You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2022/09/07 13:33:19 UTC

[GitHub] [druid] capistrant opened a new pull request, #13045: fix bug in /status/properties filtering

capistrant opened a new pull request, #13045:
URL: https://github.com/apache/druid/pull/13045

   <!-- Thanks for trying to help us make Apache Druid be the best it can be! Please fill out as much of the following information as is possible (where relevant, and remove it when irrelevant) to help make the intention and scope of this PR clear in order to ease review. -->
   
   <!-- Please read the doc for contribution (https://github.com/apache/druid/blob/master/CONTRIBUTING.md) before making this PR. Also, once you open a PR, please _avoid using force pushes and rebasing_ since these make it difficult for reviewers to see what you've changed in response to their reviews. See [the 'If your pull request shows conflicts with master' section](https://github.com/apache/druid/blob/master/CONTRIBUTING.md#if-your-pull-request-shows-conflicts-with-master) for more details. -->
   
   <!-- Replace XXXX with the id of the issue fixed in this PR. Remove this section if there is no corresponding issue. Don't reference the issue in the title of this pull-request. -->
   
   <!-- If you are a committer, follow the PR action item checklist for committers:
   https://github.com/apache/druid/blob/master/dev/committer-instructions.md#pr-and-issue-action-item-checklist-for-committers. -->
   
   ### Description
   
   <!-- Describe the goal of this PR, what problem are you fixing. If there is a corresponding issue (referenced above), it's not necessary to repeat the description here, however, you may choose to keep one summary sentence. -->
   
   <!-- Describe your patch: what did you change in code? How did you fix the problem? -->
   
   <!-- If there are several relatively logically separate changes in this PR, create a mini-section for each of them. For example: -->
   
   #### Fixed a bug in `/status/properties` endpoint
   
   #12950 introduced or exposed an issue with masking sensitive properties when calling `/status/properties`. 
   
   The unit test for this method was broken before the aforementioned patch was created. 
   
   ```JAVA
   Splitter.on(",").split(returnedProperties.get("druid.server.hiddenProperties")).forEach(hiddenProperties::add);
   ```
   
   That java is not a valid way to split a string with the format `["item1", ... "itemN"]` ... `[` `]` `"` all need to be stripped out of the string before that line is valid.
   
   Due to that bad splitting of the string, the unit test was passing, but not testing what we wanted it to test. My patch fixes the splitting of that hiddenProperties string. This fix causes the test to fail, alerting me to the fact that the filtering method is not working as intended. I went away from using the filtered map concept in the original patch, and instead removed the sensitive k:v pairs from a copy of the passed map and returned that modified map. This now passes the updated unit tests and has been verified in a cluster.
   
   <!--
   In each section, please describe design decisions made, including:
    - Choice of algorithms
    - Behavioral aspects. What configuration values are acceptable? How are corner cases and error conditions handled, such as when there are insufficient resources?
    - Class organization and design (how the logic is split between classes, inheritance, composition, design patterns)
    - Method organization and design (how the logic is split between methods, parameters and return types)
    - Naming (class, method, API, configuration, HTTP endpoint, names of emitted metrics)
   -->
   
   
   <!-- It's good to describe an alternative design (or mention an alternative name) for every design (or naming) decision point and compare the alternatives with the designs that you've implemented (or the names you've chosen) to highlight the advantages of the chosen designs and names. -->
   
   <!-- If there was a discussion of the design of the feature implemented in this PR elsewhere (e. g. a "Proposal" issue, any other issue, or a thread in the development mailing list), link to that discussion from this PR description and explain what have changed in your final design compared to your original proposal or the consensus version in the end of the discussion. If something hasn't changed since the original discussion, you can omit a detailed discussion of those aspects of the design here, perhaps apart from brief mentioning for the sake of readability of this PR description. -->
   
   <!-- Some of the aspects mentioned above may be omitted for simple and small changes. -->
   
   <hr>
   
   ##### Key changed/added classes in this PR
    * `StatusResource`
    * `StatusResourceTest`
   
   <hr>
   
   <!-- Check the items by putting "x" in the brackets for the done things. Not all of these items apply to every PR. Remove the items which are not done or not relevant to the PR. None of the items from the checklist below are strictly necessary, but it would be very helpful if you at least self-review the PR. -->
   
   This PR has:
   - [X] been self-reviewed.
   - [X] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
   - [X] been tested in a test Druid cluster.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org

[GitHub] [druid] FrankChen021 commented on a diff in pull request #13045: fix bug in /status/properties filtering

Posted by GitBox <gi...@apache.org>.
FrankChen021 commented on code in PR #13045:
URL: https://github.com/apache/druid/pull/13045#discussion_r964876401


##########
server/src/test/java/org/apache/druid/server/StatusResourceTest.java:
##########
@@ -85,7 +85,11 @@ private void testHiddenPropertiesWithPropertyFileName(String fileName)
                                                            .map(StringUtils::toLowerCase)
                                                            .collect(Collectors.toSet());
     Set<String> hiddenProperties = new HashSet<>();
-    Splitter.on(",").split(returnedProperties.get("druid.server.hiddenProperties")).forEach(hiddenProperties::add);
+    String hiddenPropertiesString = returnedProperties.get("druid.server.hiddenProperties")

Review Comment:
   I'm wondering if we can use jackson to deserialize the `hiddenPropertiesString` to a String array or set.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org

[GitHub] [druid] capistrant commented on pull request #13045: fix bug in /status/properties filtering

Posted by GitBox <gi...@apache.org>.
capistrant commented on PR #13045:
URL: https://github.com/apache/druid/pull/13045#issuecomment-1239413242

   I confirmed in my current 0.22.x cluster that the exact match filtering works as expected despite the unit test being broken in that version too.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org

[GitHub] [druid] capistrant commented on a diff in pull request #13045: fix bug in /status/properties filtering

Posted by GitBox <gi...@apache.org>.
capistrant commented on code in PR #13045:
URL: https://github.com/apache/druid/pull/13045#discussion_r965334847


##########
server/src/main/java/org/apache/druid/server/StatusResource.java:
##########
@@ -92,15 +96,15 @@ private Map<String, String> filterHiddenProperties(
       Map<String, String> allProperties
   )
   {
-    return Maps.filterEntries(
-        allProperties,
-        (entry) -> hiddenProperties
-            .stream()
-            .anyMatch(
-                hiddenPropertyElement ->
-                    !StringUtils.toLowerCase(entry.getKey()).contains(StringUtils.toLowerCase(hiddenPropertyElement))
-            )
+    Map<String, String> propertyCopy = new HashMap<>(allProperties);
+    allProperties.keySet().forEach(
+        (key) -> {
+          if (hiddenProperties.stream().anyMatch((hiddenProperty) -> StringUtils.toLowerCase(key).contains(StringUtils.toLowerCase(hiddenProperty)))) {
+            propertyCopy.remove(key);

Review Comment:
   I'd be ok with that. could help reduce confusion in the case of troubleshooting configs



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org

[GitHub] [druid] capistrant commented on a diff in pull request #13045: fix bug in /status/properties filtering

Posted by GitBox <gi...@apache.org>.
capistrant commented on code in PR #13045:
URL: https://github.com/apache/druid/pull/13045#discussion_r965337263


##########
server/src/main/java/org/apache/druid/server/StatusResource.java:
##########
@@ -92,15 +96,15 @@ private Map<String, String> filterHiddenProperties(
       Map<String, String> allProperties
   )
   {
-    return Maps.filterEntries(
-        allProperties,
-        (entry) -> hiddenProperties
-            .stream()
-            .anyMatch(
-                hiddenPropertyElement ->
-                    !StringUtils.toLowerCase(entry.getKey()).contains(StringUtils.toLowerCase(hiddenPropertyElement))
-            )
+    Map<String, String> propertyCopy = new HashMap<>(allProperties);
+    allProperties.keySet().forEach(

Review Comment:
   Isn't this going to be O(N*M) regardless since for every hidden property we would have to check every property and vice versa? In fact, for the current implementation we sometimes get a short-circuit on the nested iteration since it is using `anyMatch`. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org

[GitHub] [druid] vogievetsky merged pull request #13045: fix bug in /status/properties filtering

Posted by GitBox <gi...@apache.org>.
vogievetsky merged PR #13045:
URL: https://github.com/apache/druid/pull/13045


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org

[GitHub] [druid] abhishekagarwal87 commented on pull request #13045: fix bug in /status/properties filtering

Posted by GitBox <gi...@apache.org>.
abhishekagarwal87 commented on PR #13045:
URL: https://github.com/apache/druid/pull/13045#issuecomment-1239428601

   Great catch @capistrant. LGTM. can you also add an assertion that the size of returned properties is less than `injector.getInstance(Properties.class).size()`? That way, such an issue won't happen again. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org

[GitHub] [druid] paul-rogers commented on a diff in pull request #13045: fix bug in /status/properties filtering

Posted by GitBox <gi...@apache.org>.
paul-rogers commented on code in PR #13045:
URL: https://github.com/apache/druid/pull/13045#discussion_r965319656


##########
server/src/main/java/org/apache/druid/server/StatusResource.java:
##########
@@ -92,15 +96,15 @@ private Map<String, String> filterHiddenProperties(
       Map<String, String> allProperties
   )
   {
-    return Maps.filterEntries(
-        allProperties,
-        (entry) -> hiddenProperties
-            .stream()
-            .anyMatch(
-                hiddenPropertyElement ->
-                    !StringUtils.toLowerCase(entry.getKey()).contains(StringUtils.toLowerCase(hiddenPropertyElement))
-            )
+    Map<String, String> propertyCopy = new HashMap<>(allProperties);

Review Comment:
   When this code is nested inside a resource, it is hard to test. Should we pull this out as a static method so it can be tested easily with various sets of properties and hidden property lists?



##########
server/src/main/java/org/apache/druid/server/StatusResource.java:
##########
@@ -92,15 +96,15 @@ private Map<String, String> filterHiddenProperties(
       Map<String, String> allProperties
   )
   {
-    return Maps.filterEntries(
-        allProperties,
-        (entry) -> hiddenProperties
-            .stream()
-            .anyMatch(
-                hiddenPropertyElement ->
-                    !StringUtils.toLowerCase(entry.getKey()).contains(StringUtils.toLowerCase(hiddenPropertyElement))
-            )
+    Map<String, String> propertyCopy = new HashMap<>(allProperties);
+    allProperties.keySet().forEach(

Review Comment:
   The set of hidden properties is likely to be much smaller than the set of all properties. Should we iterate over the hidden properties so we have a much lower total cost? One could argue that this operation is used infrequently and efficiency doesn't matter. But, since we're changing the code anyway, we might as well make it simple.



##########
server/src/main/java/org/apache/druid/server/StatusResource.java:
##########
@@ -92,15 +96,15 @@ private Map<String, String> filterHiddenProperties(
       Map<String, String> allProperties
   )
   {
-    return Maps.filterEntries(
-        allProperties,
-        (entry) -> hiddenProperties
-            .stream()
-            .anyMatch(
-                hiddenPropertyElement ->
-                    !StringUtils.toLowerCase(entry.getKey()).contains(StringUtils.toLowerCase(hiddenPropertyElement))
-            )
+    Map<String, String> propertyCopy = new HashMap<>(allProperties);
+    allProperties.keySet().forEach(
+        (key) -> {
+          if (hiddenProperties.stream().anyMatch((hiddenProperty) -> StringUtils.toLowerCase(key).contains(StringUtils.toLowerCase(hiddenProperty)))) {
+            propertyCopy.remove(key);

Review Comment:
   Should we convert the value to, say, "*****" so that at least the user knows that the property was set to something?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org

[GitHub] [druid] cryptoe commented on a diff in pull request #13045: fix bug in /status/properties filtering

Posted by GitBox <gi...@apache.org>.
cryptoe commented on code in PR #13045:
URL: https://github.com/apache/druid/pull/13045#discussion_r964998814


##########
server/src/main/java/org/apache/druid/server/StatusResource.java:
##########
@@ -92,15 +93,15 @@ private Map<String, String> filterHiddenProperties(
       Map<String, String> allProperties
   )
   {
-    return Maps.filterEntries(
-        allProperties,
-        (entry) -> hiddenProperties
-            .stream()
-            .anyMatch(
-                hiddenPropertyElement ->
-                    !StringUtils.toLowerCase(entry.getKey()).contains(StringUtils.toLowerCase(hiddenPropertyElement))
-            )
+    Map<String, String> propertyCopy = new HashMap<>(allProperties);
+    allProperties.keySet().forEach(
+        (key) -> {
+          if (hiddenProperties.stream().anyMatch((hiddenProperty) -> StringUtils.toLowerCase(key).contains(StringUtils.toLowerCase(hiddenProperty)))) {

Review Comment:
   nit: So if we have set of hiddenProps as =["pwd"] and in the allProperties we have {"foopwd"->"secret1" , "pwd"->"secret", "foo"->"bar"  } the output would be {"foo"->"bar"} . 
   In that case, we should update a JavaDoc to reflect this 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org

[GitHub] [druid] capistrant commented on pull request #13045: fix bug in /status/properties filtering

Posted by GitBox <gi...@apache.org>.
capistrant commented on PR #13045:
URL: https://github.com/apache/druid/pull/13045#issuecomment-1240856243

   @paul-rogers welp, I guess this got merged quickly since it needed to fix the regression in backport. I think I will follow on with a PR to master (no-backport) with a change to add the redactions instead of deletion. I'm also interested in hearing more about the efficiency of scanning the configs for stuff to redact. Perhaps I'm overlooking some point about making it more efficient, per your comment. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org