Couchbase and keystore passwords in plain text

Hi,
I am using Kafka Connect Couchbase 4.1.11. When I get the connector config using a REST call to the connector (/connectors/cbkc-name/config), I am getting the passwords in plain text for couchbase.password and couchbase.trust.store.password.

These same 2 properties are stored in plain text in the config topic also. This means the passwords are stored in plain text in the Kafka topic as well as in the REST call endpoint.

Is there any way to hide this password? We tried creating env variables like KAFKA_COUCHBASE_TRUST_STORE_PASSWORD and KAFKA_COUCHBASE_PASSWORD to override it, but again the connector is assigning it to these properties.

Rest call response:

{
  "connector.class": "com.couchbase.connect.kafka.CouchbaseSourceConnector",
  "couchbase.persistence.polling.interval": "0",
  "tasks.max": "2",
  "couchbase.trust.store.path": "/run/secrets/keystores/truststore/pki-common-truststore.jks",
  "couchbase.black.hole.topic": "Couchbase_Kafka_Connector_Black_Hole",
  "couchbase.seed.nodes": "cluster-srv",
  "couchbase.source.handler": "com.ResourceHandler",
  "couchbase.enable.tls": "true",
  "couchbase.bucket": "data.consistency",
  "couchbase.stream.from": "NOW",
  "couchbase.username": "data-consistency",
  "amdocs.app.name": "data-consistency",
  "name": "consistency_Data_Consistency_Subscribe",
  "couchbase.password": "=CB-Password",
  "couchbase.trust.store.password": "KS-Password",
  "couchbase.topic": "Data_Consistency_Subscribe"
}

Hi @shyampa,

Does this article help?

Thanks,
David

By the way, recent versions of the connector no longer require the CA certificate live in a Java keystore (*.jks). If you prefer, you can put one or more certificates in PEM format in a text file, and point the connector at the file using the couchbase.trust.certificate.path config property.

Alternatively, you can add certificates to the JVM’s cacerts file, and the connector will read them from there (unless you specify other certificates to trust).

Thanks,
David

Thanks for sharing this. It's not working. Currently we are reading creds from secrets only, like
ssl.keystore.password=${secret:/run/secrets/cbkc-pki-client/keystores/cbkc-client-keystore/:password.txt}

It is assigned to the property, and when the config API gets called, this property shows the plain text password.

Interesting. This is out of the Couchbase connector’s control. I would make sure Kafka is upgraded to the latest version. If that doesn’t help, I would get in touch with the Kafka folks. If you have a support contract with a Kafka provider, it might be good to open a support ticket with them. Otherwise, https://forum.confluent.io might have some ideas.

Thanks,
David

Thanks, David. I will check with the Confluent Kafka team; if required, I will then raise a ticket for this.

Hello @david.nault ,

ConfigProvider is working, which will hide the password from being printed in clear text.
Because of another env issue my changes didn’t work; for that reason I had said ConfigProvider is not working.

Now in the connector API response I am getting this:
"couchbase.password": "${file:/secret-path/secret-name.yaml:password-key}"
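
A check for the situation in this thread, as an added example that is not part of the original posts or of the connector's code: it reads a `/connectors/<name>/config` response body and reports which secret-looking properties still hold a literal value instead of a `${provider:path:key}` ConfigProvider placeholder. The key-name heuristic, the function names and the sample configs are assumptions constructed for illustration from the property names and values shown above.

```python
import json
import re

# Placeholder shape that Kafka Connect resolves: ${provider:[path:]key}
PLACEHOLDER = re.compile(r"\$\{[^}:]+:(?:[^}]*:)?[^}]+\}")
# Assumption: property names containing these words hold secrets.
SENSITIVE_KEY = re.compile(r"password|secret|token|passphrase", re.IGNORECASE)


def audit(config):
    """Map each secret-looking property to 'externalized' or 'plaintext'."""
    findings = {}
    for key, value in config.items():
        if SENSITIVE_KEY.search(key):
            # Only a value that is entirely a placeholder counts as externalized.
            ok = PLACEHOLDER.fullmatch(str(value).strip()) is not None
            findings[key] = "externalized" if ok else "plaintext"
    return findings


def plaintext_keys(response_body):
    """Return the sorted property names whose secret is stored literally."""
    findings = audit(json.loads(response_body))
    return sorted(k for k, v in findings.items() if v == "plaintext")


# Constructed sample: subset of the REST response from the first post.
BEFORE = json.dumps({
    "couchbase.username": "data-consistency",
    "couchbase.trust.store.path": "/run/secrets/keystores/truststore/pki-common-truststore.jks",
    "couchbase.password": "=CB-Password",
    "couchbase.trust.store.password": "KS-Password",
})

# Constructed sample: the same properties after switching to a ConfigProvider.
# The first placeholder is the one from the last post; the second key name
# ("truststore-key") is made up for this example.
AFTER = json.dumps({
    "couchbase.username": "data-consistency",
    "couchbase.trust.store.path": "/run/secrets/keystores/truststore/pki-common-truststore.jks",
    "couchbase.password": "${file:/secret-path/secret-name.yaml:password-key}",
    "couchbase.trust.store.password": "${file:/secret-path/secret-name.yaml:truststore-key}",
})

if __name__ == "__main__":
    for label, body in (("before", BEFORE), ("after", AFTER)):
        print(label, plaintext_keys(body) or "no plaintext secrets")
```

The same check can be run over records read from the Connect config topic, since the thread notes the values are stored there as well.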
