Current state: Under Discussion
Discussion thread: here
JIRA: here
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Currently in Kafka Connect, some of the REST API endpoints return passwords and secrets in plain text. This reveals database credentials and any other information that should be hidden from the public interface. This KIP is to enhance the security of the Kafka Connect REST API.
Mask any field that is of type ConfigDef.Type.PASSWORD. The following existing endpoints will be impacted:
There is no new interface.
Modification in the org.apache.kafka.connect.runtime.rest.resources.ConnectorsResource class: a new method, maskCredentials, will be added and called in each of the above three endpoints before the routing method returns.
To be backwards compatible, a new Kafka Connect configuration property "password.masking" (type Boolean, default False) will be added. If users want passwords to be masked, they can set this to True.
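A sketch of the masking step described above, as an added example that is not code from this KIP or from Kafka. The class name, the mask text, the method signature and the sample connector settings are assumptions; only ConfigDef and its PASSWORD type are Kafka's own API, and the ConfigDef is assumed to be the one the connector declares.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.kafka.common.config.ConfigDef;

public class MaskCredentialsExample {
    // Assumption: the KIP does not say what the masked value looks like.
    static final String MASK = "[hidden]";

    // Hypothetical helper: returns a copy of the connector config in which every
    // value declared as ConfigDef.Type.PASSWORD is replaced by MASK.
    // maskingEnabled stands for the proposed "password.masking" property.
    static Map<String, String> maskCredentials(ConfigDef def,
                                               Map<String, String> config,
                                               boolean maskingEnabled) {
        if (!maskingEnabled) {
            return config; // default False: responses stay as they are today
        }
        Map<String, ConfigDef.ConfigKey> keys = def.configKeys();
        Map<String, String> masked = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : config.entrySet()) {
            ConfigDef.ConfigKey key = keys.get(e.getKey());
            boolean secret = key != null
                    && key.type == ConfigDef.Type.PASSWORD
                    && e.getValue() != null;
            masked.put(e.getKey(), secret ? MASK : e.getValue());
        }
        return masked;
    }

    public static void main(String[] args) {
        // Constructed sample definition and config, for illustration only.
        ConfigDef def = new ConfigDef()
                .define("connection.url", ConfigDef.Type.STRING,
                        ConfigDef.Importance.HIGH, "JDBC URL")
                .define("connection.password", ConfigDef.Type.PASSWORD,
                        ConfigDef.Importance.HIGH, "Database password");
        Map<String, String> config = new LinkedHashMap<>();
        config.put("connection.url", "jdbc:postgresql://db.example.internal/orders");
        config.put("connection.password", "constructed-sample-secret");
        config.put("custom.token", "constructed-sample-token"); // not declared in def

        // Only connection.password is masked; custom.token passes through
        // because masking by type cannot see keys the ConfigDef does not declare.
        System.out.println(maskCredentials(def, config, true));
    }
}
```

Masking by declared type leaves two cases uncovered: secrets in keys the connector never declares, and secrets embedded in a STRING-typed value such as a URL.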
None identified.