Posted to commits@kafka.apache.org by ij...@apache.org on 2017/04/21 09:47:51 UTC
kafka git commit: KAFKA-5094;
Replace SCRAM credentials in broker logs with tag hidden
Repository: kafka
Updated Branches:
refs/heads/trunk fc5ad22e3 -> d18de0e95
KAFKA-5094; Replace SCRAM credentials in broker logs with tag hidden
Author: Rajini Sivaram <ra...@googlemail.com>
Reviewers: Ismael Juma <is...@juma.me.uk>
Closes #2879 from rajinisivaram/KAFKA-5094
Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/d18de0e9
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/d18de0e9
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/d18de0e9
Branch: refs/heads/trunk
Commit: d18de0e9547728e4fa0df985c1778aab5ffec751
Parents: fc5ad22
Author: Rajini Sivaram <ra...@googlemail.com>
Authored: Fri Apr 21 10:27:51 2017 +0100
Committer: Ismael Juma <is...@juma.me.uk>
Committed: Fri Apr 21 10:47:24 2017 +0100
----------------------------------------------------------------------
.../kafka/server/DynamicConfigManager.scala | 8 ++++++-
.../SaslScramSslEndToEndAuthorizationTest.scala | 24 +++++++++++++-------
2 files changed, 23 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kafka/blob/d18de0e9/core/src/main/scala/kafka/server/DynamicConfigManager.scala
----------------------------------------------------------------------
diff --git a/core/src/main/scala/kafka/server/DynamicConfigManager.scala b/core/src/main/scala/kafka/server/DynamicConfigManager.scala
index c81ce6c..97760ba 100644
--- a/core/src/main/scala/kafka/server/DynamicConfigManager.scala
+++ b/core/src/main/scala/kafka/server/DynamicConfigManager.scala
@@ -23,7 +23,10 @@ import kafka.utils.Logging
import kafka.utils.ZkUtils
import scala.collection._
+import scala.collection.JavaConverters._
import kafka.admin.AdminUtils
+import org.apache.kafka.common.config.types.Password
+import org.apache.kafka.common.security.scram.ScramMechanism
import org.apache.kafka.common.utils.Time
/**
@@ -142,7 +145,10 @@ class DynamicConfigManager(private val zkUtils: ZkUtils,
val fullSanitizedEntityName = entityPath.substring(index + 1)
val entityConfig = AdminUtils.fetchEntityConfig(zkUtils, rootEntityType, fullSanitizedEntityName)
- logger.info(s"Processing override for entityPath: $entityPath with config: $entityConfig")
+ val loggableConfig = entityConfig.asScala.map {
+ case (k, v) => (k, if (ScramMechanism.isScram(k)) Password.HIDDEN else v)
+ }
+ logger.info(s"Processing override for entityPath: $entityPath with config: $loggableConfig")
configHandlers(rootEntityType).processConfigChanges(fullSanitizedEntityName, entityConfig)
}
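Review bot: The masking added in `loggableConfig` protects only this one log statement, and only keys for which `ScramMechanism.isScram(k)` is true; the unredacted `entityConfig` is still what is passed to `processConfigChanges` on the following line, so a handler that logs its argument would presumably print the credential entries again (the handlers are outside this hunk, so that needs checking). Because the filter is a deny-list keyed on mechanism names, any other sensitive per-entity key introduced later will be logged in clear unless this map is extended. I would add a comment above the `val`, for example `// SCRAM entries hold credential material: log loggableConfig, never entityConfig`, and consider moving the masking into a small shared helper so other log sites can reuse it. The enclosing method starts before the hunk.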
http://git-wip-us.apache.org/repos/asf/kafka/blob/d18de0e9/core/src/test/scala/integration/kafka/api/SaslScramSslEndToEndAuthorizationTest.scala
----------------------------------------------------------------------
diff --git a/core/src/test/scala/integration/kafka/api/SaslScramSslEndToEndAuthorizationTest.scala b/core/src/test/scala/integration/kafka/api/SaslScramSslEndToEndAuthorizationTest.scala
index 86db407..0bc4e50 100644
--- a/core/src/test/scala/integration/kafka/api/SaslScramSslEndToEndAuthorizationTest.scala
+++ b/core/src/test/scala/integration/kafka/api/SaslScramSslEndToEndAuthorizationTest.scala
@@ -21,6 +21,7 @@ import kafka.utils.JaasTestUtils
import kafka.admin.ConfigCommand
import kafka.utils.ZkUtils
import scala.collection.JavaConverters._
+import org.junit.Before
class SaslScramSslEndToEndAuthorizationTest extends SaslEndToEndAuthorizationTest {
override protected def kafkaClientSaslMechanism = "SCRAM-SHA-256"
@@ -33,16 +34,23 @@ class SaslScramSslEndToEndAuthorizationTest extends SaslEndToEndAuthorizationTes
override def configureSecurityBeforeServersStart() {
super.configureSecurityBeforeServersStart()
zkUtils.makeSurePersistentPathExists(ZkUtils.ConfigChangesPath)
-
- def configCommandArgs(username: String, password: String) : Array[String] = {
- val credentials = kafkaServerSaslMechanisms.map(m => s"$m=[iterations=4096,password=$password]")
- Array("--zookeeper", zkConnect,
- "--alter", "--add-config", credentials.mkString(","),
- "--entity-type", "users",
- "--entity-name", username)
- }
+ // Create broker credentials before starting brokers
ConfigCommand.main(configCommandArgs(kafkaPrincipal, kafkaPassword))
+ }
+
+ @Before
+ override def setUp() {
+ super.setUp()
+ // Create client credentials after starting brokers so that dynamic credential creation is also tested
ConfigCommand.main(configCommandArgs(clientPrincipal, clientPassword))
ConfigCommand.main(configCommandArgs(JaasTestUtils.KafkaScramUser2, JaasTestUtils.KafkaScramPassword2))
}
+
+ private def configCommandArgs(username: String, password: String) : Array[String] = {
+ val credentials = kafkaServerSaslMechanisms.map(m => s"$m=[iterations=4096,password=$password]")
+ Array("--zookeeper", zkConnect,
+ "--alter", "--add-config", credentials.mkString(","),
+ "--entity-type", "users",
+ "--entity-name", username)
+ }
}
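Review bot: Nothing in the visible test changes asserts the behaviour this commit exists for: `setUp()` now creates the client credentials after the brokers have started, which exercises the dynamic config path, but no check confirms that the broker's "Processing override" log line carries the hidden tag rather than the SCRAM entry. A later edit that puts `$entityConfig` back into that message would still pass this test. Consider capturing broker log output around the `ConfigCommand.main` calls in `setUp()` and asserting that the value logged for each key in `kafkaServerSaslMechanisms` is `Password.HIDDEN`. A short comment on `setUp()` stating that it deliberately triggers the redacted log path would also help the next reader.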