Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mask credentials in Rendered Template tab of task instance details page #10855

Closed
abhilash1in opened this issue Sep 10, 2020 · 4 comments
Closed

Mask credentials in Rendered Template tab of task instance details page #10855

abhilash1in opened this issue Sep 10, 2020 · 4 comments
Labels
kind:bug This is a clearly a bug

Comments

@abhilash1in
Copy link
Contributor

abhilash1in commented Sep 10, 2020
edited
Loading

Apache Airflow version: 1.10.12

Kubernetes version (if you are using kubernetes) (use kubectl version): N/A

Environment:

  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release): Ubuntu 18.04.4 LTS
  • Kernel (e.g. uname -a): Linux upcairflow01 4.15.0-115-generic #116-Ubuntu SMP Wed Aug 26 14:04:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools:
  • Others:

What happened:
I have some credentials stored on Airflow which I'm passing to a PythonOperator via op_kwargs as follows:

from airflow.hooks.base_hook import BaseHook
from airflow.operators.python_operator import PythonOperator
from sample_module import sample_python_callable

CONN_ID = 'sample_conn_id'
conn = BaseHook.get_connection(CONN_ID)

# other DAG related code
# ...
sample_task = PythonOperator(
    task_id='sample_task',
    python_callable=sample_python_callable,
    op_kwargs={
        'credentials': {
            'host': conn.host,
            'username': conn.login,
            'password': conn.password
        }
    }
)
# ...
# other DAG related code

The actual plaintext credentials are exposed in the Rendered Template tab of the task instance details page.
Screen Shot 2020-09-09 at 11 23 27 PM

What you expected to happen:

Expected all credentials/passwords stored as Airflow Connections to be masked in the UI.

There should be a way for Airflow to identify credentials/passwords and mask them everywhere (UI and logs) automatically.

How to reproduce it:
Create a task using PythonOperator similar to the example above and pass some credentials stored as Airflow Connections. They are visible in plaintext on the UI.

Anything else we need to know:
@abhilash1in abhilash1in added the kind:bug This is a clearly a bug label Sep 10, 2020
@boring-cyborg
Copy link

boring-cyborg bot commented Sep 10, 2020

Thanks for opening your first issue here! Be sure to follow the issue template!

@mik-laj
Copy link
Member

mik-laj commented Sep 10, 2020
edited
Loading

You should pass conn_id to callable and this callable should use conn = BaseHook.get_connection(CONN_ID) to read credentials. This is the recommended and official way to manage credentials data for operators..

Otherwise, your DAG will make a lot of database queries. In the community, we have automatic tests on CIs that detect and block such DAG file.

airflow/tests/test_example_dags.py

Line 47 in ff72327

def test_should_not_do_database_queries(self):

@kaxil
Copy link
Member

kaxil commented Sep 11, 2020

Similar issues:

@abhilash1in
Copy link
Contributor Author

@mik-laj @kaxil thank you, the similar issues linked above covers this in more detail. Closing this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind:bug This is a clearly a bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kaxil @abhilash1in @mik-laj