Kafka Connect configuration Password/Secrets encryption

[Oliver Lopes]

Hi, 

is there any way to encrypt the user id details/password/secrets/connect uri string which are passed in kafka/confluent connect configuration while creating the connector.

for example below, wanted to encrypt mongodb.user and mongodb.password

{

"name": "mngdbz-0316",

        "config":{

            "connector.class": "io.debezium.connector.mongodb.MongoDbConnector",

"mongodb.hosts": "srver host",

"mongodb.name": "DB",

"mongodb.user": "user name",

"mongodb.password": "password",

"mongodb.authsource": "$external",

"mongodb.ssl.enabled": true

        }

}

for ex:

"connection.uri": "mongodb://username:password@sever:27017/?ssl=true&readPreference=secondaryPreferred&serverSelectionTimeoutMS=60000&connectTimeoutMS=60000&replicaSet=RSDEV01&authSource=$external&authMechanism=PLAIN",

the problem if we dont do encrypt, if someone download the connector configuration, they can see user/passed details.

[Matthew Tice]

Robin Moffatt has a great write up on how to do this.

https://rmoff.net/2019/05/24/putting-kafka-connect-passwords-in-a-separate-file-/-externalising-secrets/

--
You received this message because you are subscribed to the Google Groups "Confluent Platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to confluent-platf...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/confluent-platform/a3ed8be3-6ceb-4a97-944a-68b95ab760can%40googlegroups.com.

[Sanju Thomas]

That was a very good write-up. 

You can load config from anywhere if you can write an implementation for org.apache.kafka.common.config.provider.ConfigProvider.

If you got a secret store like HashiCorp Vault, you can load the credentials directly from secret store. An example can be found at https://gitlab.com/axual-public/vault-config-provider/-/tree/master

To view this discussion on the web visit https://groups.google.com/d/msgid/confluent-platform/CA%2BtaBv8wg6nL%2BpAxCXt2B7Mk0dp%2BB7mTgz4dZ1G3h6zentksew%40mail.gmail.com.

[Oliver Lopes]

Thank you all, This is what i am expecting.

Thank you.