KAFKA-8774

Connect REST API exposes plaintext secrets in tasks endpoint if config value contains additional characters

    Details

      Description

      I have configured a Connector to use externalized secrets, and the following endpoint returns secrets in the externalized form: 

      curl localhost:8083/connectors/foobar|jq

      {
        "name": "foobar",
        "config": {
          "connector.class": "io.confluent.connect.s3.S3SinkConnector",
          ...
          "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
          "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
          "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
          "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
          "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
          ...
        },
        "tasks": [
          { "connector": "foobar", "task": 0 }
        ],
        "type": "sink"
      }

      But another endpoint returns secrets in plain text:

      curl localhost:8083/connectors/foobar/tasks|jq
      
      [
        {
          "id": {
            "connector": "lcc-kgkpm",
            "task": 0
          },
          "config": {
            "connector.class": "io.confluent.connect.s3.S3SinkConnector",
            ...
            "errors.log.include.messages": "true",
            "flush.size": "1000",
            "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
            "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
            "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
            "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
            "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
            ...
          }
        }
      ]
      

      EDIT: This bug only shows up if the secrets are a substring of the config value. If they form the entirety of the config value, then the secrets are hidden at the /tasks endpoint.
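The following Python is an added illustration, not code from the report or from Kafka Connect itself. It models the symptom described above: masking that only re-externalizes a task value when the whole value is exactly one `${file:...}` reference hides `some.token` but leaves the secrets embedded in the JAAS string in plaintext, while a substring-aware reverse transform and a plaintext-secret check catch the leak. The config keys, file path and secret values are the report's placeholders; `some.token` and both masking functions are constructed for this example and are a simplified model, not Kafka's implementation.

```python
import re

# Constructed sample modelled on the report: a JAAS value embedding two
# ${file:...} references, a value that is exactly one reference, a plain value.
PATH = "/some/secret/path/secrets.properties"
SECRETS_FILE = {"kafka.api.key": "OOPS", "kafka.api.secret": "SURPRISE"}
RAW_CONFIG = {
    "consumer.sasl.jaas.config":
        "org.apache.kafka.common.security.plain.PlainLoginModule required "
        f'username="${{file:{PATH}:kafka.api.key}}" '
        f'password="${{file:{PATH}:kafka.api.secret}}";',
    "some.token": f"${{file:{PATH}:kafka.api.secret}}",  # hypothetical key
    "flush.size": "1000",
}
REF = re.compile(r"\$\{file:([^:}]+):([^}]+)\}")


def resolve(config, secrets):
    """Replace every ${file:path:key} reference with the secret it names.
    This is the form a task receives and the form /tasks was seen to return."""
    return {k: REF.sub(lambda m: secrets[m.group(2)], v) for k, v in config.items()}


def naive_reverse_transform(task_config, raw_config, secrets):
    """Whole-value masking (a model of the symptom, not Kafka's code): a task
    value is re-externalized only when it equals the resolved form of a raw
    value that is exactly one reference; secrets inside longer values remain."""
    resolved_to_raw = {}
    for raw in raw_config.values():
        m = REF.fullmatch(raw)
        if m:
            resolved_to_raw[secrets[m.group(2)]] = raw
    return {k: resolved_to_raw.get(v, v) for k, v in task_config.items()}


def substring_reverse_transform(task_config, raw_config, secrets):
    """Substring-aware masking: for each key, put back every reference found in
    the raw value wherever its resolved secret occurs in the task value."""
    result = {}
    for key, value in task_config.items():
        for m in REF.finditer(raw_config.get(key, "")):
            value = value.replace(secrets[m.group(2)], m.group(0))
        result[key] = value
    return result


def leaked_secret_keys(config, secrets):
    """Defender check: config keys whose value still contains a secret value."""
    return sorted(k for k, v in config.items()
                  if any(s in v for s in secrets.values()))
```

Running `leaked_secret_keys` over a `/tasks` response (with the secret values read from the same properties file) is a direct way to verify whether a Connect cluster exposes resolved secrets.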

              People

              • Assignee: Arjun Satish (wicknicks)
              • Reporter: Oleksandr Diachenko (odiachenko)
              • Reviewer: Randall Hauch