Skip to content

Mask password in logs and system tables for the redis table function#95325

Merged
antaljanosbenjamin merged 1 commit intomasterfrom
hide-secrets-in-redis-table-function
Jan 28, 2026
Merged

Mask password in logs and system tables for the redis table function#95325
antaljanosbenjamin merged 1 commit intomasterfrom
hide-secrets-in-redis-table-function

Conversation

@antaljanosbenjamin
Copy link
Member

@antaljanosbenjamin antaljanosbenjamin commented Jan 27, 2026
edited
Loading

Changelog category (leave one):

  • Critical Bug Fix (crash, data loss, RBAC) or LOGICAL_ERROR

Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):

The password argument of the redis table function now will be masked in the logs and system tables (e.g.: query_log).

Documentation entry for user-facing changes

  • Documentation is written (mandatory for new features)

@clickhouse-gh
Copy link
Contributor

clickhouse-gh bot commented Jan 27, 2026
edited by antaljanosbenjamin
Loading

Workflow [PR], commit [002ef60]

Summary:

job_name test_name status info comment
Stress test (amd_debug) failure
Logical error: Block structure mismatch in A stream: different number of columns: (STID: 0993-38e6) FAIL cidb, issue ISSUE EXISTS

Copilot AI reviewed Jan 27, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements password hiding for the redis table function in logs and system tables, addressing a security concern where sensitive credentials were previously exposed.

Changes:

  • Added password masking logic for the redis table function by implementing findRedisFunctionSecretArguments() method
  • Renamed existing findRedisSecretArguments() to findRedisTableEngineSecretArguments() for clarity between table engine and table function handling
  • Added comprehensive test coverage for both redis table function and Redis table engine password masking

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/Parsers/FunctionSecretArgumentsFinder.h Implements password masking for redis table function and renames existing method for table engine
tests/integration/test_mask_sensitive_info/test.py Adds test cases verifying password masking works for both Redis table engine and redis table function

@clickhouse-gh clickhouse-gh bot added pr-critical-bugfix pr-must-backport Pull request should be backported intentionally. Use this label with great care! labels Jan 27, 2026
Copilot AI mentioned this pull request Jan 27, 2026
Closed
5 tasks
Copy link
Contributor

Copilot AI commented Jan 27, 2026

@antaljanosbenjamin I've opened a new pull request, #95327, to work on those changes. Once the pull request is ready, I'll request review from you.

@antaljanosbenjamin antaljanosbenjamin changed the title Hide password in logs for redis table function Mask password in logs and system tabels for redis table function Jan 27, 2026
@antaljanosbenjamin antaljanosbenjamin changed the title Mask password in logs and system tabels for redis table function Mask password in logs and system tabels for the redis table function Jan 27, 2026
@kssenii kssenii self-assigned this Jan 27, 2026
@antaljanosbenjamin antaljanosbenjamin changed the title Mask password in logs and system tabels for the redis table function Mask password in logs and system tables for the redis table function Jan 28, 2026
@antaljanosbenjamin antaljanosbenjamin added this pull request to the merge queue Jan 28, 2026
Merged via the queue into master with commit 5c731d3 Jan 28, 2026
132 of 134 checks passed
@antaljanosbenjamin antaljanosbenjamin deleted the hide-secrets-in-redis-table-function branch January 28, 2026 14:13
@robot-ch-test-poll1 robot-ch-test-poll1 added the pr-must-backport-synced The `*-must-backport` labels are synced into the cloud Sync PR label Jan 28, 2026
This was referenced Jan 28, 2026
Merged
Merged
Merged
Merged
Merged
Merged
robot-clickhouse added a commit that referenced this pull request Jan 28, 2026
@robot-clickhouse
Merge pull request #95406 from ClickHouse/cherrypick/26.1/95325
eb99452 
Cherry pick #95325 to 26.1: Mask password in logs and system tables for the `redis` table function
robot-clickhouse added a commit that referenced this pull request Jan 28, 2026
@robot-clickhouse
Backport #95325 to 26.1: Mask password in logs and system tables for …
76e26ad 
…the `redis` table function
@robot-clickhouse robot-clickhouse mentioned this pull request Jan 28, 2026
Merged
@robot-clickhouse robot-clickhouse added the pr-synced-to-cloud The PR is synced to the cloud repo label Jan 28, 2026
clickhouse-gh bot added a commit that referenced this pull request Jan 28, 2026
@clickhouse-gh
Merge pull request #95407 from ClickHouse/backport/26.1/95325
0f5a504 
Backport #95325 to 26.1: Mask password in logs and system tables for the `redis` table function
robot-ch-test-poll added a commit that referenced this pull request Jan 29, 2026
@robot-ch-test-poll
Merge pull request #95401 from ClickHouse/cherrypick/25.3/95325
3035693 
Cherry pick #95325 to 25.3: Mask password in logs and system tables for the `redis` table function
robot-clickhouse added a commit that referenced this pull request Jan 29, 2026
@robot-clickhouse
Backport #95325 to 25.3: Mask password in logs and system tables for …
87ce53b 
…the `redis` table function
@robot-ch-test-poll robot-ch-test-poll mentioned this pull request Jan 29, 2026
Merged
robot-ch-test-poll added a commit that referenced this pull request Jan 29, 2026
@robot-ch-test-poll
Merge pull request #95402 from ClickHouse/cherrypick/25.8/95325
2269f47 
Cherry pick #95325 to 25.8: Mask password in logs and system tables for the `redis` table function
@robot-ch-test-poll robot-ch-test-poll mentioned this pull request Jan 29, 2026
Merged
robot-clickhouse added a commit that referenced this pull request Jan 29, 2026
@robot-clickhouse
Backport #95325 to 25.8: Mask password in logs and system tables for …
9d5a8e4 
…the `redis` table function
robot-ch-test-poll added a commit that referenced this pull request Jan 29, 2026
@robot-ch-test-poll
Merge pull request #95403 from ClickHouse/cherrypick/25.10/95325
041a54d 
Cherry pick #95325 to 25.10: Mask password in logs and system tables for the `redis` table function
robot-clickhouse added a commit that referenced this pull request Jan 29, 2026
@robot-clickhouse
Backport #95325 to 25.10: Mask password in logs and system tables for…
d62b4e0 
… the `redis` table function
@robot-ch-test-poll robot-ch-test-poll mentioned this pull request Jan 29, 2026
Merged
robot-ch-test-poll added a commit that referenced this pull request Jan 29, 2026
@robot-ch-test-poll
Merge pull request #95404 from ClickHouse/cherrypick/25.11/95325
cd04dbc 
Cherry pick #95325 to 25.11: Mask password in logs and system tables for the `redis` table function
robot-clickhouse added a commit that referenced this pull request Jan 29, 2026
@robot-clickhouse
Backport #95325 to 25.11: Mask password in logs and system tables for…
3a00fd8 
… the `redis` table function
@robot-ch-test-poll robot-ch-test-poll mentioned this pull request Jan 29, 2026
Merged
robot-clickhouse added a commit that referenced this pull request Jan 29, 2026
@robot-clickhouse
Merge pull request #95405 from ClickHouse/cherrypick/25.12/95325
53e4bbb 
Cherry pick #95325 to 25.12: Mask password in logs and system tables for the `redis` table function
robot-clickhouse added a commit that referenced this pull request Jan 29, 2026
@robot-clickhouse
Backport #95325 to 25.12: Mask password in logs and system tables for…
f430138 
… the `redis` table function
@robot-clickhouse robot-clickhouse mentioned this pull request Jan 29, 2026
Merged
@robot-ch-test-poll robot-ch-test-poll added the pr-backports-created Backport PRs are successfully created, it won't be processed by CI script anymore label Jan 29, 2026
clickhouse-gh bot added a commit that referenced this pull request Jan 29, 2026
@clickhouse-gh
Merge pull request #95572 from ClickHouse/backport/25.11/95325
7b5264c 
Backport #95325 to 25.11: Mask password in logs and system tables for the `redis` table function
antaljanosbenjamin added a commit that referenced this pull request Jan 30, 2026
@antaljanosbenjamin
Merge pull request #95575 from ClickHouse/backport/25.12/95325
9082478 
Backport #95325 to 25.12: Mask password in logs and system tables for the `redis` table function
antaljanosbenjamin added a commit that referenced this pull request Jan 30, 2026
@antaljanosbenjamin
Merge pull request #95570 from ClickHouse/backport/25.8/95325
cfacd52 
Backport #95325 to 25.8: Mask password in logs and system tables for the `redis` table function
antaljanosbenjamin added a commit that referenced this pull request Jan 30, 2026
@antaljanosbenjamin
Merge pull request #95571 from ClickHouse/backport/25.10/95325
991029c 
Backport #95325 to 25.10: Mask password in logs and system tables for the `redis` table function
antaljanosbenjamin added a commit that referenced this pull request Jan 30, 2026
@antaljanosbenjamin
Merge pull request #95569 from ClickHouse/backport/25.3/95325
e4e296b 
Backport #95325 to 25.3: Mask password in logs and system tables for the `redis` table function
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@kssenii kssenii kssenii approved these changes

Assignees

@kssenii kssenii

Labels

pr-backports-created Backport PRs are successfully created, it won't be processed by CI script anymore pr-critical-bugfix pr-must-backport Pull request should be backported intentionally. Use this label with great care! pr-must-backport-synced The `*-must-backport` labels are synced into the cloud Sync PR pr-synced-to-cloud The PR is synced to the cloud repo

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@antaljanosbenjamin @kssenii @robot-clickhouse @robot-ch-test-poll @robot-ch-test-poll1 @pnovitskiy