9.3.1. Kafka scheduler and SASL_PLAINTEXT credentials
LauriPessi
Vertica Customer ✭
Is there a preferred approach for passing SASL_PLAINTEXT username & password to vkconfig?
Documentation suggests setting sasl.username and sasl.password for rdkafka via the kafka_conf parameter, but these expose the credentials to logs as cleartext with COPY commands generated by the scheduler.
Best Answers
SergeB - Employee
That's the only mechanism to pass these parameters at the moment. I will log an enhancement request to obfuscate the password in the logs (as is done for other sensitive parameters).
SergeB - Employee
This has been addressed in 12.0.4; there is now an extra parameter called kafka_conf_secret where you can put sensitive configuration options such as sasl.password. See: https://docs.vertica.com/12.0.x/en/new-features/12.0.4/kafka-integration/
Answers
We're now 2 major versions (v11.1.1-11) ahead of this discussion; the format of kafka_conf has changed to JSON, but sasl.password passed with kafka_conf still seems to end up in query_requests and vertica.log as is?
Thanks, seems that we're due for a version upgrade.
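Added example, not part of the thread and not Vertica code: a check for the exposure discussed above that flags and masks sensitive options carried in kafka_conf on logged COPY statements. It covers both the JSON format mentioned in the thread and a semicolon-delimited key=value form; the sample statements are constructed, and the list of sensitive option names and the way kafka_conf_secret is rendered are assumptions.

```python
import json
import re

SENSITIVE = {"sasl.password", "ssl.key.password"}  # assumed list; extend as needed
# kafka_conf='...' as a SQL string literal; deliberately skips kafka_conf_secret.
KAFKA_CONF = re.compile(r"\bkafka_conf\s*=\s*'((?:[^']|'')*)'")
MASK = "********"


def parse_conf(raw):
    """Return (options, is_json) for a kafka_conf value in either format."""
    text = raw.replace("''", "'").strip()
    if text.startswith("{"):
        try:
            data = json.loads(text)
        except ValueError:
            data = {}
        return (data if isinstance(data, dict) else {}), True
    pairs = (item.partition("=") for item in text.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, _, v in pairs}, False


def exposed_keys(line):
    """Names of sensitive options carried in cleartext on this log line."""
    found = []
    for match in KAFKA_CONF.finditer(line):
        options, _ = parse_conf(match.group(1))
        found += sorted(k for k, v in options.items() if k in SENSITIVE and v != MASK)
    return found


def redact(line):
    """Mask sensitive values and leave the rest of the statement unchanged."""
    def _mask(match):
        options, is_json = parse_conf(match.group(1))
        masked = {k: MASK if k in SENSITIVE else v for k, v in options.items()}
        body = (json.dumps(masked, separators=(",", ":")) if is_json
                else ";".join(f"{k}={v}" for k, v in masked.items()))
        return "kafka_conf='" + body.replace("'", "''") + "'"
    return KAFKA_CONF.sub(_mask, line)


# Constructed sample statements, not real log output.
PREFIX = "COPY t SOURCE KafkaSource(stream='topic|0|-2', brokers='kafka01:9092', "
SAMPLE_LOG = [
    PREFIX + "kafka_conf='sasl.username=loader;sasl.password=Example-Pw1')",
    PREFIX + "kafka_conf='{\"sasl.username\":\"loader\",\"sasl.password\":\"Example-Pw1\"}')",
    PREFIX + "kafka_conf='{\"sasl.username\":\"loader\"}', kafka_conf_secret='<obfuscated>')",
]
```

Running exposed_keys over vertica.log or an export of query_requests before and after moving sasl.password to kafka_conf_secret shows whether cleartext credentials are still being recorded; redact can be applied before such logs are shipped elsewhere.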