Posted to jira@kafka.apache.org by "Randall Hauch (Jira)" <ji...@apache.org> on 2020/02/26 23:44:00 UTC

[jira] [Resolved] (KAFKA-9601) Workers log raw connector configs, including values

     [ https://issues.apache.org/jira/browse/KAFKA-9601?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Randall Hauch resolved KAFKA-9601.
----------------------------------
      Reviewer: Randall Hauch
    Resolution: Fixed

Thanks for the fix, [~ChrisEgerton]!

Merged to trunk and cherry-picked to the 2.5, 2.4, 2.3, 2.2, 2.1, 2.0, 1.1, and 1.0 branches; I didn't go back farther since it's unlikely we will issue additional patches for earlier branches.

> Workers log raw connector configs, including values
> ---------------------------------------------------
>
>                 Key: KAFKA-9601
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9601
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>            Reporter: Chris Egerton
>            Assignee: Chris Egerton
>            Priority: Critical
>             Fix For: 1.0.3, 1.1.2, 2.0.2, 2.1.2, 2.2.3, 2.5.0, 2.3.2, 2.4.1
>
>
> [This line right here|https://github.com/apache/kafka/blob/5359b2e3bc1cf13a301f32490a6630802afc4974/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/WorkerConnector.java#L78] logs all configs (key and value) for a connector, which is bad, since it can lead to secrets (db credentials, cloud storage credentials, etc.) being logged in plaintext.
> We can remove this line. Or change it to just log config keys. Or try to do some super-fancy parsing that masks sensitive values. Well, hopefully not that. That sounds like a lot of work.
> Affects all versions of Connect back through 0.10.1.
>  



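The two safer options the report names (log only the config keys, or mask sensitive values), shown beside the unsafe pattern as an added example; this is not Kafka Connect code or the merged fix. The class, method names, key-name pattern and sample config are assumptions constructed for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.regex.Pattern;

// Added illustration; not Kafka Connect code. All names here are hypothetical.
public class ConnectorConfigLogging {
    // Assumption: a deny-list heuristic for key names that usually hold secrets.
    private static final Pattern SENSITIVE_KEY = Pattern.compile(
        "(?i).*(password|secret|token|credential|private[._-]?key|sasl\\.jaas\\.config).*");

    // Option 1 from the report: log only the keys, never the values.
    static Set<String> keysOnly(Map<String, String> config) {
        return new TreeMap<>(config).keySet();
    }

    // Option 2 from the report: keep values for ordinary keys, mask the rest.
    static Map<String, String> masked(Map<String, String> config) {
        Map<String, String> out = new TreeMap<>();
        for (Map.Entry<String, String> e : config.entrySet()) {
            boolean hide = SENSITIVE_KEY.matcher(e.getKey()).matches();
            out.put(e.getKey(), hide ? "[hidden]" : e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample config; the values are placeholders, not real secrets.
        Map<String, String> config = Map.of(
            "name", "example-jdbc-sink",
            "connection.url", "jdbc:postgresql://db.example.invalid/app",
            "connection.user", "app",
            "connection.password", "EXAMPLE-ONLY",
            "aws.secret.access.key", "EXAMPLE-ONLY");

        // The pattern the report describes: the whole map, values included, is logged.
        System.out.println("UNSAFE  " + config);
        // Keys only: nothing secret can reach the log.
        System.out.println("KEYS    " + keysOnly(config));
        // Masked: readable values, with secret-looking keys hidden.
        System.out.println("MASKED  " + masked(config));
    }
}
```

Masking by key name misses secrets carried inside otherwise ordinary values, such as credentials embedded in a connection URL, so keys-only logging is the safer default. Logs written before a fix is deployed still contain the plaintext values and need the same handling as any other credential exposure.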