Details
Description
This line right here logs every config entry (key and value) for a connector, which is bad: it can lead to secrets (DB credentials, cloud storage credentials, etc.) being written to the log in plaintext.
We can remove this line, or change it to log only the config keys, or try to do some super-fancy parsing that masks sensitive values. Well, hopefully not that. That sounds like a lot of work.
Affects all versions of Connect back through 0.10.1.
If you are running a version of Connect that contains this vulnerability, you can set the log level of the org.apache.kafka.connect.runtime.WorkerConnector namespace to INFO or higher in your log4j properties file to prevent raw connector configs from being logged.
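The workaround above, written out as a log4j 1.x properties fragment (an added example, not a file from the issue or from the Kafka project; the appender name and the runtime-wide DEBUG setting are assumptions chosen to show the weak configuration next to the corrected one):

```properties
# Added example, not part of the original issue.
# Assumed appender: a plain console appender named "stdout".
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n

# Weak setting: enabling DEBUG on the whole Connect runtime also enables
# the WorkerConnector debug line that prints the full connector config,
# credentials included.
log4j.logger.org.apache.kafka.connect.runtime=DEBUG

# Mitigation from the issue: pin the WorkerConnector logger to INFO (or
# higher). The more specific logger name wins, so the raw connector config
# is no longer written while DEBUG stays available for the rest of the
# runtime.
log4j.logger.org.apache.kafka.connect.runtime.WorkerConnector=INFO
```

After changing the file, check an existing log for lines tagged with the `org.apache.kafka.connect.runtime.WorkerConnector` category at DEBUG level; any such line written before the change should be treated as a possible credential exposure and the affected secrets rotated.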