[Bug] `kyuubi.server.redaction.regex` no longer redacts sensitive values in the "Launching engine:" log line

[brijesh1998]

Code of Conduct

• I agree to follow this project's Code of Conduct

Search before asking

• I have searched in the issues and found no similar issues.

Describe the bug

• kyuubi.server.redaction.regex no longer redacts sensitive values in the "Launching engine:" log line
  starting from v1.10.2.
• Works correctly in: 1.10.1
• Impacted log line: https://github.com/apache/kyuubi/blob/master/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/EngineRef.scala#L258

Steps to Reproduce

1. Set kyuubi.server.redaction.regex=(?i)secret|credential|password|token|access[.]key in
   kyuubi-defaults.conf
2. Add sensitive config in kyuubi-defaults.conf, example: spark.catalog.test.token=my_token
3. Connect via beeline: bin/beeline -u jdbc:kyuubi://192.168.0.4:10009/
4. Observe the Kyuubi server log - the "Launching engine:" line shows the credential value in plain text: --conf spark.catalog.test.token=my_token

Expected Behavior

The value should be redacted:

  --conf spark.catalog.test.token=********(redacted)

Possible Root Cause

#7054 added .serverOnly to SERVER_SECRET_REDACTION_PATTERN

val SERVER_SECRET_REDACTION_PATTERN: OptionalConfigEntry[Regex] =
    buildConf("kyuubi.server.redaction.regex")
      .serverOnly   // <-- added in #7054

Affects Version(s)

1.10.2/1.10.3/1.11.0/1.11.1

Kyuubi Server Log Output

2026-04-06 14:31:54.490 INFO KyuubiSessionManager-exec-pool: Thread-66 org.apache.kyuubi.engine.EngineRef: Launching engine:
/Users/brijesh/Documents/spark-playground/spark-3.5.3-bin-hadoop3/bin/spark-submit \
	--class org.apache.kyuubi.engine.spark.SparkSQLEngine \
	--conf spark.hive.server2.thrift.resultset.default.fetch.size=1000 \
	--conf spark.kyuubi.client.ipAddress=192.168.0.4 \
	--conf spark.kyuubi.client.version=1.11.1 \
	--conf spark.kyuubi.engine.appMgrInfo=eyJyZXNvdXJjZU1hbmFnZXIiOm51bGwsImt1YmVybmV0ZXNJbmZvIjp7ImNvbnRleHQiOm51bGwsIm5hbWVzcGFjZSI6bnVsbH19 \
	--conf spark.kyuubi.engine.engineLog.path=/Users/brijesh/Documents/spark-playground/apache-kyuubi-1.11.1-bin/work/anonymous/kyuubi-spark-sql-engine.log.3 \
	--conf spark.kyuubi.engine.submit.time=1775466114450 \
	--conf spark.kyuubi.ha.addresses=192.168.0.4:2181 \
	--conf spark.kyuubi.ha.engine.ref.id=1e1801f0-2b9f-48a5-a7c7-57c091d87207 \
	--conf spark.kyuubi.ha.namespace=/kyuubi_1.11.1_USER_SPARK_SQL/anonymous/default \
	--conf spark.kyuubi.ha.zookeeper.auth.type=NONE \
	--conf spark.kyuubi.server.ipAddress=192.168.0.4 \
	--conf spark.kyuubi.session.connection.url=192.168.0.4:10009 \
	--conf spark.kyuubi.session.real.user=anonymous \
	--conf spark.app.name=kyuubi_USER_SPARK_SQL_anonymous_default_1e1801f0-2b9f-48a5-a7c7-57c091d87207 \
	--conf spark.catalog.test.credential=my_creds \
	--conf spark.catalog.test.token=my_token \
	--conf spark.kubernetes.driver.label.kyuubi-unique-tag=1e1801f0-2b9f-48a5-a7c7-57c091d87207 \
	--conf spark.yarn.tags=KYUUBI,1e1801f0-2b9f-48a5-a7c7-57c091d87207 \
	--proxy-user anonymous /Users/brijesh/Documents/spark-playground/apache-kyuubi-1.11.1-bin/externals/engines/spark/kyuubi-spark-sql-engine_2.12-1.11.1.jar
2026-04-06 14:32:02.990 INFO NIOServerCxn.Factory:/192.168.0.4:2181 org.apache.kyuubi.shaded.zookeeper.server.NIOServerCnxnFactory: Accepted socket connection from /192.168.0.4:56025

Kyuubi Engine Log Output

Kyuubi Server Configurations

kyuubi.server.redaction.regex=(?i)secret|credential|password|token|access[.]key

spark.catalog.test.token=my_token
spark.catalog.test.credential=my_creds

Kyuubi Engine Configurations

Additional context

No response

Are you willing to submit PR?

• Yes. I would be willing to submit a PR with guidance from the Kyuubi community to fix.
• No. I cannot submit a PR at this time.

[github-actions]

Hello @brijesh1998,
Thanks for finding the time to report the issue!
We really appreciate the community's efforts to improve Apache Kyuubi.