
MonitoringEngine.kt leaks passwords

Open colinleroy opened this issue 2 years ago • 2 comments

Describe the bug
The logging of Kafka Configs / Components configs leaks passwords.

To Reproduce
Steps to reproduce the behavior: configure something like

kafka.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username="monitoring" \
  password="very-secret-password";
kafka.ssl.truststore.password=another-password

kafka-consumer-lag-monitoring logs Kafka Configs as

Kafka Configs: {ssl.truststore.password=another-password, security.protocol=SASL_SSL, ssl.endpoint.identification.algorithm=, ssl.truststore.location=/etc/ssl/certs/java/cacerts, bootstrap.servers=..., sasl.mechanism=PLAIN, sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="monitor" password="very-secret-password";, client.id=kafka-lag-exporter, ssl.truststore.type=PKCS12}

Expected behavior
kafka-consumer-lag-monitoring logs Kafka Configs as

Kafka Configs: {ssl.truststore.password=[REDACTED], security.protocol=SASL_SSL, ssl.endpoint.identification.algorithm=, ssl.truststore.location=/etc/ssl/certs/java/cacerts, bootstrap.servers=..., sasl.mechanism=PLAIN, sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="monitor" password="[REDACTED]";, client.id=kafka-lag-exporter, ssl.truststore.type=PKCS12}

colinleroy avatar Dec 16 '22 09:12 colinleroy
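One way to get the redacted output described above is to scrub the config map before it reaches the logger. The following is an added example, not code from the kafka-consumer-lag-monitoring project: it assumes the config is held as a `Map<String, Any?>` built from the application's `kafka.*` properties, and the names `redactValue`, `redactConfig` and the two regex patterns are hypothetical. It redacts any key whose name looks like a secret (password, token, etc.) and, for `sasl.jaas.config`, replaces only the `password=...` option inside the JAAS string so the rest of the login module definition stays readable in the log.

```kotlin
// Added example (not the project's own code): redact secrets in a Kafka config map before logging it.
// Assumption: the config is a Map<String, Any?> as assembled from application properties.

// Keys whose value should never be logged at all (matched case-insensitively anywhere in the key).
private val SECRET_KEY_PATTERN = Regex("(?i)(password|passwd|secret|token|credential)")

// Inside a JAAS config string, match `password=` followed by a quoted or bare value.
// Group 1 keeps the `password=` prefix so the option name survives redaction.
private val JAAS_PASSWORD_PATTERN = Regex("""(?i)(password\s*=\s*)("[^"]*"|'[^']*'|[^\s;]+)""")

/** Returns a log-safe version of a single config value, keyed on its property name. */
fun redactValue(key: String, value: Any?): Any? {
    if (value == null) return null
    return when {
        // Whole-value secrets such as ssl.truststore.password, ssl.key.password, sasl.oauthbearer tokens.
        SECRET_KEY_PATTERN.containsMatchIn(key) -> "[REDACTED]"
        // JAAS configs carry the password as one option among several; redact only that option.
        key.endsWith("sasl.jaas.config") ->
            JAAS_PASSWORD_PATTERN.replace(value.toString()) { m -> "${m.groupValues[1]}\"[REDACTED]\"" }
        else -> value
    }
}

/** Returns a copy of the config map with every secret-bearing value redacted; the input is untouched. */
fun redactConfig(config: Map<String, Any?>): Map<String, Any?> =
    config.mapValues { (k, v) -> redactValue(k, v) }

fun main() {
    // Constructed sample that mirrors the shape of the leaked log line in this issue (values are fake).
    val config = linkedMapOf<String, Any?>(
        "ssl.truststore.password" to "another-password",
        "security.protocol" to "SASL_SSL",
        "ssl.truststore.location" to "/etc/ssl/certs/java/cacerts",
        "sasl.mechanism" to "PLAIN",
        "sasl.jaas.config" to "org.apache.kafka.common.security.scram.ScramLoginModule required " +
            "username=\"monitor\" password=\"very-secret-password\";",
        "client.id" to "kafka-lag-exporter",
        "ssl.truststore.type" to "PKCS12"
    )
    // Log the redacted copy, never the raw map.
    println("Kafka Configs: ${redactConfig(config)}")
}
```

Running `main` prints `ssl.truststore.password=[REDACTED]` and `... password="[REDACTED]";` while leaving the non-secret entries intact. Note that Kafka's own client library already prints values of type `Password` (for example `ssl.truststore.password` when parsed through `ConfigDef`) as `[hidden]`; the leak in this issue comes from the application logging its raw properties map before the client ever parses it, which is why the redaction has to happen on the application's side.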

@omarsmak Are there any plans for a new release containing this fix?

ghost avatar Feb 20 '23 09:02 ghost

@jeromewaibel I am trying to release. However, I am having issues with both nexus and travis (credit ran out, requested credit). If it is critical, you may need to build it locally https://github.com/omarsmak/kafka-consumer-lag-monitoring/tree/0.1.3. Sorry

omarsmak avatar Feb 20 '23 10:02 omarsmak