[ https://issues.apache.org/jira/browse/ZOOKEEPER-5049?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dávid Paksy updated ZOOKEEPER-5049:
-----------------------------------
Description:
When PrometheusMetricsProvider is enabled and configured for HTTPS, on startup,
PrometheusMetricsProvider will log all its configs in clear text on INFO
level. This includes KeyStore and TrustStore passwords.
Excerpt from zoo.cfg:
{noformat}
metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
metricsProvider.httpPort=7000
metricsProvider.httpsPort=7000
metricsProvider.ssl.keyStore.location=keystore.jks
metricsProvider.ssl.keyStore.password=password
metricsProvider.ssl.trustStore.location=truststore.jks
metricsProvider.ssl.trustStore.password=password
{noformat}
Log:
{noformat}
2026-05-13 16:49:22,852 [myid:] - INFO
[main:o.a.z.m.p.PrometheusMetricsProvider@135] - Initializing Prometheus
metrics with Jetty, configuration: {ssl.keyStore.location=keystore.jks,
ssl.keyStore.password=password, ssl.trustStore.password=password,
ssl.enabledProtocols=TLSv1.2,TLSv1.3, httpPort=7000,
ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ssl.need.client.auth=false, ssl.trustStore.location=truststore.jks,
httpsPort=7000}
{noformat}
was:
When PrometheusMetricsProvider is enabled and configured for HTTPS, on startup,
PrometheusMetricsProvider will log all it's configs in clear text on INFO
level. This includes KeyStore and TrusStore passwords.
Excerpt from zoo.cfg:
{noformat}
metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
metricsProvider.httpPort=7000
metricsProvider.httpsPort=7000
metricsProvider.ssl.keyStore.location=keystore.jks
metricsProvider.ssl.keyStore.password=password
metricsProvider.ssl.trustStore.location=truststore.jks
metricsProvider.ssl.trustStore.password=password
{noformat}
Log:
{noformat}
2026-05-13 16:49:22,852 [myid:] - INFO
[main:o.a.z.m.p.PrometheusMetricsProvider@135] - Initializing Prometheus
metrics with Jetty, configuration: {ssl.keyStore.location=keystore.jks,
ssl.keyStore.password=password, ssl.trustStore.password=password,
ssl.enabledProtocols=TLSv1.2,TLSv1.3, httpPort=7000,
ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ssl.need.client.auth=false, ssl.trustStore.location=truststore.jks,
httpsPort=7000}
{noformat}
> PrometheusMetricsProvider logs KeyStore and TrustStore passwords in clear text on INFO level
> --------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-5049
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5049
> Project: ZooKeeper
> Issue Type: Bug
> Components: metric system, security
> Reporter: Dávid Paksy
> Assignee: Dávid Paksy
> Priority: Major
>
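The issue above is a secret-in-logs defect: the provider dumps its whole configuration map, passwords included, at INFO level. The usual mitigation is to redact values of sensitive keys before the map is rendered into a log message, and a cheap detection is to scan log lines for `*.password=` pairs whose value is not masked. The following Python block is an added illustration of both, not ZooKeeper's own code (ZooKeeper is Java); the config map and the log line are constructed from the excerpts in this report, and the key-name pattern used to decide what counts as sensitive is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the metricsProvider.* settings from the zoo.cfg excerpt in the report,
# keyed the way the provider renders them in its startup log line.
SAMPLE_CONFIG: Dict[str, str] = {
    "ssl.keyStore.location": "keystore.jks",
    "ssl.keyStore.password": "password",
    "ssl.trustStore.location": "truststore.jks",
    "ssl.trustStore.password": "password",
    "ssl.enabledProtocols": "TLSv1.2,TLSv1.3",
    "httpPort": "7000",
    "httpsPort": "7000",
}

# Constructed sample: the INFO line quoted in the report, collapsed onto one line.
SAMPLE_LOG_LINE = (
    "2026-05-13 16:49:22,852 [myid:] - INFO [main:o.a.z.m.p.PrometheusMetricsProvider@135] - "
    "Initializing Prometheus metrics with Jetty, configuration: {ssl.keyStore.location=keystore.jks, "
    "ssl.keyStore.password=password, ssl.trustStore.password=password, "
    "ssl.enabledProtocols=TLSv1.2,TLSv1.3, httpPort=7000, ssl.need.client.auth=false, "
    "ssl.trustStore.location=truststore.jks, httpsPort=7000}"
)

# Assumption: any key whose name contains one of these words holds a secret.
SENSITIVE_KEY_PATTERN = re.compile(r"password|passwd|secret|token|credential", re.IGNORECASE)
MASK = "****"


def redact_config(config: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the config in which every sensitive value is replaced by MASK."""
    return {
        key: (MASK if SENSITIVE_KEY_PATTERN.search(key) else value)
        for key, value in config.items()
    }


def format_for_log(config: Dict[str, str]) -> str:
    """Render the config the way the provider does ({k=v, ...}), but redacted first."""
    redacted = redact_config(config)
    return "{" + ", ".join(f"{k}={v}" for k, v in sorted(redacted.items())) + "}"


# Matches "<key containing a sensitive word>=<value>" inside a rendered map;
# the value runs up to the next comma, closing brace or whitespace.
LEAK_PATTERN = re.compile(
    r"\b([\w.]*(?:password|passwd|secret|token|credential)[\w.]*)=([^,}\s]+)",
    re.IGNORECASE,
)


def find_leaked_secrets(log_line: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs for sensitive keys whose logged value is not masked."""
    return [(k, v) for k, v in LEAK_PATTERN.findall(log_line) if v != MASK]


if __name__ == "__main__":
    print("leaks in reported log line:", find_leaked_secrets(SAMPLE_LOG_LINE))
    safe = format_for_log(SAMPLE_CONFIG)
    print("redacted rendering:", safe)
    print("leaks after redaction:", find_leaked_secrets(safe))
```

`find_leaked_secrets` run over the reported line flags both `ssl.keyStore.password` and `ssl.trustStore.password`, while the same scan over `format_for_log(SAMPLE_CONFIG)` finds nothing; the same pattern is usable as a log-pipeline check that fires whenever a startup line still carries an unmasked password.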
--
This message was sent by Atlassian Jira (v8.20.10#820010)