[KAFKA-4364] Sink tasks expose secrets in DEBUG logging - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 0.10.2.0
Component/s: connect
Labels:
None

Description

As it stands today worker tasks print secrets such as Key/Trust store passwords to their respective logs.

https://github.com/confluentinc/kafka/blob/trunk/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/WorkerSinkTask.java#L213-L214

i.e.

[2016-11-01 12:50:59,254] DEBUG Initializing connector test-sink with config

{consumer.ssl.truststore.password=password, connector.class=io.confluent.connect.jdbc.JdbcSinkConnector, connection.password=password, producer.security.protocol=SSL, producer.ssl.truststore.password=password, topics=orders, tasks.max=1, consumer.ssl.truststore.location=/tmp/truststore/kafka.trustore.jks, producer.ssl.truststore.location=/tmp/truststore/kafka.trustore.jks, connection.user=connect, name=test-sink, auto.create=true, consumer.security.protocol=SSL, connection.url=jdbc:postgresql://localhost/test}

(org.apache.kafka.connect.runtime.WorkerConnector:71)

Attachments

Issue Links

links to

GitHub Pull Request #2115

Activity

People

Assignee:: Ryan P

Reporter:: Ryan P

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 01/Nov/16 20:29

Updated:: 09/Nov/16 22:59

Resolved:: 09/Nov/16 22:59