[ 
https://issues.apache.org/jira/browse/KAFKA-8774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16904024#comment-16904024
 ] 

Chris Egerton commented on KAFKA-8774:
--------------------------------------

[~odiachenko] this problem should have been addressed in 
[https://github.com/apache/kafka/pull/6129]. Do you know if this is a 
regression, or if that fix just didn't address the task configs endpoint like 
it was supposed to?

> Connect REST API exposes plaintext secrets in tasks endpoint
> ------------------------------------------------------------
>
>                 Key: KAFKA-8774
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8774
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 2.3.0
>            Reporter: Oleksandr Diachenko
>            Assignee: Oleksandr Diachenko
>            Priority: Critical
>
> I have configured a Connector to use externalized secrets, and the following 
> endpoint returns secrets in the externalized form: 
> {code:java}
> curl localhost:8083/connectors/foobar|jq
> {code}
> {code:java}
> {
>   "name": "foobar",
>   "config": {
>     "connector.class": "io.confluent.connect.s3.S3SinkConnector",
>     ...
>     "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
>     "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
>     "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
>     "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
>     "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${file:/some/secret/path/secrets.properties:kafka.api.key}\" password=\"${file:/some/secret/path/secrets.properties:kafka.api.secret}\";",
>     ...
>   },
>   "tasks": [
>     { "connector": "foobar", "task": 0 }
>   ],
>   "type": "sink"
> }
> {code}
> But another endpoint returns secrets in plain text:
> {code:java}
> curl localhost:8083/connectors/foobar/tasks|jq
> {code}
> {code:java}
> [
>   {
>     "id": {
>       "connector": "lcc-kgkpm",
>       "task": 0
>     },
>     "config": {
>       "connector.class": "io.confluent.connect.s3.S3SinkConnector",
>       ...
>       "errors.log.include.messages": "true",
>       "flush.size": "1000",
>       "consumer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "admin.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "consumer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       "producer.sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"OOPS\" password=\"SURPRISE\";",
>       ...
>     }
>   }
> ]
> {code}
>  



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
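
An added example, not part of the original message or of Kafka's own code: a check that takes the parsed JSON from the two endpoints shown in the report (`/connectors/<name>` and `/connectors/<name>/tasks`) and lists the config keys whose `${...}` reference comes back resolved in a task config. The function name, the placeholder regex and the sample responses are assumptions constructed here; only key names are reported, never values.

```python
import re

# Approximates Kafka's ${provider:[path:]key} placeholder syntax (assumption).
PLACEHOLDER = re.compile(r"\$\{[^}:]+:[^}]+\}")


def find_resolved_secrets(connector, tasks):
    """Return (task_id, key) pairs where the connector config holds a
    placeholder but the task config for the same key does not, i.e. the
    REST API returned the resolved value instead of the reference."""
    externalized = sorted(
        key for key, value in connector.get("config", {}).items()
        if PLACEHOLDER.search(str(value))
    )
    findings = []
    for task in tasks:
        task_id = task.get("id", {}).get("task")
        config = task.get("config", {})
        for key in externalized:
            value = config.get(key)
            if value is not None and not PLACEHOLDER.search(str(value)):
                findings.append((task_id, key))
    return findings


# Constructed sample responses, modelled on the two outputs in the report.
JAAS = "org.apache.kafka.common.security.plain.PlainLoginModule required "
REF = "${file:/some/secret/path/secrets.properties:%s}"
EXTERNAL = JAAS + 'username="%s" password="%s";' % (
    REF % "kafka.api.key", REF % "kafka.api.secret")
RESOLVED = JAAS + 'username="OOPS" password="SURPRISE";'
KEYS = ("consumer.sasl.jaas.config", "producer.sasl.jaas.config")


def make_tasks(jaas_value):
    """Build a one-task /tasks response whose JAAS keys carry jaas_value."""
    config = {"flush.size": "1000"}
    config.update({key: jaas_value for key in KEYS})
    return [{"id": {"connector": "foobar", "task": 0}, "config": config}]


CONNECTOR = {"name": "foobar",
             "config": dict({"flush.size": "1000"},
                            **{key: EXTERNAL for key in KEYS})}
TASKS_LEAKING = make_tasks(RESOLVED)   # behaviour described in the report
TASKS_MASKED = make_tasks(EXTERNAL)    # placeholders left intact

if __name__ == "__main__":
    for task_id, key in find_resolved_secrets(CONNECTOR, TASKS_LEAKING):
        print("task %s: %s is returned resolved" % (task_id, key))
```
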
