Hi all,

I've created KIP-242, a proposal to secure credentials in the Kafka Connect REST endpoint.

https://cwiki.apache.org/confluence/display/KAFKA/KIP-242%3A+Mask+password+in+Kafka+Connect+Rest+API+response

Here are some things I'd like to discuss:

- The "masked" value is set to "*********" (9 stars) currently. It's an arbitrary value I picked. Are there any better options?

- The proposed change is in the *org.apache.kafka.connect.runtime.rest.resources.ConnectorsResource* class, where before the response is returned we go through the config and mask the password. This has been proven to work. However, I think it's cleaner if we do the masking in *org.apache.kafka.connect.runtime.rest.entities.ConnectorInfo*, where the config() method can return the masked config, so that we don't have to mask the value in each endpoint (and in new endpoints if added in the future). I ran into some issues with this. After a while, I started seeing an incorrect password being used for the connector. My conjecture is that the value stored in Kafka has been changed to the mask value. Can someone confirm this might happen with Kafka Connect? I feel like *ConnectorInfo.Config()* is used somewhere to update the Connect config storage topic.

If there are any comments on the KIP, let me know. Thank you very much.

-Vincent
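
The following is an added example, not part of the original e-mail and not Kafka Connect code. It shows, on plain maps, why masking a config object that is also the source for later writes replaces the real secret with the mask, while masking a copy for the response does not. The class name, the key list and the sample config are assumptions constructed for illustration; only the 9-star mask value comes from the e-mail.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class MaskedConfigExample {
    // Mask value quoted in the e-mail (9 stars).
    static final String MASK = "*********";

    // Assumption: the keys holding secrets are known up front (constructed list).
    static final Set<String> SECRET_KEYS = Set.of("connection.password");

    // Unsafe: rewrites the caller's map, so every holder of that map sees the mask.
    static Map<String, String> maskInPlace(Map<String, String> config) {
        for (String key : SECRET_KEYS) {
            config.computeIfPresent(key, (k, v) -> MASK);
        }
        return config;
    }

    // Safe: builds a new map for the response and leaves the source untouched.
    static Map<String, String> maskedCopy(Map<String, String> config) {
        Map<String, String> out = new HashMap<>(config);
        for (String key : SECRET_KEYS) {
            out.computeIfPresent(key, (k, v) -> MASK);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed connector config standing in for what the worker holds.
        Map<String, String> stored = new HashMap<>();
        stored.put("name", "example-sink");
        stored.put("connection.password", "s3cret");

        // Response path: the caller gets the mask, the stored value is unchanged.
        Map<String, String> response = maskedCopy(stored);
        System.out.println("response: " + response.get("connection.password"));
        System.out.println("stored:   " + stored.get("connection.password"));

        // Masking the shared object: anything later persisted from it carries the mask.
        maskInPlace(stored);
        System.out.println("stored after in-place mask: " + stored.get("connection.password"));
    }
}
```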