This article explains how to mask sensitive properties that appear in plain text in the Druid configuration files so that they are not written to the Druid service logs.
By default, Druid masks passwords before logging them to the service logs, but you may want to protect additional sensitive properties that are exposed in the configuration files.
1. Set druid.startup.logging.maskProperties in the Druid configuration properties file, specifying the keywords that will be used to identify sensitive properties and mask them.
For example, if you have configured the AWS access details in the Druid configuration (i.e. properties like druid.s3.accessKey) and want to mask accessKey, add accessKey to the array list as below:
Similarly, you can add to the array list any other sensitive properties that you want to mask.
2. Once the above changes are made, start the Druid services and verify the masking in the Druid server logs. For the above example, you can grep for druid.s3.accessKey in the service logs:
grep -i "druid.s3.accessKey" broker.log
2019-12-17T08:11:34,404 INFO [main] org.apache.druid.cli.CliBroker - * druid.s3.accessKey: <masked>
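
The grep above checks one property at a time. As an added example (not part of the original article), the following script scans a service log for startup property lines in the format shown above and prints every property whose name contains one of the given keywords but whose value is not <masked>. The function names, the keyword list, the maskProperties value in the comment, and the log lines in sample_log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed setting under audit (example value, a JSON array of keywords):
#   druid.startup.logging.maskProperties=["password","accessKey"]

# find_unmasked LOGFILE KEYWORD...
# Prints each startup-logged property ("... - * name: value") whose name
# contains one of the keywords but whose value is not "<masked>".
# Matching is a case-sensitive substring test (an assumption of this check).
find_unmasked() {
    log=$1; shift
    awk -v kws="$*" '
        BEGIN { n = split(kws, kw, " ") }
        match($0, / - \* [^: ]+: /) {
            name  = substr($0, RSTART + 5, RLENGTH - 7)
            value = substr($0, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", value)
            if (value == "" || value == "<masked>") next
            for (i = 1; i <= n; i++)
                if (index(name, kw[i])) { print name; break }
        }' "$log"
}

# Constructed sample log. The first line is the one shown in the article;
# the other two are made up to exercise the check.
sample_log() {
    cat <<'EOF'
2019-12-17T08:11:34,404 INFO [main] org.apache.druid.cli.CliBroker - * druid.s3.accessKey: <masked>
2019-12-17T08:11:34,404 INFO [main] org.apache.druid.cli.CliBroker - * druid.s3.secretKey: EXAMPLE-NOT-A-REAL-SECRET
2019-12-17T08:11:34,405 INFO [main] org.apache.druid.cli.CliBroker - * druid.service: druid/broker
EOF
}

# Audit with every word you consider sensitive, not only the configured ones.
# "-" makes awk read the log from standard input.
sample_log | find_unmasked - accessKey secretKey password
```

Any property name printed by the check is a candidate keyword to add to the array list in step 1.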