[ https://issues.apache.org/jira/browse/KAFKA-8774?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arjun Satish updated KAFKA-8774:
--------------------------------
    Summary: Connect REST API exposes plaintext secrets in tasks endpoint if config value contains additional characters  (was: Connect REST API exposes plaintext secrets in tasks endpoint)

> Connect REST API exposes plaintext secrets in tasks endpoint if config value contains additional characters
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-8774
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8774
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 2.3.0
>            Reporter: Oleksandr Diachenko
>            Assignee: Oleksandr Diachenko
>            Priority: Critical
>
> I have configured a Connector to use externalized secrets, and the following endpoint returns secrets in the externalized form:
> {code:java}
> curl localhost:8083/connectors/foobar|jq
> {code}
> {code:java}
> {
>   "name": "foobar",
>   "config": {
>     "connector.class": "io.confluent.connect.s3.S3SinkConnector",
>     ...
>     "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
>     "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
>     "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
>     "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
>     "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
>     ...
>   },
>   "tasks": [
>     { "connector": "foobar", "task": 0 }
>   ],
>   "type": "sink"
> }{code}
> But another endpoint returns secrets in plain text:
> {code:java}
> curl localhost:8083/connectors/foobar/tasks|jq
> {code}
> {code:java}
> [
>   {
>     "id": {
>       "connector": "lcc-kgkpm",
>       "task": 0
>     },
>     "config": {
>       "connector.class": "io.confluent.connect.s3.S3SinkConnector",
>       ...
>       "errors.log.include.messages": "true",
>       "flush.size": "1000",
>       "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       ...
>     }
>   }
> ]
> {code}
>
> EDIT: This bug only shows up if the secrets are a substring in the config value. If they form the entirety of the config value, then the secrets are hidden at the /tasks endpoints.

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
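
A defender's check for the condition described in the report, as an added example that is not part of the original issue or of Kafka's code: it compares the connector-level config with the `/tasks` response and lists the keys whose placeholder came back resolved, reporting key names only. The placeholder regex approximates Kafka's `${provider:[path:]key}` syntax; the sample data and the `example.password` key are constructed.

```python
import re

# Approximation (assumption) of Kafka's ${provider:[path:]key} placeholder syntax.
PLACEHOLDER = re.compile(r"\$\{[^}:]+:[^}]*\}")

def leaked_keys(connector_config, task_configs):
    """Return sorted (task_index, key) pairs where the connector-level value holds a
    placeholder that the task-level value no longer carries, i.e. it was resolved."""
    findings = []
    for idx, task in enumerate(task_configs):
        task_cfg = task.get("config", {})
        for key, value in connector_config.items():
            refs = PLACEHOLDER.findall(value)
            if not refs or key not in task_cfg:
                continue
            # A reference missing from the task value means the secret was substituted.
            if any(ref not in task_cfg[key] for ref in refs):
                findings.append((idx, key))
    return sorted(findings)

def is_embedded(value):
    """True when a placeholder is only part of the value (the case in the EDIT note)."""
    m = PLACEHOLDER.search(value)
    return bool(m) and m.group(0) != value

# Constructed sample shaped like the two responses in the report (values are made up).
JAAS = ('org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="%s" password="%s";')
REF_USER = "${file:/some/secret/path/secrets.properties:kafka.api.key}"
REF_PASS = "${file:/some/secret/path/secrets.properties:kafka.api.secret}"
CONNECTOR = {
    "flush.size": "1000",
    "producer.sasl.jaas.config": JAAS % (REF_USER, REF_PASS),
    "example.password": REF_PASS,  # hypothetical key: placeholder is the whole value
}
TASKS = [{"id": {"connector": "foobar", "task": 0}, "config": {
    "flush.size": "1000",
    "producer.sasl.jaas.config": JAAS % ("OOPS", "SURPRISE"),
    "example.password": REF_PASS,  # still externalized, as the report describes
}}]

if __name__ == "__main__":
    for idx, key in leaked_keys(CONNECTOR, TASKS):
        embedded = is_embedded(CONNECTOR[key])
        print(f"task {idx}: {key} returned resolved (placeholder embedded={embedded})")
```

Against a live worker, the two dictionaries would come from `GET /connectors/<name>` (its `config` field) and `GET /connectors/<name>/tasks`, the endpoints shown in the report.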