[
https://issues.apache.org/jira/browse/ZOOKEEPER-5049?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dávid Paksy reassigned ZOOKEEPER-5049:
--------------------------------------
Assignee: Dávid Paksy
> PrometheusMetricsProvider logs KeyStore and TrustStore passwords in clear text
> on INFO level
> -------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-5049
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5049
> Project: ZooKeeper
> Issue Type: Bug
> Components: metric system, security
> Reporter: Dávid Paksy
> Assignee: Dávid Paksy
> Priority: Major
>
> When PrometheusMetricsProvider is enabled and configured for HTTPS, on
> startup, PrometheusMetricsProvider will log all its configs in clear text on
> INFO level.
> Excerpt from zoo.cfg:
> {noformat}
> metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
> metricsProvider.httpPort=7000
> metricsProvider.httpsPort=7000
> metricsProvider.ssl.keyStore.location=keystore.jks
> metricsProvider.ssl.keyStore.password=password
> metricsProvider.ssl.trustStore.location=truststore.jks
> metricsProvider.ssl.trustStore.password=password
> {noformat}
> Log:
> {noformat}
> 2026-05-13 16:49:22,852 [myid:] - INFO
> [main:o.a.z.m.p.PrometheusMetricsProvider@135] - Initializing Prometheus
> metrics with Jetty, configuration: {ssl.keyStore.location=keystore.jks,
> ssl.keyStore.password=password, ssl.trustStore.password=password,
> ssl.enabledProtocols=TLSv1.2,TLSv1.3, httpPort=7000,
> ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> ssl.need.client.auth=false, ssl.trustStore.location=truststore.jks,
> httpsPort=7000}
> {noformat}
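An added illustration of the usual mitigation for the leak reported above: mask sensitive values before the configuration reaches the logger. This is not code from the issue or from ZooKeeper; the class and method names are hypothetical, and it assumes the provider's configuration is available as a java.util.Properties object whose default string form produced the {key=value, ...} log line.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

// Added illustration; class and method names are hypothetical, not ZooKeeper code.
public class RedactedConfigLogging {

    private static final String MASK = "***";

    // Treat any key whose name contains "password" (case-insensitive) as sensitive.
    static boolean isSensitive(String key) {
        return key.toLowerCase(Locale.ROOT).contains("password");
    }

    // Return a sorted copy of the configuration that is safe to pass to a logger.
    static Map<String, String> redact(Properties config) {
        Map<String, String> safe = new TreeMap<>();
        for (String key : config.stringPropertyNames()) {
            safe.put(key, isSensitive(key) ? MASK : config.getProperty(key));
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the keys shown in the report's log line.
        Properties config = new Properties();
        config.setProperty("httpPort", "7000");
        config.setProperty("httpsPort", "7000");
        config.setProperty("ssl.keyStore.location", "keystore.jks");
        config.setProperty("ssl.keyStore.password", "password");
        config.setProperty("ssl.trustStore.location", "truststore.jks");
        config.setProperty("ssl.trustStore.password", "password");

        // Before: string-concatenating the Properties object prints every value.
        // System.out.println("configuration: " + config);

        // After: only the redacted copy reaches the log message.
        System.out.println("Initializing Prometheus metrics with Jetty, configuration: "
                + redact(config));
    }
}
```

Logs written before such a change still contain the passwords, so the keystore and truststore credentials need rotating and the existing log files need access review.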