KAFKA-8774

Connect REST API exposes plaintext secrets in tasks endpoint if config value contains additional characters

Details

    Type: Bug
    Status: Resolved
    Priority: Critical
    Resolution: Fixed
    Affects Version/s: 2.3.0
    Fix Version/s: 2.0.2, 2.1.2, 2.2.2, 2.4.0, 2.3.1
    Component/s: connect
    Labels: None

    Description

      I have configured a Connector to use externalized secrets, and the following endpoint returns secrets in the externalized form: 

      curl localhost:8083/connectors/foobar|jq

      {
        "name": "foobar",
        "config": {
          "connector.class": "io.confluent.connect.s3.S3SinkConnector",
          ...
          "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
          "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
          "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
          "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
          "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
          ...
        },
        "tasks": [
          { "connector": "foobar", "task": 0 }
        ],
        "type": "sink"
      }

      But another endpoint returns secrets in plain text:

      curl localhost:8083/connectors/foobar/tasks|jq
      
      [
        {
          "id": {
            "connector": "lcc-kgkpm",
            "task": 0
          },
          "config": {
            "connector.class": "io.confluent.connect.s3.S3SinkConnector",
            ...
            "errors.log.include.messages": "true",
            "flush.size": "1000",
            "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
            "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
            "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
            "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
            "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
            ...
          }
        }
      ]
      EDIT: This bug only shows up if the secrets are a substring in the config value. If they form the entirety of the config value, then the secrets are hidden at the /tasks endpoints.
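A way to check a Connect worker for this class of leak, added here as an example and not code from the issue, the reporter or Kafka itself: it compares the two responses quoted above and flags every key whose raw connector value contains a `${provider:[path:]key}` variable but whose task value comes back with the variable resolved. The regex is a simplified form of the KIP-297 syntax, and the extra `aws.secret.access.key` key and the sample responses are constructed for the example.

```python
"""Audit check for the leak described in KAFKA-8774 (added example, not Kafka code):
compare GET /connectors/{name} with GET /connectors/{name}/tasks and report keys
whose raw connector value holds a ${provider:[path:]key} variable but whose task
value has been resolved to the plaintext secret."""
import json
import re

# Simplified form of the KIP-297 variable syntax ${provider:[path:]key}.
# Assumption for this example, not copied from Kafka's own ConfigTransformer pattern.
VARIABLE_RE = re.compile(r"\$\{([^}]*?):(([^}]*?):)?([^}]*?)\}")


def find_leaked_keys(connector_response: dict, tasks_response: list) -> dict:
    """Return {task_number: [config keys]} for every task config value that no longer
    contains a variable although the raw connector value for that key does."""
    raw_config = connector_response["config"]
    leaks = {}
    for task in tasks_response:
        task_number = task["id"]["task"]
        for key, raw_value in raw_config.items():
            if not VARIABLE_RE.search(raw_value):
                continue  # nothing externalized in this value, so nothing to leak
            task_value = task["config"].get(key)
            if task_value is not None and not VARIABLE_RE.search(task_value):
                leaks.setdefault(task_number, []).append(key)
    return leaks


# Constructed sample responses, trimmed to three keys each. "aws.secret.access.key"
# (a hypothetical key for this example) is the whole-value case that the /tasks
# endpoint masks correctly; the JAAS value embeds the variables among other
# characters and comes back resolved, as in the issue.
CONNECTOR_JSON = r"""{
  "name": "foobar",
  "config": {
    "connector.class": "io.confluent.connect.s3.S3SinkConnector",
    "aws.secret.access.key": "${file:/some/secret/path/secrets.properties:aws.secret}",
    "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";"
  },
  "tasks": [{"connector": "foobar", "task": 0}],
  "type": "sink"
}"""

TASKS_JSON = r"""[
  {
    "id": {"connector": "foobar", "task": 0},
    "config": {
      "connector.class": "io.confluent.connect.s3.S3SinkConnector",
      "aws.secret.access.key": "${file:/some/secret/path/secrets.properties:aws.secret}",
      "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";"
    }
  }
]"""


def audit_sample() -> dict:
    """Run the check over the constructed responses above."""
    return find_leaked_keys(json.loads(CONNECTOR_JSON), json.loads(TASKS_JSON))


if __name__ == "__main__":
    for task_number, keys in audit_sample().items():
        for key in keys:
            print(f"task {task_number}: '{key}' is served with its secret resolved")
```

Against a live worker, feed `find_leaked_keys` the parsed output of the two `curl` calls shown above instead of the embedded samples. Any key it reports on a worker older than the fix versions listed under Details means the resolved secret is readable by any caller the REST port admits, so the affected credentials should be treated as exposed, not just the worker as unpatched.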

    Activity

            ChrisEgerton Chris Egerton added a comment -

            odiachenko this problem should have been addressed in https://github.com/apache/kafka/pull/6129. Do you know if this is a regression, or if that fix just didn't address the task configs endpoint like it was supposed to?

            githubbot ASF GitHub Bot added a comment -

            wicknicks commented on pull request #7197: KAFKA-8774: Regex can be found anywhere in config value
            URL: https://github.com/apache/kafka/pull/7197

            Signed-off-by: Arjun Satish <arjun@confluent.io>

            *More detailed description of your change,
            if necessary. The PR title and PR message become
            the squashed commit message, so use a separate
            comment to ping reviewers.*

            *Summary of testing strategy (including rationale)
            for the feature or bug fix. Unit and/or integration
            tests are expected for any behaviour change and
            system tests should be considered for larger changes.*

            Committer Checklist (excluded from commit message)
            • [ ] Verify design and implementation
            • [ ] Verify test coverage and CI build status
            • [ ] Verify documentation (including upgrade notes)

            ----------------------------------------------------------------
            This is an automated message from the Apache Git Service.
            To respond to the message, please log on to GitHub and use the
            URL above to go to the specific comment.

            For queries about this service, please contact Infrastructure at:
            users@infra.apache.org

            githubbot ASF GitHub Bot added a comment -

            rhauch commented on pull request #7197: KAFKA-8774: Regex can be found anywhere in config value
            URL: https://github.com/apache/kafka/pull/7197

            rhauch Randall Hauch added a comment -

            wicknicks did a great job identifying the root cause, which involved how the AbstractHerder correctly identifies task configs that contain variables for externalized secrets. The original method incorrectly used `matcher.matches()` instead of `matcher.find()`. The former method expects the entire string to match the regex, whereas the second one can find a pattern anywhere within the input string (which fits this use case more correctly).

            This is why the problem is only in the tasks endpoint (no other endpoints) when connector configs contain externalized secret variables plus additional characters. If a config value contains only the variable, the secret is not exposed on this task endpoint.

            Arjun added unit tests to cover various cases of a config with externalized secrets, and updated system tests to cover the case where a config value contains additional characters besides the secret, which requires the regex pattern to be found anywhere in the string (as opposed to a complete match).

            Merged back to the `2.0` branch, which was when [KIP-297 and externalized secrets](https://cwiki.apache.org/confluence/display/KAFKA/KIP-297%3A+Externalizing+Secrets+for+Connect+Configurations) were introduced.

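To make the `matches()` versus `find()` distinction concrete, an added example that is not Kafka's code: Python's `re.fullmatch` and `re.search` stand in for Java's `Matcher.matches()` and `Matcher.find()`, and `reverse_transform` is a simplified model of the masking step described in the comment above (start from the resolved task config and put the raw, unresolved value back for every key the predicate flags). The variable regex is a simplified form of the KIP-297 syntax, and the config values, including the `aws.secret.access.key` key, are constructed; both are assumptions of the example.

```python
"""Root-cause reproduction for KAFKA-8774 (added example, not Kafka code): a
whole-string match misses variables embedded in a longer value, so the masking
step leaves the resolved secret in the config served by the tasks endpoint."""
import re

# Simplified form of the KIP-297 variable syntax ${provider:[path:]key}; an assumption
# for this example rather than Kafka's own pattern.
VARIABLE_RE = re.compile(r"\$\{([^}]*?):(([^}]*?):)?([^}]*?)\}")


def has_variable_matches(value: str) -> bool:
    """Pre-fix predicate: like Matcher.matches(), true only if the whole value is one variable."""
    return VARIABLE_RE.fullmatch(value) is not None


def has_variable_find(value: str) -> bool:
    """Post-fix predicate: like Matcher.find(), true if a variable occurs anywhere in the value."""
    return VARIABLE_RE.search(value) is not None


def reverse_transform(raw_connector_config: dict, resolved_task_config: dict, has_variable) -> dict:
    """Model of the masking step: copy the resolved task config and, for every key whose
    raw connector value `has_variable` flags, put the raw (unresolved) value back."""
    served = dict(resolved_task_config)
    for key, raw_value in raw_connector_config.items():
        if key in served and has_variable(raw_value):
            served[key] = raw_value
    return served


# Constructed inputs: one value that is exactly a variable, and one JAAS string that
# embeds two variables among other characters (the case reported in this issue).
RAW_CONNECTOR_CONFIG = {
    "aws.secret.access.key": "${file:/some/secret/path/secrets.properties:aws.secret}",
    "producer.sasl.jaas.config": (
        "org.apache.kafka.common.security.plain.PlainLoginModule required "
        'username="${file:/some/secret/path/secrets.properties:kafka.api.key}" '
        'password="${file:/some/secret/path/secrets.properties:kafka.api.secret}";'
    ),
}
RESOLVED_TASK_CONFIG = {
    "aws.secret.access.key": "AWSSECRET",
    "producer.sasl.jaas.config": (
        "org.apache.kafka.common.security.plain.PlainLoginModule required "
        'username="OOPS" password="SURPRISE";'
    ),
}


def served_before_fix() -> dict:
    """What the tasks endpoint serves with the matches()-style predicate."""
    return reverse_transform(RAW_CONNECTOR_CONFIG, RESOLVED_TASK_CONFIG, has_variable_matches)


def served_after_fix() -> dict:
    """What the tasks endpoint serves with the find()-style predicate."""
    return reverse_transform(RAW_CONNECTOR_CONFIG, RESOLVED_TASK_CONFIG, has_variable_find)


if __name__ == "__main__":
    print("matches():", served_before_fix())
    print("find():   ", served_after_fix())
```

Run it and the pre-fix output keeps `aws.secret.access.key` in its `${file:...}` form but serves the JAAS value with `OOPS`/`SURPRISE` in it, which is exactly the split the reporter's EDIT describes; the post-fix output returns both keys unresolved.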

            People

              Assignee: Arjun Satish (wicknicks)
              Reporter: Oleksandr Diachenko (odiachenko)
              Reviewer: Randall Hauch
              Votes: 0
              Watchers: 4