[jira] [Commented] (KAFKA-18371) TopicBasedRemoteLogMetadataManagerConfig exposes sensitive configuration data in logs

Mon, 30 Dec 2024 00:55:56 -0800 


    [ 
https://issues.apache.org/jira/browse/KAFKA-18371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17908809#comment-17908809
 ] 

Vadym Zhytkevych commented on KAFKA-18371:
------------------------------------------

Possible fix is available here: https://github.com/apache/kafka/pull/18349

> TopicBasedRemoteLogMetadataManagerConfig exposes sensitive configuration data 
> in logs
> -------------------------------------------------------------------------------------
>
>                 Key: KAFKA-18371
>                 URL: https://issues.apache.org/jira/browse/KAFKA-18371
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.1.0
>            Reporter: Vadym Zhytkevych
>            Priority: Major
>
> {code:java}
> [2024-12-20 14:52:56,805] INFO Successfully configured topic-based RLMM with 
> config: 
> TopicBasedRemoteLogMetadataManagerConfig{clientIdPrefix='__remote_log_metadata_client_6',
>  metadataTopicPartitionsCount=50, consumeWaitMs=120000, 
> metadataTopicRetentionMs=-1, metadataTopicReplicationFactor=3, 
> initializationRetryMaxTimeoutMs=120000, initializationRetryIntervalMs=100, 
> commonProps={request.timeout.ms=10000, ssl.client.auth=none, 
> ssl.keystore.location=/etc/kafka/ssl/keystore.p12, 
> bootstrap.servers=server1:9094, security.protocol=SASL_SSL, 
> password=CLEARTEXT, ssl.truststore.location=/etc/pki/java/cacerts, 
> ssl.keystore.password=CLEARTEXT, sasl.mechanism=SCRAM-SHA-512, 
> ssl.key.password=CLEARTEXT, 
> sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule 
> required username="username" password="CLEARTEXT";, 
> ssl.truststore.password=CLEARTEXT, …{code}
>  
> Issue is related to using toString() method of 
> TopicBasedRemoteLogMetadataManagerConfig, that prints maps of consumerProps 
> and producerProps withou masking.
>  
> Current workaround: logger for class TopicBasedRemoteLogMetadataManagerConfig 
> can be disabled to not expose sensitive data.
> Expected behavior:  sensitive configuration data masked automatically in logs.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to