Dávid Paksy created ZOOKEEPER-5049:
--------------------------------------
Summary: PrometheusMetricsProvider logs KeyStore and TrustStore
passwords in clear text on INFO level
Key: ZOOKEEPER-5049
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5049
Project: ZooKeeper
Issue Type: Bug
Components: metric system, security
Reporter: Dávid Paksy
When PrometheusMetricsProvider is enabled and configured for HTTPS, it logs its
whole configuration, including the KeyStore and TrustStore passwords, in clear
text at INFO level on startup.
Excerpt from zoo.cfg:
{noformat}
metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
metricsProvider.httpPort=7000
metricsProvider.httpsPort=7000
metricsProvider.ssl.keyStore.location=keystore.jks
metricsProvider.ssl.keyStore.password=password
metricsProvider.ssl.trustStore.location=truststore.jks
metricsProvider.ssl.trustStore.password=password
{noformat}
Log:
{noformat}
2026-05-13 16:49:22,852 [myid:] - INFO
[main:o.a.z.m.p.PrometheusMetricsProvider@135] - Initializing Prometheus
metrics with Jetty, configuration: {ssl.keyStore.location=keystore.jks,
ssl.keyStore.password=password, ssl.trustStore.password=password,
ssl.enabledProtocols=TLSv1.2,TLSv1.3, httpPort=7000,
ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ssl.need.client.auth=false, ssl.trustStore.location=truststore.jks,
httpsPort=7000}
{noformat}
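As an added example (not part of this report or of ZooKeeper), a small Python scanner that finds and masks this leak in existing log lines: it parses the Java-style `{k=v, k=v}` map printed by the provider, taking care not to split inside comma-separated values such as ssl.ciphersuites, and treats any key containing password/secret/credential/token as sensitive (that key list is an assumption; the page only shows the two ssl.*.password keys). The sample line is the log entry above re-joined onto one line.

```python
import re

# Keys whose values must never reach a log. Assumed policy list: the page
# itself only shows the two ssl.*.password keys leaking.
SENSITIVE_KEY = re.compile(r"(password|secret|credential|token)", re.IGNORECASE)

# The "configuration: {k=v, k=v}" map printed by PrometheusMetricsProvider;
# the braces and ", " separators are Java's AbstractMap.toString() format.
CONFIG_MAP = re.compile(r"(configuration: \{)(.*?)(\})")


def parse_config_map(body):
    """Split a Java-style 'k=v, k=v' map body into (key, value) pairs.
    Entries are separated by comma+space; values such as ssl.ciphersuites
    or ssl.enabledProtocols contain bare commas, so never split on ','."""
    pairs = []
    for entry in body.split(", "):
        key, sep, value = entry.partition("=")
        if sep:
            pairs.append((key.strip(), value))
    return pairs


def leaked_keys(line):
    """Sensitive keys whose values appear unmasked on this log line."""
    m = CONFIG_MAP.search(line)
    if not m:
        return []
    return [k for k, v in parse_config_map(m.group(2))
            if SENSITIVE_KEY.search(k) and v not in ("", "****")]


def redact_line(line):
    """Return the line with every sensitive value in the map replaced by ****."""
    def _mask(m):
        pairs = parse_config_map(m.group(2))
        body = ", ".join(f"{k}={'****' if SENSITIVE_KEY.search(k) else v}"
                         for k, v in pairs)
        return f"{m.group(1)}{body}{m.group(3)}"
    return CONFIG_MAP.sub(_mask, line)


# Constructed sample: the report's log line re-joined onto one line.
SAMPLE_LINE = (
    "2026-05-13 16:49:22,852 [myid:] - INFO [main:o.a.z.m.p.PrometheusMetricsProvider@135]"
    " - Initializing Prometheus metrics with Jetty, configuration: {ssl.keyStore.location=keystore.jks,"
    " ssl.keyStore.password=password, ssl.trustStore.password=password,"
    " ssl.enabledProtocols=TLSv1.2,TLSv1.3, httpPort=7000,"
    " ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,"
    " ssl.need.client.auth=false, ssl.trustStore.location=truststore.jks, httpsPort=7000}"
)

if __name__ == "__main__":
    print("leaked:", leaked_keys(SAMPLE_LINE))
    print(redact_line(SAMPLE_LINE))
```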