You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by "Randall Hauch (JIRA)" <ji...@apache.org> on 2019/08/13 15:03:01 UTC

[jira] [Resolved] (KAFKA-8774) Connect REST API exposes plaintext secrets in tasks endpoint if config value contains additional characters

     [ https://issues.apache.org/jira/browse/KAFKA-8774?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Randall Hauch resolved KAFKA-8774.
----------------------------------
       Resolution: Fixed
         Reviewer: Randall Hauch
    Fix Version/s: 2.3.1
                   2.4.0
                   2.2.2
                   2.1.2
                   2.0.2

[~wicknicks] did a great job identifying the root cause, which involved how the AbstractHerder to correctly identifies task configs that contain variables for externalized secrets. The original method incorrectly used `matcher.matches()` instead of `matcher.find()`. The former method expects the entire string to match the regex, whereas the second one can find a pattern anywhere within the input string (which fits this use case more correctly).

This is why the problem is only in the tasks endpoint (no other endpoints) when connector configs contain externalized secret variables _plus additional characters_. If a config value contains only the variable, the secret is not exposed on this task endpoint. 

Arjun added unit tests to cover various cases of a config with externalized secrets, and updated system tests to cover case where config value contains additional characters besides secret that requires regex pattern to be found anywhere in the string (as opposed to complete match).

Merged back to the `2.0` branch, which was when [KIP-297 and externalized secrets](https://cwiki.apache.org/confluence/display/KAFKA/KIP-297%3A+Externalizing+Secrets+for+Connect+Configurations) were introduced.


> Connect REST API exposes plaintext secrets in tasks endpoint if config value contains additional characters
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-8774
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8774
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 2.3.0
>            Reporter: Oleksandr Diachenko
>            Assignee: Arjun Satish
>            Priority: Critical
>             Fix For: 2.0.2, 2.1.2, 2.2.2, 2.4.0, 2.3.1
>
>
> I have configured a Connector to use externalized secrets, and the following endpoint returns secrets in the externalized form: 
> {code:java}
> curl localhost:8083/connectors/foobar|jq
> {code}
> {code:java}
> {
> "name": "foobar",
> "config": {
> "connector.class": "io.confluent.connect.s3.S3SinkConnector",
> ...
> "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
> "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
> "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
> "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
> "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
> ...
> },
> "tasks": [
> { "connector": "foobar", "task": 0 }
> ],
> "type": "sink"
> }{code}
> But another endpoint returns secrets in plain text:
> {code:java}
> curl localhost:8083/connectors/foobar/tasks|jq
> {code}
> {code:java}
> [
>   {
>     "id": {
>       "connector": "lcc-kgkpm",
>       "task": 0
>     },
>     "config": {
>       "connector.class": "io.confluent.connect.s3.S3SinkConnector",
>       ...
>       "errors.log.include.messages": "true",
>       "flush.size": "1000",
>       "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       ...
>     }
>   }
> ]
> {code}
>  
> EDIT: This bug only shows up if the secrets are a substring in the config value. If they form the entirety of the config value, then the secrets are hidden at the /tasks endpoints.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)