Posted to commits@kafka.apache.org by ij...@apache.org on 2017/04/21 09:47:51 UTC

kafka git commit: KAFKA-5094; Replace SCRAM credentials in broker logs with tag hidden

Repository: kafka
Updated Branches:
  refs/heads/trunk fc5ad22e3 -> d18de0e95


KAFKA-5094; Replace SCRAM credentials in broker logs with tag hidden

Author: Rajini Sivaram <ra...@googlemail.com>

Reviewers: Ismael Juma <is...@juma.me.uk>

Closes #2879 from rajinisivaram/KAFKA-5094


Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/d18de0e9
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/d18de0e9
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/d18de0e9

Branch: refs/heads/trunk
Commit: d18de0e9547728e4fa0df985c1778aab5ffec751
Parents: fc5ad22
Author: Rajini Sivaram <ra...@googlemail.com>
Authored: Fri Apr 21 10:27:51 2017 +0100
Committer: Ismael Juma <is...@juma.me.uk>
Committed: Fri Apr 21 10:47:24 2017 +0100

----------------------------------------------------------------------
 .../kafka/server/DynamicConfigManager.scala     |  8 ++++++-
 .../SaslScramSslEndToEndAuthorizationTest.scala | 24 +++++++++++++-------
 2 files changed, 23 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kafka/blob/d18de0e9/core/src/main/scala/kafka/server/DynamicConfigManager.scala
----------------------------------------------------------------------
diff --git a/core/src/main/scala/kafka/server/DynamicConfigManager.scala b/core/src/main/scala/kafka/server/DynamicConfigManager.scala
index c81ce6c..97760ba 100644
--- a/core/src/main/scala/kafka/server/DynamicConfigManager.scala
+++ b/core/src/main/scala/kafka/server/DynamicConfigManager.scala
@@ -23,7 +23,10 @@ import kafka.utils.Logging
 import kafka.utils.ZkUtils
 
 import scala.collection._
+import scala.collection.JavaConverters._
 import kafka.admin.AdminUtils
+import org.apache.kafka.common.config.types.Password
+import org.apache.kafka.common.security.scram.ScramMechanism
 import org.apache.kafka.common.utils.Time
 
 /**
@@ -142,7 +145,10 @@ class DynamicConfigManager(private val zkUtils: ZkUtils,
       val fullSanitizedEntityName = entityPath.substring(index + 1)
 
       val entityConfig = AdminUtils.fetchEntityConfig(zkUtils, rootEntityType, fullSanitizedEntityName)
-      logger.info(s"Processing override for entityPath: $entityPath with config: $entityConfig")
+      val loggableConfig = entityConfig.asScala.map {
+        case (k, v) => (k, if (ScramMechanism.isScram(k)) Password.HIDDEN else v)
+      }
+      logger.info(s"Processing override for entityPath: $entityPath with config: $loggableConfig")
       configHandlers(rootEntityType).processConfigChanges(fullSanitizedEntityName, entityConfig)
 
     }
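Review bot: The masking on the `loggableConfig` line applies only to keys for which `ScramMechanism.isScram(k)` is true, so any other secret-bearing value later stored as an entity config would be written to the info log unmasked by default. A short comment above the map would make that contract explicit, e.g. `// Only SCRAM credential entries are masked; extend this check when adding other secret-bearing entity configs`. The unredacted `entityConfig` is still passed to `processConfigChanges`, which the handlers need, but it is worth confirming that those handlers (not visible here) do not log it themselves. The enclosing method starts outside this hunk.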

http://git-wip-us.apache.org/repos/asf/kafka/blob/d18de0e9/core/src/test/scala/integration/kafka/api/SaslScramSslEndToEndAuthorizationTest.scala
----------------------------------------------------------------------
diff --git a/core/src/test/scala/integration/kafka/api/SaslScramSslEndToEndAuthorizationTest.scala b/core/src/test/scala/integration/kafka/api/SaslScramSslEndToEndAuthorizationTest.scala
index 86db407..0bc4e50 100644
--- a/core/src/test/scala/integration/kafka/api/SaslScramSslEndToEndAuthorizationTest.scala
+++ b/core/src/test/scala/integration/kafka/api/SaslScramSslEndToEndAuthorizationTest.scala
@@ -21,6 +21,7 @@ import kafka.utils.JaasTestUtils
 import kafka.admin.ConfigCommand
 import kafka.utils.ZkUtils
 import scala.collection.JavaConverters._
+import org.junit.Before
 
 class SaslScramSslEndToEndAuthorizationTest extends SaslEndToEndAuthorizationTest {
   override protected def kafkaClientSaslMechanism = "SCRAM-SHA-256"
@@ -33,16 +34,23 @@ class SaslScramSslEndToEndAuthorizationTest extends SaslEndToEndAuthorizationTes
   override def configureSecurityBeforeServersStart() {
     super.configureSecurityBeforeServersStart()
     zkUtils.makeSurePersistentPathExists(ZkUtils.ConfigChangesPath)
-
-    def configCommandArgs(username: String, password: String) : Array[String] = {
-      val credentials = kafkaServerSaslMechanisms.map(m => s"$m=[iterations=4096,password=$password]")
-      Array("--zookeeper", zkConnect,
-            "--alter", "--add-config", credentials.mkString(","),
-            "--entity-type", "users",
-            "--entity-name", username)
-    }
+    // Create broker credentials before starting brokers
     ConfigCommand.main(configCommandArgs(kafkaPrincipal, kafkaPassword))
+  }
+
+  @Before
+  override def setUp() {
+    super.setUp()
+    // Create client credentials after starting brokers so that dynamic credential creation is also tested
     ConfigCommand.main(configCommandArgs(clientPrincipal, clientPassword))
     ConfigCommand.main(configCommandArgs(JaasTestUtils.KafkaScramUser2, JaasTestUtils.KafkaScramPassword2))
   }
+
+  private def configCommandArgs(username: String, password: String) : Array[String] = {
+    val credentials = kafkaServerSaslMechanisms.map(m => s"$m=[iterations=4096,password=$password]")
+    Array("--zookeeper", zkConnect,
+          "--alter", "--add-config", credentials.mkString(","),
+          "--entity-type", "users",
+          "--entity-name", username)
+  }
 }
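Review bot: Nothing in this test asserts the behaviour the commit is fixing: `setUp()` now drives the dynamic-config path after the brokers start, but no check confirms that the broker log line carries `Password.HIDDEN` rather than the SCRAM credential. Consider capturing the `DynamicConfigManager` log output during `setUp()` and asserting that no message contains the salt or key material for `clientPrincipal`; unless a test outside this diff covers it, a regression in the masking would pass unnoticed. Separately, the credentials created in `setUp()` reach the brokers through the config-change notification path, so if that propagation is asynchronous (not visible here) a client connecting immediately afterwards may race with it; a comment such as `// Brokers pick up these credentials via the ZK change notification; tests must tolerate propagation delay` would record the assumption.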