frankvicky commented on code in PR #17920:
URL: https://github.com/apache/kafka/pull/17920#discussion_r1867584991


##########
docs/configuration.html:
##########
@@ -302,6 +302,22 @@ <h4><a 
id="org.apache.kafka.disallowed.login.modules"></a><a id="systempropertie
       <tr><th>Default 
Value:</th><td>com.sun.security.auth.module.JndiLoginModule</td></tr>
       </tbody></table>
     </li>
+    <li>
+      <h4><a id="org.apache.kafka.automatic.config.providers"></a><a 
id="systemproperties_org.apache.kafka.automatic.config.providers" 
href="#systemproperties_org.apache.kafka.automatic.config.providers">org.apache.kafka.automatic.config.providers</a></h4>
+      <p>This system property controls the automatic loading of ConfigProvider 
implementations in Apache Kafka. ConfigProviders are used to dynamically supply 
configuration values from sources such as files, directories, or environment 
variables. This property accepts a comma-separated list of ConfigProvider 
names. By default, all built-in ConfigProviders are enabled, including 
<b>FileConfigProvider</b>, <b>DirectoryConfigProvider</b>, and 
<b>EnvVarConfigProvider</b>.</p>
+      <p>If users want to disable all automatic ConfigProviders, they need to 
explicitly set the system property as shown below. Disabling automatic 
ConfigProviders is recommended in environments where configuration data comes 
from untrusted sources or where increased security is required. For more 
details, see <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2024-31141";>CVE-2024-31141</a>.</p>
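Review bot: The first added paragraph says the property accepts "a comma-separated list of ConfigProvider names" but names the built-ins only by simple class name (FileConfigProvider, DirectoryConfigProvider, EnvVarConfigProvider), while the neighbouring org.apache.kafka.disallowed.login.modules entry gives its default as a fully qualified class name (com.sun.security.auth.module.JndiLoginModule). Please state which form the value must take, and consider a "Default Value:" row like the entry above so the two properties read consistently. The second paragraph also says the setting that disables all automatic ConfigProviders is "as shown below"; the visible lines end before any example, so make sure the exact value follows, since that is the line a reader hardening against CVE-2024-31141 will copy.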

Review Comment:
   It is ok for me.  
   Currently, I use the link from `https://nvd.nist.gov/`, to align with the  
   [org.apache.kafka.disallowed.login.modules](https://kafka.apache.org/documentation/#systemproperties_org.apache.kafka.disallowed.login.modules)
   
   If we decide to use the CVE link from the kafka-site, I suggest that we also 
update the link for `CVE-2023-25194`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.