  1. Kafka
  2. KAFKA-9601

Workers log raw connector configs, including values

      Description

      This line right here logs all configs (key and value) for a connector, which is bad, since it can lead to secrets (db credentials, cloud storage credentials, etc.) being logged in plaintext.

      We can remove this line. Or change it to just log config keys. Or try to do some super-fancy parsing that masks sensitive values. Well, hopefully not that. That sounds like a lot of work.

      Affects all versions of Connect back through 0.10.1.

      If you are running a version of Connect that contains this vulnerability, you can set the log level of the org.apache.kafka.connect.runtime.WorkerConnector namespace to INFO or higher in your log4j properties file to prevent raw connector configs from being logged.
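The workaround above only helps if the effective level for that logger really is INFO or higher, and a DEBUG setting on a parent logger is inherited. The following audit script is an added example, not part of the original issue or of Kafka; it assumes log4j 1.x `key=value` properties syntax, and the sample config and function names are constructed for illustration.

```python
# Added example: check a log4j 1.x properties file for the KAFKA-9601 workaround.
LEVELS = ["ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]
TARGET = "org.apache.kafka.connect.runtime.WorkerConnector"

# Constructed sample config (not from the issue): the parent package is at DEBUG.
SAMPLE = """\
log4j.rootLogger=INFO, stdout
log4j.logger.org.apache.kafka.connect.runtime=DEBUG
"""

def parse_levels(text):
    """Return {logger_name: LEVEL}; the root logger is stored under ''."""
    levels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "log4j.rootLogger":
            name = ""
        elif key.startswith("log4j.logger."):
            name = key[len("log4j.logger."):]
        else:
            continue
        # Value is "LEVEL[, appender, ...]"; later lines override earlier ones.
        level = value.split(",")[0].strip().upper()
        if level in LEVELS:
            levels[name] = level
        else:
            levels.pop(name, None)  # empty or INHERITED: fall back to the parent
    return levels

def effective_level(levels, logger=TARGET):
    """Walk from the logger up through its dotted parents to the root."""
    name = logger
    while name:
        if name in levels:
            return levels[name]
        name = name.rpartition(".")[0]
    return levels.get("", "DEBUG")  # assumption: log4j 1.x root default is DEBUG

def mitigated(text, logger=TARGET):
    """True when the effective level is INFO or higher, as the issue advises."""
    level = effective_level(parse_levels(text), logger)
    return LEVELS.index(level) >= LEVELS.index("INFO")

if __name__ == "__main__":
    print("sample mitigated:", mitigated(SAMPLE))
    print("with override:", mitigated(SAMPLE + f"log4j.logger.{TARGET}=INFO\n"))
```
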

              People

              • Assignee: Chris Egerton (ChrisEgerton)
              • Reporter: Chris Egerton (ChrisEgerton)
              • Reviewer: Randall Hauch