests confirming that to separate commits into separate commits to avoid distracting from the core functionality of redacting.

I refined the commit message and included your suggestion.

[dain]

I'm not sure we want an option to disable this. Maybe as a temporary kill switch, but we should remove this as soon as we are happy with this feature

[dain]

We should consider a better value here than just ***. We could also consider using a special function like $redacted$(), which just throws exceptions if you try to actuall call that function.

[hashhar]

*** seems to be almost what everyone uses for redaction.

Can you expand on the function idea? Is that to make it so that the output of SHOW CREATE CATALOG (as an example) is valid but still fails when you try to run it.

[piotrrzysko]

A few questions/suggestions:

1. For now, I’m not masking syntactically invalid or unsupported queries (e.g., EXPLAIN ANALYZE CREATE CATALOG) in any way. Initially, I handled this by replacing the entire query text with ***. However, this seems like a significant change from the user’s perspective. I suggest starting a separate discussion about it and addressing it as a follow-up if needed.

   Another example of syntactically valid but unsupported query (fails with Unsupported statement type: ExecuteImmediate):

   PREPARE create_catalog FROM
   EXECUTE IMMEDIATE 
   'CREATE CATALOG cat USING postgresql WITH (
      "connection-url" = ''jdbc:postgresql://localhost:4000/trino'',
      "connection-user" = ''admin'',
      "connection-password" = ''1234''
   )';

2. Regarding $redacted$() vs. ***, I propose creating a GitHub issue to start a discussion. I believe we need to involve more people in this conversation. If we decide to go with $redacted$(), input from Martin would be necessary, as this is a syntax-related change.

3. I noticed an inconsistency around PREPARE CREATE CATALOG. While issuing PREPARE CREATE CATALOG is allowed, executing the prepared statement is not. Please take a look at this test: link.
   Currently, I’m not masking EXECUTE arguments because I’m unsure which direction we prefer:

   • Forbid PREPARE CREATE CATALOG, or
   • Add full support for it.

4. There are more places than just the query and preparedQuery fields in QueryInfo and query events where prepared statements may leak. The places I’ve identified so far are:

   • io.trino.SessionRepresentation#preparedStatements
   • io.trino.execution.QueryInfo#addedPreparedStatements

   I haven’t addressed these yet because I’d like to first discuss point 3.

@dain @hashhar I'd appreciate your feedback.

[hashhar]

2. I like the idea of a function that throws a error that you need to use a secret reference here because it allows the SHOW output to be valid SQL while preserving the fact that secrets are required.

3. IMO we should forbid PREPARE with arguments in general for all DDL - none of them works right now. PREPARE without arguments IMO should still be allowed because for example lot of tools might have a habit of using PreparedStatement in JDBC even if there are no arguments.

4. QueryInfo is only returned from v1/query from quick checking - if so then it's actually "secure" since the endpoint itself is protected via checkCanViewQuery (i.e. sysadmin + owner by default). But yes users can misconfigure their access control to allow checkCanViewQuery to pass for a wide group of people. Not sure of alternative ways of protecting QueryInfo.

[github-actions]

This pull request has gone a while without any activity. Tagging for triage help: @mosabua

[martint]

This should be an error, actually. It should throw IllegalArgumentException.

[piotrrzysko]

But then the query will fail during redaction. The idea is to avoid disrupting the natural flow and let it fail where it normally would if redaction didn't exist.

[martint]

Why would a query fail during redaction if it hasn’t first failed during analysis? I.e., it’s a condition that should never occur.

[piotrrzysko]

We perform redaction at a very early stage (before the query state machine is created) to modify query text exposed in query events and QueryInfo. I believe that verifying the existence of a given connector happens only during execution, for example, in CreateCatalogTask.

[martint]

I’m very confused about the purpose of this change, then. It redaction happens before analysis, how is the analyzer and execution engine able to see the unredacted values so that it can to its job?

Can you describe the technical approach at a high level so that I don’t have to reverse engineer what the code is trying to achieve?

[piotrrzysko]

Please let me know if the following helps:

Problem

Currently, when we execute a CREATE CATALOG statement containing plaintext secrets, unredacted query text is exposed via the REST API, the system.runtime.queries table, and query events.

Goal

Instead of displaying the query text in its raw form in the locations mentioned above, such as:

CREATE CATALOG test USING postgresql  
WITH (  
   "connection-user" = 'bob',  
   "connection-password" = '1234'  
)  

we aim to redact security-sensitive property values:

CREATE CATALOG test USING postgresql  
WITH (  
   "connection-user" = 'bob',  
   "connection-password" = '***'  
)  

Proposed Solution

The REST API, the system.runtime.queries table, and query events obtain query text from the QueryInfo object. Based on our research, the query text contained in QueryInfo is not interpreted anywhere in the engine.

The QueryInfo object is created by the QueryStateMachine. To redact the query text, we propose performing redaction after the query is parsed (to ensure we have the AST, available for traversal and redaction) but before the QueryStateMachine is created.

Since redaction occurs at an early stage of query processing, we need to duplicate some logic that is typically performed during analysis and execution. For example, this includes evaluating catalog properties. Additionally, we do not want to disrupt the normal query processing flow; therefore, we ensure the query never fails due to redaction. If, for any reason, redaction is not possible, we will resort to masking all properties.

To identify security-sensitive properties for a given connector, we propose introducing a new SPI to expose them: #24562

[martint]

I have concerns about this approach. This couples the implementation with the AST structure and visitor infrastructure, and it requires performing actions that should be the responsibility of the analyzer (e.g., the logic in visitCreateCatalog). In particular, the dependency on CreateCatalogTask.evaluateProperties is not appropriate.

Also, this is not sufficient -- what about values in query plans that may be derived from security sensitive properties? E.g., a TableHandle in a plan may need to include the URL/user/password for a database. Running an EXPLAIN would expose those details.

[piotrrzysko]

Also, this is not sufficient -- what about values in query plans that may be derived from security sensitive properties? E.g., a TableHandle in a plan may need to include the URL/user/password for a database. Running an EXPLAIN would expose those details.

I tried to reproduce this but I couldn't find a case where TableHandle includes catalog properties. Do you have any specific example when this might happen? Also, is my understanding correct that if security-sensitive properties might leak in EXPLAIN output, it is something that unrelated strictly to dynamic catalogs and might happen for static catalogs as well?

[github-actions]

This pull request has gone a while without any activity. Tagging for triage help: @mosabua