Posted to dev@kafka.apache.org by "Oleksandr Diachenko (JIRA)" <ji...@apache.org> on 2019/08/09 01:25:00 UTC

[jira] [Created] (KAFKA-8774) Connect REST API exposes plaintext secrets in tasks endpoint

Oleksandr Diachenko created KAFKA-8774:
------------------------------------------

             Summary: Connect REST API exposes plaintext secrets in tasks endpoint
                 Key: KAFKA-8774
                 URL: https://issues.apache.org/jira/browse/KAFKA-8774
             Project: Kafka
          Issue Type: Bug
          Components: KafkaConnect
    Affects Versions: 2.3.0
            Reporter: Oleksandr Diachenko
            Assignee: Oleksandr Diachenko


I have configured a Connector to use externalized secrets, and the following endpoint returns secrets in the externalized form: 
{code:java}
curl localhost:8083/connectors/foobar|jq
{code}
{code:java}
{
  "name": "foobar",
  "config": {
    "connector.class": "io.confluent.connect.s3.S3SinkConnector",
    ...
    "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
    "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
    "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
    "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
    "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
    ...
  },
  "tasks": [
    { "connector": "foobar", "task": 0 }
  ],
  "type": "sink"
}
{code}
But another endpoint returns secrets in plain text:
{code:java}
curl localhost:8083/connectors/foobar/tasks|jq
{code}
{code:java}
[
  {
    "id": {
      "connector": "lcc-kgkpm",
      "task": 0
    },
    "config": {
      "connector.class": "io.confluent.connect.s3.S3SinkConnector",
      ...
      "errors.log.include.messages": "true",
      "flush.size": "1000",
      "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
      "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
      "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
      "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
      "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
      ...
    }
  }
]
{code}
 



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
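
Added example, not part of the original report or of Kafka's own code: a check an operator could run over the JSON from the two endpoints shown above, reporting which task config keys come back with fewer ${provider:path:key} placeholders than the connector config holds. The function names, the connector name "example" and all sample values are constructed for illustration.

```python
import re

# Config-provider placeholder, e.g. ${file:/path/secrets.properties:some.key}
PLACEHOLDER = re.compile(r"\$\{[^}:]+:[^}]*\}")


def count_placeholders(value):
    """Number of ${provider:path:key} placeholders in one config value."""
    return len(PLACEHOLDER.findall(str(value)))


def resolved_secret_keys(connector_info, tasks):
    """Return sorted (task number, config key) pairs where the connector
    config holds more placeholders than the task config for the same key,
    i.e. at least one placeholder was resolved. Values are never returned,
    so the findings can be logged without repeating the secret."""
    conn_cfg = connector_info.get("config", {})
    findings = []
    for task in tasks:
        task_no = task["id"]["task"]
        for key, value in task.get("config", {}).items():
            if count_placeholders(conn_cfg.get(key, "")) > count_placeholders(value):
                findings.append((task_no, key))
    return sorted(findings)


# Constructed sample data shaped like the two responses in the report.
JAAS = ('org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="%s" password="%s";')
EXTERNAL = JAAS % ("${file:/constructed/secrets.properties:api.key}",
                   "${file:/constructed/secrets.properties:api.secret}")
CONNECTOR = {"name": "example", "config": {
    "flush.size": "1000",
    "consumer.override.sasl.jaas.config": EXTERNAL,
    "producer.override.sasl.jaas.config": EXTERNAL}}
# Task 0 returns one key resolved and one key still externalized.
TASKS_RESOLVED = [{"id": {"connector": "example", "task": 0}, "config": {
    "flush.size": "1000",
    "consumer.override.sasl.jaas.config": JAAS % ("EXAMPLE_USER", "EXAMPLE_PASS"),
    "producer.override.sasl.jaas.config": EXTERNAL}}]
# What the tasks response looks like when placeholders are preserved.
TASKS_EXTERNALIZED = [{"id": {"connector": "example", "task": 0},
                       "config": dict(CONNECTOR["config"])}]

if __name__ == "__main__":
    for task_no, key in resolved_secret_keys(CONNECTOR, TASKS_RESOLVED):
        print(f"task {task_no}: {key} is returned with resolved values")
```

To check a live worker, pass the parsed JSON from /connectors/<name> as connector_info and from /connectors/<name>/tasks as tasks.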