Hi everyone, important correction, this is since 1.16.0, not 1.17+.
Best,
Konstantin

On Tue, 15 Nov 2022 at 14:25, Gyula Fóra <gyula.f...@gmail.com> wrote:

> Thanks for bringing this important issue to discussion Konstantin!
>
> I am in favor of not showing them by default with an optional configuration
> to enable it.
> Otherwise this poses a big security risk of exposing previously hidden
> information after upgrade.
>
> Gyula
>
> On Tue, Nov 15, 2022 at 2:15 PM Maximilian Michels <m...@apache.org> wrote:
>
> > Hey Konstantin,
> >
> > I'd be in favor of not printing them at all, i.e. option (d). We have the
> > configuration page which lists the effective config and already removes
> > any known secrets.
> >
> > -Max
> >
> > On Tue, Nov 15, 2022 at 11:26 AM Konstantin Knauf <kna...@apache.org>
> > wrote:
> >
> > > Hi all,
> > >
> > > since Flink 1.17 [1] the Flink Web UI prints *all* environment variables
> > > of the Taskmanager or Jobmanagers hosts (Jobmanager -> Configuration ->
> > > Environment). Given that environment variables are often used to store
> > > sensitive information, I think, it is wrong and dangerous to print those
> > > in the Flink Web UI. Specifically, thinking about how Kubernetes Secrets
> > > are usually injected into Pods.
> > >
> > > One could argue that anyone who can submit a Flink Job to a cluster has
> > > access to these environment variables anyway, but not everyone who has
> > > access to the Flink UI can submit a Flink Job.
> > >
> > > I see the following options:
> > > a) leave as is
> > > b) apply same obfuscation as in flink-conf.yaml based on some heuristic
> > > (no "secret", "password" in env var name)
> > > c) only print allow-listed values
> > > d) don't print any env vars in the web UI (at least by default)
> > >
> > > What do you think?
> > >
> > > Cheers,
> > >
> > > Konstantin
> > >
> > > [1] https://issues.apache.org/jira/browse/FLINK-28311
> > >
> > > --
> > > https://twitter.com/snntrable
> > > https://github.com/knaufk
> >
>

--
https://twitter.com/snntrable
https://github.com/knaufk
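A sketch of the three mitigations listed in the quoted message (options b, c and d) side by side, added here as an example; it is not Flink code and not anything posted by the thread's participants. The class name, the policy names and the list of "sensitive" name fragments are assumptions chosen for illustration. The constructed sample environment deliberately contains a variable whose name matches none of the heuristic fragments, which is the limitation of option (b) that makes (c) or (d) the safer default after an upgrade.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Hypothetical filter deciding what a web UI may show of the process environment.
 * Not Flink code; the policies mirror options (b), (c) and (d) from the thread.
 */
public final class EnvVarViewFilter {

    /** Which option is in force. SHOW_ALL is option (a), kept only for comparison. */
    public enum Policy { SHOW_ALL, OBFUSCATE_HEURISTIC, ALLOW_LIST, HIDE_ALL }

    /** Name fragments treated as sensitive, in the spirit of the flink-conf.yaml masking (constructed list). */
    private static final List<String> SENSITIVE_FRAGMENTS = Arrays.asList(
            "password", "passwd", "secret", "token", "apikey", "api_key", "credential", "private_key");

    private static final String HIDDEN = "******";

    private final Policy policy;
    private final Set<String> allowList;

    public EnvVarViewFilter(Policy policy, Set<String> allowList) {
        this.policy = policy;
        this.allowList = allowList;
    }

    /** Option (d), the proposed default: nothing is shown unless an operator opts in. */
    public static EnvVarViewFilter defaultPolicy() {
        return new EnvVarViewFilter(Policy.HIDE_ALL, Collections.emptySet());
    }

    /** Option (b): case-insensitive substring match on the variable name only. */
    static boolean looksSensitive(String name) {
        String lower = name.toLowerCase(Locale.ROOT);
        for (String fragment : SENSITIVE_FRAGMENTS) {
            if (lower.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the view the UI is allowed to render; insertion order is kept for display. */
    public Map<String, String> render(Map<String, String> env) {
        Map<String, String> out = new LinkedHashMap<>();
        switch (policy) {
            case HIDE_ALL:
                return out;
            case SHOW_ALL:
                out.putAll(env);
                return out;
            case ALLOW_LIST:
                for (Map.Entry<String, String> e : env.entrySet()) {
                    if (allowList.contains(e.getKey())) {
                        out.put(e.getKey(), e.getValue());
                    }
                }
                return out;
            case OBFUSCATE_HEURISTIC:
            default:
                for (Map.Entry<String, String> e : env.entrySet()) {
                    out.put(e.getKey(), looksSensitive(e.getKey()) ? HIDDEN : e.getValue());
                }
                return out;
        }
    }

    public static void main(String[] args) {
        // Constructed sample environment resembling a Pod after Kubernetes secret injection.
        Map<String, String> env = new LinkedHashMap<>();
        env.put("JAVA_HOME", "/usr/lib/jvm/java-11");
        env.put("FLINK_HOME", "/opt/flink");
        env.put("DB_PASSWORD", "example-only");      // matched by the heuristic
        env.put("S3_ACCESS_TOKEN", "example-only");  // matched by the heuristic
        env.put("KAFKA_SASL_JAAS", "example-only");  // NOT matched: option (b) would print this

        System.out.println("(d) default:    " + defaultPolicy().render(env));
        System.out.println("(b) heuristic:  "
                + new EnvVarViewFilter(Policy.OBFUSCATE_HEURISTIC, Collections.emptySet()).render(env));
        System.out.println("(c) allow-list: "
                + new EnvVarViewFilter(Policy.ALLOW_LIST,
                        new TreeSet<>(Arrays.asList("JAVA_HOME", "FLINK_HOME"))).render(env));
    }
}
```

Running `main` prints an empty map for (d), a map with two masked values and `KAFKA_SASL_JAAS` still in clear for (b), and only the two allow-listed paths for (c). Whichever policy is chosen, the decision must be made on the name alone before the value reaches the response, since once a value has been served to a UI session it cannot be unshown.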