Currently, the full contents of a job's Config is exposed in at least a couple of places including the logs (logged by SamzaContainer), and the ApplicationMaster UI's config page. There is a security concern with doing that if sensitive information (e.g. credentials) is stored there. It would be nice to be able to mark sensitive config values so that they are not displayed in such ways. The only thing that springs to mind is a special naming convention, perhaps a "sensitive" prefix that would identify these values. Ideally such a capability would be baked into Config itself, but minimally Samza code that exposes Config could be made aware of the convention to avoid displaying the plaintext of sensitive values.