Thanks for bringing this important issue to discussion, Konstantin! I am in favor of not showing them by default with an optional configuration to enable it. Otherwise this poses a big security risk of exposing previously hidden information after upgrade.
Gyula

On Tue, Nov 15, 2022 at 2:15 PM Maximilian Michels <m...@apache.org> wrote:
> Hey Konstantin,
>
> I'd be in favor of not printing them at all, i.e. option (d). We have the
> configuration page which lists the effective config and already removes any
> known secrets.
>
> -Max
>
> On Tue, Nov 15, 2022 at 11:26 AM Konstantin Knauf <kna...@apache.org>
> wrote:
>
> > Hi all,
> >
> > since Flink 1.17 [1] the Flink Web UI prints *all* environment variables of
> > the Taskmanager or Jobmanagers hosts (Jobmanager -> Configuration ->
> > Environment). Given that environment variables are often used to store
> > sensitive information, I think, it is wrong and dangerous to print those in
> > the Flink Web UI. Specifically, thinking about how Kubernetes Secrets are
> > usually injected into Pods.
> >
> > One could argue that anyone who can submit a Flink Job to a cluster has
> > access to these environment variables anyway, but not everyone who has
> > access to the Flink UI can submit a Flink Job.
> >
> > I see the following options:
> > a) leave as is
> > b) apply same obfuscation as in flink-conf.yaml based on some heuristic (no
> > "secret", "password" in env var name)
> > c) only print allow-listed values
> > d) don't print any env vars in the web UI (at least by default)
> >
> > What do you think?
> >
> > Cheers,
> >
> > Konstantin
> >
> > [1] https://issues.apache.org/jira/browse/FLINK-28311
> >
> > --
> > https://twitter.com/snntrable
> > https://github.com/knaufk
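To make the trade-off between options (b) and (c) from the thread concrete, here is an added Python example (not Flink code; the key patterns, the hidden marker and the sample environment are assumptions constructed for illustration): the name-based heuristic masks keys that look like credentials but lets a secret embedded in an innocuously named connection URL through, while the allow-list shows only what was explicitly approved.

```python
import re
from typing import Dict, Iterable, List

# Option (b): heuristic key patterns in the spirit of the flink-conf.yaml masking
# mentioned in the thread. This list is an assumption for the example, not Flink's.
SENSITIVE_KEY_PATTERNS = tuple(
    re.compile(p, re.IGNORECASE)
    for p in (r"secret", r"password", r"passwd", r"token", r"api[_-]?key")
)
HIDDEN = "******"  # placeholder shown instead of a masked value (assumed marker)

# A value that carries a credential even though its key name looks harmless:
# a URL with user:password@ userinfo, the kind of thing a heuristic misses.
URL_WITH_USERINFO = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.IGNORECASE)


def is_sensitive_key(name: str) -> bool:
    return any(p.search(name) for p in SENSITIVE_KEY_PATTERNS)


def redact_by_heuristic(env: Dict[str, str]) -> Dict[str, str]:
    """Option (b): keep every key, mask only values whose key name matches."""
    return {k: (HIDDEN if is_sensitive_key(k) else v) for k, v in env.items()}


def filter_by_allowlist(env: Dict[str, str], allowed: Iterable[str]) -> Dict[str, str]:
    """Option (c): show only explicitly allow-listed keys; everything else is dropped."""
    allowed_set = set(allowed)
    return {k: v for k, v in env.items() if k in allowed_set}


def heuristic_leaks(env: Dict[str, str]) -> List[str]:
    """Keys that option (b) leaves unmasked although their value embeds a credential."""
    shown = redact_by_heuristic(env)
    return sorted(k for k, v in shown.items() if v != HIDDEN and URL_WITH_USERINFO.match(v))


# Constructed sample environment; values are made up, not captured from any host.
SAMPLE_ENV = {
    "JAVA_HOME": "/usr/lib/jvm/java-11",
    "FLINK_HOME": "/opt/flink",
    "DB_PASSWORD": "constructed-password",
    "AWS_SECRET_ACCESS_KEY": "constructed-aws-secret",
    "DATABASE_URL": "postgres://app:constructed-pw@db.internal:5432/prod",
}

if __name__ == "__main__":
    print(redact_by_heuristic(SAMPLE_ENV))                       # DB_PASSWORD, AWS_* masked
    print(filter_by_allowlist(SAMPLE_ENV, ["JAVA_HOME", "FLINK_HOME"]))
    print(heuristic_leaks(SAMPLE_ENV))                           # ['DATABASE_URL']
```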