- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 10.10-HF32, 11.3
- Fix Version/s: 10.10-HF47, 11.x, 2021.3
- Component/s: Launcher
- Release Notes Summary: Kafka passwords are masked in the logs.
- Tags:
- Backlog priority: 825
- Sprint: nxplatform #33
- Story Points: 3

When the Nuxeo app fails to connect to Kafka via SSL, it prints the ssl keystore password and the ssl truststore password in the "console.log" file as follows:
2021-03-24T23:11:08,231 ERROR [NuxeoProcessThread-0] [org.nuxeo.launcher.config.BackingServiceConfigurator] Unable to reach Kafka using: {security.protocol=SSL, ssl.keystore.type=JKS, ssl.truststore.location=/tmp/jks/kafka/trust/kafka-client-truststore.jks, ssl.keystore.password=prints.ssl.keystore.password.here, acks=1, ssl.keystore.location=/tmp/jks/kafka/key/kafka-client-keystore.jks, bootstrap.servers=kafka-bootstrap-server-list, delivery.timeout.ms=120000, default.replication.factor=3, ssl.truststore.password=prints.ssl.truststore.password.here, ssl.truststore.type=JKS}
2021-03-24T23:11:08,231 ERROR [NuxeoProcessThread-0] [org.nuxeo.launcher.NuxeoLauncher] Could not run configuration: Unable to reach Kafka using: {security.protocol=SSL, ssl.keystore.type=JKS, ssl.truststore.location=/tmp/jks/kafka/trust/kafka-client-truststore.jks, ssl.keystore.password=prints-ssl-keystore-password-here, acks=1, ssl.keystore.location=/tmp/jks/kafka/key/kafka-client-keystore.jks, bootstrap.servers=kafka-bootstrap-server-list, delivery.timeout.ms=120000, default.replication.factor=3, ssl.truststore.password=prints-ssl-truststore-password-here, ssl.truststore.type=JKS}
These passwords must not be printed in the logs, or there should be a quiet option not to print them.
Currently Nuxeo simply prints all the properties from the configuration when the error is thrown by KafkaChecker#check:
throw new ConfigurationException("Unable to reach Kafka using: " + config.producerProperties.properties, e);
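
An added example (not Nuxeo's code and not the fix shipped for this ticket): one way to keep credentials out of the message built in KafkaChecker#check is to mask sensitive keys before the properties are formatted. The class name, the fragment list and the sample values are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

public class MaskedKafkaProps {

    static final String MASK = "***";

    // Assumption: a key is sensitive when its name contains one of these fragments.
    // This covers ssl.keystore.password and ssl.truststore.password from the report,
    // plus Kafka's ssl.key.password and sasl.jaas.config.
    static final String[] SENSITIVE_FRAGMENTS = { "password", "secret", "jaas" };

    static boolean isSensitive(String key) {
        String k = key.toLowerCase(Locale.ROOT);
        for (String fragment : SENSITIVE_FRAGMENTS) {
            if (k.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /** Returns a sorted copy of the properties that is safe to put in a log or exception message. */
    static Map<String, String> masked(Properties props) {
        Map<String, String> safe = new TreeMap<>();
        for (String key : props.stringPropertyNames()) {
            safe.put(key, isSensitive(key) ? MASK : props.getProperty(key));
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample values, modelled on the log line in the report.
        Properties props = new Properties();
        props.setProperty("security.protocol", "SSL");
        props.setProperty("ssl.keystore.location", "/tmp/jks/kafka/key/kafka-client-keystore.jks");
        props.setProperty("ssl.keystore.password", "constructed-keystore-secret");
        props.setProperty("ssl.truststore.password", "constructed-truststore-secret");
        props.setProperty("bootstrap.servers", "kafka-bootstrap-server-list");

        String message = "Unable to reach Kafka using: " + masked(props);
        if (message.contains("constructed-")) {
            throw new AssertionError("secret leaked into message");
        }
        System.out.println(message);
    }
}
```

Masking at the point where the message is built protects every sink the exception reaches (console.log, server log, stack traces), whereas a filter on one logger only protects that logger's output.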
- Causes: NXP-30838 Log4j2 sensitive data filter prevents auto reload of log4j configuration (Resolved)