[
https://issues.apache.org/jira/browse/ZOOKEEPER-5049?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dávid Paksy updated ZOOKEEPER-5049:
-----------------------------------
Description:
When PrometheusMetricsProvider is enabled and configured for HTTPS, on startup,
PrometheusMetricsProvider will log all its configs in clear text on INFO
level. This includes KeyStore and TrustStore passwords.
Excerpt from zoo.cfg:
{noformat}
metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
metricsProvider.httpPort=7000
metricsProvider.httpsPort=7000
metricsProvider.ssl.keyStore.location=keystore.jks
metricsProvider.ssl.keyStore.password=password
metricsProvider.ssl.trustStore.location=truststore.jks
metricsProvider.ssl.trustStore.password=password
{noformat}
Log:
{noformat}
2026-05-13 16:49:22,852 [myid:] - INFO
[main:o.a.z.m.p.PrometheusMetricsProvider@135] - Initializing Prometheus
metrics with Jetty, configuration: {ssl.keyStore.location=keystore.jks,
ssl.keyStore.password=password, ssl.trustStore.password=password,
ssl.enabledProtocols=TLSv1.2,TLSv1.3, httpPort=7000,
ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ssl.need.client.auth=false, ssl.trustStore.location=truststore.jks,
httpsPort=7000}
{noformat}
This only affects master branch (unreleased 3.10.0 version) as the secure
PrometheusMetricsProvider only exists there. Other ZooKeeper versions are not
affected.
was:
When PrometheusMetricsProvider is enabled and configured for HTTPS, on startup,
PrometheusMetricsProvider will log all its configs in clear text on INFO
level. This includes KeyStore and TrustStore passwords.
Excerpt from zoo.cfg:
{noformat}
metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
metricsProvider.httpPort=7000
metricsProvider.httpsPort=7000
metricsProvider.ssl.keyStore.location=keystore.jks
metricsProvider.ssl.keyStore.password=password
metricsProvider.ssl.trustStore.location=truststore.jks
metricsProvider.ssl.trustStore.password=password
{noformat}
Log:
{noformat}
2026-05-13 16:49:22,852 [myid:] - INFO
[main:o.a.z.m.p.PrometheusMetricsProvider@135] - Initializing Prometheus
metrics with Jetty, configuration: {ssl.keyStore.location=keystore.jks,
ssl.keyStore.password=password, ssl.trustStore.password=password,
ssl.enabledProtocols=TLSv1.2,TLSv1.3, httpPort=7000,
ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ssl.need.client.auth=false, ssl.trustStore.location=truststore.jks,
httpsPort=7000}
{noformat}
> PrometheusMetricsProvider logs KeyStore and TrustStore passwords in clear
> text on INFO level
> --------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-5049
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5049
> Project: ZooKeeper
> Issue Type: Bug
> Components: metric system, security
> Affects Versions: 3.10.0
> Reporter: Dávid Paksy
> Assignee: Dávid Paksy
> Priority: Major
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
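A log-audit and redaction check for the defect described in this issue, added here as an example that is not ZooKeeper's code. The sample log line is constructed from the INFO line in the report (the ciphersuite list is shortened); the sensitive-key pattern and the mask string are assumptions, not anything the project defines.

```python
import re

# Key-name fragments that mark a configuration value as a secret (assumed list).
SENSITIVE_KEY_PATTERN = re.compile(r"(password|passwd|secret|token|credential)", re.IGNORECASE)
MASK = "*****"

# Constructed sample: the INFO line from the report collapsed onto one line
# (ciphersuite list shortened; its values are comma-separated without spaces).
SAMPLE_LOG_LINE = (
    "2026-05-13 16:49:22,852 [myid:] - INFO [main:o.a.z.m.p.PrometheusMetricsProvider@135]"
    " - Initializing Prometheus metrics with Jetty, configuration: {ssl.keyStore.location=keystore.jks,"
    " ssl.keyStore.password=password, ssl.trustStore.password=password,"
    " ssl.enabledProtocols=TLSv1.2,TLSv1.3, httpPort=7000,"
    " ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,"
    " ssl.need.client.auth=false, ssl.trustStore.location=truststore.jks, httpsPort=7000}"
)

def parse_config_map(line: str) -> dict[str, str]:
    """Extract the {k=v, k=v} map that java.util.Map.toString() emits after 'configuration:'."""
    m = re.search(r"configuration: \{(.*)\}", line)
    if not m:
        return {}
    config = {}
    # Entries are separated by ", " (comma + space); list-valued settings such as
    # ssl.ciphersuites and ssl.enabledProtocols use a bare "," and must not be split on.
    for entry in m.group(1).split(", "):
        key, sep, value = entry.partition("=")
        if sep:
            config[key.strip()] = value
    return config

def redact_config(config: dict[str, str]) -> dict[str, str]:
    """Return a copy of the map with secret-looking values masked; this is the
    form that should reach the logger instead of the raw configuration map."""
    return {k: (MASK if SENSITIVE_KEY_PATTERN.search(k) else v) for k, v in config.items()}

def find_leaked_secrets(line: str) -> list[str]:
    """Names of secret-looking keys whose value appears unmasked in a log line
    (a log-audit check for the leak described in the report)."""
    config = parse_config_map(line)
    return sorted(k for k, v in config.items()
                  if SENSITIVE_KEY_PATTERN.search(k) and v and v != MASK)

if __name__ == "__main__":
    print("leaked:", find_leaked_secrets(SAMPLE_LOG_LINE))
    print("redacted:", redact_config(parse_config_map(SAMPLE_LOG_LINE)))
```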
--
This message was sent by Atlassian Jira
(v8.20.10#820010)