Backport #95325 to 25.10: Mask password in logs and system tables for the redis table function

robot-clickhouse · robot-clickhouse · commit d62b4e035f69 · 2026-01-29T19:23:19.000Z
diff --git a/src/Parsers/FunctionSecretArgumentsFinder.h b/src/Parsers/FunctionSecretArgumentsFinder.h
@@ -144,6 +144,10 @@ class FunctionSecretArgumentsFinder
         {
             findURLSecretArguments();
         }
+        else if (function->name() == "redis")
+        {
+            findRedisFunctionSecretArguments();
+        }
         else if (function->name() == "ytsaurus")
         {
             findYTsaurusStorageTableEngineSecretArguments();
@@ -202,7 +206,7 @@ class FunctionSecretArgumentsFinder
         result.replacement = std::move(uri);
     }
 
-    void findRedisSecretArguments()
+    void findRedisTableEngineSecretArguments()
     {
         /// Redis does not have URL/address argument,
         /// only 'host:port' and separate "password" argument.
@@ -552,7 +556,7 @@ class FunctionSecretArgumentsFinder
         }
         else if (engine_name == "Redis")
         {
-            findRedisSecretArguments();
+            findRedisTableEngineSecretArguments();
         }
         else if (engine_name == "YTsaurus")
         {
@@ -652,6 +656,12 @@ class FunctionSecretArgumentsFinder
             markSecretArgument(url_arg_idx + 4);
     }
 
+    void findRedisFunctionSecretArguments()
+    {
+        // redis(host:port, key, structure, db_index, password, pool_size)
+        markSecretArgument(4);
+    }
+
     void findYTsaurusStorageTableEngineSecretArguments()
     {
         // YTsaurus('base_uri', 'yt_path', 'auth_token')
diff --git a/tests/integration/test_mask_sensitive_info/test.py b/tests/integration/test_mask_sensitive_info/test.py
@@ -293,6 +293,7 @@ def test_create_table():
         f"S3('http://minio1:9001/root/data/test5.csv.gz', 'CSV', access_key_id = 'minio', secret_access_key = '{password}', compression_method = 'gzip')",
         f"ArrowFlight('arrowflight1:5006', 'dataset', 'arrowflight_user', '{password}')",
         f"ArrowFlight(named_collection_1, host = 'arrowflight1', port = 5006, dataset = 'dataset', username = 'arrowflight_user', password = '{password}')",
+        f"Redis('localhost', 0, '{password}') PRIMARY KEY x;",
     ]
 
     def make_test_case(i):
@@ -374,6 +375,7 @@ def make_test_case(i):
             "CREATE TABLE table35 (`x` int) ENGINE = S3('http://minio1:9001/root/data/test5.csv.gz', 'CSV', access_key_id = 'minio', secret_access_key = '[HIDDEN]', compression_method = 'gzip')",
             "CREATE TABLE table36 (`x` int) ENGINE = ArrowFlight('arrowflight1:5006', 'dataset', 'arrowflight_user', '[HIDDEN]')",
             "CREATE TABLE table37 (`x` int) ENGINE = ArrowFlight(named_collection_1, host = 'arrowflight1', port = 5006, dataset = 'dataset', username = 'arrowflight_user', password = '[HIDDEN]')",
+            "CREATE TABLE table38 (`x` int) ENGINE = Redis('localhost', 0, '[HIDDEN]') PRIMARY KEY x",
         ],
         must_not_contain=[password],
     )
@@ -501,6 +503,7 @@ def test_table_functions():
         f"arrowFlight('arrowflight1:5006', 'dataset', 'arrowflight_user', '{password}')",
         f"arrowFlight(named_collection_1, host = 'arrowflight1', port = 5006, dataset = 'dataset', username = 'arrowflight_user', password = '{password}')",
         f"arrowflight(named_collection_1, host = 'arrowflight1', port = 5006, dataset = 'dataset', username = 'arrowflight_user', password = '{password}')",
+        f"redis('localhost', 'key', 'key Int64', 0, '{password}')"
     ]
 
     def make_test_case(i):
@@ -592,6 +595,7 @@ def make_test_case(i):
             "CREATE TABLE tablefunc45 (`x` int) AS arrowFlight('arrowflight1:5006', 'dataset', 'arrowflight_user', '[HIDDEN]')",
             "CREATE TABLE tablefunc46 (`x` int) AS arrowFlight(named_collection_1, host = 'arrowflight1', port = 5006, dataset = 'dataset', username = 'arrowflight_user', password = '[HIDDEN]')",
             "CREATE TABLE tablefunc47 (`x` int) AS arrowflight(named_collection_1, host = 'arrowflight1', port = 5006, dataset = 'dataset', username = 'arrowflight_user', password = '[HIDDEN]')",
+            "CREATE TABLE tablefunc48 (`x` int) AS redis('localhost', 'key', 'key Int64', 0, '[HIDDEN]')",
         ],
         must_not_contain=[password],
     )

Original file line number	Diff line number	Diff line change
`@@ -144,6 +144,10 @@ class FunctionSecretArgumentsFinder`
`144`	`144`	`{`
`145`	`145`	`findURLSecretArguments();`
`146`	`146`	`}`
	`147`	`+ else if (function->name() == "redis")`
	`148`	`+ {`
	`149`	`+ findRedisFunctionSecretArguments();`
	`150`	`+ }`
`147`	`151`	`else if (function->name() == "ytsaurus")`
`148`	`152`	`{`
`149`	`153`	`findYTsaurusStorageTableEngineSecretArguments();`
`@@ -202,7 +206,7 @@ class FunctionSecretArgumentsFinder`
`202`	`206`	`result.replacement = std::move(uri);`
`203`	`207`	`}`
`204`	`208`
`205`		`- void findRedisSecretArguments()`
	`209`	`+ void findRedisTableEngineSecretArguments()`
`206`	`210`	`{`
`207`	`211`	`/// Redis does not have URL/address argument,`
`208`	`212`	`/// only 'host:port' and separate "password" argument.`
`@@ -552,7 +556,7 @@ class FunctionSecretArgumentsFinder`
`552`	`556`	`}`
`553`	`557`	`else if (engine_name == "Redis")`
`554`	`558`	`{`
`555`		`- findRedisSecretArguments();`
	`559`	`+ findRedisTableEngineSecretArguments();`
`556`	`560`	`}`
`557`	`561`	`else if (engine_name == "YTsaurus")`
`558`	`562`	`{`
`@@ -652,6 +656,12 @@ class FunctionSecretArgumentsFinder`
`652`	`656`	`markSecretArgument(url_arg_idx + 4);`
`653`	`657`	`}`
`654`	`658`
	`659`	`+ void findRedisFunctionSecretArguments()`
	`660`	`+ {`
	`661`	`+ // redis(host:port, key, structure, db_index, password, pool_size)`
	`662`	`+ markSecretArgument(4);`
	`663`	`+ }`
	`664`	`+`
`655`	`665`	`void findYTsaurusStorageTableEngineSecretArguments()`
`656`	`666`	`{`
`657`	`667`	`// YTsaurus('base_uri', 'yt_path', 'auth_token')`