Posted to commits@nifi.apache.org by "Oleg Zhurakousky (JIRA)" <ji...@apache.org> on 2016/02/29 16:17:18 UTC

[jira] [Commented] (NIFI-1558) Kafka processor clients write potentially sensitive info to the logs

    [ https://issues.apache.org/jira/browse/NIFI-1558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15171969#comment-15171969 ] 

Oleg Zhurakousky commented on NIFI-1558:
----------------------------------------

[~joewitt], regardless of whether the data above is perceived to be sensitive or not, it's coming out of Kafka (not NiFi calling some toString() method) whenever the default log level is INFO. Assuming the logging setting is set to WARN when in prod, this would be no issue; otherwise we would have to raise the issue with Kafka. Let me know what you think.

> Kafka processor clients write potentially sensitive info to the logs
> --------------------------------------------------------------------
>
>                 Key: NIFI-1558
>                 URL: https://issues.apache.org/jira/browse/NIFI-1558
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: 0.5.0
>            Reporter: Joseph Witt
>             Fix For: 0.6.0
>
>
> I noticed the logs on startup have things like the following.  This needs to be suppressed as it is of relatively low value but relatively high risk given that it appears it would write out ssl key passphrases and such.
> {quote}
> 2016-02-23 21:13:56,626 INFO [pool-29-thread-7] o.a.k.clients.producer.ProducerConfig ProducerConfig values:
> 	compression.type = none
> 	metric.reporters = []
> 	metadata.max.age.ms = 300000
> 	metadata.fetch.timeout.ms = 30000
> 	reconnect.backoff.ms = 50
> 	sasl.kerberos.ticket.renew.window.factor = 0.8
> 	bootstrap.servers = [172.31.8.34:9093]
> 	retry.backoff.ms = 100
> 	sasl.kerberos.kinit.cmd = /usr/bin/kinit
> 	buffer.memory = 1048576
> 	timeout.ms = 30000
> 	key.serializer = class org.apache.kafka.common.serialization.ByteArraySerializer
> 	sasl.kerberos.service.name = null
> 	sasl.kerberos.ticket.renew.jitter = 0.05
> 	ssl.keystore.type = JKS
> 	ssl.trustmanager.algorithm = PKIX
> 	block.on.buffer.full = false
> 	ssl.key.password = null
> 	max.block.ms = 60000
> 	sasl.kerberos.min.time.before.relogin = 60000
> 	connections.max.idle.ms = 540000
> 	ssl.truststore.password = null
> 	max.in.flight.requests.per.connection = 5
> 	metrics.num.samples = 2
> 	client.id = NiFi-2243c3f9-bd2b-4bfe-b515-09791ec25c4c
> 	ssl.endpoint.identification.algorithm = null
> 	ssl.protocol = TLS
> 	request.timeout.ms = 30000
> 	ssl.provider = null
> 	ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
> 	acks = 0
> 	batch.size = 200
> 	ssl.keystore.location = null
> 	receive.buffer.bytes = 32768
> 	ssl.cipher.suites = null
> 	ssl.truststore.type = JKS
> 	security.protocol = PLAINTEXT
> 	retries = 0
> 	max.request.size = 1048576
> 	value.serializer = class org.apache.kafka.common.serialization.ByteArraySerializer
> 	ssl.truststore.location = null
> 	ssl.keystore.password = null
> 	ssl.keymanager.algorithm = SunX509
> 	metrics.sample.window.ms = 30000
> 	partitioner.class = class org.apache.kafka.clients.producer.internals.DefaultPartitioner
> 	send.buffer.bytes = 131072
> 	linger.ms = 5000
> {quote}
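
A defender's check for the exposure described in this issue, as an added example that is not part of the original message or of the NiFi or Kafka code: it scans a log for Kafka client config dumps in the layout quoted above and reports password keys that were logged with a real value. The sample log, the function name and the treatment of `null` and `[hidden]` as harmless values are assumptions.

```python
import re

# Header of a Kafka client config dump, in the log layout quoted in the issue.
HEADER = re.compile(r"^\S+ \S+ INFO \[[^\]]*\] \S+ (?P<cls>\w+Config) values:")
# One indented "key = value" entry under the header.
ENTRY = re.compile(r"^\s+(?P<key>[\w.]+) = (?P<value>.*)$")
# Keys such as ssl.key.password, ssl.keystore.password, ssl.truststore.password.
SECRET_KEY = re.compile(r"password$")
# Assumption: these printed values mean no secret was exposed.
HARMLESS = {"", "null", "[hidden]"}


def find_exposed_secrets(lines):
    """Return (line_no, config_class, key) for each password logged in clear text.

    The value itself is never returned, so the report does not repeat the leak.
    """
    findings, current = [], None
    for no, line in enumerate(lines, 1):
        header = HEADER.match(line)
        if header:
            current = header.group("cls")
            continue
        entry = ENTRY.match(line)
        if current is None or entry is None:
            current = None  # any non-entry line ends the dump
            continue
        if SECRET_KEY.search(entry["key"]) and entry["value"].strip() not in HARMLESS:
            findings.append((no, current, entry["key"]))
    return findings


# Constructed sample: same layout as the quoted log, with made-up values.
SAMPLE_LOG = """\
2016-02-23 21:13:56,626 INFO [pool-29-thread-7] o.a.k.clients.producer.ProducerConfig ProducerConfig values:
\tssl.keystore.type = JKS
\tssl.key.password = null
\tssl.keystore.password = EXAMPLE-keystore-pass
\tssl.truststore.password = [hidden]
\tsecurity.protocol = SSL
""".splitlines()

if __name__ == "__main__":
    for line_no, cls, key in find_exposed_secrets(SAMPLE_LOG):
        print(f"line {line_no}: {cls} logged a value for {key}")
```

A finding means the value is already on disk in that log file; running the client loggers at WARN, as the comment proposes, only stops further dumps.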


