[FLINK-38263][table] add secret store related interfaces by lihaosky · Pull Request #27394 · apache/flink

lihaosky · 2026-01-08T23:21:38Z

What is the purpose of the change

Add secret store related api in FLIP-529

Brief change log

SecretStore, SecretStoreFactory interfaces
Add secret-store kind config option
Use them in TableEnvironmentImpl and EnvironmentSettings

Verifying this change

Unit test

Does this pull request potentially affect one of the following parts:

Dependencies (does it add or upgrade a dependency): (no)
The public API, i.e., is any changed class annotated with @Public(Evolving): (yes)
The serializers: (no)
The runtime per-record code paths (performance sensitive): (no)
Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: (no)
The S3 file system connector: (no)

Documentation

Does this pull request introduce a new feature? (yes)
If yes, how is the feature documented? (JavaDocs)

flinkbot · 2026-01-08T23:24:29Z

CI report:

ef5948c Azure: SUCCESS

Bot commands

The @flinkbot bot supports the following commands:

@flinkbot run azure re-run the last Azure build

...k-table-api-java/src/main/java/org/apache/flink/table/api/internal/TableEnvironmentImpl.java

...k-table-api-java/src/main/java/org/apache/flink/table/secret/GenericInMemorySecretStore.java

...k-table-api-java/src/main/java/org/apache/flink/table/api/internal/TableEnvironmentImpl.java

...-api-java/src/main/java/org/apache/flink/table/secret/GenericInMemorySecretStoreFactory.java

...link-table-api-java/src/test/java/org/apache/flink/table/factories/TableFactoryUtilTest.java

...-java/src/test/java/org/apache/flink/table/secret/GenericInMemorySecretStoreFactoryTest.java

...ble-api-java/src/test/java/org/apache/flink/table/secret/GenericInMemorySecretStoreTest.java

...ink-table-common/src/main/java/org/apache/flink/table/secret/exceptions/SecretException.java

...ble-api-java/src/test/java/org/apache/flink/table/secret/GenericInMemorySecretStoreTest.java

twalthr

Thanks @lihaosky.

twalthr · 2026-02-03T15:56:55Z

...k-table-api-java/src/main/java/org/apache/flink/table/api/internal/TableEnvironmentImpl.java

+        // TODO (FLINK-38261): pass secret store to catalog manager for encryption/decryption
+        final SecretStore secretStore =
+                settings.getSecretStore() != null
+                        ? settings.getSecretStore()


We should not discover a factory if a secret store is already provided. Please also update the CatalogStoreFactory above which has the same issue. Also the TableFactoryUtil class is kind of deprecated. Move the methods for both secret and catalog store to a new org.apache.flink.table.api.internal.ApiFactoryUtil

I created a new PR for the refactoring: #27531

twalthr · 2026-02-03T15:58:45Z

...table/flink-table-api-java/src/main/java/org/apache/flink/table/api/EnvironmentSettings.java


+    @Internal
+    @Nullable
+    public SecretStore getSecretStore() {


Use Optional, maybe also for CatalogStore for consistency.

Put in new PR: #27531

twalthr · 2026-02-03T16:02:00Z

...k-table-api-java/src/main/java/org/apache/flink/table/secret/GenericInMemorySecretStore.java

+@Internal
+public class GenericInMemorySecretStore implements ReadableSecretStore, WritableSecretStore {
+
+    private static final ObjectMapper objectMapper = new ObjectMapper();


No need for Jackson deps here. We can store Java objects and avoid ser/de.

Store an immutable Map<String, String>

davidradl reviewed Jan 9, 2026

View reviewed changes

...k-table-api-java/src/main/java/org/apache/flink/table/api/internal/TableEnvironmentImpl.java Outdated Show resolved Hide resolved

github-actions bot added the community-reviewed PR has been reviewed by the community. label Jan 9, 2026

airlock-confluentinc bot force-pushed the connection-api branch from c68b3d5 to 74a6830 Compare January 27, 2026 00:28