diff --git a/datasources/src/main/java/org/opensearch/sql/datasources/service/DataSourceServiceImpl.java b/datasources/src/main/java/org/opensearch/sql/datasources/service/DataSourceServiceImpl.java
index d6c1907f84..25e8006d66 100644
--- a/datasources/src/main/java/org/opensearch/sql/datasources/service/DataSourceServiceImpl.java
+++ b/datasources/src/main/java/org/opensearch/sql/datasources/service/DataSourceServiceImpl.java
@@ -34,6 +34,8 @@ public class DataSourceServiceImpl implements DataSourceService {
 private static String DATASOURCE_NAME_REGEX = "[@*A-Za-z]+?[*a-zA-Z_\\-0-9]*";
+ public static final Set CONFIDENTIAL_AUTH_KEYS =
+ Set.of("auth.username", "auth.password", "auth.access_key", "auth.secret_key");
 private final DataSourceLoaderCache dataSourceLoaderCache;
@@ -159,7 +161,12 @@ private void removeAuthInfo(Set dataSourceMetadataSet) {
 private void removeAuthInfo(DataSourceMetadata dataSourceMetadata) {
 HashMap safeProperties = new HashMap<>(dataSourceMetadata.getProperties());
- safeProperties.entrySet().removeIf(entry -> entry.getKey().contains("auth"));
+ safeProperties
+ .entrySet()
+ .removeIf(
+ entry ->
+ CONFIDENTIAL_AUTH_KEYS.stream()
+ .anyMatch(confidentialKey -> entry.getKey().endsWith(confidentialKey)));
 dataSourceMetadata.setProperties(safeProperties);
 }
 }
diff --git a/datasources/src/test/java/org/opensearch/sql/datasources/service/DataSourceServiceImplTest.java b/datasources/src/test/java/org/opensearch/sql/datasources/service/DataSourceServiceImplTest.java
index c8312e6013..409c26d6db 100644
--- a/datasources/src/test/java/org/opensearch/sql/datasources/service/DataSourceServiceImplTest.java
+++ b/datasources/src/test/java/org/opensearch/sql/datasources/service/DataSourceServiceImplTest.java
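Review bot: CONFIDENTIAL_AUTH_KEYS is added as a public constant with no comment saying how it is matched; removeAuthInfo compares each entry against the end of the property key, so the four strings are suffixes rather than full key names. A Javadoc line such as `/** Property-key suffixes whose values are credentials; removeAuthInfo strips matching entries before metadata is returned. */` would make that contract visible to anyone who adds a connector with a new secret property. The class body continues outside this hunk.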
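Review bot: The new predicate in removeAuthInfo(DataSourceMetadata) fails open: only keys ending in one of the four CONFIDENTIAL_AUTH_KEYS suffixes are stripped, so a credential property that a connector later introduces under any other name is returned to callers until someone extends the set, whereas the removed `contains("auth")` check dropped every auth property by default. Consider keeping the default-deny and exempting the known non-secret keys instead, for example `entry -> entry.getKey().contains("auth") && NON_SECRET_AUTH_KEYS.stream().noneMatch(entry.getKey()::endsWith)`, where `NON_SECRET_AUTH_KEYS` is a proposed new constant holding the suffixes the tests expect to survive (`auth.type`, `auth.role_arn` and the bare `auth` key). The suffix comparison is also case-sensitive, so it relies on property keys being stored in lower case; whether that is enforced is not visible in this hunk.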
@@ -233,7 +233,7 @@ void testGetDataSourceMetadataSet() {
 assertEquals(1, dataSourceMetadataSet.size());
 DataSourceMetadata dataSourceMetadata = dataSourceMetadataSet.iterator().next();
 assertTrue(dataSourceMetadata.getProperties().containsKey("prometheus.uri"));
- assertFalse(dataSourceMetadata.getProperties().containsKey("prometheus.auth.type"));
+ assertTrue(dataSourceMetadata.getProperties().containsKey("prometheus.auth.type"));
 assertFalse(dataSourceMetadata.getProperties().containsKey("prometheus.auth.username"));
 assertFalse(dataSourceMetadata.getProperties().containsKey("prometheus.auth.password"));
 assertFalse(
@@ -352,11 +352,47 @@ void testRemovalOfAuthorizationInfo() {
 DataSourceMetadata dataSourceMetadata1 = dataSourceService.getDataSourceMetadata("testDS");
 assertEquals("testDS", dataSourceMetadata1.getName());
 assertEquals(DataSourceType.PROMETHEUS, dataSourceMetadata1.getConnector());
- assertFalse(dataSourceMetadata1.getProperties().containsKey("prometheus.auth.type"));
+ assertTrue(dataSourceMetadata1.getProperties().containsKey("prometheus.auth.type"));
 assertFalse(dataSourceMetadata1.getProperties().containsKey("prometheus.auth.username"));
 assertFalse(dataSourceMetadata1.getProperties().containsKey("prometheus.auth.password"));
 }
+ @Test
+ void testRemovalOfAuthorizationInfoForGlueWithRoleARN() {
+ HashMap properties = new HashMap<>();
+ properties.put("glue.auth.type", "iam_role");
+ properties.put("glue.auth.role_arn", "role_arn");
+ properties.put("glue.indexstore.opensearch.uri", "http://localhost:9200");
+ properties.put("glue.indexstore.opensearch.auth", "basicauth");
+ properties.put("glue.indexstore.opensearch.auth.username", "username");
+ properties.put("glue.indexstore.opensearch.auth.password", "password");
+ DataSourceMetadata dataSourceMetadata =
+ new DataSourceMetadata(
+ "testGlue",
+ DataSourceType.S3GLUE,
+ Collections.singletonList("glue_access"),
+ properties,
+ null);
+ when(dataSourceMetadataStorage.getDataSourceMetadata("testGlue"))
+ .thenReturn(Optional.of(dataSourceMetadata));
+
+ DataSourceMetadata dataSourceMetadata1 = dataSourceService.getDataSourceMetadata("testGlue");
+ assertEquals("testGlue", dataSourceMetadata1.getName());
+ assertEquals(DataSourceType.S3GLUE, dataSourceMetadata1.getConnector());
+ assertTrue(dataSourceMetadata1.getProperties().containsKey("glue.auth.type"));
+ assertTrue(dataSourceMetadata1.getProperties().containsKey("glue.auth.role_arn"));
+ assertTrue(dataSourceMetadata1.getProperties().containsKey("glue.indexstore.opensearch.uri"));
+ assertTrue(dataSourceMetadata1.getProperties().containsKey("glue.indexstore.opensearch.auth"));
+ assertFalse(
+ dataSourceMetadata1
+ .getProperties()
+ .containsKey("glue.indexstore.opensearch.auth.username"));
+ assertFalse(
+ dataSourceMetadata1
+ .getProperties()
+ .containsKey("glue.indexstore.opensearch.auth.password"));
+ }
+
 @Test
 void testGetDataSourceMetadataForNonExistingDataSource() {
 when(dataSourceMetadataStorage.getDataSourceMetadata("testDS")).thenReturn(Optional.empty());
@@ -381,7 +417,7 @@ void testGetDataSourceMetadataForSpecificDataSourceName() {
 "testDS", DataSourceType.PROMETHEUS, Collections.emptyList(), properties)));
 DataSourceMetadata dataSourceMetadata = this.dataSourceService.getDataSourceMetadata("testDS");
 assertTrue(dataSourceMetadata.getProperties().containsKey("prometheus.uri"));
- assertFalse(dataSourceMetadata.getProperties().containsKey("prometheus.auth.type"));
+ assertTrue(dataSourceMetadata.getProperties().containsKey("prometheus.auth.type"));
 assertFalse(dataSourceMetadata.getProperties().containsKey("prometheus.auth.username"));
 assertFalse(dataSourceMetadata.getProperties().containsKey("prometheus.auth.password"));
 verify(dataSourceMetadataStorage, times(1)).getDataSourceMetadata("testDS");
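Review bot: testRemovalOfAuthorizationInfoForGlueWithRoleARN checks only the `auth.username` and `auth.password` suffixes, so the `auth.access_key` and `auth.secret_key` entries of CONFIDENTIAL_AUTH_KEYS are not exercised by any assertion visible in these hunks (the truncated `assertFalse(` that ends the testGetDataSourceMetadataSet hunk may cover one of them). Adding two properties with constructed keys ending in those suffixes, each followed by `assertFalse(dataSourceMetadata1.getProperties().containsKey(...))`, would pin all four entries. Because the filter now keeps every key that is not listed, a further assertion stating the expected outcome for an unlisted auth property would record that behaviour as a deliberate choice rather than an accident.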