logstash-integration-kafka 12.0.3-java → 12.0.5-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: be0ed6c8b60e9c4d0fb140d17c44a279a96d8f321601b2d8e6e4e20e7bb5e5b2
-  data.tar.gz: f23a97eb61490e04a6d172f68a3ce792e00b02760e7975ef102f88d4841fab29
+  metadata.gz: 9aabb58fee374e97f9acb560f65340e1bd06303a60e39a010113980099dc51e8
+  data.tar.gz: be2acb673a6a9d463d709814bbf93fabc4089dc9d5f96aa4266cd3a18c0208cd
 SHA512:
-  metadata.gz: 5c7f92a6fb3e530fcdfbf1ebd72ca6789e66918ca9ab774796f854ee8b2da622d70c17cc1f0c7776c6614707852a6edc4e9bb4218ca8384a802fe83860aa5879
-  data.tar.gz: 15e03c0fa63791487a403c1451c92d348403ec9b853901e75d6f48a25dbd9c0aef24e3f029cf585c6263185ff5d8fbaa16bd91d98b55cad3e0dcf4cfe697cd4b
+  metadata.gz: 95bd3afc976010cc01bd4ac9e8d6844631f28cadbf5f45121c968bc9d3abd8475dbc7c78f99cda20b16349f84404a88a9fc121f7513bf8fa7baa37988b2d74c0
+  data.tar.gz: 75cc2e4b39d89303dd5b4927c5f8ea1008902f30e79bf8dcc9ac20d774d43020b705237d1c1510cd3eb949fc8832b601c51b08e21edd7b7ce3022262154083c0

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 12.0.5
+  - Redact `sasl_jaas_config` to prevent credentials from appearing in debug logs. [#232](https://github.com/logstash-plugins/logstash-integration-kafka/pull/232)
+
+## 12.0.4
+  - Re-packaging the plugin [#221](https://github.com/logstash-plugins/logstash-integration-kafka/pull/221)
+
 ## 12.0.3
   - Upgrade `kafka-avro-serializer` dependency [#215](https://github.com/logstash-plugins/logstash-integration-kafka/pull/215)
 

data/lib/logstash/inputs/kafka.rb

@@ -260,7 +260,7 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
   # different JVM instances.
   config :jaas_path, :validate => :path
   # JAAS configuration settings. This allows JAAS config to be a part of the plugin configuration and allows for different JAAS configuration per each plugin config.
-  config :sasl_jaas_config, :validate => :string
+  config :sasl_jaas_config, :validate => :password
   # Optional path to kerberos config file. This is krb5.conf style as detailed in https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
   config :kerberos_config, :validate => :path
   # Option to add Kafka metadata like topic, message size and header key values to the event.

data/lib/logstash/plugin_mixins/kafka/common.rb

@@ -40,7 +40,7 @@ module LogStash module PluginMixins module Kafka
       end
 
       props.put("sasl.kerberos.service.name", sasl_kerberos_service_name) unless sasl_kerberos_service_name.nil?
-      props.put("sasl.jaas.config", sasl_jaas_config) unless sasl_jaas_config.nil?
+      props.put("sasl.jaas.config", sasl_jaas_config.value) unless sasl_jaas_config.nil?
       props.put("sasl.client.callback.handler.class", sasl_client_callback_handler_class) unless sasl_client_callback_handler_class.nil?
       props.put("sasl.oauthbearer.token.endpoint.url", sasl_oauthbearer_token_endpoint_url) unless sasl_oauthbearer_token_endpoint_url.nil?
       props.put("sasl.oauthbearer.scope.claim.name", sasl_oauthbearer_scope_claim_name) unless sasl_oauthbearer_scope_claim_name.nil?

data/lib/logstash-integration-kafka_jars.rb

@@ -2,14 +2,37 @@
 
 require 'jar_dependencies'
 require_jar('io.confluent', 'kafka-avro-serializer', '8.1.1')
+require_jar('org.apache.kafka', 'kafka-clients', '4.1.0')
+require_jar('at.yawk.lz4', 'lz4-java', '1.10.1')
 require_jar('io.confluent', 'kafka-schema-serializer', '8.1.1')
-require_jar('org.apache.avro', 'avro', '1.12.1')
 require_jar('io.confluent', 'kafka-schema-registry-client', '8.1.1')
-require_jar('com.fasterxml.jackson.datatype', 'jackson-datatype-jdk8', '2.20.0')
-require_jar('org.apache.httpcomponents.client5', 'httpclient5', '5.5')
-require_jar('org.apache.httpcomponents.core5', 'httpcore5', '5.3.4')
-require_jar('org.apache.kafka', 'kafka-clients', '4.1.0')
-require_jar('org.slf4j', 'slf4j-api', '2.0.17')
+require_jar('org.apache.avro', 'avro', '1.12.1')
+require_jar('org.apache.commons', 'commons-compress', '1.28.0')
+require_jar('com.google.guava', 'guava', '32.0.1-jre')
+require_jar('io.confluent', 'logredactor', '1.0.13')
+require_jar('io.confluent', 'common-utils', '8.1.1')
 require_jar('com.github.luben', 'zstd-jni', '1.5.6-10')
-require_jar('at.yawk.lz4', 'lz4-java', '1.10.1')
 require_jar('org.xerial.snappy', 'snappy-java', '1.1.10.7')
+require_jar('org.apache.httpcomponents.client5', 'httpclient5', '5.5')
+require_jar('org.slf4j', 'slf4j-api', '2.0.17')
+require_jar('com.fasterxml.jackson.dataformat', 'jackson-dataformat-csv', '2.20.0')
+require_jar('com.fasterxml.jackson.datatype', 'jackson-datatype-jdk8', '2.20.0')
+require_jar('com.fasterxml.jackson.core', 'jackson-databind', '2.20.0')
+require_jar('com.fasterxml.jackson.core', 'jackson-core', '2.20.0')
+require_jar('org.yaml', 'snakeyaml', '2.0')
+require_jar('io.swagger.core.v3', 'swagger-annotations', '2.2.29')
+require_jar('com.google.guava', 'failureaccess', '1.0.1')
+require_jar('com.google.guava', 'listenablefuture', '9999.0-empty-to-avoid-conflict-with-guava')
+require_jar('com.google.code.findbugs', 'jsr305', '3.0.2')
+require_jar('org.checkerframework', 'checker-qual', '3.33.0')
+require_jar('com.google.errorprone', 'error_prone_annotations', '2.18.0')
+require_jar('com.google.j2objc', 'j2objc-annotations', '2.8')
+require_jar('com.google.re2j', 're2j', '1.6')
+require_jar('io.confluent', 'logredactor-metrics', '1.0.13')
+require_jar('com.eclipsesource.minimal-json', 'minimal-json', '0.9.5')
+require_jar('commons-codec', 'commons-codec', '1.19.0')
+require_jar('commons-io', 'commons-io', '2.20.0')
+require_jar('org.apache.commons', 'commons-lang3', '3.18.0')
+require_jar('com.fasterxml.jackson.core', 'jackson-annotations', '2.20')
+require_jar('org.apache.httpcomponents.core5', 'httpcore5-h2', '5.3.4')
+require_jar('org.apache.httpcomponents.core5', 'httpcore5', '5.3.4')

data/logstash-integration-kafka.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-integration-kafka'
-  s.version         = '12.0.3'
+  s.version         = '12.0.5'
   s.licenses        = ['Apache-2.0']
   s.summary         = "Integration with Kafka - input and output plugins"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline "+

data/spec/integration/inputs/kafka_spec.rb

@@ -264,6 +264,53 @@ describe "inputs/kafka", :integration => true do
     end
   end
 
+  # ToDo: add tests for other sasl config options as well (https://github.com/logstash-plugins/logstash-integration-kafka/issues/234)
+  context 'setting sasl_jaas_config' do
+    let(:base_config) do
+      {
+        'topics' => ['logstash_integration_topic_plain'],
+        'group_id' => rand(36**8).to_s(36),
+      }
+    end
+
+    shared_examples 'sasl_jaas_config password handling' do
+      it 'stores sasl_jaas_config as password type' do
+        kafka_input = LogStash::Inputs::Kafka.new(consumer_config)
+        expect(kafka_input.sasl_jaas_config).to be_a(LogStash::Util::Password)
+        expect(kafka_input.sasl_jaas_config.value).to eq(jaas_config_value)
+      end
+
+      it 'does not expose password in inspect output' do
+        kafka_input = LogStash::Inputs::Kafka.new(consumer_config)
+        expect(kafka_input.sasl_jaas_config.inspect).to eq('<password>')
+        expect(kafka_input.sasl_jaas_config.inspect).not_to include('admin-secret')
+      end
+    end
+
+    context 'with single-line config' do
+      let(:jaas_config_value) { 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";' }
+      let(:consumer_config) { base_config.merge('sasl_jaas_config' => jaas_config_value) }
+
+      include_examples 'sasl_jaas_config password handling'
+    end
+
+    context 'with multiline config' do
+      let(:jaas_config_value) do
+        <<~JAAS
+          org.apache.kafka.common.security.plain.PlainLoginModule required
+            username="admin"
+            password="admin-secret"
+            user_admin="admin-secret"
+            user_alice="alice-secret";
+        JAAS
+      end
+      let(:consumer_config) { base_config.merge('sasl_jaas_config' => jaas_config_value) }
+
+      include_examples 'sasl_jaas_config password handling'
+    end
+  end
+
+
   context "static membership 'group.instance.id' setting" do
     let(:base_config) do
       {

data/spec/unit/inputs/kafka_spec.rb

@@ -264,6 +264,43 @@ describe LogStash::Inputs::Kafka do
 
       expect(subject.send(:create_consumer, 'test-client-2', 'group_instance_id')).to be kafka_client
     end
+
+    context 'with sasl_jaas_config' do
+      shared_examples 'sasl_jaas_config password handling' do
+        it "sasl_jaas_config.value returns the original string" do
+          subject.register
+          expect(subject.sasl_jaas_config.value).to eq(jaas_config_value)
+        end
+
+        it "sasl_jaas_config.inspect does not expose the password" do
+          subject.register
+          expect(subject.sasl_jaas_config.inspect).not_to include('admin-secret')
+          expect(subject.sasl_jaas_config.inspect).to eq('<password>')
+        end
+      end
+
+      context 'with single-line config' do
+        let(:jaas_config_value) { 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";' }
+        let(:config) { super().merge('sasl_jaas_config' => jaas_config_value) }
+
+        include_examples 'sasl_jaas_config password handling'
+      end
+
+      context 'with multiline config' do
+        let(:jaas_config_value) {
+          <<~JAAS
+            org.apache.kafka.common.security.plain.PlainLoginModule required
+              username="admin"
+              password="admin-secret"
+              user_admin="admin-secret"
+              user_alice="alice-secret";
+          JAAS
+        }
+        let(:config) { super().merge('sasl_jaas_config' => jaas_config_value) }
+
+        include_examples 'sasl_jaas_config password handling'
+      end
+    end
   end
 
   describe "schema registry" do

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: logstash-integration-kafka
 version: !ruby/object:Gem::Version
-  version: 12.0.3
+  version: 12.0.5
 platform: java
 authors:
 - Elastic
 bindir: bin
 cert_chain: []
-date: 2026-01-17 00:00:00.000000000 Z
+date: 2026-03-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstash-core-plugin-api
@@ -244,17 +244,40 @@ files:
 - spec/unit/inputs/kafka_spec.rb
 - spec/unit/outputs/kafka_spec.rb
 - vendor/jar-dependencies/at/yawk/lz4/lz4-java/1.10.1/lz4-java-1.10.1.jar
+- vendor/jar-dependencies/com/eclipsesource/minimal-json/minimal-json/0.9.5/minimal-json-0.9.5.jar
+- vendor/jar-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.20/jackson-annotations-2.20.jar
+- vendor/jar-dependencies/com/fasterxml/jackson/core/jackson-core/2.20.0/jackson-core-2.20.0.jar
+- vendor/jar-dependencies/com/fasterxml/jackson/core/jackson-databind/2.20.0/jackson-databind-2.20.0.jar
+- vendor/jar-dependencies/com/fasterxml/jackson/dataformat/jackson-dataformat-csv/2.20.0/jackson-dataformat-csv-2.20.0.jar
 - vendor/jar-dependencies/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.20.0/jackson-datatype-jdk8-2.20.0.jar
 - vendor/jar-dependencies/com/github/luben/zstd-jni/1.5.6-10/zstd-jni-1.5.6-10.jar
+- vendor/jar-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
+- vendor/jar-dependencies/com/google/errorprone/error_prone_annotations/2.18.0/error_prone_annotations-2.18.0.jar
+- vendor/jar-dependencies/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar
+- vendor/jar-dependencies/com/google/guava/guava/32.0.1-jre/guava-32.0.1-jre.jar
+- vendor/jar-dependencies/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
+- vendor/jar-dependencies/com/google/j2objc/j2objc-annotations/2.8/j2objc-annotations-2.8.jar
+- vendor/jar-dependencies/com/google/re2j/re2j/1.6/re2j-1.6.jar
+- vendor/jar-dependencies/commons-codec/commons-codec/1.19.0/commons-codec-1.19.0.jar
+- vendor/jar-dependencies/commons-io/commons-io/2.20.0/commons-io-2.20.0.jar
+- vendor/jar-dependencies/io/confluent/common-utils/8.1.1/common-utils-8.1.1.jar
 - vendor/jar-dependencies/io/confluent/kafka-avro-serializer/8.1.1/kafka-avro-serializer-8.1.1.jar
 - vendor/jar-dependencies/io/confluent/kafka-schema-registry-client/8.1.1/kafka-schema-registry-client-8.1.1.jar
 - vendor/jar-dependencies/io/confluent/kafka-schema-serializer/8.1.1/kafka-schema-serializer-8.1.1.jar
+- vendor/jar-dependencies/io/confluent/logredactor-metrics/1.0.13/logredactor-metrics-1.0.13.jar
+- vendor/jar-dependencies/io/confluent/logredactor/1.0.13/logredactor-1.0.13.jar
+- vendor/jar-dependencies/io/swagger/core/v3/swagger-annotations/2.2.29/swagger-annotations-2.2.29.jar
 - vendor/jar-dependencies/org/apache/avro/avro/1.12.1/avro-1.12.1.jar
+- vendor/jar-dependencies/org/apache/commons/commons-compress/1.28.0/commons-compress-1.28.0.jar
+- vendor/jar-dependencies/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar
 - vendor/jar-dependencies/org/apache/httpcomponents/client5/httpclient5/5.5/httpclient5-5.5.jar
+- vendor/jar-dependencies/org/apache/httpcomponents/core5/httpcore5-h2/5.3.4/httpcore5-h2-5.3.4.jar
 - vendor/jar-dependencies/org/apache/httpcomponents/core5/httpcore5/5.3.4/httpcore5-5.3.4.jar
 - vendor/jar-dependencies/org/apache/kafka/kafka-clients/4.1.0/kafka-clients-4.1.0.jar
+- vendor/jar-dependencies/org/checkerframework/checker-qual/3.33.0/checker-qual-3.33.0.jar
 - vendor/jar-dependencies/org/slf4j/slf4j-api/2.0.17/slf4j-api-2.0.17.jar
 - vendor/jar-dependencies/org/xerial/snappy/snappy-java/1.1.10.7/snappy-java-1.1.10.7.jar
+- vendor/jar-dependencies/org/yaml/snakeyaml/2.0/snakeyaml-2.0.jar
 homepage: https://www.elastic.co/logstash
 licenses:
 - Apache-2.0