
Commit 6b64c25

authored
feat(config): Configuration Endpoint - ConfigurationProvider (#14237)
1 parent 310e27e commit 6b64c25


28 files changed

+3735
-1
lines changed


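--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -89,6 +89,16 @@ DataHub is a **schema-first, event-driven metadata platform** with three core la
 - Frontend: Tests in `__tests__/` or `.test.tsx` files
 - Smoke tests go in the `smoke-test/` directory
 
+#### Security Testing: Configuration Property Classification
+
+**Critical test**: `metadata-io/src/test/java/com/linkedin/metadata/system_info/collectors/PropertiesCollectorConfigurationTest.java`
+
+This test prevents sensitive data leaks by requiring explicit classification of all configuration properties as either sensitive (redacted) or non-sensitive (visible in system info).
+
+**When adding new configuration properties**: The test will fail with clear instructions on which classification list to add your property to. Refer to the test file's comprehensive documentation for template syntax and examples.
+
+This is a mandatory security guardrail - never disable or skip this test.
+
 ### Commits
 
 - Follow Conventional Commits format for commit messages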

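--- a/docs/developers.md
+++ b/docs/developers.md
@@ -261,3 +261,25 @@ git reset --hard
 ```
 
 See also [here](https://stackoverflow.com/questions/5917249/git-symbolic-links-in-windows/59761201#59761201) for more information on how to enable symbolic links on Windows 10/11 and Git.
+
+## Security Testing
+
+### Configuration Property Classification Test
+
+**Location**: `metadata-io/src/test/java/com/linkedin/metadata/system_info/collectors/PropertiesCollectorConfigurationTest.java`
+
+This test ensures all configuration properties are explicitly classified as either sensitive (redacted) or non-sensitive (visible in system info). It prevents accidental exposure of secrets through DataHub's system information endpoints.
+
+**When you add new configuration properties:**
+
+1. The test will fail if your property is unclassified
+2. Follow the test failure message to add your property to the appropriate classification list
+3. When in doubt, classify as sensitive - it's safer to over-redact than expose secrets
+
+**Run the test:**
+
+```bash
+./gradlew :metadata-io:test --tests "*.PropertiesCollectorConfigurationTest"
+```
+
+Refer to the test file itself for comprehensive documentation on classification lists, template syntax, and examples. This is a mandatory security guardrail that protects against credential leaks.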

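--- a/metadata-io/README.md
+++ b/metadata-io/README.md
@@ -0,0 +1,23 @@
+# Metadata IO Module
+
+This module contains the core metadata I/O services for DataHub, including system information collection and property management.
+
+## Security: Configuration Property Classification
+
+**Critical Test**: `PropertiesCollectorConfigurationTest` enforces that all configuration properties are explicitly classified as either sensitive (redacted) or non-sensitive (visible in system info).
+
+**Why**: Prevents accidental exposure of secrets through DataHub's system information endpoints.
+
+**When adding new properties**: The test will fail with instructions on which classification list to add your property to. The test file contains comprehensive documentation on:
+
+- The four classification lists (sensitive/non-sensitive, exact/template)
+- Template syntax for dynamic properties (`[*]` for indices, `*` for segments)
+- Security guidelines and examples
+
+**Test Command**:
+
+```bash
+./gradlew :metadata-io:test --tests "*.PropertiesCollectorConfigurationTest"
+```
+
+**Security Rule**: When in doubt, classify as sensitive. This test is a mandatory security guardrail - never disable it.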
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
package com.linkedin.metadata.system_info;
2+
3+
import com.fasterxml.jackson.annotation.JsonInclude;
4+
import java.util.Map;
5+
import lombok.Builder;
6+
import lombok.Data;
7+
8+
@Data
9+
@Builder
10+
@JsonInclude(JsonInclude.Include.NON_NULL)
11+
public class ComponentInfo {
12+
private String name;
13+
private ComponentStatus status;
14+
private String version;
15+
private Map<String, Object> properties;
16+
private String errorMessage;
17+
}
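Review bot: `@Data` on `ComponentInfo` generates a `toString()` that prints `properties` and `errorMessage` in full, so any log statement that includes a `ComponentInfo` would emit whatever the collector stored there, independently of the redaction applied before serialization. I would put `@ToString.Exclude` on `private Map<String, Object> properties;` and add a class Javadoc stating that `properties` and `errorMessage` must hold already-redacted values, since an exception message copied into `errorMessage` can carry a connection string. The same `@Data` concern applies to `PropertyInfo` and, through nesting, to `SpringComponentsInfo`. Whether these objects are ever logged is not visible on this page.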
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
package com.linkedin.metadata.system_info;
2+
3+
public enum ComponentStatus {
4+
AVAILABLE,
5+
UNAVAILABLE,
6+
ERROR
7+
}
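Review bot: The difference between `UNAVAILABLE` and `ERROR` is not documented on the enum, and consumers of the endpoint need it to tell an undeployed or unreachable component from one whose collection failed. I would add a one-line Javadoc per constant, for example `/** Component could not be reached or is not deployed. */` on `UNAVAILABLE` and `/** Component was reached but collecting its information failed. */` on `ERROR`. Those meanings are my reading of the names and should be confirmed against the collector code, which is not on this page.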
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
package com.linkedin.metadata.system_info;
2+
3+
import com.fasterxml.jackson.annotation.JsonInclude;
4+
import lombok.Builder;
5+
import lombok.Data;
6+
7+
@Data
8+
@Builder
9+
@JsonInclude(JsonInclude.Include.NON_NULL)
10+
public class PropertyInfo {
11+
private String key;
12+
private Object value;
13+
private String source;
14+
private String sourceType;
15+
private String resolvedValue;
16+
}
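Review bot: `PropertyInfo` carries the property value in two fields, `value` and `resolvedValue`, and nothing on the class says that redaction has to cover both. If `value` holds a placeholder and `resolvedValue` the substituted result (my reading of the names; the collector is not on this page), masking only `value` would still expose the secret through `resolvedValue`. I would document the invariant on the field, e.g. `/** Value after placeholder resolution; must be redacted whenever {@code value} is. */`, and have the classification test assert on both fields for a sensitive key.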
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
package com.linkedin.metadata.system_info;
2+
3+
import com.fasterxml.jackson.annotation.JsonInclude;
4+
import lombok.Builder;
5+
import lombok.Data;
6+
7+
@Data
8+
@Builder
9+
@JsonInclude(JsonInclude.Include.NON_NULL)
10+
public class PropertySourceInfo {
11+
private String name;
12+
private String type;
13+
private int propertyCount;
14+
}
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
package com.linkedin.metadata.system_info;
2+
3+
import com.fasterxml.jackson.annotation.JsonInclude;
4+
import lombok.Builder;
5+
import lombok.Data;
6+
7+
@Data
8+
@Builder
9+
@JsonInclude(JsonInclude.Include.NON_NULL)
10+
public class SpringComponentsInfo {
11+
private ComponentInfo gms;
12+
private ComponentInfo maeConsumer;
13+
private ComponentInfo mceConsumer;
14+
}
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
package com.linkedin.metadata.system_info;
2+
3+
/** Constants for system information components */
4+
public class SystemInfoConstants {
5+
6+
// Component names
7+
public static final String GMS_COMPONENT_NAME = "GMS";
8+
public static final String MAE_COMPONENT_NAME = "MAE Consumer";
9+
public static final String MCE_COMPONENT_NAME = "MCE Consumer";
10+
11+
// Component keys for remote fetching
12+
public static final String GMS_COMPONENT_KEY = "gms";
13+
public static final String MAE_COMPONENT_KEY = "maeConsumer";
14+
public static final String MCE_COMPONENT_KEY = "mceConsumer";
15+
16+
private SystemInfoConstants() {
17+
// Utility class - no instantiation
18+
}
19+
}
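Review bot: The `*_COMPONENT_KEY` values `"gms"`, `"maeConsumer"` and `"mceConsumer"` repeat the field names of `SpringComponentsInfo`, and nothing ties the two together, so renaming a field would silently break any lookup by key. A comment such as `// Must match the JSON property names of SpringComponentsInfo` above the keys, or `@JsonProperty(SystemInfoConstants.GMS_COMPONENT_KEY)` on the fields, would make the coupling explicit. How the keys are consumed is not visible here, so this is inferred from the matching strings. The class should also be declared `public final class SystemInfoConstants`, since the private constructor already shows it is not meant to be extended.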
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
package com.linkedin.metadata.system_info;
2+
3+
/** Exception thrown when system information collection fails */
4+
public class SystemInfoException extends RuntimeException {
5+
6+
public SystemInfoException(String message) {
7+
super(message);
8+
}
9+
10+
public SystemInfoException(String message, Throwable cause) {
11+
super(message, cause);
12+
}
13+
}
