1

When using Kafka Connect Api to post connectors or check their statuses, the password are visible in plain text.

To hide this sensitive information, we went with the approach of Externalising Secrets mentioned by in the documentation

This helped us hide sensitive information when trying to post connectors, but the information is still visible in the /connectors/<connector-name>/config api.

I am unable to understand that is this the expected behaviour or is there an issue in in the implementation.

I have taken the following steps to implement the approach.

Since we use docker for implementing Kafka Connect, we pass the following config -e CONNECT_CONFIG_PROVIDERS=file -e CONNECT_CONFIG_PROVIDERS_FILE_CLASS=org.apache.kafka.common.config.provider.FileConfigProvider

While posting a connector, we post sensitive values in the following manner

"connection.user": "${file:<file-location>:<property-name>}", "connection.password": "${file:<file-location>:<property-name>}"

I would really appreciate if someone can guide me, with the steps that I am missing here.

Thanks

gunj_desai
  • 782
  • 6
  • 19
  • I think if you want to protect the REST API, you need to use SSL – OneCricketeer Oct 18 '18 at 19:57
  • Hey @cricket_007, thanks for the suggestion, my question is that even if i use ssl, if anyone were to get access to my public url, they can still find out details. I was wondering if there was any methodology for authentication or hashing important fields. – gunj_desai Oct 19 '18 at 20:03
  • I haven't used the new API yet, but I was under the impression that if someone hit the URL, then they would only see the `${name}` formatted provider, not the real value. – OneCricketeer Oct 19 '18 at 20:04
  • i did try it out, but it converts it into string in the api response, I am guessing thats not how its supposed to work and i have made some mistake. – gunj_desai Oct 19 '18 at 20:09
  • Sounds like a bug, so you could file a JIRA ticket in the Kafka project – OneCricketeer Oct 19 '18 at 21:44
  • will do that, once i am bit sure with my implementation. thanks @cricket_007 – gunj_desai Oct 23 '18 at 22:28
  • The behavior you have experienced was a bug. See linked comment on the issue: https://issues.apache.org/jira/browse/KAFKA-5117?focusedCommentId=16737143&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16737143 – krzychu Sep 16 '19 at 13:56

0 Answers0