Uploaded image for project: 'Debezium'
  1. Debezium
  2. DBZ-2125

kafka SSL passwords need to be added to the Sensitive Properties list

    XMLWordPrintable

Details

    Description

      Connector prints sensitive SSL passwords in the connector logs during startup when connector is configured to used Kafka in SSL mode.

      Following sensitive properties are printed in the logs which are coming from the connect-base image.
      https://github.com/debezium/docker-images/blob/v1.1.1.Final/connect-base/1.1/docker-entrypoint.sh#L173

      CONNECT_SSL_KEYSTORE_PASSWORD
      CONNECT_PRODUCER_SSL_KEYSTORE_PASSWORD
      CONNECT_SSL_TRUSTSTORE_PASSWORD
      CONNECT_PRODUCER_SSL_TRUSTSTORE_PASSWORD
      CONNECT_SSL_KEY_PASSWORD
      CONNECT_PRODUCER_SSL_KEY_PASSWORD
      
      --- Setting property from CONNECT_INTERNAL_VALUE_CONVERTER: internal.value.converter=org.apache.kafka.connect.json.JsonConverter
      --- Setting property from CONNECT_PRODUCER_SSL_TRUSTSTORE_TYPE: producer.ssl.truststore.type=JKS
      --- Setting property from CONNECT_SSL_TRUSTSTORE_LOCATION: ssl.truststore.location=/kafka/ssl/truststore/kafka.truststore.jks
      --- Setting property from CONNECT_PRODUCER_SSL_TRUSTSTORE_LOCATION: producer.ssl.truststore.location=/data/kafka/ssl/truststore/kafka.truststore.jks
      --- Setting property from CONNECT_VALUE_CONVERTER: value.converter=org.apache.kafka.connect.json.JsonConverter
      --- Setting property from CONNECT_REST_ADVERTISED_HOST_NAME: rest.advertised.host.name=172.19.0.4
      --- Setting property from CONNECT_SSL_KEYSTORE_TYPE: ssl.keystore.type=JKS
      --- Setting property from CONNECT_OFFSET_FLUSH_INTERVAL_MS: offset.flush.interval.ms=60000
      --- Setting property from CONNECT_PRODUCER_SSL_KEYSTORE_TYPE: producer.ssl.keystore.type=JKS
      --- Setting property from CONNECT_GROUP_ID: group.id=360
      --- Setting property from CONNECT_BOOTSTRAP_SERVERS: bootstrap.servers=kafka:9092
      --- Setting property from CONNECT_SSL_KEYSTORE_PASSWORD: ssl.keystore.password=bbb
      --- Setting property from CONNECT_KEY_CONVERTER: key.converter=org.apache.kafka.connect.json.JsonConverter
      --- Setting property from CONNECT_MAX_BATCH_SIZE: max.batch.size=32768
      --- Setting property from CONNECT_TASK_SHUTDOWN_GRACEFUL_TIMEOUT_MS: task.shutdown.graceful.timeout.ms=10000
      --- Setting property from CONNECT_REST_HOST_NAME: rest.host.name=172.19.0.4
      --- Setting property from CONNECT_PLUGIN_PATH: plugin.path=/kafka/connect
      --- Setting property from CONNECT_VALUE_CONVERTER_SCHEMAS_ENABLE: value.converter.schemas.enable=false
      --- Setting property from CONNECT_REST_PORT: rest.port=8083
      --- Setting property from CONNECT_SSL_TRUSTSTORE_TYPE: ssl.truststore.type=JKS
      --- Setting property from CONNECT_OFFSET_FLUSH_TIMEOUT_MS: offset.flush.timeout.ms=5000
      --- Setting property from CONNECT_SSL_TRUSTSTORE_PASSWORD: ssl.truststore.password=ccc
      --- Setting property from CONNECT_MAX_QUEUE_SIZE: max.queue.size=3000
      --- Setting property from CONNECT_STATUS_STORAGE_TOPIC: status.storage.topic=customer360-status
      --- Setting property from CONNECT_SSL_KEYSTORE_LOCATION: ssl.keystore.location=/data/ssl/keystore/kafka.keystore.jks
      --- Setting property from CONNECT_INTERNAL_KEY_CONVERTER: internal.key.converter=org.apache.kafka.connect.json.JsonConverter
      --- Setting property from CONNECT_CONFIG_STORAGE_TOPIC: config.storage.topic=customer360-configs
      --- Setting property from CONNECT_PRODUCER_SSL_TRUSTSTORE_PASSWORD: producer.ssl.truststore.password=ccc
      --- Setting property from CONNECT_REST_ADVERTISED_PORT: rest.advertised.port=8083
      --- Setting property from CONNECT_PRODUCER_SSL_KEYSTORE_PASSWORD: producer.ssl.keystore.password=bbb
      --- Setting property from CONNECT_OFFSET_STORAGE_TOPIC: offset.storage.topic=customer360-offsets
      --- Setting property from CONNECT_PRODUCER_SSL_KEY_PASSWORD: producer.ssl.key.password=aaa
      --- Setting property from CONNECT_PRODUCER_SSL_KEYSTORE_LOCATION: producer.ssl.keystore.location=/data/ssl/keystore/kafka.keystore.jks
      --- Setting property from CONNECT_SSL_KEY_PASSWORD: ssl.key.password=aaa
      

      Attachments

        Activity

          People

            jpechane Jiri Pechanec
            vkasireddi B K (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: