Log debug statement logs Kafka secrets #136

Closed

tkaszuba opened this issue Jan 26, 2024 · 4 comments

Comments

@tkaszuba

The following innocent log.debug statement dumps the full contents of the consumer settings. If SASL is used it will also log the user and password in clear text. Secrets in the consumer or producer settings should be obfuscated. The same issue exists in Akka.

https://github.com/apache/incubator-pekko-connectors-kafka/blob/b83b10af1fa8d2afd23d9cd2143db8f2ed0807df/core/src/main/scala/org/apache/pekko/kafka/internal/KafkaConsumerActor.scala#L431

@pjfanning
Contributor

pjfanning commented Jan 26, 2024

Looks like #100 missed some possible use cases. @mdedetrich could you have a quick look? I'm not too concerned because it is debug logging but it is something we will want to fix in a 1.0.1 release before too long.

@pjfanning
Contributor

@tkaszuba could you provide some hints about which properties are exposed?

I must admit to not understanding when it became the job of open source lib maintainers to redact logs and why companies don't write code or buy products to redact their logs if they choose to expose them to untrusted people.

@mdedetrich
Contributor

That is odd, the PR I used should have fixed any instance of Pekko's ConsumerSettings printing out these secrets. Do note that in the implementation of #100 that was referenced, we use Kafka's own internal mechanism for stripping out sensitive values (i.e. Kafka uses this itself).

Can you double check that Kafka itself is also stripping these values by creating an equivalent base Java ConsumerSettings? Also, it would be helpful to state what the Kafka version is and maybe provide a redacted list of the settings that it's printing out which it shouldn't.
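The mechanism referred to above, shown as an added example that is not part of this project's code or of the thread: Kafka's own `ConsumerConfig` parses settings against its `ConfigDef`, and keys declared as `Type.PASSWORD` (such as `sasl.jaas.config`) are wrapped in `org.apache.kafka.common.config.types.Password`, whose `toString()` returns `[hidden]`, so anything that logs the parsed config values does not print the credential. The broker address and the credential inside the JAAS string are constructed placeholders; the example assumes `kafka-clients` on the classpath.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.serialization.StringDeserializer;

public class RedactedConsumerSettings {

    /** Returns the JAAS setting as it appears in the parsed (redacted) config values. */
    public static Object parsedJaasValue(Map<String, Object> raw) {
        ConsumerConfig config = new ConsumerConfig(raw);
        return config.values().get(SaslConfigs.SASL_JAAS_CONFIG);
    }

    public static void main(String[] args) {
        // Constructed sample settings; PLACEHOLDER_SECRET stands in for a real password.
        Map<String, Object> raw = new HashMap<>();
        raw.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, "broker.example:9093");
        raw.put(ConsumerConfig.GROUP_ID_CONFIG, "example-group");
        raw.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
        raw.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
        raw.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
        raw.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
        raw.put(SaslConfigs.SASL_JAAS_CONFIG,
            "org.apache.kafka.common.security.plain.PlainLoginModule required "
            + "username=\"svc-user\" password=\"PLACEHOLDER_SECRET\";");

        // The failure mode from this issue: logging the raw settings map prints
        // the JAAS string, credential included, verbatim.
        System.out.println("raw setting:    " + raw.get(SaslConfigs.SASL_JAAS_CONFIG));

        // Parsing through ConsumerConfig wraps PASSWORD-typed keys in Password,
        // so the same key in the parsed values renders as [hidden].
        System.out.println("parsed setting: " + parsedJaasValue(raw));

        // Code that legitimately needs the credential still gets it via getPassword().
        ConsumerConfig config = new ConsumerConfig(raw);
        Password jaas = config.getPassword(SaslConfigs.SASL_JAAS_CONFIG);
        System.out.println("real value still available: "
            + jaas.value().contains("PLACEHOLDER_SECRET"));
    }
}
```

The lesson for the logging call in `KafkaConsumerActor` is the same: log the parsed `ConsumerConfig` values (or the `Password` objects), never the raw `Map`/`Properties` the settings were built from.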

@tkaszuba
Author

Thank you for answering and providing me details, I didn't know this is handled in newer versions. If you are in fact inheriting from the standard Kafka libs then this is handled correctly already. Sorry for the confusion.


3 participants