[jira] [Commented] (KAFKA-8774) Connect REST API exposes plaintext secrets in tasks endpoint if config value contains additional characters

Tue, 13 Aug 2019 07:41:13 -0700 


    [ 
https://issues.apache.org/jira/browse/KAFKA-8774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16906275#comment-16906275
 ] 

ASF GitHub Bot commented on KAFKA-8774:
---------------------------------------

rhauch commented on pull request #7197: KAFKA-8774: Regex can be found anywhere 
in config value
URL: https://github.com/apache/kafka/pull/7197
 
 
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Connect REST API exposes plaintext secrets in tasks endpoint if config value 
> contains additional characters
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-8774
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8774
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 2.3.0
>            Reporter: Oleksandr Diachenko
>            Assignee: Oleksandr Diachenko
>            Priority: Critical
>
> I have configured a Connector to use externalized secrets, and the following 
> endpoint returns secrets in the externalized form: 
> {code:java}
> curl localhost:8083/connectors/foobar|jq
> {code}
> {code:java}
> {
> "name": "foobar",
> "config": {
> "connector.class": "io.confluent.connect.s3.S3SinkConnector",
> ...
> "consumer.override.sasl.jaas.config": 
> "org.apache.kafka.common.security.plain.PlainLoginModule required 
> username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" 
> password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
> "admin.override.sasl.jaas.config": 
> "org.apache.kafka.common.security.plain.PlainLoginModule required 
> username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" 
> password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
> "consumer.sasl.jaas.config": 
> "org.apache.kafka.common.security.plain.PlainLoginModule required 
> username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" 
> password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
> "producer.override.sasl.jaas.config": 
> "org.apache.kafka.common.security.plain.PlainLoginModule required 
> username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" 
> password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
> "producer.sasl.jaas.config": 
> "org.apache.kafka.common.security.plain.PlainLoginModule required 
> username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" 
> password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
> ...
> },
> "tasks": [
> { "connector": "foobar", "task": 0 }
> ],
> "type": "sink"
> }{code}
> But another endpoint returns secrets in plain text:
> {code:java}
> curl localhost:8083/connectors/foobar/tasks|jq
> {code}
> {code:java}
> [
>   {
>     "id": {
>       "connector": "lcc-kgkpm",
>       "task": 0
>     },
>     "config": {
>       "connector.class": "io.confluent.connect.s3.S3SinkConnector",
>       ...
>       "errors.log.include.messages": "true",
>       "flush.size": "1000",
>       "consumer.override.sasl.jaas.config": 
> "org.apache.kafka.common.security.plain.PlainLoginModule required 
> username=\"OOPS\" password=\"SURPRISE\";",
>       "admin.override.sasl.jaas.config": 
> "org.apache.kafka.common.security.plain.PlainLoginModule required 
> username=\"OOPS\" password=\"SURPRISE\";",
>       "consumer.sasl.jaas.config": 
> "org.apache.kafka.common.security.plain.PlainLoginModule required 
> username=\"OOPS\" password=\"SURPRISE\";",
>       "producer.override.sasl.jaas.config": 
> "org.apache.kafka.common.security.plain.PlainLoginModule required 
> username=\"OOPS\" password=\"SURPRISE\";",
>       "producer.sasl.jaas.config": 
> "org.apache.kafka.common.security.plain.PlainLoginModule required 
> username=\"OOPS\" password=\"SURPRISE\";",
>       ...
>     }
>   }
> ]
> {code}
>  
> EDIT: This bug only shows up if the secrets are a substring in the config 
> value. If they form the entirety of the config value, then the secrets are 
> hidden at the /tasks endpoints.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

Reply via email to