(kafka) branch trunk updated: KAFKA-18047: Add org.apache.kafka.automatic.config.providers to System Properties section (#17920)

Tue, 03 Dec 2024 05:29:39 -0800 

This is an automated email from the ASF dual-hosted git repository.

mimaison pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/trunk by this push:
     new ac08325bddf KAFKA-18047: Add 
org.apache.kafka.automatic.config.providers to System Properties section 
(#17920)
ac08325bddf is described below

commit ac08325bddf5b707ce75b0fae422f20bcc79da63
Author: TengYao Chi <[email protected]>
AuthorDate: Tue Dec 3 21:28:50 2024 +0800

    KAFKA-18047: Add org.apache.kafka.automatic.config.providers to System 
Properties section (#17920)
    
    
    Reviewers: Mickael Maison <[email protected]>
---
 docs/configuration.html | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/docs/configuration.html b/docs/configuration.html
index 20d2221f44d..9d5454583d1 100644
--- a/docs/configuration.html
+++ b/docs/configuration.html
@@ -258,7 +258,7 @@
     <li>
       <h4><a id="org.apache.kafka.disallowed.login.modules"></a><a 
id="systemproperties_org.apache.kafka.disallowed.login.modules" 
href="#systemproperties_org.apache.kafka.disallowed.login.modules">org.apache.kafka.disallowed.login.modules</a></h4>
       <p>This system property is used to disable the problematic login modules 
usage in SASL JAAS configuration. This property accepts comma-separated list of 
loginModule names. By default 
<b>com.sun.security.auth.module.JndiLoginModule</b> loginModule is disabled.
-      <p>If users want to enable JndiLoginModule, users need to explicitly 
reset the system property like below. We advise the users to validate 
configurations and only allow trusted JNDI configurations. For more details <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2023-25194";>CVE-2023-25194</a>.
+      <p>If users want to enable JndiLoginModule, users need to explicitly 
reset the system property like below. We advise the users to validate 
configurations and only allow trusted JNDI configurations. For more details <a 
href="https://kafka.apache.org/cve-list#CVE-2023-25194";>CVE-2023-25194</a>.
       <p><pre><code 
class="language-bash">-Dorg.apache.kafka.disallowed.login.modules=</code></pre>
       <p>To disable more loginModules, update the system property with 
comma-separated loginModule names. Make sure to explicitly add 
<b>JndiLoginModule</b> module name to the comma-separated list like below.
       <p><pre><code 
class="language-bash">-Dorg.apache.kafka.disallowed.login.modules=com.sun.security.auth.module.JndiLoginModule,com.ibm.security.auth.module.LdapLoginModule,com.ibm.security.auth.module.Krb5LoginModule</code></pre>
@@ -267,6 +267,22 @@
       <tr><th>Default 
Value:</th><td>com.sun.security.auth.module.JndiLoginModule</td></tr>
       </tbody></table>
     </li>
+    <li>
+      <h4><a id="org.apache.kafka.automatic.config.providers"></a><a 
id="systemproperties_org.apache.kafka.automatic.config.providers" 
href="#systemproperties_org.apache.kafka.automatic.config.providers">org.apache.kafka.automatic.config.providers</a></h4>
+      <p>This system property controls the automatic loading of ConfigProvider 
implementations in Apache Kafka. ConfigProviders are used to dynamically supply 
configuration values from sources such as files, directories, or environment 
variables. This property accepts a comma-separated list of ConfigProvider 
names. By default, all built-in ConfigProviders are enabled, including 
<b>FileConfigProvider</b>, <b>DirectoryConfigProvider</b>, and 
<b>EnvVarConfigProvider</b>.</p>
+      <p>If users want to disable all automatic ConfigProviders, they need to 
explicitly set the system property as shown below. Disabling automatic 
ConfigProviders is recommended in environments where configuration data comes 
from untrusted sources or where increased security is required. For more 
details, see <a 
href="https://kafka.apache.org/cve-list#CVE-2024-31141";>CVE-2024-31141</a>.</p>
+      <pre><code 
class="language-bash">-Dorg.apache.kafka.automatic.config.providers=none</code></pre>
+      <p>To allow specific ConfigProviders, update the system property with a 
comma-separated list of ConfigProvider names. For example, to enable only the 
<b>EnvVarConfigProvider</b>, set the property as follows:</p>
+      <pre><code 
class="language-bash">-Dorg.apache.kafka.automatic.config.providers=env</code></pre>
+      <p>To use multiple ConfigProviders, include their names in a 
comma-separated list as shown below:</p>
+      <pre><code 
class="language-bash">-Dorg.apache.kafka.automatic.config.providers=file,env</code></pre>
+      <table>
+        <tbody>
+        <tr><th>Since:</th><td>3.8.0</td></tr>
+        <tr><th>Default Value:</th><td>All built-in ConfigProviders are 
enabled</td></tr>
+        </tbody>
+      </table>
+    </li>
   </ul>
 
   <h3 class="anchor-heading"><a id="tieredstorageconfigs" 
class="anchor-link"></a><a href="#tieredstorageconfigs">3.10 Tiered Storage 
Configs</a></h3>

Reply via email to