Bug
Resolution: Done
Major
1.1.1.Final
None
The connector prints sensitive SSL passwords in the connector logs during startup when it is configured to use Kafka in SSL mode.
The following sensitive properties are printed in the logs, which come from the connect-base image.
https://github.com/debezium/docker-images/blob/v1.1.1.Final/connect-base/1.1/docker-entrypoint.sh#L173
CONNECT_SSL_KEYSTORE_PASSWORD
CONNECT_PRODUCER_SSL_KEYSTORE_PASSWORD
CONNECT_SSL_TRUSTSTORE_PASSWORD
CONNECT_PRODUCER_SSL_TRUSTSTORE_PASSWORD
CONNECT_SSL_KEY_PASSWORD
CONNECT_PRODUCER_SSL_KEY_PASSWORD
--- Setting property from CONNECT_INTERNAL_VALUE_CONVERTER: internal.value.converter=org.apache.kafka.connect.json.JsonConverter
--- Setting property from CONNECT_PRODUCER_SSL_TRUSTSTORE_TYPE: producer.ssl.truststore.type=JKS
--- Setting property from CONNECT_SSL_TRUSTSTORE_LOCATION: ssl.truststore.location=/kafka/ssl/truststore/kafka.truststore.jks
--- Setting property from CONNECT_PRODUCER_SSL_TRUSTSTORE_LOCATION: producer.ssl.truststore.location=/data/kafka/ssl/truststore/kafka.truststore.jks
--- Setting property from CONNECT_VALUE_CONVERTER: value.converter=org.apache.kafka.connect.json.JsonConverter
--- Setting property from CONNECT_REST_ADVERTISED_HOST_NAME: rest.advertised.host.name=172.19.0.4
--- Setting property from CONNECT_SSL_KEYSTORE_TYPE: ssl.keystore.type=JKS
--- Setting property from CONNECT_OFFSET_FLUSH_INTERVAL_MS: offset.flush.interval.ms=60000
--- Setting property from CONNECT_PRODUCER_SSL_KEYSTORE_TYPE: producer.ssl.keystore.type=JKS
--- Setting property from CONNECT_GROUP_ID: group.id=360
--- Setting property from CONNECT_BOOTSTRAP_SERVERS: bootstrap.servers=kafka:9092
--- Setting property from CONNECT_SSL_KEYSTORE_PASSWORD: ssl.keystore.password=bbb
--- Setting property from CONNECT_KEY_CONVERTER: key.converter=org.apache.kafka.connect.json.JsonConverter
--- Setting property from CONNECT_MAX_BATCH_SIZE: max.batch.size=32768
--- Setting property from CONNECT_TASK_SHUTDOWN_GRACEFUL_TIMEOUT_MS: task.shutdown.graceful.timeout.ms=10000
--- Setting property from CONNECT_REST_HOST_NAME: rest.host.name=172.19.0.4
--- Setting property from CONNECT_PLUGIN_PATH: plugin.path=/kafka/connect
--- Setting property from CONNECT_VALUE_CONVERTER_SCHEMAS_ENABLE: value.converter.schemas.enable=false
--- Setting property from CONNECT_REST_PORT: rest.port=8083
--- Setting property from CONNECT_SSL_TRUSTSTORE_TYPE: ssl.truststore.type=JKS
--- Setting property from CONNECT_OFFSET_FLUSH_TIMEOUT_MS: offset.flush.timeout.ms=5000
--- Setting property from CONNECT_SSL_TRUSTSTORE_PASSWORD: ssl.truststore.password=ccc
--- Setting property from CONNECT_MAX_QUEUE_SIZE: max.queue.size=3000
--- Setting property from CONNECT_STATUS_STORAGE_TOPIC: status.storage.topic=customer360-status
--- Setting property from CONNECT_SSL_KEYSTORE_LOCATION: ssl.keystore.location=/data/ssl/keystore/kafka.keystore.jks
--- Setting property from CONNECT_INTERNAL_KEY_CONVERTER: internal.key.converter=org.apache.kafka.connect.json.JsonConverter
--- Setting property from CONNECT_CONFIG_STORAGE_TOPIC: config.storage.topic=customer360-configs
--- Setting property from CONNECT_PRODUCER_SSL_TRUSTSTORE_PASSWORD: producer.ssl.truststore.password=ccc
--- Setting property from CONNECT_REST_ADVERTISED_PORT: rest.advertised.port=8083
--- Setting property from CONNECT_PRODUCER_SSL_KEYSTORE_PASSWORD: producer.ssl.keystore.password=bbb
--- Setting property from CONNECT_OFFSET_STORAGE_TOPIC: offset.storage.topic=customer360-offsets
--- Setting property from CONNECT_PRODUCER_SSL_KEY_PASSWORD: producer.ssl.key.password=aaa
--- Setting property from CONNECT_PRODUCER_SSL_KEYSTORE_LOCATION: producer.ssl.keystore.location=/data/ssl/keystore/kafka.keystore.jks
--- Setting property from CONNECT_SSL_KEY_PASSWORD: ssl.key.password=aaa
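
One way to keep the "Setting property" startup messages while hiding secret values, as an added example (this is not the code in docker-entrypoint.sh and not the Debezium project's fix). The function names, the [hidden] marker, the sasl.jaas.config match and the sample input are assumptions; the variable-to-property mapping follows the log lines above.

```shell
#!/bin/sh
# Added example, not the project's docker-entrypoint.sh.
# Function names and the "[hidden]" marker are hypothetical.

# CONNECT_SSL_KEY_PASSWORD -> ssl.key.password (mapping seen in the log above)
prop_name_from_env() {
    printf '%s' "${1#CONNECT_}" | tr '[:upper:]' '[:lower:]' | tr '_' '.'
}

# Exit status 0 when the property's value must never reach the log.
# *password* covers the six properties named in the report; sasl.jaas.config
# is an assumption added here because Kafka also treats it as a secret.
is_sensitive() {
    case "$1" in
        *password*|sasl.jaas.config|*.sasl.jaas.config) return 0 ;;
        *) return 1 ;;
    esac
}

# Read VAR=value lines on stdin (e.g. from `env`). Every CONNECT_* setting is
# appended unmasked to the properties file $1; the log line on stdout is masked.
# Assumes values contain no newlines.
apply_connect_env() {
    props_file=$1
    while IFS= read -r line; do
        case "$line" in CONNECT_*=*) ;; *) continue ;; esac
        env_var=${line%%=*}
        value=${line#*=}
        prop=$(prop_name_from_env "$env_var")
        printf '%s=%s\n' "$prop" "$value" >> "$props_file"
        if is_sensitive "$prop"; then value='[hidden]'; fi
        printf '%s\n' "--- Setting property from $env_var: $prop=$value"
    done
}

# Constructed sample input reusing variable names from the report.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'CONNECT_BOOTSTRAP_SERVERS=kafka:9092' \
        'CONNECT_SSL_KEYSTORE_PASSWORD=bbb' \
        'CONNECT_PRODUCER_SSL_KEY_PASSWORD=aaa' | apply_connect_env "$tmp"
    rm -f "$tmp"
}

demo
```

The properties file still holds the cleartext passwords, so its permissions matter as much as the log masking does.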