[ https://issues.apache.org/jira/browse/ZOOKEEPER-5049?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dávid Paksy updated ZOOKEEPER-5049:
-----------------------------------
    Summary: PrometheusMetricsProvider logs KeyStore and TrustStore passwords 
in clear text on INFO level  (was: PrometheusMetricsProvider logs KeyStore and 
TrusStore passwords in clear text on INFO level)

> PrometheusMetricsProvider logs KeyStore and TrustStore passwords in clear 
> text on INFO level
> --------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-5049
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5049
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: metric system, security
>            Reporter: Dávid Paksy
>            Assignee: Dávid Paksy
>            Priority: Major
>
> When PrometheusMetricsProvider is enabled and configured for HTTPS, on 
> startup, PrometheusMetricsProvider will log all its configs in clear text on 
> INFO level. This includes KeyStore and TrustStore passwords.
> Excerpt from zoo.cfg:
> {noformat}
> metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
> metricsProvider.httpPort=7000
> metricsProvider.httpsPort=7000
> metricsProvider.ssl.keyStore.location=keystore.jks
> metricsProvider.ssl.keyStore.password=password
> metricsProvider.ssl.trustStore.location=truststore.jks
> metricsProvider.ssl.trustStore.password=password
> {noformat}
> Log:
> {noformat}
> 2026-05-13 16:49:22,852 [myid:] - INFO  
> [main:o.a.z.m.p.PrometheusMetricsProvider@135] - Initializing Prometheus 
> metrics with Jetty, configuration: {ssl.keyStore.location=keystore.jks, 
> ssl.keyStore.password=password, ssl.trustStore.password=password, 
> ssl.enabledProtocols=TLSv1.2,TLSv1.3, httpPort=7000, 
> ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>  ssl.need.client.auth=false, ssl.trustStore.location=truststore.jks, 
> httpsPort=7000}
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
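
Added example, not part of the issue and not ZooKeeper's own fix: one way to build a log-safe copy of a provider configuration before it is written to the log, so that the keys shown in the report above appear with masked values. The class name LogSafeConfig, the sensitive-key pattern and the mask string are assumptions made for this illustration.

```java
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import java.util.regex.Pattern;

/** Added example: builds a log-safe view of a configuration before logging it. */
public final class LogSafeConfig {

    // Assumption: key names containing one of these words hold secrets.
    private static final Pattern SENSITIVE_KEY =
            Pattern.compile("password|passwd|secret|token", Pattern.CASE_INSENSITIVE);

    // Fixed-width mask, so the log does not reveal the secret's length either.
    private static final String MASK = "********";

    private LogSafeConfig() { }

    /** Returns a sorted copy of the configuration with secret values masked. */
    public static Map<String, String> redact(Properties configuration) {
        Map<String, String> safe = new TreeMap<>();
        for (String key : configuration.stringPropertyNames()) {
            String value = configuration.getProperty(key);
            safe.put(key, SENSITIVE_KEY.matcher(key).find() ? MASK : value);
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the keys shown in the log excerpt.
        Properties cfg = new Properties();
        cfg.setProperty("httpsPort", "7000");
        cfg.setProperty("ssl.keyStore.location", "keystore.jks");
        cfg.setProperty("ssl.keyStore.password", "password");
        cfg.setProperty("ssl.trustStore.location", "truststore.jks");
        cfg.setProperty("ssl.trustStore.password", "password");

        Map<String, String> safe = redact(cfg);
        if (safe.containsValue("password")) {
            throw new AssertionError("secret value survived redaction");
        }
        // Log the redacted copy, never the original Properties object.
        System.out.println("Initializing Prometheus metrics with Jetty, configuration: " + safe);
    }
}
```

Logs already written with the clear-text values are unaffected by a change like this; the passwords in them should be treated as exposed and rotated.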
