From a3944d6c76548094fe47e99bd4ef2b9ffc611450 Mon Sep 17 00:00:00 2001 From: zemin Date: Tue, 23 Aug 2022 21:46:24 +0200 Subject: [PATCH 1/5] apache#12063 Ease of hidding sensitive properties from /status/properties endpoint --- .../druid/client/DruidServerConfig.java | 7 +++++ .../apache/druid/server/StatusResource.java | 22 +++++++++++++- .../druid/server/StatusResourceTest.java | 13 +++++++- ...tatus.resource.test.runtime.hpc.properties | 30 +++++++++++++++++++ 4 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 server/src/test/resources/status.resource.test.runtime.hpc.properties diff --git a/server/src/main/java/org/apache/druid/client/DruidServerConfig.java b/server/src/main/java/org/apache/druid/client/DruidServerConfig.java index 7c15789e5e8b..9b1f9537cd40 100644 --- a/server/src/main/java/org/apache/druid/client/DruidServerConfig.java +++ b/server/src/main/java/org/apache/druid/client/DruidServerConfig.java @@ -49,6 +49,8 @@ public class DruidServerConfig @NotNull private Set hiddenProperties = Sets.newHashSet("druid.s3.accessKey", "druid.s3.secretKey", "druid.metadata.storage.connector.password"); + @JsonProperty + private Set hiddenPropertiesContain = Sets.newHashSet("password", "key", "token", "pwd"); private SegmentLoaderConfig segmentLoaderConfig; // Guice inject added here to properly bind this dependency into its dependents such as StatusResource @@ -84,4 +86,9 @@ public Set getHiddenProperties() return hiddenProperties; } + public Set getHiddenPropertiesContain() + { + return hiddenPropertiesContain; + } + } diff --git a/server/src/main/java/org/apache/druid/server/StatusResource.java b/server/src/main/java/org/apache/druid/server/StatusResource.java index ed4c626a37ea..9db2915433df 100644 --- a/server/src/main/java/org/apache/druid/server/StatusResource.java +++ b/server/src/main/java/org/apache/druid/server/StatusResource.java 
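Review bot: In the `@@ -49,6 +49,8 @@` hunk of DruidServerConfig.java, `hiddenPropertiesContain` is declared with `@JsonProperty` only, while `hiddenProperties` just above it also carries `@NotNull`. A null value from configuration would presumably surface only as a NullPointerException when StatusResource calls `.stream()` on the set while serving `/status/properties`. I would add `@NotNull` above the new field and a short comment such as `// substrings matched against property names; any key containing one is hidden from /status/properties`. The getter added in `@@ -84,4 +86,9 @@` returns the mutable backing set, as the existing getter does.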
@@ -32,6 +32,7 @@ import org.apache.druid.utils.JvmUtils; import org.apache.druid.utils.RuntimeInfo; +import javax.annotation.Nonnull; import javax.inject.Inject; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.GET; @@ -75,7 +76,26 @@ public Map getProperties() { Map allProperties = Maps.fromProperties(properties); Set hidderProperties = druidServerConfig.getHiddenProperties(); - return Maps.filterEntries(allProperties, (entry) -> !hidderProperties.contains(entry.getKey())); + Set hidderPropertiesContain = druidServerConfig.getHiddenPropertiesContain(); + Map unhiddenProperties = Maps.filterEntries(allProperties, (entry) -> !hidderProperties.contains(entry.getKey())); + return filterHiddenPropertiesContain(hidderPropertiesContain, unhiddenProperties); + } + + @Nonnull + private Map filterHiddenPropertiesContain( + Set hidderPropertiesContain, + Map unhiddenProperties + ) + { + return Maps.filterEntries( + unhiddenProperties, + (entry) -> hidderPropertiesContain + .stream() + .anyMatch( + hiddenPropertyElement -> + !entry.getKey().contains(hiddenPropertyElement) + ) + ); } @GET diff --git a/server/src/test/java/org/apache/druid/server/StatusResourceTest.java b/server/src/test/java/org/apache/druid/server/StatusResourceTest.java index 0a1de9d01ffe..e5f7bee77413 100644 --- a/server/src/test/java/org/apache/druid/server/StatusResourceTest.java +++ b/server/src/test/java/org/apache/druid/server/StatusResourceTest.java @@ -62,7 +62,7 @@ public void testLoadedModules() } @Test - public void testPropertiesWithRestrictedConfigs() + public void testHiddenProperties() { Injector injector = Guice.createInjector(Collections.singletonList(new PropertiesModule(Collections.singletonList( "status.resource.test.runtime.properties")))); 
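Review bot: The predicate in `filterHiddenPropertiesContain` (hunk `@@ -75,7 +76,26 @@`) is inverted: `anyMatch(el -> !entry.getKey().contains(el))` keeps an entry as soon as one configured substring is absent from the key. With four default substrings, a key that contains `password` but not `token` is therefore still returned. An entry should be kept only when no substring matches: `.noneMatch(hiddenPropertyElement -> entry.getKey().contains(hiddenPropertyElement))`. As written, an empty set fails the other way and hides every property. The same `anyMatch(... !...contains(...))` shape is carried through the later StatusResource.java hunks `@@ -93,7 +93,7 @@` and `@@ -76,20 +78,18 @@`; once the exact-match pass is removed there, even the three original default names are no longer hidden, since no key contains all three.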
@@ -71,4 +71,15 @@ public void testPropertiesWithRestrictedConfigs() Splitter.on(",").split(returnedProperties.get("druid.server.hiddenProperties")).forEach(hiddenProperties::add); hiddenProperties.forEach((property) -> Assert.assertNull(returnedProperties.get(property))); } + + @Test + public void testHiddenPropertiesContain() + { + Injector injector = Guice.createInjector(Collections.singletonList(new PropertiesModule(Collections.singletonList( + "status.resource.test.runtime.hpc.properties")))); + Map returnedProperties = injector.getInstance(StatusResource.class).getProperties(); + Set hiddenPropertiesContain = new HashSet<>(); + Splitter.on(",").split(returnedProperties.get("druid.server.hiddenPropertiesContain")).forEach(hiddenPropertiesContain::add); + hiddenPropertiesContain.forEach((property) -> Assert.assertFalse(returnedProperties.keySet().stream().anyMatch((returnedProperty) -> returnedProperty.contains(property)))); + } } diff --git a/server/src/test/resources/status.resource.test.runtime.hpc.properties b/server/src/test/resources/status.resource.test.runtime.hpc.properties new file mode 100644 index 000000000000..ea13c8bc3bb9 --- /dev/null +++ b/server/src/test/resources/status.resource.test.runtime.hpc.properties 
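Review bot: `testHiddenPropertiesContain` can pass without anything being hidden, because it splits the property value on `,`. With the fixture line `druid.server.hiddenPropertiesContain=["password","key","token","pwd"]`, and assuming the value is returned as the raw string, the pieces are `["password"`, `"key"` and so on, brackets and quotes included, and no property name contains those. I would assert on fixed names instead, for example `Assert.assertFalse(returnedProperties.containsKey("druid.metadata.storage.connector.password"));`, and add to the fixture a secret-like key that is not on the exact-name list. A positive check such as `Assert.assertTrue(returnedProperties.containsKey("druid.storage.type"));` would also catch a filter that hides everything. The helper introduced later in the `@@ -64,22 +66,34 @@` hunk keeps the same split.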
@@ -0,0 +1,30 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +druid.server.hiddenPropertiesContain=["password","key","token","pwd"] +druid.storage.type=s3 +druid.storage.bucket=your-bucket +druid.storage.baseKey=druid/segments +druid.s3.accessKey=s3accesskey +druid.s3.secretKey=s3secretkey + +druid.metadata.storage.type=mysql +druid.metadata.storage.connector.connectURI=jdbc:mysql://db.example.com:3306/druid +druid.metadata.storage.connector.user=druiduser +druid.metadata.storage.connector.password=password123 From a5e8236b22fc8b9b1d2d208e05bb167ad9a3e8e2 Mon Sep 17 00:00:00 2001 From: zemin Date: Wed, 24 Aug 2022 19:16:48 +0200 Subject: [PATCH 2/5] apache#12063 Ease of hidding sensitive properties from /status/properties endpoint --- .../src/main/java/org/apache/druid/server/StatusResource.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/src/main/java/org/apache/druid/server/StatusResource.java b/server/src/main/java/org/apache/druid/server/StatusResource.java index 9db2915433df..f5bdd1a1e8fe 100644 --- a/server/src/main/java/org/apache/druid/server/StatusResource.java +++ b/server/src/main/java/org/apache/druid/server/StatusResource.java 
@@ -93,7 +93,7 @@ private Map filterHiddenPropertiesContain( .stream() .anyMatch( hiddenPropertyElement -> - !entry.getKey().contains(hiddenPropertyElement) + !StringUtils.toLowerCase(entry.getKey()).contains(StringUtils.toLowerCase(hiddenPropertyElement)) ) ); } From d0cca4998bfa14dcd10e62c06195f4774e3b11ea Mon Sep 17 00:00:00 2001 From: zemin Date: Thu, 25 Aug 2022 21:50:16 +0200 Subject: [PATCH 3/5] apache#12063 Ease of hidding sensitive properties from /status/properties endpoint using one property for hiding properties, updated the index.md to document hiddenProperties --- docs/configuration/index.md | 8 +++++ .../druid/client/DruidServerConfig.java | 6 ---- .../apache/druid/server/StatusResource.java | 18 +++++----- .../druid/server/StatusResourceTest.java | 34 +++++++++++++------ ...tatus.resource.test.runtime.hpc.properties | 2 +- 5 files changed, 42 insertions(+), 26 deletions(-) diff --git a/docs/configuration/index.md b/docs/configuration/index.md index 06939316b847..d27ed25a16d4 100644 --- a/docs/configuration/index.md +++ b/docs/configuration/index.md 
@@ -787,6 +787,14 @@ All Druid components can communicate with each other over HTTP. |`druid.global.http.unusedConnectionTimeout`|The timeout for idle connections in connection pool. The connection in the pool will be closed after this timeout and a new one will be established. This timeout should be less than `druid.global.http.readTimeout`. Set this timeout = ~90% of `druid.global.http.readTimeout`|`PT4M`| |`druid.global.http.numMaxThreads`|Maximum number of I/O worker threads|`max(10, ((number of cores * 17) / 16 + 2) + 30)`| +### Common endpoints Configuration + +This section contains the configuration options for endpoints that are supported by all processes. + +|Property| Description |Default| +|--------|----------------------------------------------------------------------------------------------------------------------------------------------|-------| +|`druid.server.hiddenProperties`| If property names or substring of property names (case insensitive) is in this list, responses of the `/status/properties` endpoint do not show these properties |`["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password"]`| + ## Master Server This section contains the configuration options for the processes that reside on Master servers (Coordinators and Overlords) in the suggested [three-server configuration](../design/processes.md#server-types). diff --git a/server/src/main/java/org/apache/druid/client/DruidServerConfig.java b/server/src/main/java/org/apache/druid/client/DruidServerConfig.java index 9b1f9537cd40..8e4b495cf336 100644 --- a/server/src/main/java/org/apache/druid/client/DruidServerConfig.java +++ b/server/src/main/java/org/apache/druid/client/DruidServerConfig.java 
@@ -49,8 +49,6 @@ public class DruidServerConfig @NotNull private Set hiddenProperties = Sets.newHashSet("druid.s3.accessKey", "druid.s3.secretKey", "druid.metadata.storage.connector.password"); - @JsonProperty - private Set hiddenPropertiesContain = Sets.newHashSet("password", "key", "token", "pwd"); private SegmentLoaderConfig segmentLoaderConfig; // Guice inject added here to properly bind this dependency into its dependents such as StatusResource @@ -86,9 +84,5 @@ public Set getHiddenProperties() return hiddenProperties; } - public Set getHiddenPropertiesContain() - { - return hiddenPropertiesContain; - } } diff --git a/server/src/main/java/org/apache/druid/server/StatusResource.java b/server/src/main/java/org/apache/druid/server/StatusResource.java index f5bdd1a1e8fe..5aa12eed23ab 100644 --- a/server/src/main/java/org/apache/druid/server/StatusResource.java +++ b/server/src/main/java/org/apache/druid/server/StatusResource.java @@ -49,6 +49,7 @@ import java.util.Set; /** + * */ @Path("/status") public class StatusResource @@ -61,7 +62,8 @@ public class StatusResource public StatusResource( final Properties properties, final DruidServerConfig druidServerConfig, - final ExtensionsLoader extnLoader) + final ExtensionsLoader extnLoader + ) { this.properties = properties; this.druidServerConfig = druidServerConfig; 
@@ -76,20 +78,18 @@ public Map getProperties() { Map allProperties = Maps.fromProperties(properties); Set hidderProperties = druidServerConfig.getHiddenProperties(); - Set hidderPropertiesContain = druidServerConfig.getHiddenPropertiesContain(); - Map unhiddenProperties = Maps.filterEntries(allProperties, (entry) -> !hidderProperties.contains(entry.getKey())); - return filterHiddenPropertiesContain(hidderPropertiesContain, unhiddenProperties); + return filterHiddenProperties(hidderProperties, allProperties); } @Nonnull - private Map filterHiddenPropertiesContain( - Set hidderPropertiesContain, - Map unhiddenProperties + private Map filterHiddenProperties( + Set hidderProperties, + Map allProperties ) { return Maps.filterEntries( - unhiddenProperties, - (entry) -> hidderPropertiesContain + allProperties, + (entry) -> hidderProperties .stream() .anyMatch( hiddenPropertyElement -> diff --git a/server/src/test/java/org/apache/druid/server/StatusResourceTest.java b/server/src/test/java/org/apache/druid/server/StatusResourceTest.java index e5f7bee77413..e72c34e64ba1 100644 --- a/server/src/test/java/org/apache/druid/server/StatusResourceTest.java +++ b/server/src/test/java/org/apache/druid/server/StatusResourceTest.java @@ -26,6 +26,7 @@ import org.apache.druid.guice.PropertiesModule; import org.apache.druid.initialization.DruidModule; import org.apache.druid.initialization.ServerInjectorBuilderTest; +import org.apache.druid.java.util.common.StringUtils; import org.junit.Assert; import org.junit.Test; @@ -35,6 +36,7 @@ import java.util.List; import java.util.Map; import java.util.Set; +import java.util.stream.Collectors; public class StatusResourceTest { 
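Review bot: Dropping the exact-match pass from `getProperties` in `@@ -76,20 +78,18 @@` changes what an existing `druid.server.hiddenProperties` list means: every entry is now compared as a case-insensitive substring of the property name rather than as an exact name. Operators who configured full names get broader hiding than they asked for, and nothing at the call site says so. I would add a comment above the `filterHiddenProperties` call, e.g. `// entries are case-insensitive substrings of the property name, not exact names`. The body of `filterHiddenProperties` continues past the end of this hunk.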
@@ -64,22 +66,34 @@ public void testLoadedModules() @Test public void testHiddenProperties() { - Injector injector = Guice.createInjector(Collections.singletonList(new PropertiesModule(Collections.singletonList( - "status.resource.test.runtime.properties")))); - Map returnedProperties = injector.getInstance(StatusResource.class).getProperties(); - Set hiddenProperties = new HashSet<>(); - Splitter.on(",").split(returnedProperties.get("druid.server.hiddenProperties")).forEach(hiddenProperties::add); - hiddenProperties.forEach((property) -> Assert.assertNull(returnedProperties.get(property))); + testHiddenPropertiesWithPropertyFileName("status.resource.test.runtime.properties"); } @Test public void testHiddenPropertiesContain() + { + testHiddenPropertiesWithPropertyFileName("status.resource.test.runtime.hpc.properties"); + } + + private void testHiddenPropertiesWithPropertyFileName(String fileName) { Injector injector = Guice.createInjector(Collections.singletonList(new PropertiesModule(Collections.singletonList( - "status.resource.test.runtime.hpc.properties")))); + fileName)))); Map returnedProperties = injector.getInstance(StatusResource.class).getProperties(); - Set hiddenPropertiesContain = new HashSet<>(); - Splitter.on(",").split(returnedProperties.get("druid.server.hiddenPropertiesContain")).forEach(hiddenPropertiesContain::add); - hiddenPropertiesContain.forEach((property) -> Assert.assertFalse(returnedProperties.keySet().stream().anyMatch((returnedProperty) -> returnedProperty.contains(property)))); + Set lowerCasePropertyNames = returnedProperties.keySet() + .stream() + .map(StringUtils::toLowerCase) + .collect(Collectors.toSet()); + Set hiddenProperties = new HashSet<>(); + Splitter.on(",").split(returnedProperties.get("druid.server.hiddenProperties")).forEach(hiddenProperties::add); + hiddenProperties.forEach( + (property) -> { + lowerCasePropertyNames.forEach( + lowerCasePropertyName -> 
Assert.assertFalse(lowerCasePropertyName.contains(StringUtils.toLowerCase( + property))) + ); + } + ); } + } diff --git a/server/src/test/resources/status.resource.test.runtime.hpc.properties b/server/src/test/resources/status.resource.test.runtime.hpc.properties index ea13c8bc3bb9..5d278669dc95 100644 --- a/server/src/test/resources/status.resource.test.runtime.hpc.properties +++ b/server/src/test/resources/status.resource.test.runtime.hpc.properties @@ -17,7 +17,7 @@ # under the License. # -druid.server.hiddenPropertiesContain=["password","key","token","pwd"] +druid.server.hiddenProperties=["password","key","token","pwd"] druid.storage.type=s3 druid.storage.bucket=your-bucket druid.storage.baseKey=druid/segments From 377d4c6b8cc57142736f8d3459496d6f105d2797 Mon Sep 17 00:00:00 2001 From: zemin Date: Thu, 25 Aug 2022 21:57:56 +0200 Subject: [PATCH 4/5] apache#12063 Ease of hidding sensitive properties from /status/properties endpoint Added java docs --- .../main/java/org/apache/druid/server/StatusResource.java | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/server/src/main/java/org/apache/druid/server/StatusResource.java b/server/src/main/java/org/apache/druid/server/StatusResource.java index 5aa12eed23ab..cebc9130b364 100644 --- a/server/src/main/java/org/apache/druid/server/StatusResource.java +++ b/server/src/main/java/org/apache/druid/server/StatusResource.java @@ -81,6 +81,11 @@ public Map getProperties() return filterHiddenProperties(hidderProperties, allProperties); } + /** + * filter out entries from allProperties with key containing elements in hidderProperties (case insensitive) + * + * @return map of properties that are not filtered out. + */ @Nonnull private Map filterHiddenProperties( Set hidderProperties, From f224f4c4a87250e42bde86947f24582a767dc73b Mon Sep 17 00:00:00 2001 
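Review bot: The Javadoc added in `@@ -81,6 +81,11 @@` does not say that only property names are inspected, so a reader may assume values are redacted as well. A secret embedded in a value, for instance credentials inside a connect URI, would still be returned by `/status/properties`. I would add a sentence such as `Only keys are matched; values are never inspected.` and `@param` lines for both parameters, stating that the first holds substrings rather than full names.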
From: zemin Date: Fri, 26 Aug 2022 22:00:30 +0200 Subject: [PATCH 5/5] apache#12063 Ease of hidding sensitive properties from /status/properties endpoint Add "password", "key", "token", "pwd" as default druid.server.hiddenProperties fixed typo and removed redundant space --- docs/configuration/index.md | 6 +++--- .../druid/cluster/_common/common.runtime.properties | 2 +- .../large/_common/common.runtime.properties | 2 +- .../medium/_common/common.runtime.properties | 2 +- .../micro-quickstart/_common/common.runtime.properties | 2 +- .../nano-quickstart/_common/common.runtime.properties | 2 +- .../small/_common/common.runtime.properties | 2 +- .../xlarge/_common/common.runtime.properties | 2 +- .../org/apache/druid/client/DruidServerConfig.java | 5 +++-- .../java/org/apache/druid/server/StatusResource.java | 10 +++++----- 10 files changed, 18 insertions(+), 17 deletions(-) diff --git a/docs/configuration/index.md b/docs/configuration/index.md index d27ed25a16d4..e327249eca12 100644 --- a/docs/configuration/index.md +++ b/docs/configuration/index.md 
@@ -791,9 +791,9 @@ All Druid components can communicate with each other over HTTP. This section contains the configuration options for endpoints that are supported by all processes. -|Property| Description |Default| -|--------|----------------------------------------------------------------------------------------------------------------------------------------------|-------| -|`druid.server.hiddenProperties`| If property names or substring of property names (case insensitive) is in this list, responses of the `/status/properties` endpoint do not show these properties |`["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password"]`| +|Property| Description | Default | +|--------|----------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------| +|`druid.server.hiddenProperties`| If property names or substring of property names (case insensitive) is in this list, responses of the `/status/properties` endpoint do not show these properties | `["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password", "password", "key", "token", "pwd"]` | ## Master Server diff --git a/examples/conf/druid/cluster/_common/common.runtime.properties b/examples/conf/druid/cluster/_common/common.runtime.properties index eafa11742d5d..b0adb0695cd7 100644 --- a/examples/conf/druid/cluster/_common/common.runtime.properties +++ b/examples/conf/druid/cluster/_common/common.runtime.properties @@ -131,7 +131,7 @@ druid.indexing.doubleStorage=double # # Security # -druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password"] +druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password", "password", "key", "token", "pwd"] # 
diff --git a/examples/conf/druid/single-server/large/_common/common.runtime.properties b/examples/conf/druid/single-server/large/_common/common.runtime.properties index eafa11742d5d..b0adb0695cd7 100644 --- a/examples/conf/druid/single-server/large/_common/common.runtime.properties +++ b/examples/conf/druid/single-server/large/_common/common.runtime.properties @@ -131,7 +131,7 @@ druid.indexing.doubleStorage=double # # Security # -druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password"] +druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password", "password", "key", "token", "pwd"] # diff --git a/examples/conf/druid/single-server/medium/_common/common.runtime.properties b/examples/conf/druid/single-server/medium/_common/common.runtime.properties index eafa11742d5d..b0adb0695cd7 100644 --- a/examples/conf/druid/single-server/medium/_common/common.runtime.properties +++ b/examples/conf/druid/single-server/medium/_common/common.runtime.properties @@ -131,7 +131,7 @@ druid.indexing.doubleStorage=double # # Security # -druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password"] +druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password", "password", "key", "token", "pwd"] # diff --git a/examples/conf/druid/single-server/micro-quickstart/_common/common.runtime.properties b/examples/conf/druid/single-server/micro-quickstart/_common/common.runtime.properties index eafa11742d5d..b0adb0695cd7 100644 --- a/examples/conf/druid/single-server/micro-quickstart/_common/common.runtime.properties +++ b/examples/conf/druid/single-server/micro-quickstart/_common/common.runtime.properties 
@@ -131,7 +131,7 @@ druid.indexing.doubleStorage=double # # Security # -druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password"] +druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password", "password", "key", "token", "pwd"] # diff --git a/examples/conf/druid/single-server/nano-quickstart/_common/common.runtime.properties b/examples/conf/druid/single-server/nano-quickstart/_common/common.runtime.properties index eafa11742d5d..b0adb0695cd7 100644 --- a/examples/conf/druid/single-server/nano-quickstart/_common/common.runtime.properties +++ b/examples/conf/druid/single-server/nano-quickstart/_common/common.runtime.properties @@ -131,7 +131,7 @@ druid.indexing.doubleStorage=double # # Security # -druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password"] +druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password", "password", "key", "token", "pwd"] # diff --git a/examples/conf/druid/single-server/small/_common/common.runtime.properties b/examples/conf/druid/single-server/small/_common/common.runtime.properties index eafa11742d5d..b0adb0695cd7 100644 --- a/examples/conf/druid/single-server/small/_common/common.runtime.properties +++ b/examples/conf/druid/single-server/small/_common/common.runtime.properties @@ -131,7 +131,7 @@ druid.indexing.doubleStorage=double # # Security # -druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password"] +druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password", "password", "key", "token", "pwd"] # 
diff --git a/examples/conf/druid/single-server/xlarge/_common/common.runtime.properties b/examples/conf/druid/single-server/xlarge/_common/common.runtime.properties index eafa11742d5d..b0adb0695cd7 100644 --- a/examples/conf/druid/single-server/xlarge/_common/common.runtime.properties +++ b/examples/conf/druid/single-server/xlarge/_common/common.runtime.properties @@ -131,7 +131,7 @@ druid.indexing.doubleStorage=double # # Security # -druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password"] +druid.server.hiddenProperties=["druid.s3.accessKey","druid.s3.secretKey","druid.metadata.storage.connector.password", "password", "key", "token", "pwd"] # diff --git a/server/src/main/java/org/apache/druid/client/DruidServerConfig.java b/server/src/main/java/org/apache/druid/client/DruidServerConfig.java index 8e4b495cf336..3ab6e87c00ec 100644 --- a/server/src/main/java/org/apache/druid/client/DruidServerConfig.java +++ b/server/src/main/java/org/apache/druid/client/DruidServerConfig.java @@ -47,7 +47,9 @@ public class DruidServerConfig @JsonProperty @NotNull - private Set hiddenProperties = Sets.newHashSet("druid.s3.accessKey", "druid.s3.secretKey", "druid.metadata.storage.connector.password"); + private Set hiddenProperties = Sets.newHashSet("druid.s3.accessKey", "druid.s3.secretKey", + "druid.metadata.storage.connector.password", + "password", "key", "token", "pwd"); private SegmentLoaderConfig segmentLoaderConfig; @@ -84,5 +86,4 @@ public Set getHiddenProperties() return hiddenProperties; } - } diff --git a/server/src/main/java/org/apache/druid/server/StatusResource.java b/server/src/main/java/org/apache/druid/server/StatusResource.java index cebc9130b364..2476cf42386f 100644 --- a/server/src/main/java/org/apache/druid/server/StatusResource.java +++ b/server/src/main/java/org/apache/druid/server/StatusResource.java 
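Review bot: The defaults extended in `@@ -47,7 +47,9 @@` of DruidServerConfig.java presumably take effect only when `druid.server.hiddenProperties` is unset, yet the example `common.runtime.properties` files in this patch set it explicitly. Deployments that copied the old three-entry line will therefore likely keep the old list after upgrading and never gain the `password`/`key`/`token`/`pwd` substrings. A comment on the field, e.g. `// defaults apply only when druid.server.hiddenProperties is unset; an explicit list replaces them`, plus a matching sentence in the docs table, would make that visible. Short entries such as `key` are substring-matched and will also hide harmless names like `druid.storage.baseKey`. That errs in the safe direction, but is worth stating next to the defaults.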
@@ -77,24 +77,24 @@ public StatusResource( public Map getProperties() { Map allProperties = Maps.fromProperties(properties); - Set hidderProperties = druidServerConfig.getHiddenProperties(); - return filterHiddenProperties(hidderProperties, allProperties); + Set hiddenProperties = druidServerConfig.getHiddenProperties(); + return filterHiddenProperties(hiddenProperties, allProperties); } /** - * filter out entries from allProperties with key containing elements in hidderProperties (case insensitive) + * filter out entries from allProperties with key containing elements in hiddenProperties (case insensitive) * * @return map of properties that are not filtered out. */ @Nonnull private Map filterHiddenProperties( - Set hidderProperties, + Set hiddenProperties, Map allProperties ) { return Maps.filterEntries( allProperties, - (entry) -> hidderProperties + (entry) -> hiddenProperties .stream() .anyMatch( hiddenPropertyElement ->