Posted to jira@kafka.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/11/27 20:13:00 UTC

[jira] [Commented] (KAFKA-5117) Kafka Connect REST endpoints reveal Password typed values

    [ https://issues.apache.org/jira/browse/KAFKA-5117?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16267400#comment-16267400 ] 

ASF GitHub Bot commented on KAFKA-5117:
---------------------------------------

GitHub user qiao-meng-zefr opened a pull request:

    https://github.com/apache/kafka/pull/4269

    KAFKA-5117: Add password masking for kafka connect REST endpoint

    *More detailed description of your change,
    Mask all password-type config parameters with "*" instead of displaying the plain text in the Kafka Connect REST endpoint.
    
    ### Committer Checklist (excluded from commit message)
    - [ ] Verify design and implementation 
    - [ ] Verify test coverage and CI build status
    - [ ] Verify documentation (including upgrade notes)


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/qiao-meng-zefr/kafka mask_password

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/4269.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #4269
    
----
commit 51665eae52eadb9e6db4107dffac12e0bd40585a
Author: Vincent Meng <qi...@zefr.com>
Date:   2017-11-27T19:41:11Z

    Add password masking

----


> Kafka Connect REST endpoints reveal Password typed values
> ---------------------------------------------------------
>
>                 Key: KAFKA-5117
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5117
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 0.10.2.0
>            Reporter: Thomas Holmes
>
> A Kafka Connect connector can specify ConfigDef keys as type Password. This type was added to prevent logging the values (instead "[hidden]" is logged).
> This change does not apply to the values returned by executing a GET on connectors/{connector-name} and connectors/{connector-name}/config. This creates an easily accessible way for an attacker who has infiltrated your network to gain access to potential secrets that should not be available.
> I have started on a code change that addresses this issue by parsing the config values through the ConfigDef for the connector and returning their output instead (which leads to the masking of Password typed configs as [hidden]).



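The two masking approaches discussed above (the issue's "parse through the connector's ConfigDef" method and the pull request's per-key masking) as an added Java example; it is not code from the pull request or from Kafka's REST layer, and the ConfigDef and config values are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.ConfigDef.Importance;
import org.apache.kafka.common.config.ConfigDef.Type;
import org.apache.kafka.common.config.types.Password;

public class ConnectConfigMasking {

    // Constructed sample: a minimal connector ConfigDef with one PASSWORD-typed key.
    static final ConfigDef CONNECTOR_DEF = new ConfigDef()
        .define("connector.class", Type.STRING, Importance.HIGH, "Connector class")
        .define("db.url", Type.STRING, Importance.HIGH, "JDBC URL")
        .define("db.password", Type.PASSWORD, Importance.HIGH, "Database password");

    /** Approach from the issue: run the raw config through ConfigDef.parse().
     *  PASSWORD-typed values come back as Password objects whose toString() is "[hidden]".
     *  Caveat: parse() only returns keys the ConfigDef defines, so any extra keys the
     *  user submitted are silently dropped from the response. */
    static Map<String, String> maskByParsing(ConfigDef def, Map<String, String> raw) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : def.parse(raw).entrySet()) {
            out.put(e.getKey(), String.valueOf(e.getValue())); // Password -> "[hidden]"
        }
        return out;
    }

    /** Selective masking: keep every submitted key, replace only PASSWORD-typed values. */
    static Map<String, String> maskPasswordKeys(ConfigDef def, Map<String, String> raw) {
        Map<String, ConfigDef.ConfigKey> keys = def.configKeys();
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : raw.entrySet()) {
            ConfigDef.ConfigKey key = keys.get(e.getKey());
            boolean secret = key != null && key.type == Type.PASSWORD;
            out.put(e.getKey(), secret ? Password.HIDDEN : e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> raw = new LinkedHashMap<>(); // constructed sample config
        raw.put("connector.class", "com.example.JdbcSinkConnector");
        raw.put("db.url", "jdbc:postgresql://db.internal/app");
        raw.put("db.password", "s3cr3t");
        raw.put("custom.key", "only-kept-by-selective-masking");

        System.out.println("raw (what the endpoint exposed before the fix): " + raw);
        System.out.println("parsed through ConfigDef: " + maskByParsing(CONNECTOR_DEF, raw));
        System.out.println("selective mask: " + maskPasswordKeys(CONNECTOR_DEF, raw));
    }
}
```

The selective variant preserves keys the ConfigDef does not declare, which matters for connectors that accept free-form properties, while the parse-based variant also applies validation and defaults.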
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)