Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2021/12/14 09:30:19 UTC

[GitHub] [druid] santosh-d3vpl3x opened a new issue #12063: Ease of Hiding sensitive properties from `/status/properties` endpoint

santosh-d3vpl3x opened a new issue #12063:
URL: https://github.com/apache/druid/issues/12063


   ### Description
   - Add redaction based on regex for `druid.server.hiddenProperties` (undocumented config). As a placeholder for this description, we can call the property `druid.server.hiddenPropertiesContain`. It could be set to `["password", "key", "token", "pwd"]`; this check then hides all the properties containing these strings.
   - It would be even better if we could just turn this off entirely by a flag, for example `druid.server.hideAllProperties`; however, I am not sure what purpose this endpoint serves in Druid architecture and deployments today, so it is hard for me to evaluate if `druid.server.hideAllProperties` is a valid approach.
   
   ### Motivation
   `druid.server.hiddenProperties` (undocumented config) right now allows us to hide certain properties from the API response. This can be used to hide sensitive properties from the `/status/properties` endpoint. But this approach has a higher chance of leaking unlisted sensitive properties unintentionally. It would be nicer to have a list of regexes that will help us hide most of the properties based on certain strings as opposed to the .


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
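
The difference between the two filtering approaches discussed in the issue, as an added example that is not part of the original message and is not Druid's code: it compares an exact-name hidden list with the proposed substring match. The class, method and property names below are hypothetical, and the sample properties are constructed.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class HiddenPropertiesDemo {
    // Exact-name filter: a property is hidden only if its full name is listed.
    static Map<String, String> hideExact(Map<String, String> props, Set<String> hidden) {
        Map<String, String> out = new LinkedHashMap<>();
        props.forEach((k, v) -> { if (!hidden.contains(k)) out.put(k, v); });
        return out;
    }

    // Substring filter: hidden if the name contains any fragment, case-insensitively
    // (a case-sensitive "key" would miss "secretKey").
    static Map<String, String> hideContaining(Map<String, String> props, List<String> fragments) {
        Map<String, String> out = new LinkedHashMap<>();
        props.forEach((k, v) -> {
            String name = k.toLowerCase(Locale.ROOT);
            boolean sensitive = fragments.stream()
                .anyMatch(f -> name.contains(f.toLowerCase(Locale.ROOT)));
            if (!sensitive) out.put(k, v);
        });
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample properties; names and values are not real Druid settings.
        Map<String, String> props = new LinkedHashMap<>();
        props.put("example.metadata.password", "constructed-secret-1");
        props.put("example.storage.secretKey", "constructed-secret-2");
        props.put("example.auth.apiToken", "constructed-secret-3");
        props.put("example.cache.keyspace", "segments");
        props.put("example.server.port", "8082");

        // The operator listed only one name; the other two secrets are still returned.
        System.out.println("exact:    "
            + hideExact(props, Set.of("example.metadata.password")).keySet());

        // Fragment list from the issue; "keyspace" is over-redacted, which fails safe.
        System.out.println("contains: "
            + hideContaining(props, List.of("password", "key", "token", "pwd")).keySet());
    }
}
```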