logstash-integration-kafka 12.0.4-java → 12.0.5-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d6257f93b83bc199b7fd5d6d6670f44f97a6368e84cc042eae7b478e745939e8
-  data.tar.gz: 12cad9a22346dc9729c033393baa605b3b4853a43aa9310ecb7f4d0dbd609d10
+  metadata.gz: 9aabb58fee374e97f9acb560f65340e1bd06303a60e39a010113980099dc51e8
+  data.tar.gz: be2acb673a6a9d463d709814bbf93fabc4089dc9d5f96aa4266cd3a18c0208cd
 SHA512:
-  metadata.gz: 18324de34ee2ca9a26a436a80d6a0f42445783de80eabc9ea00eee0e7d9401389e5a3ac5054f6548226f7dcef95cf87912370710ba6405ef9433efee58ab629d
-  data.tar.gz: 84b247220b8aaa9a945aaf26f003e184d295812fa432b17b227900d89067b23c965a215d8541b6a2b7526a702d1178c47f9c4f714f78dcefb60552f68dcd1dbc
+  metadata.gz: 95bd3afc976010cc01bd4ac9e8d6844631f28cadbf5f45121c968bc9d3abd8475dbc7c78f99cda20b16349f84404a88a9fc121f7513bf8fa7baa37988b2d74c0
+  data.tar.gz: 75cc2e4b39d89303dd5b4927c5f8ea1008902f30e79bf8dcc9ac20d774d43020b705237d1c1510cd3eb949fc8832b601c51b08e21edd7b7ce3022262154083c0

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+## 12.0.5
+  - Redact `sasl_jaas_config` to prevent credentials from appearing in debug logs. [#232](https://github.com/logstash-plugins/logstash-integration-kafka/pull/232)
+
 ## 12.0.4
   - Re-packaging the plugin [#221](https://github.com/logstash-plugins/logstash-integration-kafka/pull/221)
 

data/lib/logstash/inputs/kafka.rb

@@ -260,7 +260,7 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
   # different JVM instances.
   config :jaas_path, :validate => :path
   # JAAS configuration settings. This allows JAAS config to be a part of the plugin configuration and allows for different JAAS configuration per each plugin config.
-  config :sasl_jaas_config, :validate => :string
+  config :sasl_jaas_config, :validate => :password
   # Optional path to kerberos config file. This is krb5.conf style as detailed in https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
   config :kerberos_config, :validate => :path
   # Option to add Kafka metadata like topic, message size and header key values to the event.

data/lib/logstash/plugin_mixins/kafka/common.rb

@@ -40,7 +40,7 @@ module LogStash module PluginMixins module Kafka
       end
 
       props.put("sasl.kerberos.service.name", sasl_kerberos_service_name) unless sasl_kerberos_service_name.nil?
-      props.put("sasl.jaas.config", sasl_jaas_config) unless sasl_jaas_config.nil?
+      props.put("sasl.jaas.config", sasl_jaas_config.value) unless sasl_jaas_config.nil?
       props.put("sasl.client.callback.handler.class", sasl_client_callback_handler_class) unless sasl_client_callback_handler_class.nil?
       props.put("sasl.oauthbearer.token.endpoint.url", sasl_oauthbearer_token_endpoint_url) unless sasl_oauthbearer_token_endpoint_url.nil?
       props.put("sasl.oauthbearer.scope.claim.name", sasl_oauthbearer_scope_claim_name) unless sasl_oauthbearer_scope_claim_name.nil?

data/logstash-integration-kafka.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-integration-kafka'
-  s.version         = '12.0.4'
+  s.version         = '12.0.5'
   s.licenses        = ['Apache-2.0']
   s.summary         = "Integration with Kafka - input and output plugins"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline "+

data/spec/integration/inputs/kafka_spec.rb

@@ -264,6 +264,53 @@ describe "inputs/kafka", :integration => true do
     end
   end
 
+  # ToDo: add tests for other sasl config options as well (https://github.com/logstash-plugins/logstash-integration-kafka/issues/234)
+  context 'setting sasl_jaas_config' do
+    let(:base_config) do
+      {
+        'topics' => ['logstash_integration_topic_plain'],
+        'group_id' => rand(36**8).to_s(36),
+      }
+    end
+
+    shared_examples 'sasl_jaas_config password handling' do
+      it 'stores sasl_jaas_config as password type' do
+        kafka_input = LogStash::Inputs::Kafka.new(consumer_config)
+        expect(kafka_input.sasl_jaas_config).to be_a(LogStash::Util::Password)
+        expect(kafka_input.sasl_jaas_config.value).to eq(jaas_config_value)
+      end
+
+      it 'does not expose password in inspect output' do
+        kafka_input = LogStash::Inputs::Kafka.new(consumer_config)
+        expect(kafka_input.sasl_jaas_config.inspect).to eq('<password>')
+        expect(kafka_input.sasl_jaas_config.inspect).not_to include('admin-secret')
+      end
+    end
+
+    context 'with single-line config' do
+      let(:jaas_config_value) { 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";' }
+      let(:consumer_config) { base_config.merge('sasl_jaas_config' => jaas_config_value) }
+
+      include_examples 'sasl_jaas_config password handling'
+    end
+
+    context 'with multiline config' do
+      let(:jaas_config_value) do
+        <<~JAAS
+          org.apache.kafka.common.security.plain.PlainLoginModule required
+            username="admin"
+            password="admin-secret"
+            user_admin="admin-secret"
+            user_alice="alice-secret";
+        JAAS
+      end
+      let(:consumer_config) { base_config.merge('sasl_jaas_config' => jaas_config_value) }
+
+      include_examples 'sasl_jaas_config password handling'
+    end
+  end
+
+
   context "static membership 'group.instance.id' setting" do
     let(:base_config) do
       {

data/spec/unit/inputs/kafka_spec.rb

@@ -264,6 +264,43 @@ describe LogStash::Inputs::Kafka do
 
       expect(subject.send(:create_consumer, 'test-client-2', 'group_instance_id')).to be kafka_client
     end
+
+    context 'with sasl_jaas_config' do
+      shared_examples 'sasl_jaas_config password handling' do
+        it "sasl_jaas_config.value returns the original string" do
+          subject.register
+          expect(subject.sasl_jaas_config.value).to eq(jaas_config_value)
+        end
+
+        it "sasl_jaas_config.inspect does not expose the password" do
+          subject.register
+          expect(subject.sasl_jaas_config.inspect).not_to include('admin-secret')
+          expect(subject.sasl_jaas_config.inspect).to eq('<password>')
+        end
+      end
+
+      context 'with single-line config' do
+        let(:jaas_config_value) { 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";' }
+        let(:config) { super().merge('sasl_jaas_config' => jaas_config_value) }
+
+        include_examples 'sasl_jaas_config password handling'
+      end
+
+      context 'with multiline config' do
+        let(:jaas_config_value) {
+          <<~JAAS
+            org.apache.kafka.common.security.plain.PlainLoginModule required
+              username="admin"
+              password="admin-secret"
+              user_admin="admin-secret"
+              user_alice="alice-secret";
+          JAAS
+        }
+        let(:config) { super().merge('sasl_jaas_config' => jaas_config_value) }
+
+        include_examples 'sasl_jaas_config password handling'
+      end
+    end
   end
 
   describe "schema registry" do

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: logstash-integration-kafka
 version: !ruby/object:Gem::Version
-  version: 12.0.4
+  version: 12.0.5
 platform: java
 authors:
 - Elastic
 bindir: bin
 cert_chain: []
-date: 2026-01-31 00:00:00.000000000 Z
+date: 2026-03-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstash-core-plugin-api