[ 
https://issues.apache.org/jira/browse/KAFKA-4056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15426541#comment-15426541
 ] 

Ismael Juma commented on KAFKA-4056:
------------------------------------

[~mimaison], the key thing to trigger this issue is to set the config, but use 
PLAINTEXT as the security protocol (what is unused is determined dynamically).

The option you suggest is the same one Jaikiran suggested in the mailing list. 
It's probably fine. The other option is to use `values` instead of `originals`, 
but maybe that's more confusing.

> Kafka logs values of sensitive configs like passwords
> -----------------------------------------------------
>
>                 Key: KAFKA-4056
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4056
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 0.9.0.1
>            Reporter: jaikiran pai
>            Assignee: Mickael Maison
>
> From the mail discussion here: 
> https://www.mail-archive.com/dev@kafka.apache.org/msg55012.html
> {quote}
> We are using 0.9.0.1 of Kafka (Java) libraries for our Kafka consumers and 
> producers. In one of our consumers, our consumer config had a SSL specific 
> property which ended up being used against a non-SSL Kafka broker port. As a 
> result, the logs ended up seeing messages like:
> 17:53:33,722 WARN [o.a.k.c.c.ConsumerConfig] - The configuration 
> *ssl.truststore.password = foobar* was supplied but isn't a known config.
> The log message is fine and makes sense, but can Kafka please not log the 
> values of the properties and instead just include the config name which it 
> considers as unknown? That way it won't end up logging these potentially 
> sensitive values. I understand that only those with access to these log files 
> can end up seeing these values but even then some of our internal processes 
> forbid logging such sensitive information to the logs. This log message will 
> still end up being useful if only the config name is logged without the 
> value. 
> {quote}
> Apparently (as noted in that thread), there's already code in the Kafka 
> library which masks sensitive values like passwords, but it looks like 
> there's a bug where it unintentionally logs these raw values.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
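The mechanism the ticket describes (a password config that is "unused" only because the PLAINTEXT code path never reads it, then printed raw from the originals map by the unused-config warning), as an added Python model. This is illustration code, not Kafka's Java implementation; the class and function names (`Password`, `ConfigDef`, `Config`, `log_unused_*`) and the sample properties are hypothetical stand-ins chosen to mirror the report. It shows the leaking variant beside the two alternatives discussed above: logging only the key name, and formatting the parsed `values` entry instead of the raw `originals` entry.

```python
"""Added model (not Kafka's code) of how an 'unused config' warning can leak a
secret, and two ways to stop it.  All names here are hypothetical stand-ins."""
from dataclasses import dataclass, field


class Password:
    """Wrapper for a secret whose str()/repr() never reveal it.  This mirrors
    the masking the ticket says already exists for known password configs."""

    def __init__(self, value: str) -> None:
        self._value = value

    def value(self) -> str:
        return self._value

    def __str__(self) -> str:
        return "[hidden]"

    __repr__ = __str__


@dataclass
class ConfigDef:
    """Hypothetical schema: key -> "password" | "string", plus defaults."""
    types: dict
    defaults: dict = field(default_factory=dict)

    def parse(self, originals: dict) -> dict:
        # Only keys known to the schema end up in `values`; passwords are wrapped.
        values = {}
        for key, typ in self.types.items():
            raw = originals.get(key, self.defaults.get(key))
            if raw is not None:
                values[key] = Password(raw) if typ == "password" else raw
        return values


class Config:
    def __init__(self, config_def: ConfigDef, originals: dict) -> None:
        self.originals = dict(originals)           # raw caller-supplied strings
        self.values = config_def.parse(originals)  # parsed; secrets wrapped
        self._used = set()

    def get(self, key: str):
        self._used.add(key)   # "used" is decided at runtime by who calls get()
        return self.values[key]

    def unused(self) -> list:
        return sorted(k for k in self.originals if k not in self._used)

    # Leaking variant: formats the raw original, so an unread password is logged.
    def log_unused_buggy(self) -> list:
        return [f"The configuration {k} = {self.originals[k]} was supplied but isn't a known config."
                for k in self.unused()]

    # Alternative 1 (the reporter's suggestion): log the key name only.
    def log_unused_key_only(self) -> list:
        return [f"The configuration '{k}' was supplied but isn't a known config."
                for k in self.unused()]

    # Alternative 2 (`values` instead of `originals`): the parsed value prints as
    # [hidden] for passwords; keys outside the schema have no parsed value, so
    # they can only be reported by name, which is the "more confusing" part.
    def log_unused_values(self) -> list:
        out = []
        for k in self.unused():
            if k in self.values:
                out.append(f"The configuration {k} = {self.values[k]} was supplied but isn't a known config.")
            else:
                out.append(f"The configuration '{k}' was supplied but isn't a known config.")
        return out


CONSUMER_DEF = ConfigDef(
    types={"bootstrap.servers": "string", "security.protocol": "string",
           "ssl.truststore.password": "password"},
    defaults={"security.protocol": "PLAINTEXT"},
)


def consumer_startup(props: dict) -> Config:
    """Reads the truststore password only when the protocol is SSL, so under
    PLAINTEXT the password config is supplied but never used."""
    cfg = Config(CONSUMER_DEF, props)
    cfg.get("bootstrap.servers")
    if cfg.get("security.protocol") == "SSL":
        cfg.get("ssl.truststore.password").value()
    return cfg


# Constructed sample matching the report: an SSL property used against a PLAINTEXT port.
SAMPLE_PROPS = {
    "bootstrap.servers": "broker:9092",
    "security.protocol": "PLAINTEXT",
    "ssl.truststore.password": "foobar",
    "my.custom.setting": "x",
}

if __name__ == "__main__":
    cfg = consumer_startup(SAMPLE_PROPS)
    for label, lines in (("buggy", cfg.log_unused_buggy()),
                         ("key-only", cfg.log_unused_key_only()),
                         ("values", cfg.log_unused_values())):
        for line in lines:
            print(f"{label:8s} WARN {line}")
```

Running it prints the leaking line with `foobar` once, and the two alternatives without it; switching `security.protocol` to `SSL` in the sample removes `ssl.truststore.password` from the unused list entirely, which is why the bug only shows up with a PLAINTEXT listener.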