Heuristic:Fede1024 Rust rdkafka Sensitive Config Sanitization

From Leeroopedia



Knowledge Sources
Domains Security, Debugging
Last Updated 2026-02-07 19:30 GMT

Overview

ClientConfig automatically sanitizes sensitive keys (SASL passwords, SSL key passwords, OAuth secrets) in Debug output, replacing their values with `[sanitized for safety]`.

Description

The `ClientConfig` struct maintains a hardcoded list of sensitive configuration keys that are redacted when the config is printed via Rust's `Debug` trait. This prevents accidental credential leakage in logs, error messages, and debug output. The sanitized keys include `sasl.password`, `ssl.key.password`, `ssl.keystore.password`, `ssl.truststore.password`, and `sasl.oauthbearer.client.secret`. This is a defense-in-depth measure that protects against the common mistake of logging configuration objects.

Usage

Use this heuristic when debugging configuration issues that involve authentication. Be aware that Debug output will show `[sanitized for safety]` for password fields. If you need to verify a password value is correct, you must check it directly rather than relying on Debug output. Also, extend this pattern to any custom configuration wrapper you build around rdkafka.
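As an added example (not code from rust-rdkafka or from this page's author), the following shows the pattern applied to a hypothetical application-side wrapper, `AppKafkaConfig`, which stands in for a wrapper you might build around `rdkafka::ClientConfig`. It does not depend on the rdkafka crate; the key list and placeholder string are the ones this page quotes, and the `BTreeMap` store, `sanitized_entries`, `debug_render` and all sample values are assumptions made for the example.

```rust
use std::collections::BTreeMap;
use std::fmt;

/// Keys whose values must never appear in Debug output.
/// Same list as the one this page quotes from rust-rdkafka's src/config.rs.
const SENSITIVE_CONFIG_KEYS: &[&str] = &[
    "sasl.password",
    "ssl.key.password",
    "ssl.keystore.password",
    "ssl.truststore.password",
    "sasl.oauthbearer.client.secret",
];

const SANITIZED_VALUE_PLACEHOLDER: &str = "[sanitized for safety]";

/// Hypothetical application wrapper around a librdkafka-style key/value config.
/// It is a stand-in for a wrapper around rdkafka::ClientConfig and does not
/// use the rdkafka crate.
pub struct AppKafkaConfig {
    entries: BTreeMap<String, String>,
}

impl AppKafkaConfig {
    pub fn new() -> Self {
        Self { entries: BTreeMap::new() }
    }

    pub fn set(&mut self, key: &str, value: &str) -> &mut Self {
        self.entries.insert(key.to_string(), value.to_string());
        self
    }

    /// Returns the real stored value. Code that must verify a credential
    /// reads it here instead of relying on Debug output, which is redacted.
    pub fn get(&self, key: &str) -> Option<&str> {
        self.entries.get(key).map(String::as_str)
    }

    pub fn is_sensitive(key: &str) -> bool {
        SENSITIVE_CONFIG_KEYS.contains(&key)
    }

    /// Key/value pairs exactly as Debug will show them: sensitive values are
    /// replaced by the placeholder, everything else is passed through.
    pub fn sanitized_entries(&self) -> Vec<(String, String)> {
        self.entries
            .iter()
            .map(|(k, v)| {
                let shown = if Self::is_sensitive(k) {
                    SANITIZED_VALUE_PLACEHOLDER.to_string()
                } else {
                    v.clone()
                };
                (k.clone(), shown)
            })
            .collect()
    }
}

// Deliberately hand-written: `#[derive(Debug)]` on a struct holding secrets
// would print every field verbatim, which is the mistake this pattern prevents.
impl fmt::Debug for AppKafkaConfig {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let mut map = f.debug_map();
        for (k, v) in self.sanitized_entries() {
            map.entry(&k, &v);
        }
        map.finish()
    }
}

/// Renders the config the way a log line such as
/// `log::info!("kafka config: {:?}", cfg)` would.
pub fn debug_render(cfg: &AppKafkaConfig) -> String {
    format!("{:?}", cfg)
}

fn main() {
    // Constructed sample values; the password is a placeholder, not a real secret.
    let mut cfg = AppKafkaConfig::new();
    cfg.set("bootstrap.servers", "broker.example.internal:9093")
        .set("security.protocol", "SASL_SSL")
        .set("sasl.mechanism", "SCRAM-SHA-512")
        .set("sasl.username", "svc-orders")
        .set("sasl.password", "constructed-placeholder-secret");
    println!("{}", debug_render(&cfg));
}
```

Running `main` prints the username and broker address verbatim but shows `"sasl.password": "[sanitized for safety]"`, so a stray `{:?}` in a log statement cannot leak the credential; the `get` accessor remains the only path to the real value and is the one to use when checking that a credential is correct.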

The Insight (Rule of Thumb)

  • Action: Rely on the built-in sanitization; do not implement custom Debug for ClientConfig wrappers that might expose secrets.
  • Value: Five keys are auto-sanitized: `sasl.password`, `ssl.key.password`, `ssl.keystore.password`, `ssl.truststore.password`, `sasl.oauthbearer.client.secret`.
  • Trade-off: Sanitization prevents easy debugging of auth failures; verify credentials through other means.

Reasoning

Credential leakage through logs is a top security risk in distributed systems. Kafka configurations commonly include SASL passwords and SSL key passwords for production deployments. By sanitizing these at the library level, rust-rdkafka prevents accidental exposure regardless of the application's logging configuration.

Code Evidence

Sensitive key list from `src/config.rs:40-48`:

const SENSITIVE_CONFIG_KEYS: &[&str] = &[
    "sasl.password",
    "ssl.key.password",
    "ssl.keystore.password",
    "ssl.truststore.password",
    "sasl.oauthbearer.client.secret",
];

const SANITIZED_VALUE_PLACEHOLDER: &str = "[sanitized for safety]";
