  1. Nuxeo Platform
  2. NXP-30304

Do not log password when failing to connect to Kafka

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.10-HF32, 11.3
    • Fix Version/s: 10.10-HF47, 11.x, 2021.x
    • Component/s: Launcher
    • Release Notes Summary:
      Kafka passwords are masked in the logs.
    • Backlog priority:
      825
    • Sprint:
      nxplatform #33
    • Story Points:
      3

      Description

      When the Nuxeo app fails to connect to Kafka via SSL, it prints the ssl keystore password and the ssl truststore password in the "console.log" file as follows:

      2021-03-24T23:11:08,231 ERROR [NuxeoProcessThread-0] [org.nuxeo.launcher.config.BackingServiceConfigurator] Unable to reach Kafka using: {security.protocol=SSL, ssl.keystore.type=JKS, ssl.truststore.location=/tmp/jks/kafka/trust/kafka-client-truststore.jks, ssl.keystore.password=prints.ssl.keystore.password.here, acks=1, ssl.keystore.location=/tmp/jks/kafka/key/kafka-client-keystore.jks, bootstrap.servers=kafka-bootstrap-server-list, delivery.timeout.ms=120000, default.replication.factor=3, ssl.truststore.password=prints.ssl.truststore.password.here, ssl.truststore.type=JKS}
      2021-03-24T23:11:08,231 ERROR [NuxeoProcessThread-0] [org.nuxeo.launcher.NuxeoLauncher] Could not run configuration: Unable to reach Kafka using: {security.protocol=SSL, ssl.keystore.type=JKS, ssl.truststore.location=/tmp/jks/kafka/trust/kafka-client-truststore.jks, ssl.keystore.password=prints-ssl-keystore-password-here, acks=1, ssl.keystore.location=/tmp/jks/kafka/key/kafka-client-keystore.jks, bootstrap.servers=kafka-bootstrap-server-list, delivery.timeout.ms=120000, default.replication.factor=3, ssl.truststore.password=prints-ssl-truststore-password-here, ssl.truststore.type=JKS} 

      These passwords must not be printed in the logs, or there should be a quiet option not to print them.

       

      Currently Nuxeo simply prints all the properties from the configuration when the error is thrown by KafkaChecker#check:

                  throw new ConfigurationException("Unable to reach Kafka using: " + config.producerProperties.properties, e);
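
One way to keep secrets out of such a message is to build a redacted copy of the properties and concatenate that instead of the raw map. This is an added example, not Nuxeo's fix or code from the ticket; the class name, method names and mask string are hypothetical, and the sample values are constructed.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.TreeMap;

// Added illustration, not Nuxeo code: all names in this class are hypothetical.
public class KafkaPropertiesRedactor {

    private static final String MASK = "***";

    // Kafka client settings that carry credentials without "password" in the key.
    private static final Set<String> EXTRA_SECRET_KEYS = Set.of("sasl.jaas.config");

    static boolean isSecret(String key) {
        String k = key.toLowerCase(Locale.ROOT);
        return k.contains("password") || k.contains("secret") || EXTRA_SECRET_KEYS.contains(k);
    }

    /** Returns a sorted copy that is safe to place in a log line or exception message. */
    static Map<String, String> redact(Properties props) {
        Map<String, String> safe = new TreeMap<>();
        for (Map.Entry<Object, Object> e : props.entrySet()) {
            String key = String.valueOf(e.getKey());
            safe.put(key, isSecret(key) ? MASK : String.valueOf(e.getValue()));
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample input modelled on the property names in the report.
        Properties p = new Properties();
        p.setProperty("security.protocol", "SSL");
        p.setProperty("bootstrap.servers", "kafka-bootstrap-server-list");
        p.setProperty("ssl.keystore.location", "/tmp/jks/kafka/key/kafka-client-keystore.jks");
        p.setProperty("ssl.keystore.password", "constructed-keystore-secret");
        p.setProperty("ssl.truststore.password", "constructed-truststore-secret");
        p.setProperty("sasl.jaas.config", "constructed-jaas-line password=\"constructed\";");

        String message = "Unable to reach Kafka using: " + redact(p);
        if (message.contains("constructed-keystore-secret")
                || message.contains("constructed-truststore-secret")
                || message.contains("constructed-jaas-line")) {
            throw new AssertionError("secret leaked into message: " + message);
        }
        System.out.println(message);
    }
}
```

Matching on key names keeps non-secret settings such as `bootstrap.servers` and the keystore paths visible for troubleshooting while masking every value whose key suggests a credential.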
       
