fix

gengjun-git · gengjun-git · commit 30e585ecdf2c · 2026-03-17T11:45:05.000+08:00
Signed-off-by: gengjun-git &lt;gengjun@starrocks.com&gt;
diff --git a/fe/fe-core/src/main/java/com/starrocks/common/util/SqlCredentialRedactor.java b/fe/fe-core/src/main/java/com/starrocks/common/util/SqlCredentialRedactor.java
@@ -119,6 +119,25 @@ public class SqlCredentialRedactor {
             Pattern.DOTALL | Pattern.MULTILINE
     );
 
+    private static final Pattern IDENTIFIED_BY_PATTERN = Pattern.compile(
+            "(IDENTIFIED\\s+BY\\s+(?:PASSWORD\\s+)?)" +
+                    "(?:'((?:[^'\\\\]|\\\\.)*)'|\"((?:[^\"\\\\]|\\\\.)*)\")",
+            Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE
+    );
+
+    private static final Pattern IDENTIFIED_WITH_PATTERN = Pattern.compile(
+            "(IDENTIFIED\\s+WITH\\s+[^\\s]+\\s+(?:BY|AS)\\s+)" +
+                    "(?:'((?:[^'\\\\]|\\\\.)*)'|\"((?:[^\"\\\\]|\\\\.)*)\")",
+            Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE
+    );
+
+    private static final Pattern SET_PASSWORD_PATTERN = Pattern.compile(
+            "(SET\\s+PASSWORD(?:\\s+FOR\\s+.+?)?\\s*=\\s*PASSWORD\\s*\\()" +
+                    "(?:'((?:[^'\\\\]|\\\\.)*)'|\"((?:[^\"\\\\]|\\\\.)*)\")" +
+                    "(\\s*\\))",
+            Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE
+    );
+
     private static final String REDACTED_VALUE = "***";
 
     /**
@@ -132,6 +151,14 @@ public static String redact(String sql) {
             return sql;
         }
 
+        sql = redactKeyValueCredentials(sql);
+        sql = redactSqlCredentialClause(sql, IDENTIFIED_BY_PATTERN, 1, 2, 3, 0);
+        sql = redactSqlCredentialClause(sql, IDENTIFIED_WITH_PATTERN, 1, 2, 3, 0);
+        sql = redactSqlCredentialClause(sql, SET_PASSWORD_PATTERN, 1, 2, 3, 4);
+        return sql;
+    }
+
+    private static String redactKeyValueCredentials(String sql) {
         Matcher matcher = KEY_VALUE_PATTERN.matcher(sql);
         StringBuilder result = new StringBuilder(sql.length() + 100);
 
@@ -168,4 +195,31 @@ public static String redact(String sql) {
         result.append(sql, lastEnd, sql.length());
         return result.toString();
     }
+
+    private static String redactSqlCredentialClause(String sql, Pattern pattern, int prefixGroup,
+                                                    int singleQuotedGroup, int doubleQuotedGroup, int suffixGroup) {
+        Matcher matcher = pattern.matcher(sql);
+        StringBuilder result = new StringBuilder(sql.length() + 32);
+        int lastEnd = 0;
+        while (matcher.find()) {
+            result.append(sql, lastEnd, matcher.start());
+
+            result.append(matcher.group(prefixGroup));
+            if (matcher.group(singleQuotedGroup) != null) {
+                result.append('\'').append(REDACTED_VALUE).append('\'');
+            } else if (matcher.group(doubleQuotedGroup) != null) {
+                result.append('"').append(REDACTED_VALUE).append('"');
+            } else {
+                result.append(REDACTED_VALUE);
+            }
+
+            if (suffixGroup > 0) {
+                result.append(matcher.group(suffixGroup));
+            }
+            lastEnd = matcher.end();
+        }
+
+        result.append(sql, lastEnd, sql.length());
+        return result.toString();
+    }
 }
diff --git a/fe/fe-core/src/main/java/com/starrocks/qe/ConnectProcessor.java b/fe/fe-core/src/main/java/com/starrocks/qe/ConnectProcessor.java
@@ -321,15 +321,15 @@ private String formatStmt(String origStmt, StatementBase parsedStmt) {
                 return "this is a desensitized invalid sql";
             }
             return SqlCredentialRedactor.redact(origStmt);
-        } else if (AuditEncryptionChecker.needEncrypt(parsedStmt)) {
-            return SqlCredentialRedactor.redact(origStmt);
-        } else if (Config.enable_sql_desensitize_in_log) {
+        } else if (needEncrypt || Config.enable_sql_desensitize_in_log) {
             // Some information like username, password in the stmt should not be printed.
             return AstToSQLBuilder.toSQL(parsedStmt, FormatOptions.allEnable()
                             .setColumnSimplifyTableName(false)
                             .setHideCredential(needEncrypt)
                             .setEnableDigest(Config.enable_sql_desensitize_in_log))
-                    .orElse("this is a desensitized sql");
+                    .orElseGet(() -> needEncrypt
+                            ? SqlCredentialRedactor.redact(LogUtil.removeLineSeparator(origStmt))
+                            : "this is a desensitized sql");
         } else {
             // Always redact credentials as defense in depth - raw SQL may contain
             // credentials that AuditEncryptionChecker does not yet recognize
diff --git a/fe/fe-core/src/main/java/com/starrocks/sql/formatter/AST2StringVisitor.java b/fe/fe-core/src/main/java/com/starrocks/sql/formatter/AST2StringVisitor.java
@@ -147,6 +147,8 @@
 import static java.util.stream.Collectors.toList;
 
 public class AST2StringVisitor implements AstVisitorExtendInterface<String, Void> {
+    private static final String MASKED_AUTH_TEXT = "*XXX";
+
     // use options:
     //   addFunctionDbName;
     //   withBackquote;
@@ -191,22 +193,25 @@ public StringBuilder buildAuthOptionSql(UserAuthOption authOption) {
             return sb;
         }
 
+        String authString = authOption.getAuthString();
+        String printedAuthString = options.isHideCredential() ? MASKED_AUTH_TEXT : authString;
+
         if (!Strings.isNullOrEmpty(authOption.getAuthPlugin())) {
             sb.append(" IDENTIFIED WITH ").append(authOption.getAuthPlugin());
-            if (!Strings.isNullOrEmpty(authOption.getAuthString())) {
+            if (!Strings.isNullOrEmpty(authString)) {
                 if (authOption.isPasswordPlain()) {
                     sb.append(" BY '");
                 } else {
                     sb.append(" AS '");
                 }
-                sb.append(authOption.getAuthString()).append("'");
+                sb.append(printedAuthString).append("'");
             }
         } else {
-            if (!Strings.isNullOrEmpty(authOption.getAuthString())) {
+            if (!Strings.isNullOrEmpty(authString)) {
                 if (authOption.isPasswordPlain()) {
-                    sb.append(" IDENTIFIED BY '").append("*XXX").append("'");
+                    sb.append(" IDENTIFIED BY '").append(printedAuthString).append("'");
                 } else {
-                    sb.append(" IDENTIFIED BY PASSWORD '").append(authOption.getAuthString()).append("'");
+                    sb.append(" IDENTIFIED BY PASSWORD '").append(printedAuthString).append("'");
                 }
             }
         }
diff --git a/fe/fe-core/src/test/java/com/starrocks/analysis/AlterUserStmtTest.java b/fe/fe-core/src/test/java/com/starrocks/analysis/AlterUserStmtTest.java
@@ -67,7 +67,7 @@ public void testToString() throws Exception {
         sql = "ALTER USER 'user' IDENTIFIED BY PASSWORD '*59c70da2f3e3a5bdf46b68f5c8b8f25762bccef0'";
         stmt = (AlterUserStmt) UtFrameUtils.parseStmtWithNewParser(sql, ConnectContext.get());
         Assertions.assertEquals("user", stmt.getUser().getUser());
-        Assertions.assertEquals("ALTER USER 'user'@'%' IDENTIFIED BY PASSWORD '*59c70da2f3e3a5bdf46b68f5c8b8f25762bccef0'",
+        Assertions.assertEquals("ALTER USER 'user'@'%' IDENTIFIED BY PASSWORD '*XXX'",
                 AstToSQLBuilder.toSQL(stmt));
         Assertions.assertEquals(new String(new UserAuthenticationInfo(stmt.getUser(), stmt.getAuthOption()).getPassword(),
                         StandardCharsets.UTF_8),
@@ -83,7 +83,7 @@ public void testToString() throws Exception {
 
         sql = "ALTER USER 'user' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD BY 'passwd'";
         stmt = (AlterUserStmt) UtFrameUtils.parseStmtWithNewParser(sql, ConnectContext.get());
-        Assertions.assertEquals("ALTER USER 'user'@'%' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD BY 'passwd'",
+        Assertions.assertEquals("ALTER USER 'user'@'%' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD BY '*XXX'",
                 AstToSQLBuilder.toSQL(stmt));
         Assertions.assertEquals(new String(new UserAuthenticationInfo(stmt.getUser(), stmt.getAuthOption()).getPassword(),
                         StandardCharsets.UTF_8),
@@ -93,7 +93,7 @@ public void testToString() throws Exception {
         sql = "ALTER USER 'user' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD AS '*59C70DA2F3E3A5BDF46B68F5C8B8F25762BCCEF0'";
         stmt = (AlterUserStmt) UtFrameUtils.parseStmtWithNewParser(sql, ConnectContext.get());
         Assertions.assertEquals(
-                "ALTER USER 'user'@'%' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD AS '*59C70DA2F3E3A5BDF46B68F5C8B8F25762BCCEF0'",
+                "ALTER USER 'user'@'%' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD AS '*XXX'",
                 AstToSQLBuilder.toSQL(stmt));
         Assertions.assertEquals(new String(new UserAuthenticationInfo(stmt.getUser(), stmt.getAuthOption()).getPassword(),
                         StandardCharsets.UTF_8),
@@ -111,7 +111,7 @@ public void testToString() throws Exception {
         sql = "ALTER USER 'user' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE AS 'uid=gengjun,ou=people,dc=example,dc=io'";
         stmt = (AlterUserStmt) UtFrameUtils.parseStmtWithNewParser(sql, ConnectContext.get());
         Assertions.assertEquals(
-                "ALTER USER 'user'@'%' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE AS 'uid=gengjun,ou=people,dc=example,dc=io'",
+                "ALTER USER 'user'@'%' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE AS '*XXX'",
                 AstToSQLBuilder.toSQL(stmt));
         Assertions.assertEquals(new String(new UserAuthenticationInfo(stmt.getUser(), stmt.getAuthOption()).getPassword(),
                 StandardCharsets.UTF_8), "");
@@ -122,7 +122,7 @@ public void testToString() throws Exception {
         sql = "ALTER USER 'user' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE BY 'uid=gengjun,ou=people,dc=example,dc=io'";
         stmt = (AlterUserStmt) UtFrameUtils.parseStmtWithNewParser(sql, ConnectContext.get());
         Assertions.assertEquals(
-                "ALTER USER 'user'@'%' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE BY 'uid=gengjun,ou=people,dc=example,dc=io'",
+                "ALTER USER 'user'@'%' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE BY '*XXX'",
                 AstToSQLBuilder.toSQL(stmt));
         Assertions.assertEquals(new String(new UserAuthenticationInfo(stmt.getUser(), stmt.getAuthOption()).getPassword(),
                 StandardCharsets.UTF_8), "");
diff --git a/fe/fe-core/src/test/java/com/starrocks/analysis/CreateUserStmtTest.java b/fe/fe-core/src/test/java/com/starrocks/analysis/CreateUserStmtTest.java
@@ -77,7 +77,7 @@ public void testToString() throws Exception {
         stmt = (CreateUserStmt) UtFrameUtils.parseStmtWithNewParser(sql, ConnectContext.get());
         Assertions.assertEquals("user", stmt.getUser().getUser());
         Assertions.assertEquals(
-                "CREATE USER 'user'@'%' IDENTIFIED BY PASSWORD '*59c70da2f3e3a5bdf46b68f5c8b8f25762bccef0'",
+                "CREATE USER 'user'@'%' IDENTIFIED BY PASSWORD '*XXX'",
                 AstToSQLBuilder.toSQL(stmt));
         Assertions.assertEquals(new String(new UserAuthenticationInfo(stmt.getUser(), stmt.getAuthOption()).getPassword(),
                 StandardCharsets.UTF_8), "*59C70DA2F3E3A5BDF46B68F5C8B8F25762BCCEF0");
@@ -92,7 +92,7 @@ public void testToString() throws Exception {
 
         sql = "CREATE USER 'user' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD BY 'passwd'";
         stmt = (CreateUserStmt) UtFrameUtils.parseStmtWithNewParser(sql, ConnectContext.get());
-        Assertions.assertEquals("CREATE USER 'user'@'%' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD BY 'passwd'",
+        Assertions.assertEquals("CREATE USER 'user'@'%' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD BY '*XXX'",
                 AstToSQLBuilder.toSQL(stmt));
         Assertions.assertEquals(new String(new UserAuthenticationInfo(stmt.getUser(), stmt.getAuthOption()).getPassword(),
                 StandardCharsets.UTF_8), "*59C70DA2F3E3A5BDF46B68F5C8B8F25762BCCEF0");
@@ -101,7 +101,7 @@ public void testToString() throws Exception {
         sql = "CREATE USER 'user' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD AS '*59C70DA2F3E3A5BDF46B68F5C8B8F25762BCCEF0'";
         stmt = (CreateUserStmt) UtFrameUtils.parseStmtWithNewParser(sql, ConnectContext.get());
         Assertions.assertEquals(
-                "CREATE USER 'user'@'%' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD AS '*59C70DA2F3E3A5BDF46B68F5C8B8F25762BCCEF0'",
+                "CREATE USER 'user'@'%' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD AS '*XXX'",
                 AstToSQLBuilder.toSQL(stmt));
         Assertions.assertEquals(new String(new UserAuthenticationInfo(stmt.getUser(), stmt.getAuthOption()).getPassword(),
                 StandardCharsets.UTF_8), "*59C70DA2F3E3A5BDF46B68F5C8B8F25762BCCEF0");
@@ -118,7 +118,7 @@ public void testToString() throws Exception {
         sql = "CREATE USER 'user' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE AS 'uid=gengjun,ou=people,dc=example,dc=io'";
         stmt = (CreateUserStmt) UtFrameUtils.parseStmtWithNewParser(sql, ConnectContext.get());
         Assertions.assertEquals(
-                "CREATE USER 'user'@'%' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE AS 'uid=gengjun,ou=people,dc=example,dc=io'",
+                "CREATE USER 'user'@'%' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE AS '*XXX'",
                 AstToSQLBuilder.toSQL(stmt));
         Assertions.assertEquals(new String(new UserAuthenticationInfo(stmt.getUser(), stmt.getAuthOption()).getPassword(),
                 StandardCharsets.UTF_8), "");
@@ -129,7 +129,7 @@ public void testToString() throws Exception {
         sql = "CREATE USER 'user' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE BY 'uid=gengjun,ou=people,dc=example,dc=io'";
         stmt = (CreateUserStmt) UtFrameUtils.parseStmtWithNewParser(sql, ConnectContext.get());
         Assertions.assertEquals(
-                "CREATE USER 'user'@'%' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE BY 'uid=gengjun,ou=people,dc=example,dc=io'",
+                "CREATE USER 'user'@'%' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE BY '*XXX'",
                 AstToSQLBuilder.toSQL(stmt));
         Assertions.assertEquals(new String(new UserAuthenticationInfo(stmt.getUser(), stmt.getAuthOption()).getPassword(),
                 StandardCharsets.UTF_8), "");
diff --git a/fe/fe-core/src/test/java/com/starrocks/common/util/SqlCredentialRedactorTest.java b/fe/fe-core/src/test/java/com/starrocks/common/util/SqlCredentialRedactorTest.java
@@ -260,6 +260,29 @@ public void testMultipleCredentials() {
         Assertions.assertEquals(2, count, "Should have exactly 2 redacted values");
     }
 
+    @Test
+    public void testRedactCreateUserCredentialClauses() {
+        String plainSql = "CREATE USER 'u1' IDENTIFIED BY 'secret'";
+        String plainRedacted = SqlCredentialRedactor.redact(plainSql);
+        Assertions.assertEquals("CREATE USER 'u1' IDENTIFIED BY '***'", plainRedacted);
+
+        String hashedSql = "CREATE USER 'u1' IDENTIFIED BY PASSWORD '*59C70DA2'";
+        String hashedRedacted = SqlCredentialRedactor.redact(hashedSql);
+        Assertions.assertEquals("CREATE USER 'u1' IDENTIFIED BY PASSWORD '***'", hashedRedacted);
+
+        String pluginSql = "CREATE USER 'u1' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE AS 'uid=test,dc=example,dc=io'";
+        String pluginRedacted = SqlCredentialRedactor.redact(pluginSql);
+        Assertions.assertEquals("CREATE USER 'u1' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE AS '***'",
+                pluginRedacted);
+    }
+
+    @Test
+    public void testRedactSetPasswordClause() {
+        String sql = "SET PASSWORD FOR 'test'@'%' = PASSWORD('secret')";
+        String redacted = SqlCredentialRedactor.redact(sql);
+        Assertions.assertEquals("SET PASSWORD FOR 'test'@'%' = PASSWORD('***')", redacted);
+    }
+
     /**
      * java.regex uses NFA algorithm, it cannot guarantee O(N) complexity, might run into timeout
      * when the string is very long.
diff --git a/fe/fe-core/src/test/java/com/starrocks/qe/QueryDetailTest.java b/fe/fe-core/src/test/java/com/starrocks/qe/QueryDetailTest.java
@@ -149,6 +149,31 @@ public void testInternalQuerySource() throws Exception {
         Assertions.assertEquals("INTERNAL", event.querySource);
     }
 
+    @Test
+    public void testSensitiveAuditStmtUsesAstDesensitization() throws Exception {
+        String sql = "CREATE USER 'audit_user' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE "
+                + "AS 'uid=gengjun,ou=people,dc=example,dc=io'";
+        StatementBase statement = SqlParser.parse(sql, connectContext.getSessionVariable()).get(0);
+
+        ConnectContext testContext = new ConnectContext();
+        testContext.setGlobalStateMgr(connectContext.getGlobalStateMgr());
+        testContext.setCurrentUserIdentity(connectContext.getCurrentUserIdentity());
+        testContext.setQualifiedUser(connectContext.getQualifiedUser());
+        testContext.setDatabase("test_db");
+        testContext.setCurrentCatalog("default_catalog");
+        testContext.setQueryId(UUIDUtil.genUUID());
+        testContext.setStartTime();
+
+        ConnectProcessor processor = new ConnectProcessor(testContext);
+        processor.auditAfterExec(sql, statement, null);
+
+        AuditEvent event = testContext.getAuditEventBuilder().build();
+        Assertions.assertEquals(
+                "CREATE USER 'audit_user'@'%' IDENTIFIED WITH AUTHENTICATION_LDAP_SIMPLE AS '*XXX'",
+                event.stmt);
+        Assertions.assertFalse(event.stmt.contains("uid=gengjun"));
+    }
+
     @Test
     public void testImpersonatedUserInQueryDetail() throws Exception {
         String sql = "SELECT 1";
