Vadym Zhytkevych created KAFKA-18371:
----------------------------------------
Summary: TopicBasedRemoteLogMetadataManagerConfig exposes
sensitive configuration data in logs
Key: KAFKA-18371
URL: https://issues.apache.org/jira/browse/KAFKA-18371
Project: Kafka
Issue Type: Bug
Components: core
Affects Versions: 3.1.0
Reporter: Vadym Zhytkevych
{code:java}
[2024-12-20 14:52:56,805] INFO Successfully configured topic-based RLMM with
config:
TopicBasedRemoteLogMetadataManagerConfig{clientIdPrefix='__remote_log_metadata_client_6',
metadataTopicPartitionsCount=50, consumeWaitMs=120000,
metadataTopicRetentionMs=-1, metadataTopicReplicationFactor=3,
initializationRetryMaxTimeoutMs=120000, initializationRetryIntervalMs=100,
commonProps={request.timeout.ms=10000, ssl.client.auth=none,
ssl.keystore.location=/etc/kafka/ssl/keystore.p12,
bootstrap.servers:9094=server1, security.protocol=SASL_SSL, password=CLEARTEXT,
ssl.truststore.location=/etc/pki/java/cacerts, ssl.keystore.password=CLEARTEXT,
sasl.mechanism=SCRAM-SHA-512, ssl.key.password=CLEARTEXT,
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule
required username="username" password="CLEARTEXT";,
ssl.truststore.password=CLEARTEXT, …{code}
The issue is related to the use of the toString() method of
TopicBasedRemoteLogMetadataManagerConfig, which prints the maps of consumerProps and
producerProps without masking.
Current workaround: logger for class TopicBasedRemoteLogMetadataManagerConfig
can be disabled to not expose sensitive data.
Expected behavior: sensitive configuration data masked automatically in logs.
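
The masking the report asks for, sketched as an added example; this is not code from the Kafka project or from the reporter. The class and method names (RedactedConfigDemo, ClientConfig, redact, isSensitive) are hypothetical, and the key-name heuristic is an assumption. Note that sasl.jaas.config has to be hidden as a whole, because its value embeds the password even though the key does not contain the word "password".

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;

// Added illustration: class and method names are hypothetical, not Kafka's.
public class RedactedConfigDemo {
    static final String HIDDEN = "[hidden]";

    // Assumed heuristic: a key is sensitive if it names a password, secret or
    // token, or carries a JAAS config (credentials embedded in the value).
    static boolean isSensitive(String key) {
        String k = key.toLowerCase(Locale.ROOT);
        return k.contains("password") || k.contains("secret")
                || k.contains("token") || k.endsWith("jaas.config");
    }

    // Returns a copy that is safe to log: sensitive values are replaced whole,
    // never partially, so nothing of the secret reaches the log line.
    static Map<String, Object> redact(Map<String, Object> props) {
        Map<String, Object> safe = new TreeMap<>();
        props.forEach((k, v) -> safe.put(k, isSensitive(k) ? HIDDEN : v));
        return safe;
    }

    // Stand-in for a config holder whose toString() ends up in an INFO log.
    static final class ClientConfig {
        private final Map<String, Object> commonProps;
        ClientConfig(Map<String, Object> commonProps) { this.commonProps = commonProps; }
        @Override public String toString() {
            return "ClientConfig{commonProps=" + redact(commonProps) + "}";
        }
    }

    public static void main(String[] args) {
        // Constructed sample input, shaped like the log in the report.
        Map<String, Object> props = new LinkedHashMap<>();
        props.put("security.protocol", "SASL_SSL");
        props.put("ssl.keystore.location", "/etc/kafka/ssl/keystore.p12");
        props.put("ssl.keystore.password", "CLEARTEXT");
        props.put("ssl.key.password", "CLEARTEXT");
        props.put("password", "CLEARTEXT");
        props.put("sasl.jaas.config", "org.apache.kafka.common.security.scram.ScramLoginModule"
                + " required username=\"username\" password=\"CLEARTEXT\";");
        String line = new ClientConfig(props).toString();
        System.out.println(line);
        if (line.contains("CLEARTEXT")) throw new AssertionError("secret leaked");
    }
}
```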