[KAFKA-14115] Password configs are logged in plaintext in KRaft - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.3.0, 3.4.0, 3.2.3
Component/s: kraft
Labels:
None

Description

While investigating ~~KAFKA-14111~~, I also noticed that ConfigurationControlManager is logging sensitive configs in plaintext at INFO level.

[2022-07-27 12:14:09,927] INFO [Controller 1] ConfigResource(type=BROKER, name='1'): set configuration listener.name.external.ssl.key.password to bar (org.apache.kafka.controller.ConfigurationControlManager)

Once this new config reaches the broker, it is logged again, but this time it is redacted

[2022-07-27 12:14:09,957] INFO [BrokerMetadataPublisher id=1] Updating broker 1 with new configuration : listener.name.external.ssl.key.password -> [hidden] (kafka.server.metadata.BrokerMetadataPublisher)

Attachments

Issue Links

links to

GitHub Pull Request #12481

Activity

People

Assignee:: David Arthur

Reporter:: David Arthur

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 27/Jul/22 16:16

Updated:: 13/Sep/22 07:32

Resolved:: 04/Aug/22 20:31