Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MonitoringEngine.kt leaks passwords #36

Open
colinleroy opened this issue Dec 16, 2022 · 2 comments
Open

MonitoringEngine.kt leaks passwords #36

colinleroy opened this issue Dec 16, 2022 · 2 comments

Comments

@colinleroy
Copy link
Contributor

Describe the bug
The logging of Kafka Configs / Components configs leaks passwords.

To Reproduce
Steps to reproduce the behavior:
configure something like

kafka.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username="monitoring" \
  password="very-secret-password";
kafka.ssl.truststore.password=another-password

kafka-consumer-lag-monitoring logs Kafka Configs as

Kafka Configs: {ssl.truststore.password=another-password, security.protocol=SASL_SSL, ssl.endpoint.identification.algorithm=, ssl.truststore.location=/etc/ssl/certs/java/cacerts, bootstrap.servers=..., sasl.mechanism=PLAIN, sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="monitor" password="very-secret-password";, client.id=kafka-lag-exporter, ssl.truststore.type=PKCS12}

Expected behavior
kafka-consumer-lag-monitoring logs Kafka Configs as

Kafka Configs: {ssl.truststore.password=[REDACTED], security.protocol=SASL_SSL, ssl.endpoint.identification.algorithm=, ssl.truststore.location=/etc/ssl/certs/java/cacerts, bootstrap.servers=..., sasl.mechanism=PLAIN, sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="monitor" password="[REDACTED]";, client.id=kafka-lag-exporter, ssl.truststore.type=PKCS12}
@colinleroy colinleroy mentioned this issue Dec 16, 2022
Merged
omarsmak pushed a commit that referenced this issue Jan 20, 2023
@colinleroy
Issue #36 Avoid leaking passwords to logs (#37)
5393534 
* Avoid leaking passwords to logs

* Forgot ssl.keystore.certificate.chain

ssl.keystore.certificate.chain is also a password (a
private certificate) according to:
https://docs.confluent.io/platform/current/installation/configuration/admin-configs.html

Co-authored-by: Colin Leroy-Mira <colin.leroy-mira@sigfox.com>
@ghost
Copy link

ghost commented Feb 20, 2023

@omarsmak Are there any plans for a new release containing this fix?

@omarsmak
Copy link
Owner

@jeromewaibel I am trying to release. However I am having issues with both nexus and travis (credit ran out, requested credit). If is critical, you may need to build it locally https://github.com/omarsmak/kafka-consumer-lag-monitoring/tree/0.1.3 . Sorry

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@colinleroy @omarsmak