Oleksandr Diachenko created KAFKA-8774: ------------------------------------------
Summary: Connect REST API exposes plaintext secrets in tasks endpoint Key: KAFKA-8774 URL: https://issues.apache.org/jira/browse/KAFKA-8774 Project: Kafka Issue Type: Bug Components: KafkaConnect Affects Versions: 2.3.0 Reporter: Oleksandr Diachenko Assignee: Oleksandr Diachenko I have configured a Connector to use externalized secrets (the `${file:...}` config-provider syntax), and the connector endpoint returns the secret-bearing values in their externalized, unresolved form, which is the expected behaviour: {code:java} curl localhost:8083/connectors/foobar|jq {code} {code:java} { "name": "foobar", "config": { "connector.class": "io.confluent.connect.s3.S3SinkConnector", ... "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";", "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";", "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";", "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";", "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";", ... 
}, "tasks": [ { "connector": "foobar", "task": 0 } ], "type": "sink" }{code} But the per-task config endpoint returns the same values with the config-provider placeholders resolved, i.e. the credentials in plain text, so any client that can reach the Connect REST listener can read the actual secrets regardless of how they were externalized: {code:java} curl localhost:8083/connectors/foobar/tasks|jq {code} {code:java} [ { "id": { "connector": "lcc-kgkpm", "task": 0 }, "config": { "connector.class": "io.confluent.connect.s3.S3SinkConnector", ... "errors.log.include.messages": "true", "flush.size": "1000", "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";", "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";", "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";", "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";", "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";", ... } } ] {code} -- This message was sent by Atlassian JIRA (v7.6.14#76016)