Kafka-manager prints clear-text password to console
The Kafka cluster that I am connecting kafka-manager to requires SASL_PLAINTEXT. To make the connection work, I configure the SASL JAAS Config value of the cluster configuration (in the UI) the following way:
org.apache.kafka.common.security.scram.ScramLoginModule required username="superuser" password="1234";
Observed behavior: Every few seconds the following two lines get printed to the console, exposing the secret password to anybody who has access to the log stream.
2019-09-23 17:55:09,151 - [INFO] k.m.a.c.KafkaStateActor - SASL Mechanism =SASL_MECHANISM_SCRAM512
2019-09-23 17:55:09,151 - [INFO] k.m.a.c.KafkaStateActor - SASL JAAS config=org.apache.kafka.common.security.scram.ScramLoginModule required username="superuser" password="1234"
Expected behavior: At the very least, the password shall be masked to prevent unintended disclosure outside of the kafka-manager container. Alternatively, remove the corresponding log statement completely.
2019-09-23 17:55:09,151 - [INFO] k.m.a.c.KafkaStateActor - SASL Mechanism =SASL_MECHANISM_SCRAM512
2019-09-23 17:55:09,151 - [INFO] k.m.a.c.KafkaStateActor - SASL JAAS config=org.apache.kafka.common.security.scram.ScramLoginModule required username="superuser" password="***"
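An added example, not part of the original issue and not kafka-manager's own code: a log-stream filter that produces the masked form shown under "Expected behavior" and counts how many secrets it had to redact. The function names are hypothetical, and the sample lines are constructed from the log lines above plus a few variants.

```python
import re

# password=<value> inside a JAAS option list. The value is either a
# double-quoted string (backslash escapes allowed; the closing quote is
# optional so a truncated log line is still masked) or a bare token that
# ends at whitespace or the terminating semicolon.
_JAAS_PASSWORD = re.compile(
    r'\b(password\s*=\s*)(?:"(?:[^"\\]|\\.)*"?|[^\s;"]+)',
    re.IGNORECASE,
)


def mask_jaas_secrets(line, mask="***"):
    """Return the line with every JAAS password value replaced by "<mask>"."""
    return _JAAS_PASSWORD.sub(lambda m: f'{m.group(1)}"{mask}"', line)


def scrub_stream(lines, mask="***"):
    """Mask every line; also return how many secrets were redacted.

    A non-zero count means a credential reached the log stream, which is
    the signal to rotate it.
    """
    cleaned, redactions = [], 0
    for line in lines:
        masked, n = _JAAS_PASSWORD.subn(
            lambda m: f'{m.group(1)}"{mask}"', line)
        cleaned.append(masked)
        redactions += n
    return cleaned, redactions


# Constructed sample input: the two log lines from the report, followed by
# variants (escaped quote, unquoted value, truncated line).
PREFIX = "2019-09-23 17:55:09,151 - [INFO] k.m.a.c.KafkaStateActor - "
MODULE = "org.apache.kafka.common.security.scram.ScramLoginModule required "
SAMPLE = [
    PREFIX + "SASL Mechanism =SASL_MECHANISM_SCRAM512",
    PREFIX + 'SASL JAAS config=' + MODULE + 'username="superuser" password="1234"',
    PREFIX + 'SASL JAAS config=' + MODULE + r'username="u" password="a\"b;c";',
    PREFIX + 'SASL JAAS config=' + MODULE + 'username=u password=hunter2;',
    PREFIX + 'SASL JAAS config=' + MODULE + 'username="u" password="12',
]

if __name__ == "__main__":
    out, count = scrub_stream(SAMPLE)
    print("\n".join(out))
    print(f"redacted {count} secret(s)")
```

Masking at the log sink does not remove secrets already written to retained logs; those still need purging and the password rotated.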
As a workaround, I had to set up a JAAS file instead by adding -Djava.security.auth.login.config=/etc/kafka/jaas.conf to the CMAK startup script.
But loading a JAAS file will not work well when we have multiple Kafka clusters.
Please share the JAAS config file and also how to enable the logging so that I can view who has logged in.