[jira] [Commented] (KAFKA-7510) KStreams RecordCollectorImpl leaks data to logs on error

Tue, 16 Oct 2018 15:57:56 -0700 


    [ 
https://issues.apache.org/jira/browse/KAFKA-7510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16652602#comment-16652602
 ] 

Mr Kafka commented on KAFKA-7510:
---------------------------------

To Kafka the key and value are just bytes, those bytes may be anything and 
depend on an end users use case. Kafka has no control what a user sets for 
those values so it's wrong to make assumptions it is safe to log any of them.

In the trivialest scenario an example is the key may be an email address, or 
the key might be a credit card number, it may also be a full Avro record or 
some other complex blob which contains sensitive information, we just don't 
know. Kafka has no way of knowing what the values are or if the values are safe 
to log so it should be behind a feature switch it, easiest being placing them 
at DEBUG level.

> KStreams RecordCollectorImpl leaks data to logs on error
> --------------------------------------------------------
>
>                 Key: KAFKA-7510
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7510
>             Project: Kafka
>          Issue Type: Bug
>          Components: streams
>            Reporter: Mr Kafka
>            Priority: Major
>              Labels: user-experience
>
> org.apache.kafka.streams.processor.internals.RecordCollectorImpl leaks data 
> on error as it dumps the *value* / message payload to the logs.
> This is problematic as it may contain personally identifiable information 
> (pii) or other secret information to plain text log files which can then be 
> propagated to other log systems i.e Splunk.
> I suggest the *key*, and *value* fields be moved to debug level as it is 
> useful for some people while error level contains the *errorMessage, 
> timestamp, topic* and *stackTrace*.
> {code:java}
> private <K, V> void recordSendError(
>     final K key,
>     final V value,
>     final Long timestamp,
>     final String topic,
>     final Exception exception
> ) {
>     String errorLogMessage = LOG_MESSAGE;
>     String errorMessage = EXCEPTION_MESSAGE;
>     if (exception instanceof RetriableException) {
>         errorLogMessage += PARAMETER_HINT;
>         errorMessage += PARAMETER_HINT;
>     }
>     log.error(errorLogMessage, key, value, timestamp, topic, 
> exception.toString());
>     sendException = new StreamsException(
>         String.format(
>             errorMessage,
>             logPrefix,
>             "an error caught",
>             key,
>             value,
>             timestamp,
>             topic,
>             exception.toString()
>         ),
>         exception);
> }{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to