Obscuring sensitive producer property values
About this task
When configuring a PingDataSync Kafka producer, you might add producer properties that contain sensitive values such as keys or passwords. To prevent storing these sensitive values in plain text, you can use the sensitive-kafka-producer-property configuration property.
You create a sensitive-kafka-producer-property using the following required arguments:
- --property-name
  Specifies the name of the sensitive Kafka producer property.
- --set sensitive-producer-key:<key>
  Specifies the name of the valid property key that contains a sensitive value.
- --set sensitive-producer-value:<value>
  Specifies the sensitive value associated with the producer key.
Steps
- Create one or more sensitive Kafka producer properties using dsconfig create-sensitive-kafka-producer-property.
  Example:
    $ bin/dsconfig create-sensitive-kafka-producer-property \
        --property-name saslConfig \
        --set "sensitive-producer-key:sasl.jaas.config" \
        --set 'sensitive-producer-value:org.apache.kafka.common.security.scram.ScramLoginModule required username="username" password="password";'
  Result:
  Perform an ldapsearch for the sensitive property:
    ldapsearch --baseDN "cn=saslConfig,cn=Sensitive Kafka Producer Property,cn=config" "(objectclass=*)"
  The sensitive value is now obscured.
    dn: cn=saslConfig,cn=Sensitive Kafka Producer Property,cn=config
    objectClass: top
    objectClass: ds-cfg-sensitive-kafka-producer-property
    cn: saslConfig
    ds-cfg-sensitive-producer-key: sasl.jaas.config
    ds-cfg-sensitive-producer-value: AADu9yRP8DyrLndvqqDzeQEK9aqqLvDBZZhgHAZbh++KgovN+kUthhyn9+1o9+AqExDmigO14YQnwakqOpTAB4LnbsvwBJos6PZzYlWMNjFNXsDtOUeBsFhVi/nErPJT+cmQijC5P1EUsKWPvjDVauBe
  The config-audit.log file that contains the dsconfig change you made to create the sensitive property also obscures the value.
- Optional: Delete one or more sensitive Kafka producer properties using dsconfig delete-sensitive-kafka-producer-property.
  Example:
    $ bin/dsconfig delete-sensitive-kafka-producer-property \
        --property-name saslConfig
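To check the ldapsearch result from the first step automatically, the following added example (not part of the product or its documentation) parses LDIF output and reports any sensitive Kafka producer property whose value still reads as cleartext, including one hidden only by LDIF's own base64 encoding. The sample entries, the marker pattern, and the names parse_ldif and find_cleartext are assumptions made for illustration.

```python
import base64
import re

# JAAS-style cleartext markers, as in the sasl.jaas.config example on this page.
JAAS_MARKERS = re.compile(r"LoginModule|password\s*=", re.IGNORECASE)
OBJECT_CLASS = "ds-cfg-sensitive-kafka-producer-property"

# Constructed ldapsearch output (not real data): an obscured value folded across
# two lines, and a cleartext JAAS string hidden only by LDIF '::' base64 encoding.
SAMPLE_LDIF = """\
dn: cn=saslConfig,cn=Sensitive Kafka Producer Property,cn=config
objectClass: ds-cfg-sensitive-kafka-producer-property
ds-cfg-sensitive-producer-key: sasl.jaas.config
ds-cfg-sensitive-producer-value: AAConstructedObscuredValue0123456789abcdef
 ghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP

dn: cn=leaky,cn=Sensitive Kafka Producer Property,cn=config
objectClass: ds-cfg-sensitive-kafka-producer-property
ds-cfg-sensitive-producer-key: sasl.jaas.config
ds-cfg-sensitive-producer-value:: """ + base64.b64encode(
    b'x.ScramLoginModule required username="u" password="example";').decode()

def parse_ldif(text):
    """Return entries as {attr: [values]}; unfolds lines, decodes '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # continuation of a folded line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line.strip():              # a blank line ends the entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            if val.startswith(":"):       # '::' marks a base64-encoded value
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(attr.lower(), []).append(val.strip())
    return entries

def find_cleartext(text, secrets=()):
    """Return (dn, key) for sensitive properties whose value reads as cleartext."""
    return [(e["dn"][0], e["ds-cfg-sensitive-producer-key"][0])
            for e in parse_ldif(text) if OBJECT_CLASS in e.get("objectclass", [])
            for val in e.get("ds-cfg-sensitive-producer-value", [])
            if JAAS_MARKERS.search(val) or any(s in val for s in secrets)]
```

Pass the text returned by ldapsearch as the first argument and, optionally, the known secret strings as secrets; an empty list means no value matched.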