Skip to content

[Fix](log) mask AI resource api key in logs#65557

Open
linrrzqqq wants to merge 1 commit into
apache:masterfrom
linrrzqqq:mask-ai-resource
Open

[Fix](log) mask AI resource api key in logs#65557
linrrzqqq wants to merge 1 commit into
apache:masterfrom
linrrzqqq:mask-ai-resource

Conversation

@linrrzqqq

Copy link
Copy Markdown
Collaborator

Problem Summary:

CREATE RESOURCE ... PROPERTIES('ai.api_key' = '...') could expose the API key in:

  • fe.audit.log / __internal_schema.audit_log because resource properties were not handled by LogicalPlanBuilderForEncryption.
  • fe.log when enable_print_request_before_execution=true because StmtExecutor printed the original SQL directly.
  • Even if resource SQL rewriting was added, ai.api_key was not registered as a sensitive key.

Fix:

  • Add ai.api_key to the shared sensitive property key set.
  • Mask CREATE RESOURCE and ALTER RESOURCE properties in audit SQL rewriting.
  • Reuse NeedAuditEncryption SQL masking for StmtExecutor's enable_print_request_before_execution log path.

@hello-stephen

Copy link
Copy Markdown
Contributor

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants