ZOOKEEPER-5049: Redact passwords from PrometheusMetricsProvider configuration logging

[PDavid]

Before

When PrometheusMetricsProvider was enabled and configured for HTTPS, on startup, PrometheusMetricsProvider logged all it's configs in clear text on INFO level. This included KeyStore and TrustStore passwords.

Fix

Use the same redaction logic as ZKConfig to avoid logging passwords.

[PDavid]

Log before:

2026-05-13 16:49:22,852 [myid:] - INFO  [main:o.a.z.m.p.PrometheusMetricsProvider@135] - Initializing Prometheus metrics with Jetty, configuration: {ssl.keyStore.location=keystore.jks, ssl.keyStore.password=password, ssl.trustStore.password=password, ssl.enabledProtocols=TLSv1.2,TLSv1.3, httpPort=7000, ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, ssl.need.client.auth=false, ssl.trustStore.location=truststore.jks, httpsPort=7000}

Log after:

2026-05-15 08:05:36,017 [myid:] - INFO  [main:o.a.z.m.p.PrometheusMetricsProvider@140] - Initializing Prometheus metrics with Jetty, configuration: {httpsPort=7000, ssl.keyStore.location=keystore.jks, ssl.trustStore.location=truststore.jks, ssl.keyStore.password=***, ssl.trustStore.password=***, ssl.need.client.auth=false, httpPort=7000, ssl.enabledProtocols=TLSv1.2,TLSv1.3, ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}

[anmolnar]

Thank @PDavid , I think this is good. Please check logredactor in ZKConfig and try to consolidate the two approaches.

[PDavid]

Thank @PDavid , I think this is good. Please check logredactor in ZKConfig and try to consolidate the two approaches.

Thanks, good point. I extracted the log redaction logic to a shared utility.

[anmolnar]

lgtm.

[anmolnar]

@meszibalu PTAL.

[anmolnar]

Merged to master branch. Thanks @PDavid !
branch-3.9 has some conflicts, please create separate pull request.

[PDavid]

Merged to master branch. Thanks @PDavid ! branch-3.9 has some conflicts, please create separate pull request.

Many thanks. I'll create a backport.

[PDavid]

Merged to master branch. Thanks @PDavid ! branch-3.9 has some conflicts, please create separate pull request.

@anmolnar I just realized that secure PrometheusMetricsProvider (HTTPS support) only exists on master branch. So on branch-3.9 there will be no passwords logged because in PrometheusMetricsProvider we only load the following properties:

• metricsProvider.httpHost
• metricsProvider.httpPort
• exportJvmInfo
• numWorkerThreads
• maxQueueSize
• workerShutdownTimeoutMs

In PrometheusMetricsProvider we log the whole Properties object on INFO level though. So if I add metricsProvider.ssl.keyStore.password=password to my zoo.cfg, then it will be logged, does not matter but PrometheusMetricsProvider will not use it.

Do you think we still need to backport this patch to branch-3.9?

[PDavid]

I created the 3.9 backport here #2392 (though I'm not sure how useful it is).