apache / apisix

The Cloud-Native API Gateway
https://apisix.apache.org/blog/
Apache License 2.0

feat: hide password from logs for kafka-logger #10003

Open NiuBlibing opened 1 year ago

NiuBlibing commented 1 year ago

Current Behavior

https://github.com/apache/apisix/blob/4ea0dda7b7afc58c2d69a4b420637e90ff2bda61/apisix/utils/batch-processor-manager.lua#L60-L61 writes kafka's password to the log

Expected Behavior

Don't log the password

Error Logs

2023/08/10 07:53:03 [warn] 10#10: *11078359 [lua] batch-processor-manager.lua:60: removing batch processor stale object, conf: {"include_resp_body":false,"required_acks":1,"cluster_name":1,"producer_batch_num":200,"producer_batch_size":1048576,"producer_max_buffering":50000,"producer_time_linger":1,"inactive_timeout":5,"include_req_body":false,"name":"kafka logger","meta_format":"default","retry_delay":1,"_meta":{"disable":false},"kafka_topic":"persistent://apisix/pro/accesslog","producer_type":"async","batch_max_size":1000,"brokers":[{"host":"127.0.0.1","sasl_config":{"password":"token:password","mechanism":"PLAIN","user":"apisix/pro"},"port":9092}],"timeout":3,"max_retry_count":0,"buffer_duration":60,"meta_refresh_interval":30}, context: ngx.timer, client: 10.1.226.250, server: 0.0.0.0:9080

Steps to Reproduce

  1. Deploy apisix with bitnami's helm
  2. Configure kafka logger with sasl globally

Environment
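The warn line above embeds the whole plugin conf, including `brokers[*].sasl_config.password`, as JSON. As an added illustration (not APISIX code), the following shows what a redacting variant of that log statement would produce, and how to audit existing error logs for lines that already leaked the field. The sample line is constructed with a dummy password, and the list of sensitive key names is an assumption.

```python
import json
import re

# Constructed sample in the shape of the warn line from the issue (dummy password).
SAMPLE_LINE = (
    '2023/08/10 07:53:03 [warn] 10#10: *11078359 [lua] batch-processor-manager.lua:60: '
    'removing batch processor stale object, conf: {"name":"kafka logger",'
    '"brokers":[{"host":"127.0.0.1","port":9092,"sasl_config":{"mechanism":"PLAIN",'
    '"user":"apisix/pro","password":"token:password"}}]}, context: ngx.timer, '
    'client: 10.1.226.250, server: 0.0.0.0:9080'
)

# Assumed set of key names that must never reach a log.
SENSITIVE_KEYS = {"password", "secret", "token"}
# The conf JSON sits between "conf: " and ", context:" in this log format.
CONF_RE = re.compile(r"conf: (\{.*\}), context:")


def redact(value):
    """Return a copy of a nested conf with every sensitive-keyed field replaced by '***'."""
    if isinstance(value, dict):
        return {k: ("***" if k.lower() in SENSITIVE_KEYS else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def leaked_fields(value, path=""):
    """Return dotted paths of every sensitive field present, e.g. brokers[0].sasl_config.password."""
    found = []
    if isinstance(value, dict):
        for k, v in value.items():
            p = f"{path}.{k}" if path else k
            if k.lower() in SENSITIVE_KEYS:
                found.append(p)
            found.extend(leaked_fields(v, p))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            found.extend(leaked_fields(v, f"{path}[{i}]"))
    return found


def scrub_log_line(line):
    """Return (redacted line, leaked paths); lines without an embedded conf pass through unchanged."""
    m = CONF_RE.search(line)
    if not m:
        return line, []
    conf = json.loads(m.group(1))
    paths = leaked_fields(conf)
    safe = json.dumps(redact(conf), separators=(",", ":"))
    return line[:m.start(1)] + safe + line[m.end(1):], paths
```

Running `scrub_log_line` over an existing error.log tells you which lines (and which fields) need rotation of the credential, independent of whether the log statement is later removed or redacted.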

monkeyDluffy6017 commented 12 months ago

Hi @NiuBlibing @Revolyssup, I think you could remove this log

Revolyssup commented 12 months ago

> Hi @NiuBlibing @Revolyssup, I think you could remove this log

Given the number of considerations to be taken to hide the password, I think your suggestion to just remove this log makes sense. I will do this.

monkeyDluffy6017 commented 12 months ago

If looking at the error log is a security issue, then the user can just as easily GET the route configuration and see the password.

@Revolyssup about your consideration, we have secret and encrypted-storage-fields to hide the password

Zeeeeta commented 3 months ago

> If looking at the error log is a security issue, then the user can just as easily GET the route configuration and see the password.
>
> @Revolyssup about your consideration, we have secret and encrypted-storage-fields to hide the password

Does encrypted-storage-fields need to be implemented by the plugin, rather than being something I can configure myself? If so, it seems it is not implemented yet? Thanks.