kafka-jira mailing list archives

From "Randall Hauch (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-5117) Kafka Connect REST endpoints reveal Password typed values
Date Mon, 11 Dec 2017 15:12:00 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-5117?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16286021#comment-16286021 ]

Randall Hauch commented on KAFKA-5117:
--------------------------------------

BTW, the KIP doesn't have to be that complex, since this is a straightforward change. Just
follow the process outlined [here|https://cwiki.apache.org/confluence/display/KAFKA/Kafka+Improvement+Proposals].
The "Migration Plan and Compatibility" section of the KIP should highlight the fact that the
public response of several methods will change to mask the password configuration values.

> Kafka Connect REST endpoints reveal Password typed values
> ---------------------------------------------------------
>
>                 Key: KAFKA-5117
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5117
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 0.10.2.0
>            Reporter: Thomas Holmes
>              Labels: needs-kip
>
> A Kafka Connect connector can specify ConfigDef keys as type of Password. This type was
> added to prevent logging the values (instead "[hidden]" is logged).
> This change does not apply to the values returned by executing a GET on {{connectors/\{connector-name\}}}
> and {{connectors/\{connector-name\}/config}}. This creates an easily accessible way for an
> attacker who has infiltrated your network to gain access to potential secrets that should
> not be available.
> I have started on a code change that addresses this issue by parsing the config values
> through the ConfigDef for the connector and returning their output instead (which leads to
> the masking of Password typed configs as [hidden]).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
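The masking approach the reporter describes, as an added illustration that is not part of the issue thread or of the Kafka code base: a hypothetical connector ConfigDef with one plain setting and one PASSWORD setting, the raw map that the REST layer returns today, and the same map after it has been passed through ConfigDef.parse, where the Password values render as "[hidden]". The ConfigDef, key names and sample values are assumptions made up for this example; ConfigDef, ConfigDef.Type.PASSWORD and org.apache.kafka.common.config.types.Password are the real Kafka client classes.

```java
// Added example, not Kafka's own code. Demonstrates why handing the raw connector
// config map back from the REST API leaks PASSWORD-typed values, and how routing it
// through the connector's ConfigDef produces Password objects whose toString() is
// "[hidden]". The ConfigDef, keys and values below are constructed for this example.
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.types.Password;

public class MaskedConfigExample {

    // Hypothetical connector ConfigDef: one ordinary setting and one secret.
    static ConfigDef connectorConfigDef() {
        return new ConfigDef()
            .define("db.url", ConfigDef.Type.STRING,
                    ConfigDef.Importance.HIGH, "JDBC URL of the source database")
            .define("db.password", ConfigDef.Type.PASSWORD,
                    ConfigDef.Importance.HIGH, "Password for the database user");
    }

    // What the endpoints do at the time of the issue: return the stored map as-is,
    // so every value, secrets included, reaches the REST caller in clear text.
    static Map<String, String> unmaskedResponse(Map<String, String> rawConfig) {
        return new LinkedHashMap<>(rawConfig);
    }

    // The fix sketched in the issue: parse the raw values through the ConfigDef and
    // render the parsed values. PASSWORD keys come back as Password instances, and
    // Password.toString() returns "[hidden]", so the secret never appears in the response.
    static Map<String, String> maskedResponse(ConfigDef def, Map<String, String> rawConfig) {
        Map<String, Object> parsed = def.parse(rawConfig);
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : parsed.entrySet()) {
            out.put(e.getKey(), String.valueOf(e.getValue()));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample configuration; the secret is a placeholder, not a real credential.
        Map<String, String> raw = new HashMap<>();
        raw.put("db.url", "jdbc:postgresql://db.example.internal/orders");
        raw.put("db.password", "constructed-sample-secret");

        ConfigDef def = connectorConfigDef();
        System.out.println("unmasked: " + unmaskedResponse(raw));
        System.out.println("masked:   " + maskedResponse(def, raw));

        // Inside the worker the real value is still available through Password.value();
        // only the string rendering used for logs and REST responses is masked.
        Password p = (Password) def.parse(raw).get("db.password");
        System.out.println("in-process secret length: " + p.value().length());
    }
}
```

Two caveats worth checking before adopting this shape: ConfigDef.parse only emits keys the ConfigDef declares, so any extra keys a user stored alongside the connector config would silently disappear from the masked response, and it throws a ConfigException when a required key without a default is absent, which the REST handler would need to handle rather than let surface as a 500.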
