Description
Describe the bug
Our AMQP passwords are displayed in the logging. This is a security issue for us and therefore undesirable.
To Reproduce
Steps to reproduce the behavior:
- Start the connector with a configuration
Expected behavior
No password or a redacted password in the logging
Screenshots
The snip from the logging:
```
2023-02-22T13:54:33,331+0000 [abc/namespace1/amqp-source-0] INFO org.apache.pulsar.functions.instance.JavaInstanceRunnable - Starting Java Instance amqp-source :
Details = tenant: "abc"
namespace: "namespace1"
name: "amqp-source"
className: "org.apache.pulsar.functions.api.utils.IdentityFunction"
autoAck: true
parallelism: 1
source {
className: "org.apache.pulsar.ecosystem.io.amqp.AmqpSource"
configs: "{"protocol":"amqps","password":"XXXXXXXX","port":"443","host":"localhost","queue":"topic::queue","username":"amq-user","onlyTextMessage":true}"
typeClassName: "java.nio.ByteBuffer"
}
sink {
topic: "persistent://abc/namespace1/topic"
typeClassName: "java.nio.ByteBuffer"
forwardSourceMessageProperty: true
}
resources {
cpu: 1.0
ram: 1073741824
disk: 10737418240
}
componentType: SOURCE
```
Environment (please complete the following information):
- OS: Openshift Kubernetes
- Pulsar version: 2.10.x
- Deployment: cluster
- Connector version: e.g. 2.10.x
Additional context
We have now excluded the org.apache.pulsar.functions.instance.JavaInstanceRunnable class from the log4j2 config. This configuration is also logged in the Pulsar broker, so we had to exclude some classes there as well.
I think this can be achieved by annotating the password field in the AmqpBaseConfig class with @ToString.Exclude, or by overriding the Lombok toString method with a custom toString method:
```java
@ToString.Exclude
private String password;
```
I saw the same behavior for the RabbitMQ connector.
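
The second option named in the issue (a hand-written toString in place of the generated one), together with masking a raw config map before it is logged, as an added example that is not part of the original issue or the connector's code. `AmqpConfigSketch`, `redact` and `SENSITIVE_KEYS` are hypothetical names, the key list is an assumption, and the sample values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch; not the connector's real AmqpBaseConfig.
public class RedactedConfigExample {
    // Assumed set of sensitive key names; extend it for your own configs.
    private static final Set<String> SENSITIVE_KEYS = Set.of("password", "token", "secret");

    static final class AmqpConfigSketch {
        private final String host;
        private final String username;
        private final String password;

        AmqpConfigSketch(String host, String username, String password) {
            this.host = host;
            this.username = username;
            this.password = password;
        }

        // Hand-written toString: the password value never enters the string.
        @Override
        public String toString() {
            return "AmqpConfigSketch(host=" + host + ", username=" + username
                + ", password=" + (password == null ? "<unset>" : "<redacted>") + ")";
        }
    }

    // Returns a copy of a raw config map with sensitive values masked, safe to pass to a logger.
    static Map<String, Object> redact(Map<String, Object> configs) {
        Map<String, Object> safe = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : configs.entrySet()) {
            boolean sensitive = SENSITIVE_KEYS.contains(e.getKey().toLowerCase(Locale.ROOT));
            safe.put(e.getKey(), sensitive ? "<redacted>" : e.getValue());
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample values using the same keys as the log snippet.
        Map<String, Object> raw = new LinkedHashMap<>();
        raw.put("host", "localhost");
        raw.put("username", "amq-user");
        raw.put("password", "not-a-real-secret");
        System.out.println(redact(raw));
        System.out.println(new AmqpConfigSketch("localhost", "amq-user", "not-a-real-secret"));
    }
}
```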