[ https://issues.apache.org/jira/browse/KAFKA-4056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15428597#comment-15428597 ]

ASF GitHub Bot commented on KAFKA-4056:
---------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/kafka/pull/1759


> Kafka logs values of sensitive configs like passwords
> -----------------------------------------------------
>
>                 Key: KAFKA-4056
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4056
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 0.9.0.1
>            Reporter: jaikiran pai
>            Assignee: Mickael Maison
>             Fix For: 0.10.1.0
>
>
> From the mail discussion here: 
> https://www.mail-archive.com/dev@kafka.apache.org/msg55012.html
> {quote}
> We are using 0.9.0.1 of Kafka (Java) libraries for our Kafka consumers and 
> producers. In one of our consumers, our consumer config had an SSL-specific 
> property which ended up being used against a non-SSL Kafka broker port. As a 
> result, the logs ended up seeing messages like:
> 17:53:33,722 WARN [o.a.k.c.c.ConsumerConfig] - The configuration 
> *ssl.truststore.password = foobar* was supplied but isn't a known config.
> The log message is fine and makes sense, but can Kafka please not log the 
> values of the properties and instead just include the config name which it 
> considers as unknown? That way it won't end up logging these potentially 
> sensitive values. I understand that only those with access to these log files 
> can end up seeing these values but even then some of our internal processes 
> forbid logging such sensitive information to the logs. This log message will 
> still end up being useful if only the config name is logged without the 
> value. 
> {quote}
> Apparently (as noted in that thread), there's already code in the Kafka 
> library which masks sensitive values like passwords, but it looks like 
> there's a bug where it unintentionally logs these raw values.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
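The pattern the report asks for, written out as an added example that is not Kafka's code nor the code from the linked pull request: unknown config keys are warned about by name only, a startup dump of the config masks values of secret-bearing keys, and a small check scans captured log output for any configured secret so a unit test can catch a regression of exactly this kind. The key pattern, the known-key set, the logger name and the sample config are constructed for the example; Kafka's own masking is tied to its password config type rather than to a regex.

```python
"""Added example (not Kafka's code): log configs without leaking secret values,
plus a check that scans captured log output for configured secrets."""
import io
import logging
import re

# Assumption for this example: keys whose last segment is one of these words hold
# secrets. Kafka marks such configs with a dedicated password type instead.
SENSITIVE_KEY_PATTERN = re.compile(r"\.(password|secret|token)$", re.IGNORECASE)

# Constructed stand-in for the real consumer key set.
KNOWN_CONSUMER_KEYS = {"bootstrap.servers", "group.id", "security.protocol"}

MASK = "[hidden]"


def redact(key: str, value: str) -> str:
    """Return the value unless the key names a secret, in which case the mask."""
    return MASK if SENSITIVE_KEY_PATTERN.search(key) else value


def log_unknown_configs(config: dict, known_keys: set, logger: logging.Logger) -> list:
    """Warn about unknown keys by name only; the value never reaches the log."""
    unknown = sorted(k for k in config if k not in known_keys)
    for key in unknown:
        logger.warning("The configuration '%s' was supplied but isn't a known config.", key)
    return unknown


def config_lines_for_log(config: dict) -> list:
    """Render a config for a startup banner with secret values masked."""
    return [f"{k} = {redact(k, v)}" for k, v in sorted(config.items())]


def leaked_secret_keys(log_text: str, config: dict) -> list:
    """Return the keys whose secret value appears verbatim in log_text."""
    return sorted(
        k for k, v in config.items()
        if SENSITIVE_KEY_PATTERN.search(k) and v and v in log_text
    )


def demo() -> tuple:
    """Run the safe logging over a constructed config and scan the captured log."""
    # Constructed sample: an SSL password handed to a consumer on a plaintext port,
    # the situation described in the report.
    config = {
        "bootstrap.servers": "broker:9092",
        "group.id": "orders",
        "ssl.truststore.password": "foobar",
    }
    buf = io.StringIO()
    logger = logging.getLogger("example.ConsumerConfig")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s [%(name)s] - %(message)s"))
    logger.addHandler(handler)
    try:
        unknown = log_unknown_configs(config, KNOWN_CONSUMER_KEYS, logger)
        for line in config_lines_for_log(config):
            logger.info(line)
    finally:
        logger.removeHandler(handler)
    captured = buf.getvalue()
    return unknown, captured, leaked_secret_keys(captured, config)


if __name__ == "__main__":
    unknown_keys, log_output, leaked = demo()
    print(log_output)
    print("unknown:", unknown_keys, "leaked:", leaked)
```

`leaked_secret_keys` is the part worth keeping in a test suite: it takes the config actually in use and the log text actually produced, so it catches the case the report describes (a value leaking through a code path that never consulted the masking logic) rather than only checking that the masking helper works in isolation.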
