Ignore secure vault during secret masking

commit_hash:216085eee6bf6d1fb553f14aef15be8aa2d52767
author: ziganshinmr <[email protected]> 2025-06-18 18:24:12 +0300
committer: ziganshinmr <[email protected]> 2025-06-18 19:10:27 +0300
commit: 6c1c32e876eeb5a58183d027b26ce7420eaa7c81 (patch)
tree: 1d8cdbff31ecc4e5fe1b51bb49b8a962c6396af1
parent: 0ac6c9eac8c5c9d71141af3c89f7cfc1b66a279e (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/yt/yql/providers/yt/gateway/native/yql_yt_spec.cpp b/yt/yql/providers/yt/gateway/native/yql_yt_spec.cpp
index 5391dc9c31c..4bfcfe7fdcf 100644
--- a/yt/yql/providers/yt/gateway/native/yql_yt_spec.cpp
+++ b/yt/yql/providers/yt/gateway/native/yql_yt_spec.cpp
@@ -552,7 +552,11 @@ void CheckSpecForSecretsImpl(
 
     YQL_ENSURE(secretMasker);
 
-    auto maskedSpecStr = NYT::NodeToYsonString(spec);
+    // Secure vault is guaranteed not to be exposed by YT
+    auto cleanSpec = spec.AsMap();
+    cleanSpec.erase("secure_vault");
+    auto maskedSpecStr = NYT::NodeToYsonString(cleanSpec);
+
     auto secrets = secretMasker->Mask(maskedSpecStr);
     if (!secrets.empty()) {
         auto maskedSpecStrBuf = TStringBuf(maskedSpecStr);
author	ziganshinmr <[email protected]>	2025-06-18 18:24:12 +0300
committer	ziganshinmr <[email protected]>	2025-06-18 19:10:27 +0300
commit	6c1c32e876eeb5a58183d027b26ce7420eaa7c81 (patch)
tree	1d8cdbff31ecc4e5fe1b51bb49b8a962c6396af1
parent	0ac6c9eac8c5c9d71141af3c89f7cfc1b66a279e (diff)