Description
A Kafka Connect connector can declare ConfigDef keys with the type Password. This type was added to prevent the values from being logged (instead "[hidden]" is logged).
This change does not apply to the values returned by executing a GET on connectors/{connector-name} and connectors/{connector-name}/config. This creates an easily accessible way for an attacker who has infiltrated your network to gain access to potential secrets that should not be available.
I have started on a code change that addresses this issue by parsing the config values through the ConfigDef for the connector and returning their output instead (which leads to the masking of Password typed configs as [hidden]).
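As an added illustration of the approach described above (example code, not the patch attached to this issue or Kafka's own implementation): the connector's raw config map is run through its ConfigDef with `ConfigDef.parse`, and the parsed values are stringified before being returned, so a Password-typed value renders as `[hidden]`. The ConfigDef and config values are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.ConfigDef.Importance;
import org.apache.kafka.common.config.ConfigDef.Type;

public class MaskedConnectorConfigExample {
    // Hypothetical connector ConfigDef: one plain STRING key and one PASSWORD key.
    static final ConfigDef CONFIG_DEF = new ConfigDef()
        .define("db.url", Type.STRING, Importance.HIGH, "JDBC URL of the source database")
        .define("db.password", Type.PASSWORD, Importance.HIGH, "Database password");

    // Builds the view of the config that a REST GET should return.
    // ConfigDef.parse converts PASSWORD-typed values into
    // org.apache.kafka.common.config.types.Password objects, whose toString()
    // returns "[hidden]", so the secret never appears in the response body.
    static Map<String, String> maskedView(ConfigDef def, Map<String, String> rawConfig) {
        Map<String, Object> parsed = def.parse(rawConfig);
        Map<String, String> out = new HashMap<>();
        for (Map.Entry<String, String> e : rawConfig.entrySet()) {
            Object typed = parsed.get(e.getKey());
            // Keys the ConfigDef does not know about are not in the parsed map;
            // they are passed through unchanged, matching the raw config behaviour.
            out.put(e.getKey(), typed == null ? e.getValue() : typed.toString());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample config; the password value is not a real credential.
        Map<String, String> raw = new HashMap<>();
        raw.put("db.url", "jdbc:postgresql://db.example.internal/inventory");
        raw.put("db.password", "constructed-secret-value");

        System.out.println("raw (what the GET currently returns): " + raw);
        System.out.println("masked (parsed through ConfigDef):     " + maskedView(CONFIG_DEF, raw));
        // db.password is printed as [hidden] in the masked view only.
    }
}
```

Note that this only masks what the connector's ConfigDef declares as PASSWORD; values stored in other keys, or the task-level config discussed in the linked KAFKA-8774, are not covered by it, which is why externalizing secrets (KAFKA-6886) remains the structural fix.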
Attachments
Issue Links
- duplicates: KAFKA-6886 Externalize Secrets for Kafka Connect Configurations (Resolved)
- is related to: KAFKA-8774 Connect REST API exposes plaintext secrets in tasks endpoint if config value contains additional characters (Resolved)