Description
I have configured a Connector to use externalized secrets, and the following endpoint returns secrets in the externalized form:
curl localhost:8083/connectors/foobar|jq
{
  "name": "foobar",
  "config": {
    "connector.class": "io.confluent.connect.s3.S3SinkConnector",
    ...
    "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
    "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
    "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
    "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
    "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
    ...
  },
  "tasks": [
    {
      "connector": "foobar",
      "task": 0
    }
  ],
  "type": "sink"
}
But another endpoint returns secrets in plain text:
curl localhost:8083/connectors/foobar/tasks|jq
[
  {
    "id": {
      "connector": "lcc-kgkpm",
      "task": 0
    },
    "config": {
      "connector.class": "io.confluent.connect.s3.S3SinkConnector",
      ...
      "errors.log.include.messages": "true",
      "flush.size": "1000",
      "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
      "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
      "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
      "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
      "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
      ...
    }
  }
]
EDIT: This bug only shows up if the secrets are a substring in the config value. If they form the entirety of the config value, then the secrets are hidden at the /tasks endpoints.
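An added example, not part of the original report or of the Kafka project: a check an operator could run to see whether a worker is affected, by comparing the two endpoints shown above and reporting only the config key names, never the values. The sample responses are constructed, the key `example.whole.value.secret` is hypothetical, and the sample assumes that a whole-value placeholder comes back unresolved from `/tasks`.

```python
import json
import re
import urllib.request

# Matches Kafka Connect externalized-secret placeholders such as ${file:/path:key}.
PLACEHOLDER = re.compile(r"\$\{[^}:]+:[^}]+\}")

def find_resolved_secrets(connector, tasks):
    """Return sorted (task number, config key) pairs whose connector-level value
    contains a placeholder while the task-level value no longer does.
    Only key names are returned, so the report never repeats a secret."""
    externalized = [k for k, v in connector["config"].items() if PLACEHOLDER.search(v)]
    findings = []
    for task in tasks:
        for key in externalized:
            value = task["config"].get(key)
            if value is not None and not PLACEHOLDER.search(value):
                findings.append((task["id"]["task"], key))
    return sorted(findings)

def check_worker(base_url, name):
    """Run the comparison against a live worker, using the two endpoints from the report."""
    def get(path):
        with urllib.request.urlopen(f"{base_url}/connectors/{name}{path}") as resp:
            return json.load(resp)
    return find_resolved_secrets(get(""), get("/tasks"))

# Constructed sample responses, shaped like the output in the report.
JAAS = 'org.apache.kafka.common.security.plain.PlainLoginModule required username="%s" password="%s";'
REF = "${file:/some/secret/path/secrets.properties:%s}"
SAMPLE_CONNECTOR = {"name": "foobar", "config": {
    "connector.class": "io.confluent.connect.s3.S3SinkConnector",
    "consumer.sasl.jaas.config": JAAS % (REF % "kafka.api.key", REF % "kafka.api.secret"),
    "example.whole.value.secret": REF % "example.secret",  # hypothetical key, whole-value placeholder
}}
SAMPLE_TASKS = [{"id": {"connector": "foobar", "task": 0}, "config": {
    "connector.class": "io.confluent.connect.s3.S3SinkConnector",
    "consumer.sasl.jaas.config": JAAS % ("OOPS", "SURPRISE"),  # substring case: resolved
    "example.whole.value.secret": REF % "example.secret",  # assumed to stay unresolved
}}]

if __name__ == "__main__":
    for task, key in find_resolved_secrets(SAMPLE_CONNECTOR, SAMPLE_TASKS):
        print(f"task {task}: {key} is returned resolved by /tasks")
```

Against a live worker, `check_worker("http://localhost:8083", "foobar")` performs the same comparison on the real responses.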
Issue Links
- relates to
  - KAFKA-5117 Kafka Connect REST endpoints reveal Password typed values (Resolved)
  - KAFKA-6886 Externalize Secrets for Kafka Connect Configurations (Resolved)
- links to