Bahdan Siamionau created KAFKA-7242:
---------------------------------------
Summary: Externalized secrets are revealed in task configuration
Key: KAFKA-7242
URL: https://issues.apache.org/jira/browse/KAFKA-7242
Project: Kafka
Issue Type: Bug
Reporter: Bahdan Siamionau
Trying to use new [externalized
secrets|https://issues.apache.org/jira/browse/KAFKA-6886] feature I noticed
that task configuration is being saved in config topic with disclosed secrets.
It seems like the main goal of feature was not achieved - secrets are still
persisted in plain-text. Probably I'm misusing this new config, please correct
me if I wrong.
I'm running connect in distributed mode, creating connector with following
config:
{code:java}
{
"name" : "jdbc-sink-test",
"config" : {
"connector.class" : "io.confluent.connect.jdbc.JdbcSinkConnector",
"tasks.max" : "1",
"config.providers" : "file",
"config.providers.file.class" :
"org.apache.kafka.common.config.provider.FileConfigProvider",
"config.providers.file.param.secrets" : "/opt/mysecrets",
"topics" : "test_topic",
"connection.url" : "${file:/opt/mysecrets:url}",
"connection.user" : "${file:/opt/mysecrets:user}",
"connection.password" : "${file:/opt/mysecrets:password}",
"insert.mode" : "upsert",
"pk.mode" : "record_value",
"pk.field" : "id"
}
}
{code}
Connector works fine, placeholders are substituted with correct values from
file, but then updated config is written into the topic again (see 3 following
records in config topic):
{code:java}
key: connector-jdbc-sink-test
value:
{
"properties": {
"connector.class": "io.confluent.connect.jdbc.JdbcSinkConnector",
"tasks.max": "1",
"config.providers": "file",
"config.providers.file.class":
"org.apache.kafka.common.config.provider.FileConfigProvider",
"config.providers.file.param.secrets": "/opt/mysecrets",
"topics": "test_topic",
"connection.url": "${file:/opt/mysecrets:url}",
"connection.user": "${file:/opt/mysecrets:user}",
"connection.password": "${file:/opt/mysecrets:password}",
"insert.mode": "upsert",
"pk.mode": "record_value",
"pk.field": "id",
"name": "jdbc-sink-test"
}
}
key: task-jdbc-sink-test-0
value:
{
"properties": {
"connector.class": "io.confluent.connect.jdbc.JdbcSinkConnector",
"config.providers.file.param.secrets": "/opt/mysecrets",
"connection.password": "actualpassword",
"tasks.max": "1",
"topics": "test_topic",
"config.providers": "file",
"pk.field": "id",
"task.class": "io.confluent.connect.jdbc.sink.JdbcSinkTask",
"connection.user": "datawarehouse",
"name": "jdbc-sink-test",
"config.providers.file.class":
"org.apache.kafka.common.config.provider.FileConfigProvider",
"connection.url":
"jdbc:postgresql://actualurl:5432/datawarehouse?stringtype=unspecified",
"insert.mode": "upsert",
"pk.mode": "record_value"
}
}
key: commit-jdbc-sink-test
value:
{
"tasks":1
}
{code}
Please advice have I misunderstood the goal of the given feature, have I missed
smth in configuration or is it actually a bug? Thank you
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
