This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • KIP-242: Mask password in Kafka Connect Rest API response
Skip to end of metadata
Go to start of metadata

 

Status

Current stateUnder Discussion

Discussion thread: here

JIRA: here

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

Currently in kafka connect, some of the rest api endpoint return with plain password/secrets. This reveals database credentials, and any information that should be hide from public interface. This KIP is to enhance the security of Kafka Connect REST API.

Public Interfaces

Mask any field that is a ConfigDef.Type.PASSWORD type. Following existing endpoints will be impacted:

  • /connectors/<connector_name>
  • /connectors/<connector_name>/config
  • /connectors/<connector_name>tasks

There is no new interface.

Proposed Changes

Modification in org.apache.kafka.connect.runtime.rest.resources.ConnectorsResource class. Adding a new method maskCredentials, and this method will be called in each of the above three endpoint before the routing method returns.

Compatibility, Deprecation, and Migration Plan

To be backwards compatible, a new kafka connect configuration property "password.masking" (type Boolean, default False) will be added. If the user want the password to be masked, they can set this to True.

  • Existing users will no long get the actual password value from Kafka Connect REST endpoint. In stead, they will get a masked value (e.g. "*********").
  • A new deployment of kafka connect is needed

Rejected Alternatives

None identified.

  • No labels