Skip to content

Extend query config with query.masked config with Type.PASSWORD for secure query masking #1593

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: 10.9.x
Choose a base branch
from
Open

Extend query config with query.masked config with Type.PASSWORD for secure query masking #1593

wants to merge 7 commits into from

Conversation

@KGaneshDatta
Copy link
Contributor

@KGaneshDatta KGaneshDatta commented Nov 12, 2025
edited
Loading

Problem

  • Introduced an internal query.masked configuration of Type.Password to ensure secure logging by masking sensitive values and preventing accidental exposure.
  • Enhanced the existing validation to enforce that the connector operates exclusively in either table.mode or query.mode.

Solution

Does this solution apply anywhere else?
  • yes
  • no
If yes, where?

Test Strategy

Testing done:
  • Unit tests
  • Integration tests
  • System tests
  • Manual tests

Release Plan

@KGaneshDatta KGaneshDatta requested a review from a team as a code owner November 12, 2025 11:07
@confluent-cla-assistant
Copy link

confluent-cla-assistant bot commented Nov 12, 2025

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

KGaneshDatta
KGaneshDatta commented Nov 18, 2025
View reviewed changes
src/main/java/io/confluent/connect/jdbc/source/JdbcSourceConnectorConfig.java
orderInGroup = defineIncrementTimestampConfigs(config, orderInGroup);
orderInGroup = defineQueryAndQuoteConfigs(config, orderInGroup);
defineTransactionAndRetryConfigs(config, orderInGroup);
}
Copy link
Contributor Author

@KGaneshDatta KGaneshDatta Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Extend this Options method, because of falling to checkstyle error of exceeding 128 lines in a method.

src/main/java/io/confluent/connect/jdbc/validation/JdbcSourceConnectorValidation.java

return true;
}

Copy link
Contributor Author

@KGaneshDatta KGaneshDatta Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a validation in order to limit using of either of query or query.masked config.

src/main/java/io/confluent/connect/jdbc/validation/JdbcSourceConnectorValidation.java Outdated
String msg =
"Do not specify table filtering configs with 'query' or 'query.masked'. "
+ "Remove table.whitelist / table.blacklist / table.include.list / "
+ "table.exclude.list.";
Copy link
Contributor Author

@KGaneshDatta KGaneshDatta Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Either of table.filtering.options or query should be provided as the connector would work in table.mode or query.mode and not both.

akanimesh7
akanimesh7 reviewed Nov 18, 2025
View reviewed changes
Copy link
Member

@akanimesh7 akanimesh7 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few things @KGaneshDatta

  1. Since query was never exposed on cloud before this, we should perform some manual testing to understand/validate the behaviour. (How frequently will the query be executed, What if the query is taking too long to exceute ? do we have any observability into this ? Can multiple queries be provided (select * from table1;select* from table2;))
  2. If user has specified both table include/exclude list and query, we don't know which way they wanna go. The validation exception message currently instructs them to remove table include/exclude configs. Which might be other way round also.

src/main/java/io/confluent/connect/jdbc/validation/JdbcSourceConnectorValidation.java Outdated
private boolean hasAnyQueryConfig() {
String query = config.getString(JdbcSourceConnectorConfig.QUERY_CONFIG);
Password queryMasked =
config.getPassword(JdbcSourceConnectorConfig.QUERY_MASKED_CONFIG);
Copy link
Member

@akanimesh7 akanimesh7 Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you make config.getQuery return optional, then this hasAnyQueryConfig method will not be needed.

@sonarqube-confluent
Copy link

sonarqube-confluent bot commented Nov 21, 2025

Quality Gate passed Quality Gate passed

Issues
16 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
81.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@akanimesh7 akanimesh7 akanimesh7 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@KGaneshDatta @akanimesh7