Ryan P created KAFKA-4364:
-----------------------------
Summary: Sink tasks expose secrets in DEBUG logging
Key: KAFKA-4364
URL: https://issues.apache.org/jira/browse/KAFKA-4364
Project: Kafka
Issue Type: Bug
Components: KafkaConnect
Reporter: Ryan P
Assignee: Ewen Cheslack-Postava
As it stands today worker tasks print secrets such as Key/Trust store passwords
to their respective logs.
https://github.com/confluentinc/kafka/blob/trunk/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/WorkerSinkTask.java#L213-L214
i.e.
[2016-11-01 12:50:59,254] DEBUG Initializing connector test-sink with config
{consumer.ssl.truststore.password=password,
connector.class=io.confluent.connect.jdbc.JdbcSinkConnector,
connection.password=password, producer.security.protocol=SSL,
producer.ssl.truststore.password=password, topics=orders, tasks.max=1,
consumer.ssl.truststore.location=/tmp/truststore/kafka.trustore.jks,
producer.ssl.truststore.location=/tmp/truststore/kafka.trustore.jks,
connection.user=connect, name=test-sink, auto.create=true,
consumer.security.protocol=SSL,
connection.url=jdbc:postgresql://localhost/test}
(org.apache.kafka.connect.runtime.WorkerConnector:71)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
