Log debug statement logs Kafka secrets #136
The following innocent log.debug statement dumps the full contents of the consumer settings. If SASL is used it will also log the user and password in clear text. Secrets in the consumer or producer settings should be obfuscated. The same issue exists in Akka.
https://github.com/apache/incubator-pekko-connectors-kafka/blob/b83b10af1fa8d2afd23d9cd2143db8f2ed0807df/core/src/main/scala/org/apache/pekko/kafka/internal/KafkaConsumerActor.scala#L431
Comments
Looks like #100 missed some possible use cases. @mdedetrich could you have a quick look? I'm not too concerned because it is debug logging, but it is something we will want to fix in a 1.0.1 release before too long.
@tkaszuba could you provide some hints about which properties are exposed? I must admit to not understanding when it became the job of open source lib maintainers to redact logs, and why companies don't write code or buy products to redact their logs if they choose to expose them to untrusted people.
That is odd, the PR I used should have fixed any instance of Pekko's Can you double check that Kafka itself is also stripping these values by creating an equivalent base Java
Thank you for answering and providing me details, I didn't know this is handled in newer versions. If you are in fact inheriting from the standard kafka libs then this is handled correctly already. Sorry for the confusion.
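The opening post describes the general failure mode: a settings map is handed to a debug logger as-is, so whatever the map holds (including the SASL JAAS string with its username and password) ends up in the log. Kafka's own client code avoids this for settings it types as passwords by printing them as `[hidden]`, which is what the later comments rely on. The following is an added example, not code from Pekko Connectors Kafka or from the issue's participants, that shows the redaction a caller would apply before logging a settings map that has not gone through Kafka's typed config. The list of secret property names and the sample settings are constructed for the example and are not exhaustive.

```python
import re
from typing import Any, Mapping

# Marker Kafka itself prints for PASSWORD-typed config values (Password.toString()).
REDACTED = "[hidden]"

# Settings whose whole value is a secret. Assumed list built from common Kafka client
# password-type properties; extend it for your own deployment.
SECRET_KEYS = frozenset({
    "sasl.jaas.config",
    "ssl.key.password",
    "ssl.keystore.password",
    "ssl.truststore.password",
    "ssl.keystore.key",
    "ssl.keystore.certificate.chain",
    "ssl.truststore.certificates",
})
# Catch-all for vendor or application properties named like secrets (assumed convention).
SECRET_SUFFIXES = (".password", ".secret")

# Inside a JAAS login string only the credential values need hiding; keeping the login
# module name visible preserves most of the debugging value of the dump.
_JAAS_CREDENTIAL = re.compile(r'(?i)\b(username|password)\s*=\s*("[^"]*"|[^\s;]+)')


def redact_jaas_config(jaas: str) -> str:
    """Replace username/password values in a JAAS config string such as
    '... PlainLoginModule required username="u" password="p";'."""
    return _JAAS_CREDENTIAL.sub(lambda m: f'{m.group(1)}="{REDACTED}"', jaas)


def is_secret_key(key: str) -> bool:
    """True for properties whose entire value must never be logged."""
    return key in SECRET_KEYS or key.lower().endswith(SECRET_SUFFIXES)


def redact_kafka_settings(settings: Mapping[str, Any]) -> dict:
    """Return a copy of consumer/producer settings that is safe to put in a log line."""
    out = {}
    for key, value in settings.items():
        if key == "sasl.jaas.config" and isinstance(value, str):
            out[key] = redact_jaas_config(value)
        elif is_secret_key(key):
            out[key] = REDACTED
        else:
            out[key] = value
    return out


def describe_for_log(settings: Mapping[str, Any]) -> str:
    """The string to pass to log.debug instead of the raw settings map."""
    safe = redact_kafka_settings(settings)
    return ", ".join(f"{k}={safe[k]}" for k in sorted(safe))


# Constructed sample: what a SASL/PLAIN over TLS consumer config typically contains.
SAMPLE_SETTINGS = {
    "bootstrap.servers": "broker:9092",
    "group.id": "orders",
    "security.protocol": "SASL_SSL",
    "sasl.mechanism": "PLAIN",
    "sasl.jaas.config": 'org.apache.kafka.common.security.plain.PlainLoginModule '
                        'required username="alice" password="s3cr3t";',
    "ssl.truststore.password": "trustme",
}

if __name__ == "__main__":
    # Raw map would leak alice/s3cr3t/trustme; the redacted line keeps the rest.
    print(describe_for_log(SAMPLE_SETTINGS))
```

The check that matters when adopting this is the negative one: assert that none of the secret literals appear in the rendered log string, not merely that the known keys were replaced, since a new property such as a custom `*.secret` can enter the map without anyone updating the key list.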