logstash-integration-kafka 12.0.4-java → 12.0.6-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d6257f93b83bc199b7fd5d6d6670f44f97a6368e84cc042eae7b478e745939e8
-  data.tar.gz: 12cad9a22346dc9729c033393baa605b3b4853a43aa9310ecb7f4d0dbd609d10
+  metadata.gz: afb32084af8da2c0d6fc1742cedff29093a8d55c2a4908afc636728e3cbdee2f
+  data.tar.gz: 289f441a9b23b6a5843b7e45bceafbc487301f9f44902ef8d5476e1f2c488a82
 SHA512:
-  metadata.gz: 18324de34ee2ca9a26a436a80d6a0f42445783de80eabc9ea00eee0e7d9401389e5a3ac5054f6548226f7dcef95cf87912370710ba6405ef9433efee58ab629d
-  data.tar.gz: 84b247220b8aaa9a945aaf26f003e184d295812fa432b17b227900d89067b23c965a215d8541b6a2b7526a702d1178c47f9c4f714f78dcefb60552f68dcd1dbc
+  metadata.gz: 12bf222b6766785f64ee6a6aa988505dfee1e90eed131aeb7b2d8432d7c996d3b53f5fcbbe00ef0e1e483576afc0592b0057ff0438b921bc57230b767d22c600
+  data.tar.gz: 0cdf0beda8aaadd10cff0f5c2921189feafdf70aeaf2f45bc6a8737832162a650ec2e546a44d7afb5f27ec83e755f5f96928d46439b33b8d83a01a11e3592530

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 12.0.6
+  - [DOC] Add info about Kafka timestamp behavior [#240](https://github.com/logstash-plugins/logstash-integration-kafka/pull/240)
+
+## 12.0.5
+  - Redact `sasl_jaas_config` to prevent credentials from appearing in debug logs. [#232](https://github.com/logstash-plugins/logstash-integration-kafka/pull/232)
+
 ## 12.0.4
   - Re-packaging the plugin [#221](https://github.com/logstash-plugins/logstash-integration-kafka/pull/221)
 

data/docs/output-kafka.asciidoc

@@ -66,6 +66,24 @@ https://kafka.apache.org/{kafka_client_doc}/documentation.html#producerconfigs
 
 NOTE:  This plugin does not support using a proxy when communicating to the Kafka broker.
 
+.Kafka timestamps and Logstash
+****
+* Kafka 3.6+ introduces stricter timestamp validation with the introduction of two new broker/topic-level properties: https://docs.confluent.io/platform/current/installation/configuration/topic-configs.html#message-timestamp-before-max-ms[log.message.timestamp.before.max.ms] and 
+https://docs.confluent.io/platform/current/installation/configuration/topic-configs.html#message-timestamp-after-max-ms[log.message.timestamp.after.max.ms].
++
+These properties limit the time difference between the message timestamp (from Logstash) and the Kafka broker receive time. 
+Messages can be rejected if the values are exceeded and `log.message.timestamp.type=CreateTime` is set. 
++
+These checks are ignored if `log.message.timestamp.type=LogAppendTime` is set. 
+
+* For Kafka version 0.10.0.0+ the message creation timestamp is set by Logstash and equals the initial timestamp of the event. 
+This behavior affects Kafka’s retention policy. 
+For example, if a Logstash event was created two weeks ago and Kafka retention is set to seven days, then when the message arrives in Kafka today it may be discarded immediately, because its timestamp is older than seven days.
++
+You can change this behavior by setting timestamps on message arrival instead.
+  The message is not discarded but kept for 7 more days. Set `log.message.timestamp.type` to `LogAppendTime` (default `CreateTime`) in your Kafka configuration.
+****
+
 [id="plugins-{type}s-{plugin}-aws_msk_iam_auth"]
 ==== AWS MSK IAM authentication
 If you use AWS MSK, the AWS MSK IAM access control enables you to handle both authentication and authorization for your MSK cluster with AWS IAM.

data/lib/logstash/inputs/kafka.rb

@@ -260,7 +260,7 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
   # different JVM instances.
   config :jaas_path, :validate => :path
   # JAAS configuration settings. This allows JAAS config to be a part of the plugin configuration and allows for different JAAS configuration per each plugin config.
-  config :sasl_jaas_config, :validate => :string
+  config :sasl_jaas_config, :validate => :password
   # Optional path to kerberos config file. This is krb5.conf style as detailed in https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
   config :kerberos_config, :validate => :path
   # Option to add Kafka metadata like topic, message size and header key values to the event.

data/lib/logstash/plugin_mixins/kafka/common.rb

@@ -40,7 +40,7 @@ module LogStash module PluginMixins module Kafka
       end
 
       props.put("sasl.kerberos.service.name", sasl_kerberos_service_name) unless sasl_kerberos_service_name.nil?
-      props.put("sasl.jaas.config", sasl_jaas_config) unless sasl_jaas_config.nil?
+      props.put("sasl.jaas.config", sasl_jaas_config.value) unless sasl_jaas_config.nil?
       props.put("sasl.client.callback.handler.class", sasl_client_callback_handler_class) unless sasl_client_callback_handler_class.nil?
       props.put("sasl.oauthbearer.token.endpoint.url", sasl_oauthbearer_token_endpoint_url) unless sasl_oauthbearer_token_endpoint_url.nil?
       props.put("sasl.oauthbearer.scope.claim.name", sasl_oauthbearer_scope_claim_name) unless sasl_oauthbearer_scope_claim_name.nil?

data/logstash-integration-kafka.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-integration-kafka'
-  s.version         = '12.0.4'
+  s.version         = '12.0.6'
   s.licenses        = ['Apache-2.0']
   s.summary         = "Integration with Kafka - input and output plugins"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline "+

data/spec/integration/inputs/kafka_spec.rb

@@ -264,6 +264,53 @@ describe "inputs/kafka", :integration => true do
     end
   end
 
+  # ToDo: add tests for other sasl config options as well (https://github.com/logstash-plugins/logstash-integration-kafka/issues/234)
+  context 'setting sasl_jaas_config' do
+    let(:base_config) do
+      {
+        'topics' => ['logstash_integration_topic_plain'],
+        'group_id' => rand(36**8).to_s(36),
+      }
+    end
+
+    shared_examples 'sasl_jaas_config password handling' do
+      it 'stores sasl_jaas_config as password type' do
+        kafka_input = LogStash::Inputs::Kafka.new(consumer_config)
+        expect(kafka_input.sasl_jaas_config).to be_a(LogStash::Util::Password)
+        expect(kafka_input.sasl_jaas_config.value).to eq(jaas_config_value)
+      end
+
+      it 'does not expose password in inspect output' do
+        kafka_input = LogStash::Inputs::Kafka.new(consumer_config)
+        expect(kafka_input.sasl_jaas_config.inspect).to eq('<password>')
+        expect(kafka_input.sasl_jaas_config.inspect).not_to include('admin-secret')
+      end
+    end
+
+    context 'with single-line config' do
+      let(:jaas_config_value) { 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";' }
+      let(:consumer_config) { base_config.merge('sasl_jaas_config' => jaas_config_value) }
+
+      include_examples 'sasl_jaas_config password handling'
+    end
+
+    context 'with multiline config' do
+      let(:jaas_config_value) do
+        <<~JAAS
+          org.apache.kafka.common.security.plain.PlainLoginModule required
+            username="admin"
+            password="admin-secret"
+            user_admin="admin-secret"
+            user_alice="alice-secret";
+        JAAS
+      end
+      let(:consumer_config) { base_config.merge('sasl_jaas_config' => jaas_config_value) }
+
+      include_examples 'sasl_jaas_config password handling'
+    end
+  end
+
+
   context "static membership 'group.instance.id' setting" do
     let(:base_config) do
       {

data/spec/unit/inputs/kafka_spec.rb

@@ -264,6 +264,43 @@ describe LogStash::Inputs::Kafka do
 
       expect(subject.send(:create_consumer, 'test-client-2', 'group_instance_id')).to be kafka_client
     end
+
+    context 'with sasl_jaas_config' do
+      shared_examples 'sasl_jaas_config password handling' do
+        it "sasl_jaas_config.value returns the original string" do
+          subject.register
+          expect(subject.sasl_jaas_config.value).to eq(jaas_config_value)
+        end
+
+        it "sasl_jaas_config.inspect does not expose the password" do
+          subject.register
+          expect(subject.sasl_jaas_config.inspect).not_to include('admin-secret')
+          expect(subject.sasl_jaas_config.inspect).to eq('<password>')
+        end
+      end
+
+      context 'with single-line config' do
+        let(:jaas_config_value) { 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";' }
+        let(:config) { super().merge('sasl_jaas_config' => jaas_config_value) }
+
+        include_examples 'sasl_jaas_config password handling'
+      end
+
+      context 'with multiline config' do
+        let(:jaas_config_value) {
+          <<~JAAS
+            org.apache.kafka.common.security.plain.PlainLoginModule required
+              username="admin"
+              password="admin-secret"
+              user_admin="admin-secret"
+              user_alice="alice-secret";
+          JAAS
+        }
+        let(:config) { super().merge('sasl_jaas_config' => jaas_config_value) }
+
+        include_examples 'sasl_jaas_config password handling'
+      end
+    end
   end
 
   describe "schema registry" do

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: logstash-integration-kafka
 version: !ruby/object:Gem::Version
-  version: 12.0.4
+  version: 12.0.6
 platform: java
 authors:
 - Elastic
 bindir: bin
 cert_chain: []
-date: 2026-01-31 00:00:00.000000000 Z
+date: 2026-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstash-core-plugin-api