[KAFKA-5117] Kafka Connect REST endpoints reveal Password typed values - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 0.10.2.0
Fix Version/s: 2.2.0, 2.1.1, 2.0.2
Component/s: KafkaConnect
Labels:
- needs-kip

Description

A Kafka Connect connector can specify ConfigDef keys as type of Password. This type was added to prevent logging the values (instead "[hidden]" is logged).

This change does not apply to the values returned by executing a GET on connectors/{connector-name} and connectors/{connector-name}/config. This creates an easily accessible way for an attacker who has infiltrated your network to gain access to potential secrets that should not be available.

I have started on a code change that addresses this issue by parsing the config values through the ConfigDef for the connector and returning their output instead (which leads to the masking of Password typed configs as [hidden]).

Attachments

Issue Links

duplicates

KAFKA-6886 Externalize Secrets for Kafka Connect Configurations

Resolved

is related to

KAFKA-8774 Connect REST API exposes plaintext secrets in tasks endpoint if config value contains additional characters

Resolved

links to

GitHub Pull Request #4269

GitHub Pull Request #4441

GitHub Pull Request #6129

mentioned in: Page Loading...

(1 links to, 1 mentioned in)

Activity

People

Assignee:: Chris Egerton

Reporter:: Thomas Holmes

Votes:: 1 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 24/Apr/17 17:22

Updated:: 13/Aug/19 15:02

Resolved:: 23/Jan/19 19:06